In a federal court criminal complaint filed yesterday, the Department of Justice alleges that Paige Thompson hacked into Capital One Financial Corporation’s cloud storage earlier this year and exfiltrated large volumes of Capital One’s consumer data.

The complaint paints a picture of an alleged hacker living up to the handle “erratic.”  According to the complaint, on July 18 Ms. Thompson stated in a Twitter Direct Message “Ive basically strapped myself with a bomb vest, f***ing dropping capital ones dox and admitting it … I wanna distribute those buckets i think first … There ssns…with full name and dob”.  Initial press reports indicate that Ms. Thompson, a 33-year-old Seattle resident, has held a variety of software engineering jobs, including a stint at Amazon Web Services in 2015 and 2016, and that, per her resume, she is currently the owner of Netcrave Communications, a “hosting company.”  Hmmmm.

Per the complaint, Capital One indicates that the compromised data was primarily related to credit card applications, with only some of the data tokenized or encrypted.  The complaint further alleges that, according to Capital One, data from tens of millions of applications may have been accessed, including approximately 120,000 Social Security numbers and 77,000 bank account numbers.
As of today, Capital One’s website states that the hack “affected approximately 100 million individuals in the United States and approximately 6 million in Canada. … Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised. … The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”
Capital One further states that the hack compromised information beyond credit card application data, including: “[c]ustomer status data, e.g., credit scores, credit limits, balances, payment history, contact information” and “[f]ragments of transaction data from a total of 23 days during 2016, 2017 and 2018.”  According to Capital One, “[a]bout 140,000 Social Security numbers of our credit card customers” were compromised, along with “[a]bout 80,000 linked bank account numbers of our secured credit card customers.”  Capital One adds that “[f]or our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.”

These are early days for this breach investigation, and we’ll no doubt learn more as things unfold.  But a key question will be, what does this breach tell us about the security of cloud-hosted data?

Early reports indicate that Capital One’s cloud host is Amazon Web Services, but that large enterprises such as Capital One build their own web applications on top of Amazon’s cloud platform.  The complaint indicates that “a firewall configuration permitted commands to reach and be executed by [a] server, which enabled access to folders or buckets of data in Capital One’s [cloud] storage space ….”  And Capital One’s website indicates that, upon its discovery of the hack, Capital One “immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement.”

This suggests that the security vulnerability was not the cloud provider’s, but rather was a vulnerability in the cloud customer’s own configuration.  And, as noted in KrebsOnSecurity’s post today, there may be other improperly secured Amazon cloud instances for other organizations.  Time will tell.  Certainly, cloud hosting by a reputable, security-conscious provider can bring with it many cyber security advantages, including patching hygiene and robust perimeter defenses.  But the devil is in the details, and the configuration of the customer’s own applications and access rules layered on top of the provider’s platform is a potential risk hot spot.

Security risks flow from threats coupled with vulnerabilities – and when it comes to data security, law firms are uniquely vulnerable.

Law firms have highly valuable information.

Like any other business, firms have employee personal data, including SSNs, payroll data, and health plan data, along with financial and tax information for the firm itself and its owners.  Yet law firms also have something far more attractive than other businesses – a concentrated trove of client data, such as nonpublic issuer information; client trade secrets; confidential information on client business strategies, controversial matters and transactions, and litigation; sensitive information with reputational impact for public and private individuals and institutions; and on and on.  Law firms also have information and credentials that can serve as gateways to clients’ systems, through hacking or social engineering.

Many firms are behind the curve on data security safeguards.

Despite their valuable information, many law firms are demonstrably lax in their data security posture.  Results of the 2018 ABA Legal Technology Survey reveal a bleak picture for law firm data security controls:

  • Less than half of the responding firms have the following policies or plans that are important facets of a law firm’s security posture:  computer acceptable use policy (41%); remote access policy (37%); personal technology use/BYOD policy (21%); incident response plan (25%); disaster recovery / business continuity plan (40%).
  • Only 53% of the firms have a formal policy or process to manage retention of data held by the firm, and as of 2017, only 40% have an official records retention schedule.
  • 31% of the firms allow personal mobile devices (tablets, laptops, smartphones) to access the firm’s network without any restrictions.
  • Only 46% of the firms have file encryption tools, only 38% have email encryption capabilities, and only 24% have full disk encryption.
  • Among the responding firms that utilize cloud IT services, fewer than half report using basic security precautions such as evaluating the provider company’s history (27%); reviewing the provider’s privacy policy (38%) or terms of use (34%); using only web-based software with encryption features (36%); or making regular local data backups (41%).

In the midst of a troubling threat environment, why are so many firms still behind the curve in their data security safeguards?  Here are ten factors to consider:

Just another day at the firm.  The case was settled, with a $500,000 payment to be made to the approved settlement administrator.  The law firm received an email from the administrator with wire transfer directions, and the settlement funds were sent per the instructions.  Just one problem – the email didn’t come from the administrator, the receiving bank was not the right bank, and the half million dollars evaporated.  Poof – gone in an instant.

Sure, it would’ve been prudent for the law firm to have picked up the phone and independently verified the email sender and instructions.  But how did the bad guys know precisely to whom and when to send the phony email, and exactly what to say?  Was it from publicly available information in the court file?  Was there a rogue insider at the firm, or at one of the other litigant’s firms, or at the court, or with the settlement administrator?  Or was someone’s email account illicitly monitored after being compromised by malware or through phished access credentials?

Business email compromise (BEC) is a growing threat for businesses generally.  Reports of BEC incidents to the federal Financial Crimes Enforcement Network (FinCEN) have doubled from 2016 to 2018, with the dollar amounts rising nearly threefold, from $110 million monthly in 2016 to over $300 million monthly in 2018.

But BEC is only one of many potent threats to law firm data security.  Here are some high-profile examples from the news:

Courtesy of Wikipedia, To Serve Man (The Twilight Zone)

To truly appreciate just how we are served by the digital economy, we must revisit Damon Knight’s award-winning 1950 short story To Serve Man.  Popularized by a beloved 1962 TV episode of The Twilight Zone, Knight’s tale tells of aliens coming to Earth to bring humans “peace and plenty.”  Courtesy of the aliens’ advanced technologies, we soon enjoy the global benefits of unlimited electrical power, inexhaustible food, and the end of warfare.  And better yet, humans are invited to visit the aliens’ home planet, a galactic paradise.

Meanwhile, a skeptical person toils to decipher the aliens’ cryptic language, in order to read a purloined alien book and come to understand their motives for such astounding beneficence toward humankind.  The book’s translated title is reassuring – “To Serve Man.”  Only later is our intrepid translator able to decipher the book’s first paragraph, revealing that it is not a treatise on helping humanity.  It’s a cookbook.

The digital revolution has indeed brought us benefits on a global scale, unimaginable just a few decades ago.  The Internet informs us, social media connect us, and our apps and devices support us.  All problems solved, right?

But something is wrong in our advanced-technology paradise.  The digital economy traffics in something of great value – our information – and we remain largely oblivious to the basis of our “bargain.”  The signs are right there, in front of us, like a book waiting to be read.  For example, consider this from The Atlantic:

I’m here at RabbitHole, Inc., talking with the company’s Manager of Money in his office, which is buried in the Facilities Department, down in the building’s basement. I’m interviewing him to get a better sense of how RabbitHole manages money as a corporate asset.

Pardon my asking, but how much money does RabbitHole have?

“Frankly, no one knows – we don’t really keep track of that. We have boxes of paper currency stored off-site, but as for ‘active’ money, our employees keep that pretty much wherever they choose – in the network money systems, in their individual offices, in mobile wallets, and probably some stashed at home.”

But isn’t that your job? I mean, you’re the “Manager of Money,” right?

“Nope – that’s indeed my title, but I don’t have the authority to manage all of RabbitHole’s money. My focus is just on the paper money, not electronic accounts and transfers. And I only keep track of the paper currency that is boxed up and kept off-site – what employees do with money day-to-day is up to them, their business units, and the company’s Money Policy.”

What does the Money Policy say?

Earth Day reminds me of grabbing a coffee before a client meeting in San Francisco a couple years ago.  As I walked into a local Blue Bottle Coffee, I entered an environmental tableau.  The diverse crowd of customers was uniform in its vibe (young professional/Tech), clothing (black or grey organic fiber), and appetite for a curated/organic/Fair Trade coffee experience – and happy to pay a premium for it.  A phalanx of recycling containers awaited every conceivable waste stream.  Nary a plastic straw was in sight.  It felt as if I was in a temple of sustainable sensibilities, with a business model and patronage profoundly committed to Green principles.

But what struck me instead were the billowing clouds of data exhaust streaming from laptops, tablets, and phones, themselves toxic waste sites for massive amounts of uncontrolled data.

The contrast between our environmental practices and how we treat our data is gobsmacking.  Though we never uniformly agree on anything, it’s indisputable that Green principles are now squarely in the mainstream.  We believe in reducing/reusing/recycling; we expect clean air and water;  we care about the healthfulness of the food we ingest; and we worry about climate change.  We talk about these values; we support varying degrees of government regulation for these aims; and, most importantly, we tend to align our money with our motivations, causing an increasing number of companies to adopt environmentally sustainable practices.

But what about our data?  We freely generate massive amounts of data, in rapidly increasing volumes.  We allow our data to accumulate in vast troves, locally and in the cloud, without a thought to the repercussions.  We fail to take the often simple steps to secure the data we possess, or to be aware of the security practices of those with whom we entrust our data.  How we actually treat our data belies any professed interest in the privacy of our information.  We happily ingest information from virtually any source, without regard for its toxicity.  We do not demand effective government regulation of the powerful companies that handle our data.  And, most importantly, we do not use our market behavior to compel companies to treat our data responsibly.

Why is this so?  How is it that our 21st Century data practices mirror the environmental-obliviousness of the 1960’s?  How did Green environmental sensibilities successfully take root and flourish, and what does that tell us about how we now could make better data practices a reality?  And what would it look like to be Data Green?

Stay tuned.

They say that the right time to plant a tree is yesterday.  In a world of data dangers and opportunities, the time to elevate how your business governs its information is now.  That’s easy to say, but with all of the conflicting priorities facing companies today, for many it’s hard to get started, or to push ahead.  Sometimes it helps to revisit why an effort is worthwhile.

So, here are a dozen reasons why your organization should redouble efforts to govern its information, in 2019 and beyond:

12. Unnecessary business data causes unnecessary litigation costs.

“If your clients don’t have a records management system, they may as well take their money out into the parking lot and set it on fire.”  Former District Court Magistrate Judge John Facciola

11. Thousands of federal and state records retention laws apply to your company.

We know, because we track them.  Your regulators expect you to know them too.

10. It’s a when, not if, world for data breaches.

“You’re going to be hacked.  Have a plan.” Joseph Demarest, FBI Cyber Division

9. Unnecessary business data multiplies data security exposures.

Hacked company systems frequently contain two, three, or even four times more data than was needed for retention compliance or any valid business purpose.  It’s not possible for a breach to compromise the security of information that compliantly no longer exists.

8. How you govern data can build – or bust – your brand.

In our data-driven world, how well your organization manages information tells you, and tells the world, how well you manage your business.

7. Merely adding more storage or more tools won’t solve your data problems.

More storage is simply a reaction, not a strategy.  And adding technology tools, without the right rules, only makes things worse, not better.

6. It’s OK to destroy your data.  Really.

Disposal of data in good faith, pursuant to a compliantly established and legally validated data retention schedule, and absent an applicable litigation preservation duty, is both responsible and defensible.

5. Bad information results in bad decisions.

Actually … data is simply data.  Calling some data “bad” distracts us from the true issue, which is the quality of our business practices in creating, retaining, and using information to make decisions.

4. Your business data is in others’ custody … but you’re still responsible for it.

Your litigation preservation duties do not vanish for information hosted elsewhere but still in your control; your data security obligations do not evaporate when you house protected data with a service provider; your imperatives of data integrity and accessibility have no exceptions based merely on data storage location; and your records retention and destruction rules do not disappear if your data is hosted remotely. You still need to govern information compliance and risk for your data in others’ custody.

3. “Your” data may belong to others … and you’re responsible to take care of it.

Companies commonly possess third-party data.  If your agreements don’t clarify permissible use, ownership of derivative information, retention/disposition, privacy, security, and litigation preservation and production obligations, you have risks and exposures without any rules to protect you.

2. Your information risks and opportunities are all connected, arising from a single source – your data. Your response strategies should be synchronized too.

Privacy, data security, retention, litigation preservation, and defensible disposition aren’t separate issues. They all interrelate, springing from the data itself.  How you handle information compliance, cost, risk, and value should be integrated as well, in an information governance strategy.

And that leaves the single most important reason of all:

1. Regardless of industry, you’re in the information business.

It doesn’t matter what products you sell or services you provide.  In today’s world, the success of your business – indeed, its viability – turns upon information.

Consider the attention and resources you apply to your other strategic assets, such as your finances, your facilities and equipment, and your people.  You make those investments because it would be foolish not to manage their value, costs, and risks.  Your information deserves no less.

So … it’s time to plant that tree.

Our firm’s elephant icon is a nod to The Blind Men and the Elephant, the familiar, age-old parable for how we often do not see the big picture, but instead only the parts we directly encounter. And so it goes for organizations’ data. Individual company functions and departments often have their own, limited perspectives on information, seeing only the risks and opportunities with which they are directly familiar. Limited perspective yields limited perception – not a good thing for identifying, understanding, and controlling organizational risk.

I actually prefer a slightly different version, The Blind Elephants and the Man:

One day, six blind elephants were in a heated argument about what Man was like. To resolve their dispute, they sought out and found a man. The first elephant “felt” the man and then proclaimed “Man is flat.” Each of the other elephants, in turn, felt the man, and they all agreed.

The moral? Limited perspective not only yields limited perception – it can also lead to very bad results.

“Information Governance” has become an overused buzz-phrase, often trotted out as marketing mumbo-jumbo for selling technology tools.  In all the hype one can easily lose track of what it really means.  At its heart, Information Governance is no more – and no less – than making sure the organization sees the big picture of information compliance, cost, risk, and opportunity when making strategic decisions.

The Information Governance perspective is a ready-made, scalable resource. Any organization can make meaningful headway, right away, by simply adopting an inclusive IG perspective when addressing information matters, before investing in significant organizational changes and expensive technology tools.

What does this mean? Simply this – whenever your organization deals with an information-related issue or is about to make an information-related decision, be sure to ask the following:

As you toss and turn in bed, you picture yourself on a strange playing field with other athletes swirling around you.  You have absolutely no idea what sport you are playing, nor a clue what the rules are.  It all feels beyond embarrassing, and downright dangerous.

This is not just a bad dream – it’s the reality for companies possessing third-party data without clarity on what rules and responsibilities apply.

Most companies possess some data that they do not truly and solely own.  Perhaps your company signs a nondisclosure agreement and obtains others’ information while evaluating a business opportunity.  Or maybe your company is a service provider that receives or generates data on behalf of customers or clients.  Your company has possession of the data, but it remains responsible to the third parties if there’s a problem.

What kinds of problems? Well, what if the third party’s data is lost, corrupted, misappropriated, hacked, or held for ransom?  What if the cost of maintaining the information, after the work concludes or need passes, becomes onerous?  What if the information becomes relevant in future litigation?  Who is authorized to make decisions about the information when the unexpected happens, and who is responsible for the expenses and exposures?

Information Governance – your organization’s strategic approach to managing information compliance, cost, and risk while maximizing information value – is tailor-made for this commonplace scenario.  Here’s how it works:

If you’re old enough, you’ll remember a time when businesses actually kept their own information (cue my adult children to roll their eyes). How quaint.  We no longer keep most of our information – providers do that for us.  We store our data in the cloud, with cloud providers. We outsource business applications to SaaS providers, and even entire systems as PaaS.  And we increasingly use service providers to handle key aspects of our business that we used to operate internally, resulting in a robust flow of data out of our businesses to such providers, and also the providers generating, receiving, and retaining huge troves of business data on our behalf.

But we’re still accountable for our information in others’ hands:

  • Litigation – the scope of permissible discovery, and of the preservation duty, extends not only to data in our possession or custody, but also to data within our control.
  • Data security – we’re generally responsible for data breaches suffered by our service providers.  Under most breach notification laws, including HIPAA and state breach notification statutes, our service providers must notify us of data breaches, but we are still responsible for providing notice to affected individuals and regulators.  Regardless, in the wake of a service provider data breach, we’re in the hot seat.
  • Business Continuity – if we need to promptly restore data due to ransomware or other causes of business interruption, it doesn’t matter who’s the custodian – all that matters at that moment is timely and effective restoration.
  • Retention – third parties retaining information longer (or shorter) than our retention schedule cause us to be at best inconsistent and out of compliance with our information management policies.  At worst?  See Litigation, Data Security, and Business Continuity above.

Our litigation preservation duties do not vanish for information hosted elsewhere but still in our control; our data security obligations do not evaporate when we house protected data with a service provider; our imperatives of data integrity and accessibility have no exceptions based merely on data storage location; and our records retention and destruction rules do not disappear if our data is hosted remotely. In other words, we still need to govern information compliance and risk for our business data in others’ custody.

And this is a perfect example of the value of Information Governance. A key benefit of the IG perspective is that it enables organizations to take useful strategies from one established discipline and apply them more broadly. The importance of service provider controls is well-established in the data security discipline. For example: