As we watch the tsunami of state comprehensive consumer privacy laws now spreading from California across the U.S., it’s time to revisit the flood zone of state-level PII breach notification statutes, which also flowed forth from California back in 2002. By 2018 that wave had reached every state, along with the District of Columbia, Puerto
We’ve already seen how new FTC regulations for GLBA-regulated financial institutions require retention schedules and disposal of unnecessary data as essential data security controls. The FTC is now also taking that position for all businesses under Section 5 of the FTC Act, as seen in a slew of recent FTC data security enforcement actions.
Two
Data security laws increasingly require disposal of unnecessary data, But will regulators take this seriously?
Continue Reading Less Data #1: State-level data security regulators are enforcing data disposal
It’s once again time for a summary round-up for the puzzling array of state PII breach notification laws.
Back in 2002, California enacted the first state law mandating notification of individuals whose personally identifiable information (PII) is breached. By 2018 every state had followed suit, along with the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands. Each state has its own unique approach, and the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications (bold text below reflects changes since 2018).
These laws are triggered by the affected individuals’ residency, not where the breach occurred. So, when a business with employees and customers in many states suffers a data breach, it must comply with a wide variety of conflicting and evolving state breach notification laws.
Scope of PII
State PII breach notification laws generally apply to a state resident’s name combined with another identifier useful for traditional identity theft, such as the individual’s Social Security number, driver’s or state identification number, or financial account number with access information. But an ever-growing number of states include other combination elements in their PII definition:
Continue Reading The Puzzle of State PII Breach Notification Statutes
Law firms, like most businesses today, have embraced the convenient but usually hidden technologies known as the “Internet of Things.” This extension of internet connectivity into everyday objects and physical devices offers everything from constant video monitoring, to automatic locks, to dynamic heating and cooling adjustments. IoT devices look, listen, transmit, and record trillions of data points, and a report by ForeScout Technologies suggests that the number of connected devices will reach more than 20 billion by next year.
But all this convenience comes at a price. IoT devices are particularly vulnerable to compromise because they are relatively invisible to routine patching (if they allow patches), often do not have any security safeguards, and do not always have access controls. An infected device can, for example, open the backdoor to denial of service attacks, enable hacker control of locks and surveillance equipment, open opportunities for snooping and recording of phone calls, and generally create a gateway through which to launch spam campaigns, steal data, and change credentials.
Let’s look at some vulnerable IoT devices commonly found in today’s law firm:
IP-Connected Security Systems and Infrastructure. Think of cameras, smart meters, and HVAC controls. Hacks of these devices can cause problems ranging from spying via video and audio, to destruction or disabling of critical equipment to disrupt operations or to allow for physical break-in.
Smart Video Conference Systems. This category includes smart TVs, as well as DVR devices, which are typically connected via Wi-Fi or Ethernet. Compromise scenarios include real-time monitoring of communication, as well as use of the system as a launch pad to the network.
Printers & Phones. Wireless printers can allow almost undetectable access to confidential information (real-time or stored jobs) or, if compromised generally could allow a hacker to obtain administrative passwords and create a network bridge. Because VoIP phones are internet connected, their configuration settings may be compromised to allow call snooping or even to create outbound calls.
Light Bulbs? Yes, light bulbs! According to the above ForeScout report, smart lightbulbs operate on Wi-Fi and mesh networks. “In a wireless mesh network, the network connection is spread out among dozens or even hundreds of wireless mesh nodes that “talk” to each other to share the network connection across a large area.” The more nodes, the more avenues for entry into a system without being on the network.
Continue Reading Law Firm IoT: Internet of Things or Instruments of Trouble?
Yes, with a troubling threat environment and unique vulnerabilities, law firms indeed have data security challenges. But there are strategic opportunities too. When firms are serious about their data safeguards and take concrete steps to strengthen their security profile, they better position themselves for stronger client relationships, lower and better-controlled expenses, and higher revenue.
As always, context matters. The legal services industry has changed dramatically in the last decade, with private practice law firms facing:
It’s a more competitive world than ever for attracting and retaining clients. There still will be winners and losers, but now the margin of difference is more slim. That’s why strategic improvement in a law firm’s data security posture can make a big difference.
Here are three key examples of how better data security is a strategic win for law firms:
Continue Reading Law Firm Data Security Opportunities
In a federal court criminal complaint filed yesterday, the Department of Justice alleges that Paige Thompson hacked into Capital One Financial Corporation’s cloud storage earlier this year and exfiltrated large volumes of Capital One’s consumer data.
The complaint paints a picture of an alleged hacker living up to the handle “erratic.” According to the complaint,
Security risks flow from threats coupled with vulnerabilities – and when it comes to data security, law firms are uniquely vulnerable.
Like any other business, firms have employee personal data, including SSNs, payroll data, and health plan data, along with financial and tax information for the firm itself and its owners. Yet law firms also have something far more attractive than other businesses – a concentrated trove of client data, such as nonpublic issuer information; client trade secrets; confidential information on client business strategies, controversial matters and transactions, and litigation; sensitive information with reputational impact for public and private individuals and institutions; and on and on. Law firms also have information and credentials that can serve as gateways to clients’ systems, through hacking or social engineering.
Despite their valuable information, many law firms are demonstrably lax in their data security posture. Results of the 2018 ABA Legal Technology Survey reveal a bleak picture for law firm data security controls:
In the midst of a troubling threat environment, why are so many firms still behind the curve in their data security safeguards? Here are ten factors to consider:
Continue Reading Law Firm Data Security Vulnerabilities
Just another day at the firm. The case was settled, with a $500,000 payment to be made to the approved settlement administrator. The law firm received an email from the administrator with wire transfer directions, and the settlement funds were sent per the instructions. Just one problem – the email didn’t come from the administrator, the receiving bank was not the right bank, and the half million dollars evaporated. Poof – gone in an instant.
Sure, it would’ve been prudent for the law firm to have picked up the phone and independently verified the email sender and instructions. But how did the bad guys know precisely to whom and when to send the phony email, and exactly what to say? Was it from publicly available information in the court file? Was there a rogue insider at the firm, or at one of the other litigant’s firms, or at the court, or with the settlement administrator? Or was someone’s email account illicitly monitored after being compromised by malware or through phished access credentials?
Business email compromise (BEC) is a growing threat for businesses generally. Reports of BEC incidents to the federal Financial Crimes Enforcement Network (FinCEN) have doubled from 2016 to 2018, with the dollar amounts rising nearly threefold, from $110 million monthly in 2016 to over $300 million monthly in 2018.
But BEC is only one of many potent threats to law firm data security. Here are some high-profile examples from the news:
Continue Reading Law Firm Data Security Threats
They say that the right time to plant a tree is yesterday. In a world of data dangers and opportunities, the time to elevate how your business governs its information is now. That’s easy to say, but with all of the conflicting priorities facing companies today, for many it’s hard to get started, or to