They say that the right time to plant a tree is yesterday. In a world of data dangers and opportunities, the time to elevate how your business governs its information is now. That’s easy to say, but with all of the conflicting priorities facing companies today, for many it’s hard to get started, or to
Having too much data causes problems beyond needless storage costs, workplace inefficiencies, and uncontrolled litigation expenses. Keeping data without a legal or business reason also exacerbates data security exposures. To put it bluntly, businesses that tolerate troves of unnecessary data are playing cybersecurity roulette … with even larger caliber ammunition.
Surprisingly few U.S. data security laws and standards expressly require that protected data be compliantly disposed of once legal and business-driven retention periods expire. PCI DSS v3.2.1, Requirement 3.1, provides “[k]eep cardholder data storage to a minimum by implementing data retention and disposal policies ….” HIPAA regulations mandate that business associate agreements require service providers, upon contract termination, to return or destroy all PHI received or created on the covered entity’s behalf, if feasible. Alabama and Colorado require that records containing state-level PII be disposed of when such records are no longer needed. And biometric data privacy laws in Illinois, Texas, and Washington generally require that biometric data be disposed of once it has served its authorized purpose.
Instead, most such laws and standards focus on securely sanitizing or destroying storage media. For example, the NIST Cybersecurity Framework v. 1.1 includes as a security control (PR.IP-6) that “[d]ata is destroyed according to policy,” and ISO 27002 (§ 8.3.2) provides that “[m]edia should be disposed of securely when no longer required, using formal procedures.”
But data security is not achieved by simply running through a checklist of explicit compliance requirements – it instead requires assessing risks and establishing effective security controls. And one of the most powerful security controls is to not keep too much data, for too long.…
Being a CISO is a tough gig. The perpetual deluge of news items on hack after hack, breach after breach, has finally conveyed that data security is an imperative for all companies, large and small. But the perception still lingers that the Chief Information Security Officer (or her InfoSec team) will single-handedly prevent breaches at “our” company – and if one should occur, will take care of the response. For some CISOs, it may feel like High Noon, all over again.
This is unfair to the CISO, and wrong on at least two counts. First, regardless of the CISO’s job description, the full range of cyber risk exceeds the scope of the CISO’s practical control. Second, effective breach response requires up to ten channels of coordinated activity, and nine of the ten fall outside of the CISO’s authority.…
Most people have elevated stress during the holiday season — work, travel, family, money, time. And holiday stress can make people inattentive, tired, frustrated, and willing to take short cuts, especially when it comes to computer and Internet use. This is when mistakes happen. It’s when we decide to evade policy by emailing work home or by using the unsecured airport Wi-Fi because our plane is delayed. It’s also when malicious acts of information theft, sabotage, and fraud can more easily occur and go undetected.
According to a recent survey, insider threats — as opposed to outside actors — can account for nearly 75% of cyber incidents. These incidents occur because of the actions of employees, suppliers, customers, and previous employees. Law firms are not exempt, particularly small to medium size firms. In fact, smaller firms typically have fewer resources to devote to cybersecurity and use more outside suppliers.
End-of-year activities for law firms also make them especially vulnerable to insider threats, whether inadvertent or malicious: the push to bill and collect for more hours, time-sensitive legal matters that must be resolved before the end of the calendar year, attending to year-end tax accounting, case and client review, bonus calculations. Lawyers and their staff feel the strain of extra hours, looming deadlines, and sometimes contentious clients at the same time we all feel holiday pressures at home.
What is at risk?…
Whew – we’ve survived yet another round of states enacting or amending their PII breach notification laws. If a trial lawyer’s vacation is the time between her question and the witness’s answer, a data security lawyer’s vacation is when state legislatures are out of session.
Back in 2002, California enacted the first state law mandating notification of individuals whose personally identifiable information (PII) is breached. Now every state has followed suit, with the final two holdouts, Alabama and South Dakota, joining the other forty-eight states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands by enacting PII breach notification statutes. Each state has its own unique approach, and the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications.
These laws are triggered by the affected individuals’ residency, not where the breach occurred. So, when an organization with employees or customers in many states suffers a data breach, it must comply with a wide variety of conflicting and evolving state breach notification laws. And differ and evolve they do:…
Last week’s post explored why law firms need data security policies. Before we move on, I’d be remiss if I didn’t mention another policy that’s absolutely crucial for the law firm’s data security posture – a records management policy, coupled with an up-to-date and legally validated records retention schedule.
What does a records retention schedule have to do with data security? Simply this – keeping data without a legal or business reason exacerbates data security exposures.
Breached systems frequently contain many times more data than was needed for retention compliance or any valid business or operational purpose. This unnecessary data multiplies the number of those whose confidential or protected information is compromised, and can also have exponential impact once breached, passing a tipping point on lasting reputational damage or on the economic viability of claims against the firm.
It’s not possible for a breach to compromise the security of information that no longer exists, having already been compliantly disposed of once its legally required retention and business value have expired.
But surely most every law firm has a records retention schedule in place for its records of client matters and firm administration, right? Actually, far too few firms do.…
The indictment filed last Friday by Special Counsel Robert Mueller explains how Russian military intelligence officers hacked into computer systems of the DNC, the DCCC, and Clinton Campaign employees during the 2016 presidential race. With sweeping, specific details that have compelled unanimous confidence among Americans (except apparently our President), the 29-page indictment is a textbook on sources and methods. No, not intelligence-gathering sources and methods, which are of course highly classified. Instead, the indictment catalogs the sources of data that were stolen, and the methods used by the GRU intelligence units to methodically hack into the targeted systems, exfiltrate the data, evade detection, and weaponize the data through publications timed to inflict maximum impact.
The lessons to be learned from the indictment’s allegations, summarized below, are useful to any organization serious about data security and prevention, detection, and response to hacking, whether state-sponsored or otherwise.
As explored in last week’s posts, the bad news for law firms is their challenging data security threat environment. On the other hand, law firms that meaningfully elevate their security posture, thereby outrunning less-secure firms, can enjoy good news, including increased revenue, better-controlled expenses, and stronger client relationships.
Security risks flow from threats coupled with vulnerabilities – and when it comes to data security, law firms are uniquely vulnerable. Understanding and countering these vulnerabilities is the key to transforming data security bad news into good news.
Why are law firms so vulnerable?
Law firms have highly valuable information.
Like any other business, firms have employee personal data, including SSNs, payroll data, and health plan data, along with financial and tax information for the firm itself and its owners. Yet law firms also have something far more attractive than other businesses – a concentrated trove of client data, such as nonpublic issuer information; client trade secrets; confidential information on client business strategies, controversial matters and transactions, and litigation; sensitive information with reputational impact for public and private individuals and institutions; and on and on. In addition, law firms have information and credentials that can serve as gateways to clients’ systems, through hacking or social engineering.
Many firms are behind the curve on data security safeguards.
Despite their valuable information, many law firms are demonstrably lax in their data security posture. Consider results of the 2017 ABA Legal Technology Survey regarding law firm data security controls:
- Less than half of the responding firms have the following policies or plans that are important facets of the firm’s security posture: computer acceptable use policy (48%); remote access policy (45%); personal technology use/BYOD policy (24%); incident response plan (26%); disaster recovery / business continuity plan (42%).
- Only 60% of the firms have a formal policy or process to manage retention of data held by the firm, and only 40% have an official records retention schedule.
- 28% of the firms allow personal mobile devices (tablets, laptops, smartphones) to access the firm’s network without any restrictions.
- Only 45% of the firms have file encryption tools, only 36% have email encryption capabilities, and only 21% have full disk encryption.
Why are so many firms behind the curve in their data security safeguards? Here are ten factors to consider (warning – some of the below is not sugar-coated):…
Law firms face significant data security threats. But there’s good news for law firms on data security. When firms are serious about their data safeguards and take concrete steps to strengthen their security profile, they better position themselves for higher revenue, lower and better-controlled expenses, and stronger client relationships.
As always, context matters. The legal services industry has changed dramatically in the last decade, with private practice law firms facing (a) increased competition from nontraditional providers and technology-driven service models; (b) the Internet-driven dissolving of historic barriers to remote service delivery; (c) the post-recession tightening in companies’ outside legal spend; (d) the shift of work to in-house legal staff; (e) the ongoing consolidation of client work in fewer, preferred law firms with geographic bench-strength or industry/specialty focus; and (f) the resulting pressure on mid-sized firms to scale/merge up or specialize/boutique down. There’s no viable “let’s simply wait it out” option in the face of these trends. In short, it’s now a far more competitive world for attracting and retaining clients. There will continue to be winners and losers, but now the margin of difference is more slim.
And this is the “there must be a pony in here somewhere” epiphany – in this highly competitive environment, strategic improvement in a law firm’s data security posture can, more than ever before, make a huge difference.
Here are three examples of how better data security is a strategic win for law firms:…
It all seemed so routine, so straightforward. The case was settled, with a $500,000 payment to be made to the approved settlement administrator. The law firm received an email from the administrator with wire transfer directions, and the settlement funds were sent per the instructions. Just one problem – the email didn’t come from the administrator, the receiving bank was not the right bank, and the half million dollars evaporated. Poof – gone in an instant.
Sure, it would’ve been prudent for the law firm to have picked up the phone and independently verified the email sender and instructions. But how did the bad guys know precisely when and to whom to send the phony email, and exactly what to say? Was it from publicly available information in the court file? Was there a rogue insider at the firm, or at one of the other litigant’s firms, or at the court, or with the settlement administrator? Or was someone’s email account illicitly monitored after being compromised by malware or through phished access credentials?…