Our firm’s elephant icon is a nod to The Blind Men and the Elephant, the familiar, age-old parable for how we often do not see the big picture, but instead only the parts we directly encounter. And so it goes for organizations’ data. Individual company functions and departments often have their own, limited perspectives on information, seeing only the risks and opportunities with which they are directly familiar. Limited perspective yields limited perception – not a good thing for identifying, understanding, and controlling organizational risk.

I actually prefer a slightly different version, The Blind Elephants and the Man:

One day, six blind elephants were in a heated argument about what Man was like. To resolve their dispute, they sought out and found a man. The first elephant “felt” the man and then proclaimed “Man is flat.” Each of the other elephants, in turn, felt the man, and they all agreed.

The moral? Limited perspective not only yields limited perception – it can also lead to very bad results.

“Information Governance” has become an overused buzz-phrase, often trotted out as marketing mumbo-jumbo for selling technology tools.  In all the hype one can easily lose track of what it really means.  At its heart, Information Governance is no more – and no less – than making sure the organization sees the big picture of information compliance, cost, risk, and opportunity when making strategic decisions.

The Information Governance perspective is a ready-made, scalable resource. Any organization can make meaningful headway, right away, by simply adopting an inclusive IG perspective when addressing information matters, before investing in significant organizational changes and expensive technology tools.

What does this mean? Simply this – whenever any information-related issue is dealt with or decision will be made by your organization, be sure to ask the following:
Continue Reading Why govern our information? Reason #2: Your information risks and opportunities arise from a single source – your data. Your response strategies should be synchronized too.

As you toss and turn in bed, you picture yourself on a strange playing field with other athletes swirling around you.  You have absolutely no idea what sport you are playing, nor a clue what the rules are.  It all feels beyond embarrassing, and downright dangerous.

This is not just a bad dream – it’s the reality for companies possessing third-party data without clarity on what rules and responsibilities apply.

Most companies possess some data that they do not truly and solely own.  Perhaps your company signs a nondisclosure agreement and obtains others’ information while evaluating a business opportunity.  Or maybe your company is a service provider that receives or generates data on behalf of customers or clients.  Your company has possession of the data, but it remains responsible to the third-parties if there’s a problem.

What kinds of problems? Well, what if the third party’s data is lost, corrupted, misappropriated, hacked, or held for ransom?  What if the cost of maintaining the information, after the work concludes or need passes, becomes onerous?  What if the information becomes relevant in future litigation?  Who is authorized to make decisions about the information when the unexpected happens, and who is responsible for the expenses and exposures?

Information Governance – your organization’s strategic approach to managing information compliance, cost, and risk while maximizing information value – is tailor-made for this commonplace scenario.  Here’s how it works:
Continue Reading Why govern our information? Reason #3: “Your” data may actually belong to others … and you’re responsible to take care of it.

Lightning Strike in ThunderstormIf you’re old enough, you’ll remember a time when businesses actually kept their own information (cue my adult children to roll their eyes). How quaint.  We no longer keep most of our information – providers do that for us.  We store our data in the cloud, with cloud providers. We outsource business applications to SaaS providers, and even entire systems as PaaS.  And we increasingly use service providers to handle key aspects of our business that we used to operate internally, resulting in a robust flow of data out of our businesses to such providers, and also the providers generating, receiving, and retaining huge troves of business data on our behalf.

But we’re still accountable for our information in others’ hands:

  • Litigation – the scope of permissible discovery, and of the preservation duty, extends not only to data in our possession or custody, but also to data within our control.       
  • Data security – we’re generally responsible for data breaches suffered by our service providers.  Under most breach notification laws, including HIPAA and state breach notification statutes, our service providers must notify us of data breaches, but we are still responsible for providing notice to affected individuals and regulators.  Regardless, in the wake of a service provider data breach, we’re in the hot seat.
  • Business Continuity – if we need to promptly restore data due to ransomware or other causes of business interruption, it doesn’t matter who’s the custodian – all that matters at that moment is timely and effective restoration.
  • Retention – third parties retaining information longer (or shorter) than our retention schedule cause us to be at best inconsistent and out of compliance with our information management policies.  At worst?  See Litigation, Data Security, and Business Continuity above.

Our litigation preservation duties do not vanish for information hosted elsewhere but still in our control; our data security obligations do not evaporate when we house protected data with a service provider; our imperatives of data integrity and accessibility have no exceptions based merely on data storage location; and our records retention and destruction rules do not disappear if our data is hosted remotely. In other words, we still need to govern information compliance and risk for our business data in other’s custody.

And this is a perfect example of the value of Information Governance. A key benefit of the IG perspective is that it enables organizations to take useful strategies from one established discipline and apply them more broadly. The importance of service provider controls is well-established in the data security discipline. For example:
Continue Reading Why govern our information? Reason #4: Your business data is in others’ custody … but you’re still responsible for it.

A metal cattle brand with the word brand as the marking areaThe “business case” for information governance often focuses solely on quantifying specific costs for data management and exposures for data security and ediscovery.  Number crunching is of course important, but it misses something bigger, more strategic, and ultimately more crucial to the organization – its brand.  Companies, regardless of industry, are fundamentally in the information business.  It follows that how an organization manages its information assets reveals how the organization manages itself.  And that matters, a lot, because companies that align themselves with their brand, achieving brand discipline, are more successful.

In their seminal 1993 Harvard Business Review article, Customer Intimacy and Other Value Disciplines, Michael Treacy and Fred Wiersema made the case for how highly successful companies (1) understand and redefine value for their customers, (2) build “powerful, cohesive business systems” to deliver more of that value than their competitors, and (3) raise their customers’ expectations beyond what the competition can deliver.  The most successful companies do this work within at least one of three disciplines: operational excellence, product leadership, or customer intimacy.

Treacy and Wiersema based their insights on an intensive study of 40 companies that achieved breakout success in their markets.  They followed the article with their quintessential business strategy book The Discipline of Market Leaders.  Twenty years later, this book is likely still on your CEO’s bookshelf.

What’s the point for information governance?  It’s this – a successful company brand cannot be lipstick on a pig.  It must be organic, a discipline that pervades the organization from the bottom to the top, inward and outward, in its core processes, business structure, management systems, and culture.  And how your organization manages information value, cost, compliance, and risk is no exception.  Simply put, stronger information governance yields a stronger brand for your business.  And this is true for each of the three disciplines of highly successful companies:
Continue Reading Why govern our information? Reason #8: It can build – or bust – your brand

One Bullet in Gun BarrelHaving too much data causes problems beyond needless storage costs, workplace inefficiencies, and uncontrolled litigation expenses.  Keeping data without a legal or business reason also exacerbates data security exposures.  To put it bluntly, businesses that tolerate troves of unnecessary data are playing cybersecurity roulette … with even larger caliber ammunition.

Surprisingly few U.S. data security laws and standards expressly require that protected data be compliantly disposed of once legal and business-driven retention periods expire.   PCI DSS v3.2.1, Requirement 3.1, provides “[k]eep cardholder data storage to a minimum by implementing data retention and disposal policies ….”  HIPAA regulations  mandate that business associate agreements require service providers, upon contract termination, to return or destroy all PHI received or created on the covered entity’s behalf, if feasible.  Alabama and Colorado require that records containing state-level PII be disposed of when such records are no longer needed.  And biometric data privacy laws in Illinois, Texas, and Washington generally require that biometric data be disposed of once it has served its authorized purpose.

Instead, most such laws and standards focus on securely sanitizing or destroying storage media.  For example, the NIST Cybersecurity Framework v. 1.1 includes as a security control (PR.IP-6) that “[d]ata is destroyed according to policy,” and ISO 27002 (§ 8.3.2) provides that “[m]edia should be disposed of securely when no longer required, using formal procedures.”

But data security is not achieved by simply running through a checklist of explicit compliance requirements – it instead requires assessing risks and establishing effective security controls.  And one of the most powerful security controls is to not keep too much data, for too long.
Continue Reading Why govern our information? Reason #9: Unnecessary business data multiplies data security exposures

Hands pointing towards businessman holding head in hands Being a CISO is a tough gig.  The perpetual deluge of news items on hack after hack, breach after breach, has finally conveyed that data security is an imperative for all companies, large and small.  But the perception still lingers that the Chief Information Security Officer (or her InfoSec team) will single-handedly prevent breaches at “our” company – and if one should occur, will take care of the response.  For some CISOs, it may feel like High Noon, all over again.

This is unfair to the CISO, and wrong on at least two counts.  First, regardless of the CISO’s job description, the full range of cyber risk exceeds the scope of the CISO’s practical control.  Second, effective breach response requires up to ten channels of coordinated activity, and nine of the ten fall outside of the CISO’s authority.
Continue Reading Why govern our information? Reason #10: It’s a when, not if, world for data breaches

Depressed employee with laptopMost people have elevated stress during the holiday season — work, travel, family, money, time.  And holiday stress can make people inattentive, tired, frustrated, and willing to take short cuts, especially when it comes to computer and Internet use.  This is when mistakes happen.  It’s when we decide to evade policy by emailing work home or by using the unsecured airport Wi-Fi because our plane is delayed.  It’s also when malicious acts of information theft, sabotage, and fraud can more easily occur and go undetected.

According to a recent survey, insider threats — as opposed to outside actors — can account for nearly 75% of cyber incidents.  These incidents occur because of the actions of employees, suppliers, customers, and previous employees.  Law firms are not exempt, particularly small to medium size firms.  In fact, smaller firms typically have fewer resources to devote to cybersecurity and use more outside suppliers.

End-of-year activities for law firms also make them especially vulnerable to insider threats, whether inadvertent or malicious: the push to bill and collect for more hours, time-sensitive legal matters that must be resolved before the end of the calendar year, attending to year-end tax accounting, case and client review, bonus calculations.  Lawyers and their staff feel the strain of extra hours, looming deadlines, and sometimes contentious clients at the same time we all feel holiday pressures at home.

What is at risk?
Continue Reading Law firm insider threats don’t take a break for the holidays — they may get worse.

Fish tempted by fishing hookAs technical security improves, human security vulnerabilities are increasingly in the bulls-eye.  For a fresh look at social engineering, and how best to defend against it, there’s no better source than a hacker.  So, I reached out to Cliff Smith, Ethical Hacker & CISSP at Parameter Security, for his take on the current social engineering battleground.  Here’s what he shared:

Confidence games have been around forever.  Is there anything fundamentally different about social engineering practiced by hackers?

Modern social engineering is no different than the classic con games.  They all run on information, trust, and emotions.  The biggest change in the past 20 years or so is that technology makes the attacker’s job much easier, for several reasons.  First, a skilled practitioner can use countless tactics to make their first contact appear more legitimate, such as spoofing a message’s source or creating a legitimate-looking website.  Second, the average user operates on autopilot much of the time when using their phones or computers.  It’s so easy, for example, to click on a link without stopping to think about the danger, which makes phishing attacks much more likely to succeed.  Third, technology makes the consequences of social engineering much more dire.  In just a few clicks, you can accidentally ruin your financial life, or someone else’s.

It’s commonly understood that phishing is a problem, and that phishing is a deceptive email with a malicious link.  Is it that simple, or are there other social engineering attacks to be concerned about?
Continue Reading If you teach a man to phish …

Last Piece of PuzzleWhew – we’ve survived yet another round of states enacting or amending their PII breach notification laws.  If a trial lawyer’s vacation is the time between her question and the witness’s answer, a data security lawyer’s vacation is when state legislatures are out of session.

Back in 2002, California enacted the first state law mandating notification of individuals whose personally identifiable information (PII) is breached.  Now every state has followed suit, with the final two holdouts, Alabama and South Dakota, joining the other forty-eight states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands by enacting PII breach notification statutes.  Each state has its own unique approach, and the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications.

These laws are triggered by the affected individuals’ residency, not where the breach occurred. So, when an organization with employees or customers in many states suffers a data breach, it must comply with a wide variety of conflicting and evolving state breach notification laws. And differ and evolve they do:
Continue Reading With PII breach notification statutes, the rules keep changing

Empty SafeLast week’s post explored why law firms need data security policies.  Before we move on, I’d be remiss if I didn’t mention another policy that’s absolutely crucial for the law firm’s data security posture – a records management policy, coupled with an up-to-date and legally validated records retention schedule.

What does a records retention schedule have to do with data security?  Simply this – keeping data without a legal or business reason exacerbates data security exposures.

Breached systems frequently contain many times more data than was needed for retention compliance or any valid business or operational purpose.  This unnecessary data multiplies the number of those whose confidential or protected information is compromised, and can also have exponential impact once breached, passing a tipping point on lasting reputational damage or on the economic viability of claims against the firm.

It’s not possible for a breach to compromise the security of information that no longer exists, having already been compliantly disposed of once its legally required retention and business value have expired.

But surely most every law firm has a records retention schedule in place for its records of client matters and firm administration, right?  Actually, far too few firms do.
Continue Reading Law firm data retention – they can’t hack what you no longer have