4 Things Businesses Are Getting Wrong About Privacy

  1. “We can address privacy later.” This approach can cost you more money than it will save you for several reasons. One big reason not to put off privacy until later is that the FTC is cracking down on businesses as small as solo operations for inadequate data privacy practices.

  2. “We don’t need a lawyer to handle privacy.” I see this time and time again - companies try to rely on a nonlawyer to help them with compliance. We cannot ignore the “law” part of privacy. The laws set the minimum requirements. Why wouldn’t you want a lawyer to interpret the laws for you? Any idea how those standards measure up in court? A privacy lawyer is absolutely necessary to have on the team.

  3. “We’ll do a quick privacy project.” This is a long-term relationship. Buckle in.

  4. “We are too small to worry about data privacy.” Wrong; see number 1.

Prepare for New Required Skills in Technology Responsibility

Will all businesses eventually need to be in the business of technology?  Will a user be liable for his or her actions or inactions with regard to technology?  As data protection laws are created and impose duties on users, it seems that a technology responsibility course could become part of education’s core curriculum:  math, science, language arts, social studies and technology responsibility (tech res). Once upon a time, technology was an elective; these days, it seems like a necessity.   

Using technology responsibly is about risk management and acting reasonably. 

Who needs to know?

You might wonder who really needs to know about technology. The answer to this question used to be something along the lines of “leave it to the IT department”.  These days, the correct answer to the question is, “everyone”.  I am confident that everyone is using a computer or smart phone to access data. Think about all of the Word documents, PDFs and emails you have access to.  “Data” is a broad category and includes information that is personal, confidential, related to the company and/or used for entertainment.  In the past, even if this information might have been accessible to people, it was not so easily accessed and shared.  Entering a filing room to pull a confidential file still required more steps than selecting “send as attachment” or “post” or “tweet” or……you get the point.  Basically, everyone is using technology in some form and should know something about the technology they are using. At a bare minimum, users should know about the major risks and liabilities.  Unfortunately, in practice, many people ignore warnings about risks and liabilities by scrolling down and clicking “accept”.  Blind acceptance could result in the release of rights to your photos, agreeing to share your list of contacts or numerous other things.  It wouldn’t hurt for everyone to be more informed before they select “accept”.  Hence why “everyone” is included in the need-to-know category.

Who needs to care?

Who needs to know is slightly different than who needs to care.

As individuals, most people aren’t going to care who shares their vacation photo or who sees their grocery list.  For the most part, if individuals have any information worth worrying about, a breach of information, while unfortunate, would be minuscule and likely only harm that individual.  Besides, most individuals willingly divulge information regularly via social media.  No one is wondering what’s on your grocery list because we all saw pictures of your meals for the past few weeks.

Then there is the camp of individuals guarding their credit card and social security numbers. Such individuals would be correct that these pieces of information are important, but on a small scale.  Credit card companies are great about finding fraudulent charges. Everyone should be monitoring their bank account anyway. Maybe this is harsh, but no matter how many selfies you take, you probably aren’t as important as you would like to think.  Of course, feel free to care, but know that you probably do not make the cut for the “need-to-care” group.     

Those that really need to care about responsibly using technology are typically those in possession of other people’s information.  Don’t get me wrong, it is a great habit for an individual to be cautious and protect his or her own information.  This is sort of like locking your doors.  It’s your house.

If you lock the doors, great for you.  If you don’t lock the doors and someone steals your belongings, I might feel sorry for you, but my belongings are still safe. 

However, if you are holding a lot of my belongings and fail to lock the doors, I will be very upset if my stuff is stolen.  The same concept applies to the data.  If you have the information or access to data, you have a responsibility to provide security.  The people who really need to care are those involved with business.  Businesses tend to have information including contact information, financial information and confidential information.  I use the term “business” very broadly because all types of businesses are included. This even includes non-profits, education, consumer goods, healthcare, sales, services, etc.  Do not assume you are exempt.  Businesses must have security in place to protect the information of others.  Think of it as if your house is holding their valuables.  YOU, the business, should ensure that the doors are locked.

Businesses should care, but who is the business?

For fear of a tragedy of the commons, here is an elaboration on who within the business should be accountable for caring about data protection.

The structure is flexible and could include a variety of different models depending on what works best for your business.  If there is a board of directors, the responsibility could begin with them.  If there is a partnership, the partners could be accountable.  The important point is that someone is made accountable for monitoring and implementing protection.  What you don’t want to happen is that everyone assumes someone else is dealing with it. (A tragedy of the commons.)  You don’t want to assume that your partner password-protected his computer.  As a business owner, it is your duty to think through these issues and plan ahead.  Either monitor things yourself or assign the duty to another person or to an entire department.  Perhaps hire a technology expert to report back to you.  Create a policy and follow a particular procedure.  Educate each of your employees about what is expected and precisely how they can follow protocol.  As a partner in a business, ask questions and raise concerns if you do not see these policies in place.  Regularly check to see if the policies are being executed correctly.  After all, just because a door has locks doesn’t mean people are always using them.

With breach requirements at the state level and new legislation incentivizing the disclosure of breaches to the federal government, it is only a matter of time before required duties arise demanding a proactive approach.  Similar to requirements for bookkeeping to help protect against future problems, we will eventually see requirements for safeguarding data.

Reasonable care standards are already being incentivized, if not implemented.  It would be wise to create good habits now.  If tech responsibility is eventually added to the elementary school curriculum, it is only a matter of time before a failure to use basic protections will constitute gross negligence, from which there will be little insulation from liability.

You should care earlier rather than later.

No Walls: Thinking About Privacy in the Cloud

Below is a link to Dropbox’s principles on how it will treat governments’ requests for information. 

 https://www.dropbox.com/transparency/principles

In my opinion, what Dropbox is attempting to accomplish is a necessary next step.  Think of your Dropbox account as your home closet.  Your closet is full of private objects and information and a government would need a warrant to search it.  The government could not simply cut a hole in the wall and enter your closet from the outside, so why should the government be able to access your information in Dropbox from another path?

This should seem logical.  However, the cloud and technology need their own set of rules and conceptualizations.  Because we are comfortable and familiar with the idea of tangible property inside a closet, it seems second nature to analogize the closet to the cloud.  It seems like an obvious connection, but is it correct?  Is the cloud like your closet or is it time to accept that intangible information or data needs its own set of novel guidelines?  After all, although you may own the walls surrounding your closet, you are unlikely to own the digital walls surrounding your information.  A government would need tools to destroy a structure and cut through walls to gain access to your closet.  No tools or destruction are necessary to access your data.  In the cloud, access is as simple as drawing a door. There are “doors” that you didn’t know existed.

The analogy almost works except that in the cloud, there are no walls.  How do you find privacy in a plane/universe where information is floating around?  If we want walls, we need to build them.  The walls must be defined, universally recognized, and enforceable.   

There are no boundaries to what technology can accomplish.  It’s time we start thinking without boundaries.

 

Privacy in the Cloud aka "Stranger Danger!"

Shortly after I was taught how to turn on a computer, I was taught that nothing on the computer is private.  My computer education went something like this:  learn to walk, learn to turn on the computer, learn to use a floppy disk, learn to write code.  Somewhere around the age of five years old is when I decided I didn’t want to learn how to write code and would rather play computer games.  (I <3 Mr. Robot!)  This is all part of growing up with a father that, as my family lovingly refers to it, “does something with computers for a living”.  Thanks to my father, I’ve never had to send my computer to the repair shop.

I have easily taken for granted that I grew up in a technology-friendly, security-focused environment.  As I have gotten older, I realize that not everyone understands computers like we did at home.  I realize this when I see people post their phone numbers or pictures of their children in front of the elementary school they attend.  It is great that so many moments can be shared with a million of your closest family and strangers, but what stands out to me in these situations is, “STRANGER-DANGER!”.

My first thought is usually, “why would you put this online for crazy people to see?!  You are putting your child in danger!”  In case this isn’t abundantly clear to anyone but me, a photo of your helpless child at the location where they can be found all day, every day, makes it simple for someone to hurt/kidnap/stalk/etc. your child.  When I bring this up in conversation, most people tell me that they believed one of two things: (1) security settings only allowed friends to see the pictures (clearly the settings failed); or (2) that I am an overly paranoid person and need to get a life. 

I love my rose-colored glasses. But, bad people exist in the world.  Obviously, not everyone is bad, but if I understand statistics, the more exposure you have, the more likely you will cross paths with a bad person.  Why increase your chances of becoming a victim?

Around now is when I start sounding more paranoid, but if I am wrong, then why do houses and cars come with locks? Most people lock their houses, cars, and even bicycles. We don’t watch someone tie up a bike and think, “what a paranoid guy”.  Many of us were taught to use the “buddy system” and chose to walk in a well-lit area versus alone in a dark alley. People actively make choices to protect themselves and their belongings…because bad people exist.

My purpose in writing these blogs is to document my research on the “cloud”.  My ultimate goals are to inform people about the cloud including its uses, benefits, and dangers.  I plan to consolidate useful tips and share solutions I’ve developed.  Like anything new, there are issues that need to be resolved.  A lot of the issues are hidden and will appear only after trial and error.  I will hopefully predict some of these hidden issues. 

Because issues will be addressed as they arise over time, I think it is best to approach this topic as a sort of day-to-day journal of progress.  I will update my findings as new developments come to the surface and I uncover more through research.

Before we begin this journey together, I feel that it is important to have a realistic understanding of privacy on the computer and on the internet.  I also think it is important that I explain briefly why the cloud is important and how you use it.  Finally, I should arrive at my ultimate purpose of this blog and share my findings and opinions on how to best protect yourself in the cloud.  First, we need to go back in time to when I was five….