How to Protect Data

Asking how to protect data is similar to asking “which is the best lock?”. 

Typically, a variety of security measures are recommended to create layers of protection.  The first step in protecting data is identifying your assets and vulnerabilities.  Begin by listing which technology your company already uses, how it is used and the goals that technology is meant to achieve.  A few starting questions include the following: 

  • Does the company use the cloud? 

  • Who is the cloud service provider?  What is in the SLA?

  • Does the company permit BYOD (bring your own device)? 

  • Who has access to the company’s information?  Who needs access and does everyone need equal access?

  • Does the company use encryption?

  • Does the company use passwords?

  • What type of information does the company handle (i.e. regulated)?

  • What does the company need technology to do? Is status quo working to achieve the company’s goals?

Once you’ve answered questions like those listed above, you are ready to begin proactive protection. 

There are many products and services that can address your needs.  It takes time and research, but if you have narrowed down a list of needs, it should be easier to shop for the appropriate tools.  The people making these lists and evaluating the needs of the company are the people with decision-making authority.  If your company has a board, the discussion begins at the board level.  Ultimately, the board could be liable for failing to consider cyber protections. 

Are we safe yet? 

Data protection will be constant, requiring regular monitoring and tweaking as risks shift and evolve.  There must be a system in place for detecting a breach.  Despite having proactive, preventative safeguards in place, the risk of a breach still exists.  By implementing preventative safeguards, you help lessen the severity of a breach.  To help protect against liability, it is helpful to have taken reasonable steps to mitigate or avoid a breach in the first place.  A few options for monitoring include: 

  • In-house technology team to monitor changes in legislation and risk

  • Outside experts perform routine audits to monitor the protections

  • Software to identify threats

  • A tech expert on the board 

Ultimately, business owners or the board will be responsible for either managing the risk or allocating the duty elsewhere to an individual or to a special department.  A failure to even consider these risks could result in director and officer liability. 

Is it all a wasted effort in the event of a breach?

A breach is possible regardless of the proactive steps taken by the company.  [Insert your favorite lesson about how life is not always fair.]  However, your proactive steps could lessen the blow.  If you have taken reasonable steps in implementing security measures, you may have met your responsibilities and could avoid liability. 

Coping with a breach. 

The occurrence of a breach is not a game-ender.  You can recover.  First, you must have a procedure in place to handle a breach.  The following are areas that should be included in a comprehensive breach reaction plan. 

  • Detection of the breach

  • Assessing damage

  • Disclosure of the breach

  • Recovery

  • Cybersecurity liability insurance 

Included in the details of your company policy should be who you call and when you call them.  Your company attorney should be among those at the top of the call list.   

Quick Tips 

  1. Business decision-makers should pay attention to how technology is used in the company and know what protections are in place.  The decision-makers should regularly evaluate these protections and implement necessary changes.

  2. Regularly conduct routine risk assessments.  Keep track of the technology being used and the data involved.

  3. Regularly monitor for a breach and have an action plan.

  4. The action plan must include a procedure for mandated disclosures.

  5. Keep current on state and federal laws regarding technology use. Regularly educate your employees and board members on current policy and procedures. 

  6. Keep looking forward. 

No Walls: Thinking About Privacy in the Cloud

Below is a link to Dropbox’s principles on how it will treat governments’ requests for information. 

 https://www.dropbox.com/transparency/principles

In my opinion, what Dropbox is attempting to accomplish is a necessary next step.  Think of your Dropbox account as your home closet.  Your closet is full of private objects and information and a government would need a warrant to search it.  The government could not simply cut a hole in the wall and enter your closet from the outside, so why should the government be able to access your information in Dropbox from another path?

This should seem logical.  However, the cloud and technology need their own set of rules and conceptualizations.  Because we are comfortable and familiar with the idea of tangible property inside a closet, it seems second nature to analogize the closet to the cloud.  It seems like an obvious connection, but is it correct?  Is the cloud like your closet or is it time to accept that intangible information or data needs its own set of novel guidelines?  After all, although you may own the walls surrounding your closet, you are unlikely to own the digital walls surrounding your information.  A government would need tools to destroy a structure and cut through walls to gain access to your closet.  No tools or destruction are necessary to access your data.  In the cloud, access is as simple as drawing a door. There are “doors” that you didn’t know existed.

The analogy almost works except that in the cloud, there are no walls.  How do you find privacy in a plane/universe where information is floating around?  If we want walls, we need to build them.  The walls must be defined, universally recognized, and enforceable.   

There are no boundaries to what technology can accomplish.  It’s time we start thinking without boundaries.

 

Privacy in the Cloud aka "Stranger Danger!"

Shortly after I was taught how to turn on a computer, I was taught that nothing on the computer is private.  My computer education went something like this:  learn to walk, learn to turn on the computer, learn to use a floppy disk, learn to write code.  Somewhere around the age of five years old is when I decided I didn’t want to learn how to write code and would rather play computer games.  (I <3 Mr. Robot!)  This is all part of growing up with a father who, as my family lovingly puts it, “does something with computers for a living”.  Thanks to my father, I’ve never had to send my computer to the repair shop. 

I have easily taken for granted that I grew up in a technology-friendly, security-focused environment.  As I have gotten older, I realize that not everyone understands computers like we did at home.  I realize this when I see people post their phone numbers or pictures of their children in front of the elementary school they attend.  It is great that so many moments can be shared with a million of your closest family and strangers, but what stands out to me in these situations is, “STRANGER-DANGER!”. 

My first thought is usually, “why would you put this online for crazy people to see?!  You are putting your child in danger!”  In case this isn’t abundantly clear to anyone but me, a photo of your helpless child at the location where they can be found all day, every day, makes it simple for someone to hurt/kidnap/stalk/etc. your child.  When I bring this up in conversation, most people tell me that they believed one of two things: (1) security settings only allowed friends to see the pictures (clearly the settings failed); or (2) that I am an overly paranoid person and need to get a life. 

I love my rose-colored glasses. But, bad people exist in the world.  Obviously, not everyone is bad, but if I understand statistics, the more exposure you have, the more likely you will cross paths with a bad person.  Why increase your chances of becoming a victim?

Around now is when I start sounding more paranoid, but if I am wrong, then why do houses and cars come with locks? Most people lock their houses, cars, and even bicycles. We don’t watch someone tie up a bike and think, “what a paranoid guy”.  Many of us were taught to use the “buddy system” and chose to walk in a well-lit area versus alone in a dark alley. People actively make choices to protect themselves and their belongings…because bad people exist.

My purpose in writing these blogs is to document my research on the “cloud”.  My ultimate goals are to inform people about the cloud including its uses, benefits, and dangers.  I plan to consolidate useful tips and share solutions I’ve developed.  Like anything new, there are issues that need to be resolved.  A lot of the issues are hidden and will appear only after trial and error.  I will hopefully predict some of these hidden issues. 

Because issues will be addressed as they arise over time, I think it is best to approach this topic as a sort of day-to-day journal of progress.  I will update my findings as new developments come to the surface and I uncover more through research.

Before we begin this journey together, I feel that it is important to have a realistic understanding of privacy on the computer and on the internet.  I also think it is important that I explain briefly why the cloud is important and how you use it.  Finally, I should arrive at my ultimate purpose of this blog and share my findings and opinions on how to best protect yourself in the cloud.  First, we need to go back in time to when I was five….