Caution Against Cybersecurity Without Data Privacy  

The Conundrum

I’ve noticed an interesting conundrum: cybersecurity programs operating without consulting a privacy attorney.

When I first realized that cybersecurity was being implemented without consulting a privacy attorney, I thought, “how?” and “why?” How would you know which data requires cybersecurity if you don’t know which data is entitled to privacy? Why would you spend money on a cybersecurity program that might not help you avoid legal liability and fines?

A privacy law determines what needs to be protected. Cybersecurity is how to protect it.

Privacy Law & Cybersecurity Work Together

From trade secrets to personal identifying information, we look to the law to understand which types of data are entitled to privacy. Some laws even dictate how we achieve privacy by mandating security measures such as encryption. The laws might also impose duties and obligations on companies that handle data. Failure to comply with privacy laws can cost companies a lot of money in the form of penalties, fines, expensive lawsuits, and crippling damage to reputation. Without a proper assessment of privacy law, a cybersecurity program might not include the security measures that reduce legal liability or allow the company to meet its legal obligations. Cybersecurity without data privacy is an expensive shot in the dark. I can only assume that when companies pursue cybersecurity without understanding data privacy laws, they do so out of ignorance or misunderstanding, not by intention.

Rather than randomly apply cybersecurity measures, companies should narrow the focus of their cybersecurity programs by tailoring them around potential legal liability. Of course, it is crucial to implement general cybersecurity to protect the company’s network from malicious attacks and intrusions, but it is also important to understand that some types of data require additional security, procedures for destruction, processes for obtaining appropriate consent and access, and other requirements depending on applicable privacy laws. Such requirements should be addressed in a comprehensive cybersecurity program.

Consider basic home security. We put locks on the outward facing doors and windows to protect ourselves and our belongings. Many of us even install alarm systems. We put locks on bathroom doors to protect privacy. But do we put locks on all doors? For some reason, we do not put locks on closet doors. It is another door, yet not deserving of a lock because of the general understanding about how closets are used and the expectations of privacy and security within a closet. Of course, you could add a lock to your closet door. Nothing is stopping you. You could add locks to every single door and cabinet in the house. But this would be unnecessary and inconvenient. Could you imagine having to unlock a cabinet door to get a cup for water? Even though it is possible, we simply do not need locks on every door and cabinet.

Unlike the common sense we share about home security and physical privacy, cybersecurity and data privacy are less intuitive. The good news is that rather than rely on common intuition, we have privacy laws to guide us in determining which doors in the cyber world require locks, so that we are not wasting resources by installing locks that are unnecessary and inconvenient.

Having a cybersecurity program without considering privacy law might not only be a waste of money, but it could also miss the target and leave your company exposed to legal liability.

A Holistic Approach to Cybersecurity

I’ve been throwing around the word “holistic” a lot lately. By lately, I mean the last 3 to 5 years. My obsession with the word began when I started searching for a solution to what I describe as “digestion issues”. Doctors tried to prescribe xan...tax…ex…but I wanted a better answer. I was drawn to the concept of “a holistic approach to health”. Focusing not only on diet, but on the food – am I eating seasonal foods? Am I balancing spicy foods with cooling foods? Am I getting enough rest and variety of exercise? For the first time I realized it is not about eating the same chicken salad and performing the same cardio routine every day, but about mixing it up; finding balance.

I continue to talk about the holistic approach to health, but now, I am applying the word “holistic” to my work by referring to a holistic approach to cyber liability.

Have I gone holistically crazy?

Unless it is contagious, I seem to be on the same path as other industry leaders. Many of the articles I am reading on data privacy and cybersecurity refer to a holistic approach. Looking at a company’s infrastructure from all angles, collaborating across departments, considering the big-picture and implementing processes throughout a lifecycle of data, evaluating exposure from inside-out, considering the before, during, & after, and in between – this is holistic.

It seems that many people, myself included, are preaching a holistic approach to life, whether it be health in the real world or in the cyber world. When has a holistic approach ever been a bad idea? When did we get away from balance and start binging on grilled chicken?

Your health and your network respond well to the holistic approach. Think of the vulnerabilities or problems from every angle and plug in solutions. Part of the holistic approach is accepting that it is a work in progress. You cannot achieve perfection; you strive to be healthy.

By now you’ve seen references to “cyber hygiene” or “cyber health”. This means companies need to think of cyber liability from all angles and incorporate routine check-ups. Understand that managing cyber liability is part of day-to-day business.

 

What do you mean by "Where is my data"?

You may have recently been instructed to “know where your data is located” or maybe you’ve been asked “where is your data”?

The location of your data refers to the physical location of the storage. Somewhere a machine is sitting in a room, storing your information. When that machine serves other computers over a network, it is called a server, and there can be more than one. Your data could be fragmented among multiple services, in multiple locations. Here are a few examples of where your data might be stored:

·       Desktop computer

·       Laptop computer

·       Phone

·       Printer

·       Scanner

·       Your personal server

·       Server belonging to the cloud service provider

·       Server belonging to a third party contracted by your cloud service provider

·       Servers used by mobile applications that store your information 

Admittedly, the above list starts off with no surprises and then trails off into the weeds. You may be wondering how you can possibly know anything about servers owned by other people. Many people ignore this information, but recent changes to data protection laws have increased liability for ignorance. To use software services, you consent to the terms of service or end-user agreement. Embedded in these agreements, and in the accompanying privacy policy, you will find details about how a company uses your information. Server locations and the third parties with access to your data (i.e. subprocessors storing your data) are often disclosed separately, in a privacy policy, a data processing addendum, or a published subprocessor list, so look for those documents as well when the terms themselves are silent.

You can audit yourself by listing all of the devices from which you can access your data. Then list all of the platforms you use to access data. These typically require, or at one point required, some sort of login credentials, so a password manager’s account list is a good starting point. Review the terms of service and end-user agreements for each service provider. Finally, list the applications you use and review their terms of service.

With a simple audit, you will be more informed about where your data is located and be better prepared to answer the tough questions.

4 Types of Data Law Firms Must Protect

By now we all should have realized that cyber-related risks are not going to disappear. Technology is here to stay and so are the risks associated with using technology. Data breaches, ransomware and phishing attacks are a daily occurrence and constitute some of the risks of using technology.

But don’t despair. We face and manage risks in our everyday activities such as riding in cars. Rather than avoid transportation, we wear our seatbelts and follow traffic laws to reduce the risks associated with riding in cars. Risks associated with technology can be reduced in the same manner; apply safety features and follow the rules.

A law firm’s exposure to risk depends on the type of data processed and stored by the firm. It also depends on the type of technology the firm uses.

Lawyers have obligations to maintain confidentiality, to be competent, and to safeguard property, including information, belonging to clients. Information subject to lawyers’ obligations should be protected. Depending on the lawyer’s practice area, the law firm may also handle medical records, financial information, and other personal information subject to regulation. Consider whether or not you handle information that falls into a regulated category, and learn the regulatory requirements for treatment of such information.

Essentially you can categorize information as follows:

1.       Confidential

2.       Privileged

3.       Client Property

4.       Regulated

Not all information is created equal. If the information does not fall into one of the above categories, it might not require as much security. For example, it is unlikely you need to stash your news subscription password in a secret vault. One caveat: a low-value password becomes a high-value one the moment it is reused on an account that holds client data, so the password should be unique even if the subscription itself is not worth protecting.

Once you identify which information requires protection, you must apply the appropriate security measures. To do so, you need to understand the technology you are using and how to secure it.

For instance, the door to your office has a lock and maybe a security code as the chosen security measures. Tape would not work. It is also unlikely that a “do not enter” sign would keep people out. Much like you understand the various methods of securing a door, you should understand the various methods of securing technology. How do you secure cloud access? How do you secure email? Think about where you store data that fits into one of the 4 categories mentioned above. After you identify the location of your data, consider each access point. Can you access your email from only one laptop? Or can you access email by logging in from a browser on any device? How do you access your data? Each additional access point, such as webmail from any browser, a phone app, or a forwarding rule, is another door that needs its own lock, such as multi-factor authentication and limits on which devices may connect.

For each access point, research different security measures. Find the appropriate locks and know that there are people and resources out there who can help you properly protect your data.

Attention Small-Medium Businesses: Cybersecurity Can Cost You Everything

Small and medium-sized businesses (“SMBs”) are not immune from cyber liability and can be held responsible, not only for a cyber breach, but for lax cybersecurity. Lax cybersecurity is likely to result in financial harm in the form of penalties or lost business.

Historically, SMBs may have thought of themselves as too small to be noticed in matters involving cybersecurity. Perhaps, the idea that SMBs could go unnoticed was reinforced by an assumption that only big businesses could be monitored or held accountable for a data breach. After all, why would anyone care to monitor the cybersecurity of a SMB?

With the strictest data privacy law to date, the EU General Data Protection Regulation (GDPR), and effectively a cybersecurity law as well, taking effect in May 2018, the days of going unnoticed are over. While the new law might not directly affect SMBs, the indirect effects will be just as significant to the SMB’s existence.

For example, businesses directly impacted by the new law have a duty to ensure their third-party vendors have adequate security measures to protect data. The third-party vendors are often SMBs. An SMB’s failure to use adequate security can cost the business substantial amounts of money. Rather than risk fines that under GDPR reach €20 million or 4% of worldwide annual turnover, whichever is higher, the business directly affected by the strict law will have a great incentive to trade the insecure SMB for more secure alternatives.

As if a threat to a company’s existence is not sufficiently compelling, there are also U.S. laws that directly impact SMBs. Depending on the SMB’s industry and the type of data collected, laws that dictate data privacy might require strict security. Violations of such laws may subject SMBs to financial penalties, fines and other civil liability.

To demonstrate that no business is small enough to go entirely unnoticed, imagine a boutique hair salon. The salon regularly purchases hair products from an international distributor. The salon uses an online portal to order supplies and, since orders are fairly regular, they are scheduled automatically every few weeks. Imagine that the salon also accepts credit card payments and stores customer information to track a salon-awards program. The awards program offers customers credit at the salon for each fifty dollars spent. The salon has no cybersecurity policy because the owner believes the salon doesn’t work with “technical stuff” or “secrets” that a hacker would want. There is one administrative password shared by the staff. It is “password123”. The same password is used to log in to the distributor’s portal. The company has been in business for ten years and has had to buy more computer storage for all of the customer information. The salon has never purged information.

For the salon, it is business as usual until one day the computers are down. The salon cannot process credit cards, and the computers seem to have a glitch. The salon will eventually realize that its systems have been breached. Credit card and customer information have been stolen, and because the salon reused its one shared password, the attacker also holds a working login to the distributor’s portal. As a result, the international distributor is breached as well.

Laws involving cybersecurity, data, and privacy can have a devastating impact on SMBs, directly and indirectly. It is more important now than ever that SMBs implement an adequate cybersecurity program. There are many online guides to help you get started. There are also cybersecurity consultants, experts, and attorneys who can help you understand how to protect your data, comply with laws, and ultimately minimize your liability. Cybersecurity is an investment in the future of your business. For SMBs, it is survival of the securest.