What do you mean by "Where is my data"?

You may have recently been instructed to “know where your data is located” or maybe you’ve been asked “where is your data”?

The location of your data refers to its physical location: somewhere a machine is sitting in a room, storing your information. These machines are called servers, and there can be more than one. Your data could be fragmented among multiple services, in multiple locations. Here are a few examples of where your data might be stored:

·       Desktop computer

·       Laptop computer

·       Phone

·       Printer

·       Scanner

·       Your personal server

·       Server belonging to the cloud service provider

·       Server belonging to a third party contracted by your cloud service provider

·       Servers used by mobile applications that store your information 

Admittedly, the above list starts off with no surprises and then trails off into the weeds. You may be wondering how you can possibly know anything about servers owned by other people. Many people ignore this information, but recent changes to data protection laws have increased liability for ignorance. To use software services, you consent to the terms of service or end-user agreement. Embedded in these agreements you will find details about how a company uses your information and where the servers are located. Hopefully, you also find details about any third parties with access to your data (i.e. storing your data).

You can audit yourself by listing all of the devices from which you can access your data. Then list all of the platforms you use to access data. These typically require, or at one point required, some sort of login credentials. Review the terms of service and end-user agreements for each service provider. Finally, list the applications you use and review their terms of service.

With a simple audit, you will be more informed about where your data is located and be better prepared to answer the tough questions.

4 Types of Data Law Firms Must Protect

By now we all should have realized that cyber-related risks are not going to disappear. Technology is here to stay, and so are the risks associated with using technology. Data breaches, ransomware and phishing attacks are a daily occurrence and constitute some of the risks of using technology.

But don’t despair. We face and manage risks in our everyday activities, such as riding in cars. Rather than avoid transportation, we wear our seatbelts and follow traffic laws to reduce the risks associated with riding in cars. Risks associated with technology can be reduced in the same manner: apply safety features and follow the rules.

A law firm’s exposure to risk depends on the type of data processed and stored by the firm. It also depends on the type of technology the firm uses.

Lawyers have obligations to maintain confidentiality and competence, and to safeguard information belonging to clients. Information subject to lawyers’ obligations should be protected. Depending on the lawyer’s practice area, the law firm may also handle medical records, financial information, and other personal information subject to regulation. Consider whether or not you handle information that falls into a regulated category, and learn the regulatory requirements for treatment of such information.

Essentially you can categorize information as follows:

1.       Confidential

2.       Privileged

3.       Client Property

4.       Regulated

Not all information is created equal. If the information does not fall into one of the above categories, it might not require as much security. For example, it is unlikely you need to stash your news subscription password in a secret vault.

Once you identify which information requires protection, you must apply the appropriate security measures. To do so, you need to understand the technology you are using and how to secure it.

For instance, the door to your office has a lock and maybe a security code as the chosen security measures. Tape would not work. It is also unlikely that a “do not enter” sign would keep people out. Much like you understand the various methods of securing a door, you should understand the various methods of securing technology. How do you secure cloud access? How do you secure email? Think about where you store data that fits into one of the 4 categories mentioned above. After you identify the location of your data, consider each access point. Can you access your email from only one laptop? Or can you access email by logging in from a browser on any device? How do you access your data?

For each access point, research different security measures. Find the appropriate locks and know that there are people and resources out there who can help you properly protect your data.

Attention Small-Medium Businesses: Cybersecurity Can Cost You Everything

Small and medium-sized businesses (“SMBs”) are not immune from cyber liability and can be held responsible, not only for a cyber breach, but for lax cybersecurity. Lax cybersecurity will inevitably result in financial harm in the form of penalties or lost business.

Historically, SMBs may have thought of themselves as too small to be noticed in matters involving cybersecurity. Perhaps the idea that SMBs could go unnoticed was reinforced by an assumption that only big businesses could be monitored or held accountable for a data breach. After all, why would anyone care to monitor the cybersecurity of an SMB?

With the strictest laws in data privacy and, effectively, cybersecurity taking effect in May 2018, the days of going unnoticed are over. While the new laws might not directly affect SMBs, the indirect effects will be just as significant to the SMB’s existence.

For example, businesses directly impacted by the new laws will have a duty to ensure their third-party vendors have adequate security measures to protect data. The third-party vendors are often SMBs. An SMB’s failure to use adequate security will cost the business substantial amounts of money. Rather than risk millions or billions of dollars (e.g. GDPR fines), the business directly affected by the strict laws will have a great incentive to trade the insecure SMB for more secure alternatives.

As if a threat to a company’s existence were not sufficiently compelling, there are also U.S. laws that directly impact SMBs. Depending on the SMB’s industry and the type of data collected, laws that dictate data privacy might require strict security. Violations of such laws may subject SMBs to financial penalties, fines and other civil punishment.

To demonstrate that no business is small enough to go entirely unnoticed, imagine a boutique hair salon. The salon regularly purchases hair products from an international distributor. The salon uses an online portal to order supplies and, since orders are fairly regular, they are scheduled automatically every few weeks. Imagine that the salon also accepts credit card payments and stores customer information to track a salon-rewards program. The rewards program offers customers credit at the salon for each fifty dollars spent. The salon has no cybersecurity policy because the owner believes the salon doesn’t work with “technical stuff” or “secrets” that a hacker would want. There is one administrative password shared by the staff. It is “password123”. The same password is used to log in to the distributor’s portal. The company has been in business for ten years and has had to buy more computer storage for all of the customer information. The salon has never purged information.

For the salon, it is business as usual until one day the computers are down. The salon can’t process credit cards, and the computers seem to have a glitch. The salon will eventually realize that its systems have been breached. Credit card and customer information have been stolen, and the salon’s portal to the distributor is compromised. As a result, the international distributor is also breached.

Laws involving cybersecurity, data, and privacy, directly and indirectly, can have a devastating impact on SMBs. It is more important now than ever that SMBs implement an adequate cybersecurity program. There are many online guides to help you get started. There are also cybersecurity consultants, experts, and attorneys who can help you understand how to protect your data, comply with laws, and ultimately minimize your liability. Cybersecurity is an investment in the future of your business. For SMBs, it is survival of the securest.

Why Lawyers Should Adapt to Technology & How

Lawyers must adapt to technology. The saying “if it’s not broke, don’t fix it” does not apply to technology. Ethical obligations and client demand are the driving forces that require lawyers to adapt to technology.

The Professional Rules of Responsibility require lawyers to be competent and to maintain confidentiality. Lawyers have a duty to understand the technology available to help clients, and they are expected to use technological advances to zealously advocate for clients.

Clients are using technology. They expect lawyers to integrate technology almost as effortlessly as the rest of the world. Clients also understand cyber risk. Companies from small to large face cyber liability. These clients expect their lawyers to understand these challenges just as well as they understand other civil and criminal liability. If a company is using a computer, it is highly likely that it is exposed to cyber liability.

If you understand the need to adapt, you may be wondering how to adapt. I suggest approaching technology like any other lifestyle change: slowly introduce new technology into your daily life while following the news. There is a plethora of information out there about technology and cyber liability. Join the conversation; subscribe. If you need more guidance, reach out to a technology organization. The Texas State Bar and the American Bar Association have special interest groups that cater to technology and law. Check online videos for how-to’s. Ask members of your local bar for help.

You don’t want to be left behind.

How to Protect Data

Asking how to protect data is similar to asking “which is the best lock?”

Typically, a variety of security measures are recommended to create layers of protection. The first step in protecting data is identifying your assets and vulnerabilities. Begin by listing which technology your company already uses, how it is used and the goals the technology is meant to achieve. A few starting questions include the following:

  • Does the company use the cloud? 

  • Who is the cloud service provider?  What is in the SLA?

  • Does the company permit BYOD (bring your own device)? 

  • Who has access to the company’s information?  Who needs access, and does everyone need equal access?

  • Does the company use encryption?

  • Does the company use passwords?

  • What type of information does the company handle (e.g. regulated information)?

  • What does the company need technology to do? Is the status quo working to achieve the company’s goals?

Once you’ve answered questions like those listed above, you are ready to begin proactive protection.

There are many products and services that can address your needs.  It takes time and research, but if you have narrowed down a list of needs, it should be easier to shop for the appropriate tools.  The people making these lists and evaluating the needs of the company should be those with decision-making authority.  If your company has a board, the discussion begins at the board level.  Ultimately, the board could be liable for failing to consider cyber protections.

Are we safe yet?

Data protection will be constant, requiring regular monitoring and tweaking as risks shift and evolve.  There must be a system in place for detecting a breach.  Despite having proactive, preventative safeguards in place, the risk of a breach still exists.  By implementing preventative safeguards, you help lessen the severity of a breach.  To help protect against liability, it is helpful to have taken reasonable steps to mitigate or avoid a breach in the first place.  A few options for monitoring include:

·       In-house technology team to monitor changes in legislation and risk

·       Outside experts who perform routine audits to monitor the protections

·       Software to identify threats

·       A tech expert on the board

Ultimately, business owners or the board will be responsible for either managing the risk or allocating the duty elsewhere, to an individual or to a special department.  A failure to even consider these risks could result in director and officer liability.

Is it all a wasted effort in the event of a breach?

A breach is possible regardless of the proactive steps taken by the company.  [Insert your favorite lesson about how life is not always fair.]  However, your proactive steps could lessen the blow.  If you have taken reasonable steps in implementing security measures, you may have met your responsibilities and could avoid liability.

Coping with a breach

The occurrence of a breach is not a game-ender.  You can recover.  First, you must have a procedure in place to handle a breach.  The following are areas that should be included in a comprehensive breach reaction plan:

·       Detection of the breach

·       Assessing damage

·       Disclosure of the breach

·       Recovery

·       Cybersecurity liability insurance

Included in the details of your company policy should be who you call and when you call them.  Your company attorney should be among those at the top of the call list.

Quick Tips

  1. Business decision-makers should pay attention to how technology is used in the company and know what protections are in place.  The decision-makers should regularly evaluate these protections and implement necessary changes.

  2. Regularly conduct routine risk assessments.  Keep track of the technology being used and the data involved.

  3. Regularly monitor for a breach and have an action plan.

  4. The action plan must include a procedure for mandated disclosures.

  5. Keep current on state and federal laws regarding technology use. Regularly educate your employees and board members on current policies and procedures.

  6. Keep looking forward.