Fingerprint hud interface and people network

Departing Employees, Data Theft, and Digital Forensics

In late 2019, it was reported by Infosecurity Magazine that 72% of former employees admitted taking company data with them upon departure. Determining what actions a former employee took on a company device leading up to their departure can help assist in determining if company data was stolen or misappropriated. Did the departing employee retire or leave for a competitor? Where they forthcoming with their intent to depart or was it abrupt? Depending on the specifics of the situation, it may be advisable to perform a digital forensic investigation to help locate some answers.

It’s Never a Bad Idea to Preserve a Former Employee’s Devices

When an employee makes the decision to leave a company, it may be time to forensically preserve the contents of an employee’s business device(s), including cloud-based accounts. We are talking about devices provided by the employer for the employee to conduct their work and not personal devices. This will ensure the digital data has been collected in a manner that is admissible in court (should that be the outcome). If the device is not preserved and is reallocated to another employee, important information regarding the previous employee’s actions on the device may be overwritten.

Once the devices used by the employee have been forensically preserved, analysis may begin.

What Evidence May be Available?

USB device activity – This type of analysis includes determining what USB devices (removable storage devices) were plugged in during the system by the user. From reviewing the USB device activity in addition to file access records, it may be possible to determine whether or not file transfers to external devices have occurred on the device

Sent and received emails – Reviewing the  work email account may prove beneficial in locating possible file transfers via email to personal accounts, messages that have been deleted and who they were communicating with about their departure.

File sharing websites – From Dropbox to Google Drive, employees may use online file sharing websites and applications  to steal company data. A review of the web browser history, including active and deleted records, may show access to file sharing websites as well as possible file uploads. It’s also advisable to see if any file sharing programs have been installed on their work computer or mobile device.

Device activity prior to departure – This type of analysis can help determine what the user did on the device prior to leaving the company. Were a large number of files deleted? Were programs uninstalled or removed? This type of analysis can give you a good picture of what was going on in the days leading up to the separation

Deleted file recovery – If a former employee has deleted files before turning their device over, forensic software may have the capability to locate and restore these previously existing files.

Internet history and searches – Web browser history may play a helpful part in determining activity prior to leaving the company. Internet history analysis has the capability to show what websites were visited and when, as well as the ability to recover deleted web browser history and searches. You may also find file access records within the browser history cache which can show when files were accessed and from what location.

Conclusion

Engaging a digital forensics company to analyze a former employee’s business devices can ultimately act as a guard to protect an organization’s intellectual property. If nothing else, consulting with a digital forensics expert can assist in analyzing the situation and offering suggestions on the best way to move forward.

Cybersecurity and information or network protection. Future tech

Legal Tech: The Intersection of E-Discovery and Cybersecurity: You’ve Come a Long Way, Baby

Data is an asset and a liability. It fits into both accounting columns and will not fail to be used against a corporate entity if not secured properly. Databases contain trade secrets, personally identifiable information, HIPAA-protected health care information, proprietary information and classified data. They also house sensitive information and evidence of liability or criminal behavior. As the size of databases grew, one thing became apparent: the information stored in those repositories had to be kept secure. As the importance of data became more evident, so did the importance of information security and cybersecurity.

Lawyers and cybersecurity experts were forced together as soon as employees had access to the internet. Before data breaches became the norm, the ugly secret in the IT closet was the amount of pornography in databases. Employees were searching pornographic materials at work, from their work desktops, and they seemed to believe that no one would ever find out. Unfortunately for them, when lawyers conducted ediscovery for investigations and litigation, they uncovered large volumes of pornography in their clients’ databases. Attorneys were obligated to inform corporate executives of this behavior, including the who, what and when. It was not long before firewalls were installed to block pornographic websites and other nefarious sites.

Lawyers routinely battled over the discovery of electronic data and how to get more data from adversaries in court. Receiving more data also meant reviewing more data. Lawyers reviewed data by looking at every document for relevance and privilege. But what good is it to pore over documents and strategically produce data if a hacker can breach your client’s database, exfiltrate all of the most sensitive data and post it on the dark net? Lawyers needed information security and cybersecurity experts to help block access to the Internet.

Meanwhile, the military and intelligence community were light-years ahead of lawyers. They compiled classified data and kept it from being compromised. The IC was aware of the value of sensitive intelligence data and the hazards of that data falling into the wrong hands. Thus, the military created cybersecurity tools and protocols within the Air Force Computer Emergency Response Team in the late 1990s — primarily network defense tools. Lawyers were largely unaware of and had no access to them, but as corporations and other governmental agencies started looking for ways to protect their most valuable assets, they had to turn to the U.S. government for help. The two professions rarely speak the same language but have the same goals and are often in the room at the same time. For information security and data security, the federal government led the way, with corporations following closely behind, leaving only law firms still lagging.

In 2002, Congress enacted the Federal Information Security Management Act (FISMA), 44 U.S.C. S 3541, et seq. As part of the E-Government Act of 2002, FISMA created the foundation for information security in the federal government and recognized the importance of InfoSEC to the economy and national security.

As data grew, federal CIOs recommended moving data to the cloud to reduce the government’s on-site data storage and risk. Federal CIOs agreed with this protocol, but lawyers did not. Lawyers tend to be risk adverse, not familiar with cybersecurity and very busy. They had no intention of pushing their data outside of their agency. There was one exception, the Department of Justice has had a contract known as Mega for litigation support for over 20 years. Early on, the Mega contractors were primarily defense companies like Lockheed Martin and CACI. The DOJ controlled the environment and worked seamlessly with the Mega contractors for a couple of decades. All federal agencies could utilize that contract for litigation support help. It was convenient because the security component was handled by the DOJ and the contractors were in the defense business.

However, by 2010, federal agencies were looking to upgrade their ediscovery platforms to more modern and robust tools only available in the cloud. Law firms and corporations were using ediscovery vendors to host robust and revolutionary software applications in their environment. Technology-assisted review, computer-assisted review and predictive coding became the norm for the private sector. These tools were innovative and saved time and money, but for the private sector, there was no standard security protocol for hosting third-party data. In fact, while each vendor follows some form of security protocol today, there is still no standard in the private sector. Vendors cobble their security programs together based on ISO and NIST publications.

In 2011, the Office of Management and Budget authorized, via memorandum, the Federal Risk Authorization Program, and the FedRamp Program Management Office was established in 2012. The purpose of FedRamp was to provide a set of guidelines and protocols for securing government data in the cloud. A FedRamp authorization consists of 170+ controls and subcontrols that secure cloud infrastructures, networks and databases. Many of these controls are policies. The bulk of data in agencies that investigate and litigate is used by attorneys. To avoid breaches of legal data, federal agencies locked down their data behind firewalls.

FedRamp authorization allowed federal agencies to put their data in the cloud, but it was an expensive and painful process for those with no knowledge of cybersecurity. Until this year, only three ediscovery companies have made it through the FedRamp authorization process. Meanwhile, data breaches were becoming a common occurrence.

If you are an attorney and you need ediscovery tools, having them behind the firewall of your corporation, firm or agency is no longer the best option. Having the technical expertise, budget and variable options for the management of terabytes and petabytes of legal data is not usually feasible. Multinational organizations and financial institutions are the only entities that can support such infrastructure, and most of them still use cloud-based vendors for ediscovery.

The best cybersecurity experts come straight out of the government. They are in our armed forces, the intelligence community and entities that include DHS and the White House, and they have been dedicated to protecting our government networks from attack. Therefore, using a FedRamp-authorized vendor is turning out to be the best option for agencies. The FedRamp guidelines work as private sector guidelines too. Legal departments, CISOs and vendors are working together to meet the FedRamp guidelines to build secure environments for the tools of their choice.

The fight to keep data safe has become an extremely complex and expensive endeavor. A 2019 study by Emsisoft reported that in 2019 at least 966 health care providers, government agencies and educational institutions in the U.S. were targeted by ransomware attacks. SeeThe State of Ransomware in the US: Report and Statistics 2019 (Dec. 12, 2019). The cumulative cost of those attacks to taxpayers was more than $7.5 billion. Id. The number of attacks on law firms and corporate legal departments is also increasing and jeopardizing attorney-client privilege. Let us look at some recent data breaches and what could have prevented them.

Federal Breach: OPM

In 2014 and again in 2015, the U.S. government discovered the theft of all personnel security clearance information including background investigation files and fingerprints. The attackers gained valid user credentials and employed malware which installed itself onto the Office of Personnel Management’s network and established a back door. More than 20 million records were exfiltrated. The Chinese government reportedly stole the entire database. The fallout from this breach is so wide-reaching that we may not know just how many Americans were targeted after China analyzed the data. Basic cyber hygiene could have helped prevent, identify and detect the initial attack in the early stages before the hackers had opened access to OPM’s network for almost 18 months. Routine patching, user awareness and trained network defenders would have significantly reduced risk. Also, using enhanced protections and monitoring around the OPM security file database could have reduced damage and exposure of millions of U.S. government employees’ security files.

State Breach: IDES

The Illinois Department of Employment Security contracted with a vendor to launch the Pandemic Unemployment Assistance Portal as an add-on to its unemployment system. The new PUA went live in May 2020. A few days later an outside entity discovered that a spreadsheet with the names, addresses and Social Security numbers of Illinois unemployment applicants was publicly visible on the website. Approximately 32,500 applicants’ personally identifiable information was exposed. This breach has been referred to by officials as a “glitch.” Free credit monitoring services are being offered to the victims.

New IT projects need to be put through an information assurance process, and data projects require quality assurance processes. A good IA process checks all the risks associated with the hardware, software and implementation of both. During the IA process is when any open portals should have been discovered. A good quality assurance program will check all permissions and access for data and would have discovered PII that was public facing. Neither process worked on this project. Contractors need to include these assurances before turning over a new system. The client must be involved and needs to see the results of both processes before going live.

Law Firm Breach: GSMS

Recently, Grubman Shire Meiselas & Sacks, a New York entertainment law firm to the stars, was hit with a ransomware attack. The attackers allegedly demanded 12 bitcoins for the decryption key. At the time of this writing, 12 bitcoins converts to about $111,265 — not a lot of money to a New York law firm. However, approximately 750 GB of attorney-client privileged data was also being offered on the Internet to the highest bidder. Ransomware is a particularly vicious cyberattack because it shuts your business down, destroys goodwill and breaches client trust. Law firms have been especially slow to seek out cybersecurity and information security experts before they get attacked. At least five law firms were hit with the so-called Maze ransomware in January 2020 alone.

Basic user awareness can help block ransomware. Initial attacks usually come in via phishing messages, phone calls and text messages. Never give up sensitive information nor click on links or attachments from unknown senders. Security email filtering and scanning for inbound email to law firms should be in place and only allow trusted file types. Finally, routine security updates for endpoint machines, mobile devices and servers need to be performed to close vulnerabilities.

E-Discovery Vendor Breach: Epiq Global

In February 2020, Epiq Global — an ediscovery vendor with 80 offices worldwide — was the victim of big-game hunting, a practice where Ryuk ransomware attackers go after large enterprises. Epiq Global hosts client data and third-party data for law firms and corporations. The attack followed a format usually used by the Ryuk attackers: A phishing scheme gathers administrator and user credentials to gain access to the network. This opens the door to spying, encrypting data and exfiltrating it or demanding a ransom and extorting the victims. Law firms and corporate legal departments around the world were impacted. The big question for law firms is whether these vendor breaches violate attorney-client privilege.

It comes down to end-user awareness, basic cyber hygiene and information separation as well as partitioned access for sensitive data. End users need to be able to identify potentially malicious messages and alert their cybersecurity team. If one user identifies a malicious message, there are likely nine other staff receiving the same message. Building an alert culture is key to helping secure sensitive data. Additionally, separating key databases and putting up enhanced protections such as access control and monitoring will help detect and identify anomalous behavior. Administrators must use a separate account and a separate machine for troubleshooting and maintenance of the crown jewel datasets. Finally, two-factor authentication for all users greatly reduces risk of user and administrator accounts being compromised.

As we see the ransomware attacks against law firms, state and local governments and corporations increase, the need for a set of cybersecurity standards for law firms that host client data also intensifies. The Association of Corporate Counsel is working on a new Data Steward program that will create a baseline for law firms and corporate counsel. In the meantime, lawyers would be wise to follow the FedRamp Moderate authorization requirements for the hosting of client data. In the long run, it is less expensive than paying a ransom and losing the goodwill and trust of your clientele. Moreover, some of these breaches may eventually constitute a breach of attorney-client privilege and lead the courts to start sanctioning lawyers. The intersection of cybersecurity and ediscovery is complete.


Originally appeared in Cybersecurity Law & Strategy. © 2020 ALM Media LLC. Reprinted with permission.

Locked chain on laptop as computer protection and cyber safety concept. Private data protection from hacker malware

Responding to a DSAR Request

In a previous post, I discussed what a DSAR is, the laws that such requests arose from, and the importance of having a systematic approach to dealing with a request. Now let us outline the process involved in the actual response to DSAR requests.

An organization is required to provide a DSAR requester with a copy of any relevant information collected or stored. The time to prepare for these requests is before you receive your first DSAR and find yourself not knowing quite what to do with it. Here are the steps to follow when responding to a DSAR:

Conduct a Data Inventory

Before you answer a data request, you need to know where the requester’s data can be found within your organization and allow for easy access and retrieval of the requested information.  The data can come in many different forms including structured data formats which will require planning on the appropriate output format such as a PDF or CSV file to meet the request requirements.

Organize DSAR Requests

You will need to implement a process to classify all incoming DSARs, including who will oversee receiving and organizing the requests. This might potentially be your chief data officer (CDO), who routinely manages, secures, assesses, and oversees the collection and analysis of data.  There are technology solutions to help organize DSARs as well as other legal requests that can be implemented to manage the workflow from request to delivery.

Fulfill the Request

A standard process will need to be followed for identifying a valid DSAR request, verifying the requester’s identity, requesting more information, if necessary, determining if the organization possesses the requested data and if so, whether it must be provided, deciding whether charging a reasonable fee is justified (based on the administrative costs associated with providing the data), and finally, providing the information within the required timeframe.  Remember that you can’t violate any other person’s privacy rights when delivering data so you will need to mask or redact any personally identifiable information (PII).

Demonstrate Compliance

According to the provisions of the GDPR, organizations must have the ability to demonstrate compliance with the regulation, including being able to show records outlining all DSARs received. The record should include the data subject’s contact information, a description of the request, when and how the response was made and by whom (including reasons why it was honored or denied) and the time taken to reply.

When responding to a data request, organizations are required to remind the requester that they have the right to object to the processing of the data, request the rectification of it, or lodge a complaint with a supervisory authority.

Next up in this series: DSAR Best Practices and Workflows an Organization Should Follow. Do you have anything to add regarding how to respond to a DSAR request? Tell us about it in the comments!

Locked chain on laptop as computer protection and cyber safety concept. Private data protection from hacker malware

DSARs 101: What to Expect When Doing Business with EU Customers

For any organization that deals with privacy issues in the European Union and other privacy-centric jurisdictions like the United Kingdom, an effective information governance program is a must. A program that includes a systematic approach to DSARs will significantly minimize exposure to risk.

Several of my clients in the EU have been extensively working through the Data Subject Access Request (DSAR) process and how to best address such requests. The following is the first in a series of articles intended to unpack DSAR challenges.

What is a DSAR?

On its face, a DSAR is a simple written request that can lead to an extremely complex workflow. The request may be made to a company via email, an online form, or another form of communication. Upon receipt of the DSAR, the organization must track the request through to resolution within a specific timeframe, usually 30-45 days (after first verifying the requestor’s identity and existence in their data system).

Under the provisions of two complex sets of laws, the EU’s General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA), a DSAR may be sent to any organization that processes the personal data of individuals residing in the EU.

The General Data Protection Regulation

The GDPR, which became effective on May 25, 2018, is a set of laws intended to standardize privacy regulations across Europe. However, the GDPR does not only affect organizations within the EU. Instead, it pertains to all organizations processing and storing the personal data of individuals in the EU, no matter where the company is located.

According to the GDPR, a data subject is identified as “an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

DSARs are the direct result of the right of access provided for in the GDPR. Such requests might ask for specific personal details or could demand a full list of the personal data being stored. Either way, an organization is required to provide the requester with a copy of any relevant information about them.

The UK Data Protection Act 2018

Countries across the EU have passed or will soon enact their own data protection legislation, and the Data Protection Act 2018 is the UK’s implementation of the GDPR. The DPA provides individuals in the UK with the right to obtain a copy of their personal data and extends the lawful bases for processing sensitive personal information beyond what the GDPR provides. The DPA also sets the minimum age of consent for processing a subject’s data at 13, as opposed to 16 in the GDPR.

According to a 2019 survey conducted by Lexology, since the introduction of the GDPR and the DPA, a growing trend is rapidly emerging: DSARs are increasingly being used by those more aware of their rights surrounding their personal information. This tendency is expected to grow, amplifying the need for businesses to put clear policies and procedures in place that will not only keep them in compliance with the GDPR and the DPA, but also help them avoid costly enforcement action.

 

Next up in this series: How to Respond to a DSAR Request. Do you have other thoughts to add regarding DSARs? Tell us about them in the comments!

Palm Trees

Encryption’s Impact on Potential Liability Under CCPA

(This article is brought to you courtesy of the International Association of Privacy Professional (IAPP) and first appeared in The Privacy Advisor, IAPP’s original content publication for privacy professionals).

In the last decade, California has suffered twice as many data breaches as any other state, with roughly 1,493 breaches affecting nearly 5.6 billion records. For an organization that handles the data of California consumers, adopting a robust security system is prudent.

Encrypting consumer data is one strategy that an organization can adopt as part of a comprehensive information security and privacy program. Encryption benefits consumers by rendering compromised data unreadable, so that even if encrypted data is disclosed, the risk of harm to an individual, such as identity theft or physical safety, is significantly limited. Where California’s privacy laws apply to an organization, encrypting customer data will provide immunity from the private right of action under the California Consumer Privacy Act and limit obligations of notification in the event of a data breach under California’s data breach notification law.

How will encrypting data benefit your organization in California?

Under CCPA, California consumers are provided a private right of action, which permits them to file civil suits against businesses for certain types of data breaches and potentially recover either statutory damages of up to $750 or actual damages, whichever is greater. In class-action litigation involving millions of consumers, these damages can add up quickly. Compared to the EU General Data Protection Regulation, which allows for fines of up to 4% of global turnover, damages under the CCPA do not have a similar liability cap. As a result, a business’s damages under the CCPA could conceivably dwarf the fines permitted by the GDPR.

As mentioned above, this private right of action only applies to certain types of data breaches. First, the breach must consist of a California resident’s first name (or first initial) and last name in combination with one of the following: Social Security number, some unique identification number issued on a government document that is commonly used to verify an individual’s identity, account number or credit or debit card number in combination with any required security code, medical information, health insurance information, or unique biometric data used to authenticate an individual. Collectively, all these categories are referred to as “covered personal information.”

Even if covered personal information is compromised, the private right of action under the CCPA only applies to breaches of nonencrypted or nonredacted covered personal information resulting from a business’s failure to implement and maintain reasonable security procedures and practices. In determining reasonableness, the attorney general may look to the 20 security controls promulgated by the Center for Internet Security, which the California Department of Justice identified in 2016 as establishing the minimum controls required to show a reasonable security system. These controls recommend encryption. Thus, for an organization seeking to limit liability under the CCPA, encrypting covered personal information of California consumers is a very effective way to do so.

Moreover, under California’s data breach notification law, an organization that does business in California and maintains personal information of California residents may be required to notify the residents if they have been affected by a data breach. However, if the compromised personal information is encrypted, it falls outside the scope of the data breach notification law and the obligation to notify is not triggered. Though the definitions of personal information are not identical under the CCPA and California’s data breach notification law, there is a significant amount of overlap.

Like the CCPA, California’s data breach notification law also provides consumers with a right of private action if they have been injured by a violation of the law. Unlike the CCPA, though, the data breach notification law does not provide statutory damages. As a result, if an organization encrypts the personal information it maintains on California consumers, it can avoid the obligation to notify consumers of a data breach and it reduces the likelihood of civil actions.

CCPA in action

On Feb. 3, a California consumer filed a class-action suit, arising from a data breach, against high-end children’s clothing retailer Hanna Anderson and Salesforce, a software-as-a-service company specializing in customer relationship management. The claim alleges, among other things, a violation of the CCPA and states that consumers’ unencrypted and unredacted personal information, including financial information, was compromised by a breach. The complaint alleges the information accessed by the hackers was for sale on the dark web. Had the personal information stored been encrypted, the plaintiff’s chances at recovering any damages under the CCPA would be significantly limited as their claims would not be covered by the CCPA’s private right of action. Moreover, any harm to consumers would have been limited or eliminated due to the hacker’s conceived inability to decrypt the data.

If your organization handles covered personal information, encrypting it would be a smart decision. Not only does it help mitigate the risks of harm consumers face in the event of a security incident, but it shields your company from liability under the CCPA’s private right of action.

Photo by Ev on Unsplash

Opening

When the US Begins to Reopen, Plenty of Privacy Questions Will Remain

(This article is brought to you courtesy of the International Association of Privacy Professional (IAPP) and first appeared in The Privacy Advisor, IAPP’s original content publication for privacy professionals).

Everyone wants the world to go back to normal. The last six weeks have been taxing in just about every way imaginable. We all dream of a time when we can talk to our friends and family face-to-face and when trips to the grocery store aren’t riddled with anxiety.

Depending on where you’re hanging your hat at present, that time is likely far away. But as speakers indicated during a recent Brookings Institution webinar, that doesn’t mean it’s too early to plan for what a reopening of the economy looks like, what may happen to the data that will be used in those efforts and whether a U.S. privacy law may help to provide clarity should a similar event occur in the future.

During the webinar, The Brookings Institution Rubenstein Fellow Alex Engler said people are familiar with the traditional technologies used to fight against COVID-19; however, the use of artificial intelligence during the pandemic has proven to be nebulous thus far.

Engler believes AI has the potential to be helpful to assist in tracking the spread of the disease, but most efforts to incorporate the technology aren’t panning out.

“Over the last decade, we’ve seen a fundamental change in how valuable AI can be. You might be tempted to think, ‘Well, it helped in all these other ways; obviously, it’s going have a big impact with COVID-19.’ That, at least so far, hasn’t turned out to be true,” Engler said during the event. “We have examples of AI in the news that are probably snake oil. I point toward using AI and thermal imaging cameras to detect people walking around with fevers. The evidence that that is working or good to implement to keep people out of grocery stores is not very good.”

Michelle Richardson of the Center for Democracy and Technology’s Privacy and Data Project warned AI should not be treated as a “cure-all.” In some instances in which it may be tempting to use AI, a simpler, safer measure to gather information is likely out in the open, she said.

“There was an article that cited a small vendor that said, ‘Just give me access to people’s medical records and that way I can predict where we should be sending (personal protective equipment).’ That data is already available,” Richardson said. “We have public health officials screaming it from the rooftops saying, ‘We know where it needs to go.’ We do not need to throw open everyone’s medical records for AI processing to get that information.”

Contact tracing has been cited as a vital method to help mitigate the spread of COVID-19. Google and Apple made news by announcing they would develop tools to help notify smartphone users when they come into contact with someone who tested positive for COVID-19. A smartphone user would voluntarily download a contact tracing app, and through the use of Bluetooth technology, would receive the notice of another person who also has the app.

For the system to work, Engler said, users would have to update their operating system, download the app and provide consent. He also highlighted how privacy could impact the total amount of people who would be willing to participate.

“Pew said 81% of people in the U.S. own smartphones, so you are starting with a baseline of 81%. Of those, how many update their operating system and then download the app. If they have real privacy concerns, they may be disincentivized to engage in this if they do not trust what is going to happen to their data. Of those, how many voluntary report that they got sick or enable their public health organization to,” he said.

There is also the matter of how anonymous the data will remain. The information collected by the apps is not officially location data, according to Engler. That does not mean it can’t become quickly become location data.

“We’ve seen some of those overseas identified and they are being harassed. It’s quite easy to reassociate people. You only need a few data points to figure out a real person’s identity, especially when you are talking about location. While we say this is not location per se, you only need a few data points to put in there before it becomes location,” Richardson said. “It’s going to be easier to reassociate some of this than people realize.”

A lot of information is set to be collected from all these different initiatives, and it will be important to protect it from malicious actors. Engler pointed to another avenue of data misuse that should be considered. If the pandemic goes on for longer than most anticipate, all that information may become very valuable, and Engler believes the erosion of standards around privacy is a bigger concern than “people literally stealing” data.

“You can imagine a circumstance where the pandemic really starts to drag on and we are a couple of years in, and there’s a network of health applications that are using this data for COVID-19. But they’ve also mission creeped into various other things and suddenly there’s a financial market for the data,” Engler said. “That’s how I think about this becoming a bigger problem when the data comes out. Not necessarily the lack of the security, though I think that’s worth being concerned about, but I worry more about the systemic leakage. This just becomes another market for data.”

There is a lot of uncertainty around what will happen to all this data as the pandemic continues and how it can be safely used. Part of that is fueled by the lack of a U.S. privacy law. Richardson said federal rules would have helped fill in some of those gray areas, not just for citizens, but for companies as well. She hopes Congress will work to get a federal law on the books to avoid this level of uncertainty the next time a major event occurs.

“Corporate behavior has not met people’s expectations. It’s been surprising to them, and they have become suspicious. We may be in a better situation right now if we had a law that better aligned those things. People could trust technology more,” Richardson said. “They might be more comfortable sharing their information knowing that it would be locked down and not repurposed for things that would be surprising or offensive to them.”

“Companies would also then have more clarity. A lot of the proposals we see at the federal level have clear exceptions for public interest research, so to the extent some of them want to help public officials and contribute to this, they would be able to do so with some clear parameters and liability protection instead of worrying about where the line is.”

Credit card security. Online Shopping security

Coronavirus Home Office Security – Practical Tips for Securing Your “New” Home Office

I’ve been working as an independent consultant for quite some time. Along the journey, I’ve picked up many tips and tricks to maximize productivity while working from home with great results.  There have been many articles written about this issue and I hope to add some serious security ideas to the discussion that you may not have considered.

Many of you are being told to work from home with no idea on where to start and what matters the most. This article is going to focus on practical information to help you secure your home office. Check with your company to see if there are any protocols in place. If not, start with these basics.

Strong and weak easy Password. Note pad and laptop.

Use strong passwords and a password manager

Passwords should be unique for every account and should comprise a long string of upper- and lower-case letters, numbers, and special characters. Clearly, it’s difficult to remember all these passwords, which is why password managers are such popular tools these days. I use LastPass for saving and accessing passwords but of course there are other products available I particularly like LastPass because anything you save to LastPass on one device is instantly available to you on any other device you use. if you don’t already have a LastPass account, you can get started by signing up for a free trial at https://lastpass.com/create-account.php. I am not affiliated with LastPass in any way.

Set up two-factor authentication

Multifactor Authentication is an added layer of security that you can enable within LastPass and requires a second step before you can gain access to your account. Enabling this security feature helps protect your account from keyloggers and other threats – even if your Master Password was compromised, your account could not be accessed without this second form of authentication.

Virtual private network, VPN, Data encryption, IP substitute.

Use a VPN

A Virtual Private Network, or VPN, is a piece of software that changes your IP address and encrypts all of your internet traffic. This improves online privacy, security, and helps users to bypass online censorship imposed by the government, ISPs or any other organization or person blocking websites. A popular main reason to use a VPN is to protect your online information and to visit websites that can be hard to enjoy locally. When left unprotected, your private data, such as bank account information and credit card numbers, can fall into the wrong hands. A good VPN encrypts your data, so even if you connect to a public wi-fi network, your private data is guaranteed to be protected.

Set up firewalls

A firewall is a network security device that monitors incoming and outgoing network traffic and permits or blocks data packets based on a set of security rules. Its purpose is to establish a barrier between your internal network and incoming traffic from external sources (such as the internet) in order to block malicious traffic like viruses and hackers.

Your home internet provider may already have a firewall in place so check before your bother to set one up

Use an antivirus software

Antivirus software is nearly as crucial as a PC’s operating system. Even if you’re aware of potential threats and practice extreme caution, some threats just can’t be prevented without the extra help of an AV program—or a full antivirus suite.

Antivirus software is critical for EVERY PC or device you use at home. Without it, you risk losing your personal information, your files, and even the cash from your bank account.

AV software can keep your Windows PC safe from spyware, Trojans, malware, and more.

There are quite a few great choices out there for you can easily find with a Google search, or better yet, ask your IT person what he/she recommends.

Man touching a wifi security concept

Secure your home router

Wireless internet or Wi-Fi access has become a necessity in the home and workplace, but it can also open a door to risks from hackers, scammers, and identity thieves. Whether in your home or office, an unsecured Wi-Fi router running on the default manufacturer settings could be a liability when it comes to hackers and Wi-Fi squatters accessing your private information and burdening your broadband.

If your Wi-Fi network isn’t secured properly — a public IP address, no unique Wi-Fi password — you could be letting anyone with a wireless-enabled device to gain access. You might not be worried about someone using your wireless connection, but the real risk is exposing sensitive information you send and receive — your emails, banking information, and maybe even your smart home’s daily schedule — to cybercriminals.

Install updates regularly

Microsoft Update is the online extension of Windows that helps you keep your computer current. Microsoft Update includes updates from Windows Update and from Office Update, in addition to updates for other Microsoft products and for third-party device drivers. Use Microsoft Update to install updates for your computer’s operating system, software, and hardware.

New content is added to the site regularly so that you can obtain recent updates and fixes to help protect your computer and to keep it running smoothly. To use the Microsoft Update site to install all critical updates for your computer, follow these steps.

I choose the other route: automatic updates. By using Automatic Updates, I don’t have to visit the Microsoft Update Web site to scan for updates. Instead, Windows automatically delivers them to my computer and installs them automatically.

Red key with text BackUp and touch finger icon on blue digital laptop keyboard

Back up your data

The main reason for data backup is to save important files if a system crash or hard drive failure occurs. There should be additional data backups if the original backups result in data corruption or hard drive failure.

Additional backups are necessary if natural or man-made disasters occur.

Encrypt your hard drives in Windows 10

Simply locking your PC with a password isn’t enough, as hackers can still find ways to bypass the lock screen. Windows Hello makes the processes a lot harder considering it relies on biometrics, but in cases where your information is stored on a secondary hard drive that can be pulled out, biometrics become largely irrelevant.

The good news is that you can still protect your information on Windows 8 by using BitLocker drive encryption.

In both cases you need the Pro version of Windows, not Home.

BitLocker can be used to secure both internal and external hard drives. It doesn’t only function after signing into Windows, it can also determine if a security threat is present during the boot up process, so you’re fully covered.

MacOS has encryption built in regardless of the version.

Beware remote desktop tools

Remote desktop tools aren’t new but with organizations becoming increasingly international and teams becoming more mobile they’re fast becoming essential.

A search for remote desktop software reveals a myriad of options. It can be overwhelming navigating past rogue tools, confusing interfaces, and buggy services.

For a great overview, take a look at the 10 Best Free Remote Desktop Tools.

The abstract image of the hacker's hand reach through a laptop s

Look out for phishing emails and sites

What is phishing? Phishing is a cybercrime in which a target is contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. Don’t buy into these schemes.

The FTC has a great article surrounding phishing. Take the time to educate yourself on this very real threat.

The FBI’s IC3 (Internet Crime Complaint Center) has a chart showing the huge amount of loss victims have been taken for. What’s extremely sad is how the scams focus so much on our elderly.

chart showing the huge amount of loss victims have been taken for.

Use encrypted communications

In the legal profession, encrypted communications could be critical since we’re dealing with attorney client privilege so often. I used the website https://haveibeenpwned.com/ and checked my email to see if I had been a victim of a breach and sure enough, I have two out of three emails that have been breached. There are several tools to stop this from happening to you (I installed one myself) and you can find a great list at https://www.techradar.com/best/best-encryption-software including free, paid and business tools and services.

Check your bar association to see if encryption is required in your state to protect confidentiality.

Locked chain on laptop as computer protection and cyber safety concept. Private data protection from hacker malware

Lock your device

To lock your computer:

Press the Win+L key combination on the computer keyboard (Win is the Windows key). Windows key features the Windows logo.

Click the padlock button in the lower-right corner of the Start button menu. Clicking the padlock icon locks your PC. Why lock your computer? I know you didn’t ask that question, right? For step by step directions, go to https://www.wikihow.com/Lock-a-Computer.

Hopefully, I set out some helpful information and tips for you to assist the transition to your new unfamiliar environment. Working from home can certainly have its benefits, but it also comes with major responsibilities. Take the time to implement those responsibilities.

digital fingerprint login for cybersecurity online on internet

Popular Jewel-Osco Grocery Chain Claims BIPA is Unlawful

BIPA (Biometric Information Privacy Act) was first introduced by Illinois in 2008 and requires informed consent of the collection of biometric data prior to collection, prohibits companies from profiting from biometric data, permits only a limited right to disclose data, mandates protection obligations and retention guidelines and creates a private right of action for any individuals harmed by violators of BIPA.

Albertson’s, which owns the popular Jewel-Osco chain of grocery stores in Chicago IL, disagrees with this law — so they’re taking the state to court. Albertson’s argues that the Illinois Biometric Information Privacy Act should be considered special legislation prohibited by the state’s constitution, because it applies to some companies while improperly leaving others out.

The grocery chain, who is fighting a lawsuit, claims that it shouldn’t have to face litigation for collecting employees’ fingerprints because there is no functional difference between it and the types of businesses excluded from liability under Illinois’ biometric privacy law. BIPA sets up many private employers for huge judgments, while exempting government and financial institutions.

One often forgotten requirement under BIPA is data retention. Like all other privacy laws, data retention is mandatory. BIPA states that PII (personal identifiable information) must be deleted within three years or organizations can face up to $1,000 in fines/violations. Robert Fowler, Director of Strategic Partnerships at Exterro, states that BIPA is just another example of why it’s critical for organizations to know the kind of personal data they are collecting and ensure document retention requirements are enforced around it. In order to meet the requirements of BIPA, conducting a data inventory isn’t a nice to have anymore—it’s a necessity.”

Personal data you don’t have cannot be breached. A clear way to mitigate a lot of organizational risk is to get rid of data that you don’t need. It’s an unnecessary added liability to over-retain personal data that serves no business purpose.

Albertson’s issues surrounding compliance to BIPA start with the organization’s data map, which, for any organization, needs to be built the right way. Keeping the data inventory up-to-date can help prevent running afoul of data privacy laws like BIPA, or for larger organizations with an international presence, the EU’s General Data Protection Regulation (GDPR). Fines for violating such privacy laws can really add up, which makes it all the more important to ensure the only data retained by organizations is accurate and necessary for business purposes.

A Guide to the Galaxy – Incorporating Privacy-by-Design into eDiscovery Workflows

Fifty years ago, on July 16, 1969, the Apollo 11 lunar mission sent the first astronauts to the surface of the moon. The computing technology used on that Apollo mission was revolutionary. The astronauts could control the spacecraft through a command module computer, and critical safety and propulsion mechanisms were controlled by software for the first time. Today the computing technology of the average cell phone far exceeds the computing power of the spacecraft that got humans to the moon and home safely. A single iPhone could guide 120 million Apollo era spacecraft to the moon, all at the same time!

With that kind of computing power in our pockets, it is no wonder so many of us take advantage of numerous mobile applications, social media, messaging, and collaboration workstream tools as often as we do. On average, each of us spends 4 hours a day staring down at our phone, often blurring the lines between business and private communications.

The universe of discoverable ESI (electronically stored information) is evolving rapidly. For many organizations, within three years of adopting an enterprise-level workstream collaboration platform, the volume of new data generated from that platform will eclipse the amount of data generated by email. Notably, Microsoft Teams is quickly becoming Office 365’s main collaboration tool and is on pace to become as prominent as Outlook. Messaging data and social media communications are routinely implicated in discovery requests and, with increasing regularity, submitted as critical evidence in legal proceedings. Data collections and discovery requests involving mobile, messaging, and collaboration applications often involve personal data and PII (personally identifiable information). Sensitive personal information might be there unintentionally, due to the nature of the applications for keeping people connected and perhaps a business culture that comingles business and personal lives. Other reasons may include the frequency at which many of us increasingly use these applications outside the traditional 9-to-5 workday and a lack of corporate guidance or use policies for new and emerging technologies.

There is no doubt that redefining our eDiscovery processes, methods, and approaches is necessary for new technologies and the ESI they generate. Potentially responsive information likely exists in the candid communications common to messaging or collaboration applications, such as in chats, on virtual “white boards,” and in edited and re-edited versions of documents. But getting to this information, and along the way mitigating risks for personal data protection, is easier said than done. Emerging technologies are dynamic, context sensitive, and multi-dimensional. Every new content source requires its own method of collection, and they all behave just a little differently. It is likely that organizations will increasingly select discovery tools that can collect and process data across multiple cloud technologies or applications. This will ensure a reliable, defensible method of collection and processing compatible with conventional eDiscovery workflows already in place.

The implications for privacy and data protection, though, are considerable. Myriad multi-jurisdictional regulations require a balancing act to protect the data privacy of individuals while simultaneously meeting obligations for discovery. These regulations, such as the EU’s General Data Protection Regulation (GDPR), the Health Information Portability and Accountability Act (HIPAA), and the now imminent California Consumer Privacy Act (CCPA), cannot be ignored. A raised consciousness and awareness of privacy protections in discovery is required, in parallel with efforts to preserve and produce relevant, discoverable ESI with efficiency and precision. A serious regulatory risk exists for unintended personal data – particularly health or other similarly sensitive information – which may somehow find its way into collection and discovery. The risk is heightened when the appropriate data minimization controls have not been implemented or even considered, resulting in personal data being swept up in overly broad collection exercises.

The challenge of protecting personal data is increasingly being addressed by eDiscovery workflows designed specifically for mobile data and ESI from collaboration applications. Although these solutions are at a relatively early stage of development, well-defined guidance is available for how to embed data protection across workflows without sacrificing existing road-tested best practices, i.e. Privacy by Design.

The Privacy by Design concept has been around for quite a while, with inception as a Canadian thought experiment in how to ensure data protection across emerging technologies. But it has now been codified in Article 25 of the GDPR. Privacy by Design provides a solid roadmap for how to build data protection compliance into a product or workflow from the ground-up, as opposed to shoe-horning requirements into a process after it has already been developed. Privacy by Design-based approaches for discovery seek to integrate personal information protection over the lifecycle of all data handling processes. Importantly, the focus is on adaptation and evolution, not a zero-sum game that trades capability for over-restrictive data protection measures. Key attention is accordingly placed on relevance and materiality, from data collection through production, across the entire EDRM (electronic discovery reference model).

In practice, Privacy by Design throughout discovery could be as follows (see illustration):

  • Information governance
    • Privacy compliance and legal teams become engaged when new content sources are evaluated for business use. These teams ensure that data collection can be carried out in a defensible way and that it incorporates security measures and data protection considerations, thus demonstrating accountability and a thoughtful consideration of these issues.
    • Well-defined use policies and clear requirements for employees are then implemented for enterprise devices and apps, particularly as processes and protocols evolve for eDiscovery.
  • Coordination with custodians
    • A collection process for more detailed, nuanced coordination with custodians is established – perhaps including some measure of self-collection for certain applications. However, self-collection will require a level of due diligence and assurance that the collections proceed properly, involving the right data, from the right custodian, for the right matter. In most cases, well-articulated, streamlined coordination with custodians will enable further insights into what unintended personal data or personal health data might be implicated in a collection. Again, this type of approach demonstrates accountability, a compliance requirement that could be crucial in the event of regulatory oversight.
  • Extracting personal data from data sets
    • As data moves across the EDRM and enters into processing, review and production, solutions for indexing, entity identification, and extraction aimed at removing, redacting, or otherwise disposing of any non-necessary personal data, ahead of even the review process, may significantly mitigate risk.
    • As an added measure, this same entity identification/extraction process can be replicated and reused for data subject access requests and breach responses, further enhancing the organization’s regulatory compliance posture.
  • Smart productions
    • At the very last stage of the discovery process, production quality control can serve as a last line of defense in eliminating non-material or unintended personal data. An emphasis on flawless productions is not only an essential part of the workflow, but should serve as the endgame of a truly well-developed eDiscovery playbook. The goal is to show every effort being made to ensure accountability for data protection compliance.
  • Data security across processing activities and transfers
    • It is absolutely necessary – at every stage of discovery – to ensure that technical and organizational measures for security and data protection are in place, including access controls, security processes, audits, and data transfer protections. Security protections are critical regardless of whether data is processed, hosted, reviewed, and ultimately produced in the EU, United States, or anywhere else. Data security can be the common thread for assuring data protection compliance across numerous regulatory frameworks, as well as for data transfers in cross-border litigation and investigations.

Our shifting global regulatory landscape for data protection, together with exponential growth in the use of mobile applications and collaboration workflow tools, is changing the way data collection is approached, how data is handled, and how organizations will be held accountable for the treatment of personal and sensitive data in the discovery process. Solutions will require a re-consideration of conventional approaches to forensics, data collection, and eDiscovery workflows.

Privacy by Design offers a useful model for embedding privacy protections into the discovery process. It enables organizations to chart a course in the new universe of data, including development of well-crafted information governance processes for new and emerging technologies, focusing on privacy risk mitigation throughout the EDRM, and ensuring an emphasis on data security each step of the way.

Technology doesn’t wait for anyone. While only 50 years separate the computers of the Apollo mission from today’s iPhones, the pace of technology advancement is exponential. eDiscovery processes must keep up.