
Departing Employees, Data Theft, and Digital Forensics

In late 2019, it was reported by Infosecurity Magazine that 72% of former employees admitted taking company data with them upon departure. Determining what actions a former employee took on a company device leading up to their departure can help determine whether company data was stolen or misappropriated. Did the departing employee retire or leave for a competitor? Were they forthcoming with their intent to depart, or was it abrupt? Depending on the specifics of the situation, it may be advisable to perform a digital forensic investigation to help locate some answers.

It’s Never a Bad Idea to Preserve a Former Employee’s Devices

When an employee makes the decision to leave a company, it may be time to forensically preserve the contents of an employee’s business device(s), including cloud-based accounts. We are talking about devices provided by the employer for the employee to conduct their work and not personal devices. This will ensure the digital data has been collected in a manner that is admissible in court (should that be the outcome). If the device is not preserved and is reallocated to another employee, important information regarding the previous employee’s actions on the device may be overwritten.

Once the devices used by the employee have been forensically preserved, analysis may begin.

What Evidence May be Available?

USB device activity – This type of analysis includes determining what USB devices (removable storage devices) were plugged into the system by the user. Reviewing the USB device activity together with file access records may make it possible to determine whether file transfers to external devices occurred on the device.

Sent and received emails – Reviewing the work email account may prove beneficial in locating possible file transfers via email to personal accounts, messages that have been deleted, and who they were communicating with about their departure.

File sharing websites – From Dropbox to Google Drive, employees may use online file sharing websites and applications to steal company data. A review of the web browser history, including active and deleted records, may show access to file sharing websites as well as possible file uploads. It’s also advisable to see if any file sharing programs have been installed on their work computer or mobile device.

Device activity prior to departure – This type of analysis can help determine what the user did on the device prior to leaving the company. Were a large number of files deleted? Were programs uninstalled or removed? This type of analysis can give you a good picture of what was going on in the days leading up to the separation.

Deleted file recovery – If a former employee has deleted files before turning their device over, forensic software may have the capability to locate and restore these previously existing files.

Internet history and searches – Web browser history may play a helpful part in determining activity prior to leaving the company. Internet history analysis has the capability to show what websites were visited and when, as well as the ability to recover deleted web browser history and searches. You may also find file access records within the browser history cache which can show when files were accessed and from what location.
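The USB device activity and file access records described above are most useful when they are placed on one timeline: a file created on a removable volume while a particular device was connected is the kind of finding an examiner reports. The script below is an added example and not part of the original article or any forensic product; the two log formats, device serials and file paths are constructed to illustrate the correlation step (real artefacts such as USBSTOR registry keys, setupapi logs and LNK or Jump List records each need their own parser). It also handles the case where a device was still connected when the image was taken and so has no disconnect event.

```python
"""Correlate removable-device connection windows with file access records.

Added example for the 'USB device activity' analysis described above. The
log formats, serials and paths below are CONSTRUCTED for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: timestamp, event, device serial, assigned volume letter
USB_EVENTS = """\
2020-03-02T09:14:05 CONNECT 4C530001230512112345 E:
2020-03-02T11:40:22 DISCONNECT 4C530001230512112345 E:
2020-03-03T16:02:10 CONNECT 0CF1A2B3C4D5E6F7 F:
"""

# Constructed sample: timestamp, action, full path (from file access records)
FILE_RECORDS = """\
2020-03-02T09:20:11 OPEN C:\\Users\\jdoe\\Documents\\pricing_2020.xlsx
2020-03-02T09:21:03 CREATE E:\\backup\\pricing_2020.xlsx
2020-03-02T09:25:44 CREATE E:\\backup\\client_list.csv
2020-03-02T14:00:00 CREATE E:\\notes.txt
2020-03-03T16:05:30 CREATE F:\\export\\contracts.zip
"""


@dataclass
class Window:
    serial: str
    volume: str
    start: datetime
    end: Optional[datetime]  # None if the device was never seen disconnecting


def parse_usb_events(text):
    """Pair CONNECT/DISCONNECT events per serial into connection windows."""
    open_windows = {}
    windows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, serial, volume = line.split()
        when = datetime.fromisoformat(ts)
        if event == "CONNECT":
            open_windows[serial] = Window(serial, volume, when, None)
        elif event == "DISCONNECT" and serial in open_windows:
            w = open_windows.pop(serial)
            w.end = when
            windows.append(w)
    windows.extend(open_windows.values())  # still-connected devices: open-ended
    return sorted(windows, key=lambda w: w.start)


def parse_file_records(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, path = line.split(maxsplit=2)
        out.append((datetime.fromisoformat(ts), action, path))
    return out


def correlate(windows, records):
    """Return file accesses on a removable volume that fall inside the window
    during which a device held that volume letter."""
    hits = []
    for when, action, path in records:
        volume = path[:2].upper()  # drive letter plus colon, e.g. "E:"
        for w in windows:
            if w.volume.upper() != volume or when < w.start:
                continue
            if w.end is not None and when > w.end:
                continue  # volume letter was not backed by this device any more
            hits.append({"time": when, "action": action, "path": path, "serial": w.serial})
    return hits


def transfers_to_removable_media():
    return correlate(parse_usb_events(USB_EVENTS), parse_file_records(FILE_RECORDS))


if __name__ == "__main__":
    for h in transfers_to_removable_media():
        print(h["time"].isoformat(), h["serial"], h["action"], h["path"])
```

In the constructed data the `E:\notes.txt` record falls after the first device was removed and is therefore not attributed to it, while the `F:` device has no disconnect event and its window stays open; both are the details that decide whether a transfer finding holds up.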

Conclusion

Engaging a digital forensics company to analyze a former employee’s business devices can ultimately act as a guard to protect an organization’s intellectual property. If nothing else, consulting with a digital forensics expert can assist in analyzing the situation and offering suggestions on the best way to move forward.


Legal Tech: The Intersection of E-Discovery and Cybersecurity: You’ve Come a Long Way, Baby

Data is an asset and a liability. It fits into both accounting columns and will not fail to be used against a corporate entity if not secured properly. Databases contain trade secrets, personally identifiable information, HIPAA-protected health care information, proprietary information and classified data. They also house sensitive information and evidence of liability or criminal behavior. As the size of databases grew, one thing became apparent: the information stored in those repositories had to be kept secure. As the importance of data became more evident, so did the importance of information security and cybersecurity.

Lawyers and cybersecurity experts were forced together as soon as employees had access to the internet. Before data breaches became the norm, the ugly secret in the IT closet was the amount of pornography in databases. Employees were searching pornographic materials at work, from their work desktops, and they seemed to believe that no one would ever find out. Unfortunately for them, when lawyers conducted ediscovery for investigations and litigation, they uncovered large volumes of pornography in their clients’ databases. Attorneys were obligated to inform corporate executives of this behavior, including the who, what and when. It was not long before firewalls were installed to block pornographic websites and other nefarious sites.

Lawyers routinely battled over the discovery of electronic data and how to get more data from adversaries in court. Receiving more data also meant reviewing more data. Lawyers reviewed data by looking at every document for relevance and privilege. But what good is it to pore over documents and strategically produce data if a hacker can breach your client’s database, exfiltrate all of the most sensitive data and post it on the dark net? Lawyers needed information security and cybersecurity experts to help block access to the Internet.

Meanwhile, the military and intelligence community were light-years ahead of lawyers. They compiled classified data and kept it from being compromised. The IC was aware of the value of sensitive intelligence data and the hazards of that data falling into the wrong hands. Thus, the military created cybersecurity tools and protocols within the Air Force Computer Emergency Response Team in the late 1990s — primarily network defense tools. Lawyers were largely unaware of and had no access to them, but as corporations and other governmental agencies started looking for ways to protect their most valuable assets, they had to turn to the U.S. government for help. The two professions rarely speak the same language but have the same goals and are often in the room at the same time. For information security and data security, the federal government led the way, with corporations following closely behind, leaving only law firms still lagging.

In 2002, Congress enacted the Federal Information Security Management Act (FISMA), 44 U.S.C. § 3541, et seq. As part of the E-Government Act of 2002, FISMA created the foundation for information security in the federal government and recognized the importance of InfoSEC to the economy and national security.

As data grew, federal CIOs recommended moving data to the cloud to reduce the government’s on-site data storage and risk. Federal CIOs agreed with this protocol, but lawyers did not. Lawyers tend to be risk averse, unfamiliar with cybersecurity and very busy. They had no intention of pushing their data outside of their agency. There was one exception: the Department of Justice has had a contract known as Mega for litigation support for over 20 years. Early on, the Mega contractors were primarily defense companies like Lockheed Martin and CACI. The DOJ controlled the environment and worked seamlessly with the Mega contractors for a couple of decades. All federal agencies could utilize that contract for litigation support help. It was convenient because the security component was handled by the DOJ and the contractors were in the defense business.

However, by 2010, federal agencies were looking to upgrade their ediscovery platforms to more modern and robust tools only available in the cloud. Law firms and corporations were using ediscovery vendors to host robust and revolutionary software applications in their environment. Technology-assisted review, computer-assisted review and predictive coding became the norm for the private sector. These tools were innovative and saved time and money, but for the private sector, there was no standard security protocol for hosting third-party data. In fact, while each vendor follows some form of security protocol today, there is still no standard in the private sector. Vendors cobble their security programs together based on ISO and NIST publications.

In 2011, the Office of Management and Budget authorized, via memorandum, the Federal Risk Authorization Program, and the FedRamp Program Management Office was established in 2012. The purpose of FedRamp was to provide a set of guidelines and protocols for securing government data in the cloud. A FedRamp authorization consists of 170+ controls and subcontrols that secure cloud infrastructures, networks and databases. Many of these controls are policies. The bulk of data in agencies that investigate and litigate is used by attorneys. To avoid breaches of legal data, federal agencies locked down their data behind firewalls.

FedRamp authorization allowed federal agencies to put their data in the cloud, but it was an expensive and painful process for those with no knowledge of cybersecurity. Until this year, only three ediscovery companies have made it through the FedRamp authorization process. Meanwhile, data breaches were becoming a common occurrence.

If you are an attorney and you need ediscovery tools, having them behind the firewall of your corporation, firm or agency is no longer the best option. Having the technical expertise, budget and variable options for the management of terabytes and petabytes of legal data is not usually feasible. Multinational organizations and financial institutions are the only entities that can support such infrastructure, and most of them still use cloud-based vendors for ediscovery.

The best cybersecurity experts come straight out of the government. They are in our armed forces, the intelligence community and entities that include DHS and the White House, and they have been dedicated to protecting our government networks from attack. Therefore, using a FedRamp-authorized vendor is turning out to be the best option for agencies. The FedRamp guidelines work as private sector guidelines too. Legal departments, CISOs and vendors are working together to meet the FedRamp guidelines to build secure environments for the tools of their choice.

The fight to keep data safe has become an extremely complex and expensive endeavor. A 2019 study by Emsisoft reported that in 2019 at least 966 health care providers, government agencies and educational institutions in the U.S. were targeted by ransomware attacks. See The State of Ransomware in the US: Report and Statistics 2019 (Dec. 12, 2019). The cumulative cost of those attacks to taxpayers was more than $7.5 billion. Id. The number of attacks on law firms and corporate legal departments is also increasing and jeopardizing attorney-client privilege. Let us look at some recent data breaches and what could have prevented them.

Federal Breach: OPM

In 2014 and again in 2015, the U.S. government discovered the theft of all personnel security clearance information including background investigation files and fingerprints. The attackers gained valid user credentials and employed malware which installed itself onto the Office of Personnel Management’s network and established a back door. More than 20 million records were exfiltrated. The Chinese government reportedly stole the entire database. The fallout from this breach is so wide-reaching that we may not know just how many Americans were targeted after China analyzed the data. Basic cyber hygiene could have helped prevent, identify and detect the initial attack in the early stages before the hackers had opened access to OPM’s network for almost 18 months. Routine patching, user awareness and trained network defenders would have significantly reduced risk. Also, using enhanced protections and monitoring around the OPM security file database could have reduced damage and exposure of millions of U.S. government employees’ security files.

State Breach: IDES

The Illinois Department of Employment Security contracted with a vendor to launch the Pandemic Unemployment Assistance Portal as an add-on to its unemployment system. The new PUA went live in May 2020. A few days later an outside entity discovered that a spreadsheet with the names, addresses and Social Security numbers of Illinois unemployment applicants was publicly visible on the website. Approximately 32,500 applicants’ personally identifiable information was exposed. This breach has been referred to by officials as a “glitch.” Free credit monitoring services are being offered to the victims.

New IT projects need to be put through an information assurance process, and data projects require quality assurance processes. A good IA process checks all the risks associated with the hardware, software and implementation of both. During the IA process is when any open portals should have been discovered. A good quality assurance program will check all permissions and access for data and would have discovered PII that was public facing. Neither process worked on this project. Contractors need to include these assurances before turning over a new system. The client must be involved and needs to see the results of both processes before going live.

Law Firm Breach: GSMS

Recently, Grubman Shire Meiselas & Sacks, a New York entertainment law firm to the stars, was hit with a ransomware attack. The attackers allegedly demanded 12 bitcoins for the decryption key. At the time of this writing, 12 bitcoins converts to about $111,265 — not a lot of money to a New York law firm. However, approximately 750 GB of attorney-client privileged data was also being offered on the Internet to the highest bidder. Ransomware is a particularly vicious cyberattack because it shuts your business down, destroys goodwill and breaches client trust. Law firms have been especially slow to seek out cybersecurity and information security experts before they get attacked. At least five law firms were hit with the so-called Maze ransomware in January 2020 alone.

Basic user awareness can help block ransomware. Initial attacks usually come in via phishing messages, phone calls and text messages. Never give up sensitive information nor click on links or attachments from unknown senders. Security email filtering and scanning for inbound email to law firms should be in place and only allow trusted file types. Finally, routine security updates for endpoint machines, mobile devices and servers need to be performed to close vulnerabilities.

E-Discovery Vendor Breach: Epiq Global

In February 2020, Epiq Global — an ediscovery vendor with 80 offices worldwide — was the victim of big-game hunting, a practice where Ryuk ransomware attackers go after large enterprises. Epiq Global hosts client data and third-party data for law firms and corporations. The attack followed a format usually used by the Ryuk attackers: A phishing scheme gathers administrator and user credentials to gain access to the network. This opens the door to spying, encrypting data and exfiltrating it or demanding a ransom and extorting the victims. Law firms and corporate legal departments around the world were impacted. The big question for law firms is whether these vendor breaches violate attorney-client privilege.

It comes down to end-user awareness, basic cyber hygiene and information separation as well as partitioned access for sensitive data. End users need to be able to identify potentially malicious messages and alert their cybersecurity team. If one user identifies a malicious message, there are likely nine other staff receiving the same message. Building an alert culture is key to helping secure sensitive data. Additionally, separating key databases and putting up enhanced protections such as access control and monitoring will help detect and identify anomalous behavior. Administrators must use a separate account and a separate machine for troubleshooting and maintenance of the crown jewel datasets. Finally, two-factor authentication for all users greatly reduces risk of user and administrator accounts being compromised.

As we see the ransomware attacks against law firms, state and local governments and corporations increase, the need for a set of cybersecurity standards for law firms that host client data also intensifies. The Association of Corporate Counsel is working on a new Data Steward program that will create a baseline for law firms and corporate counsel. In the meantime, lawyers would be wise to follow the FedRamp Moderate authorization requirements for the hosting of client data. In the long run, it is less expensive than paying a ransom and losing the goodwill and trust of your clientele. Moreover, some of these breaches may eventually constitute a breach of attorney-client privilege and lead the courts to start sanctioning lawyers. The intersection of cybersecurity and ediscovery is complete.


Originally appeared in Cybersecurity Law & Strategy. © 2020 ALM Media LLC. Reprinted with permission.


Remembering eDiscovery Defensibility in a Crisis

Notwithstanding containment efforts, the coronavirus has spread worldwide. According to a recent McKinsey & Co. report, the U.S. economy could be in a state of recovery until as late as 2023. The hardest-hit sectors – commercial aerospace, air & travel, and oil & gas – might not even restart until sometime in 2021.

The COVID-19 pandemic is having a massive impact on a wide range of industries, including the eDiscovery space. However, despite the global crisis, litigation has not stopped and the eDiscovery process continues. Data is being collected, preserved, reviewed, and produced, hopefully in a cost-effective and fully defensible manner.

Pandemic-Proofing Your eDiscovery Defensibility

Covid-19 has vast potential to expose flaws in the eDiscovery workflow, making the need for a defensible process more critical than ever. Here are some ways to strengthen your procedure:

  • Collect data defensibly. Data collection from a custodian’s laptop may not be possible with social distancing guidelines unless remote enterprise-level forensic technology is available. Work with your outside and in-house counsel to formulate and document a plan ranking critical custodians’ availability. Then prioritize available network sources like file shares and email servers while deprioritizing physical media until collection is deemed safe for both collectors and collectees. The active data collection approach will vary from data source to data source, so work with your outside counsel and collection specialist on the best practices for a data source type. If your organization uses Microsoft O365, it might be time to develop a plan and approach for using the eDiscovery & Legal Hold modules in the Security and Compliance Center to streamline and document your collection efforts from Microsoft systems.
  • Document your chain of custody. As the data transitions from its original source (e.g., Exchange, file shares, SharePoint, etc.) to the collection destination such as a data landing zone, maintaining step-by-step documentation in the chain of custody will be critical. Using hash values to track the data packages in your collection process is the best practice for authenticating your data downstream. Whether your organization is using basic spreadsheets or leveraging automated workflow technologies, identifying the individuals on the team who will be responsible and accountable for managing your data and paper trail is vital.
  • Review provider reports. In the face of the pandemic, eDiscovery processing and hosting providers are being pushed to the brink in the management of their businesses, possibly putting significant pressure on their pre-COVID best practices and workflows. As a best practice, work closely with your eDiscovery providers to verify their chain-of-custody documentation, exception reports, and other standard reports that track data and physical media through the entire workflow. Then take the time to review the materials with your provider’s project manager to ensure full documentation.
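The chain-of-custody step above rests on one mechanism: hash the data package when it is collected, record the hash at every hand-off, and re-hash before it is relied on downstream. The script below is an added example, not code from the original post or from any eDiscovery provider; the custody record layout, the stage names and the sample package file are constructed for illustration. It logs each transfer with the SHA-256 observed at that moment and then verifies that every logged value, and the package still on disk, match the hash taken at collection.

```python
"""Hash-based chain-of-custody log for collected data packages.

Added example for the 'Document your chain of custody' step above. Record
layout, stage names and the sample package are CONSTRUCTED for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large packages never sit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_transfer(log, package_path, handed_by, received_by, stage, note=""):
    """Append one custody entry: who handed the package to whom, at which
    stage, and the hash observed at that moment."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "package": os.path.basename(package_path),
        "sha256": sha256_file(package_path),
        "handed_by": handed_by,
        "received_by": received_by,
        "stage": stage,
        "note": note,
    }
    log.append(entry)
    return entry


def verify_chain(log, package_path):
    """Return (ok, problems). ok is True only if every logged hash equals the
    collection hash and the package on disk still hashes to that value."""
    problems = []
    if not log:
        return False, ["empty custody log"]
    baseline = log[0]["sha256"]
    for i, entry in enumerate(log[1:], start=1):
        if entry["sha256"] != baseline:
            problems.append(f"entry {i} ({entry['stage']}) hash differs from collection hash")
    if sha256_file(package_path) != baseline:
        problems.append("package on disk no longer matches collection hash")
    return not problems, problems


def demo(tamper=False):
    """Walk a constructed package through collection -> landing zone ->
    provider; with tamper=True the package is altered before the last hand-off."""
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "custodian_jdoe_mailbox.pst")  # constructed name
        with open(pkg, "wb") as f:
            f.write(b"constructed sample package contents\n" * 1000)
        log = []
        record_transfer(log, pkg, "collector", "landing-zone", "collection")
        record_transfer(log, pkg, "landing-zone", "provider", "transfer to provider")
        if tamper:
            with open(pkg, "ab") as f:
                f.write(b"x")  # simulates a modified or corrupted package
        record_transfer(log, pkg, "provider", "review-platform", "processing intake")
        ok, problems = verify_chain(log, pkg)
        return ok, problems, log


if __name__ == "__main__":
    ok, problems, log = demo()
    print(json.dumps(log, indent=2))
    print("chain intact:", ok, problems)
```

Whether the log lives in a spreadsheet or a workflow tool, the property that matters is the one `verify_chain` checks: an unbroken sequence of identical hashes from collection to review, with a named person at each hand-off.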

Defensibility is the foundation of any eDiscovery workflow. Your organization needs to go the extra mile during this crisis to ensure that nothing falls through the cracks.

Do you have further recommendations regarding enhancing eDiscovery defensibility in a crisis? Tell us about them in the comments!


Responding to a DSAR Request

In a previous post, I discussed what a DSAR is, the laws that such requests arose from, and the importance of having a systematic approach to dealing with a request. Now let us outline the process involved in the actual response to DSAR requests.

An organization is required to provide a DSAR requester with a copy of any relevant information collected or stored. The time to prepare for these requests is before you receive your first DSAR and find yourself not knowing quite what to do with it. Here are the steps to follow when responding to a DSAR:

Conduct a Data Inventory

Before you answer a data request, you need to know where the requester’s data can be found within your organization and allow for easy access and retrieval of the requested information. The data can come in many different forms, including structured data formats, which will require planning on the appropriate output format, such as a PDF or CSV file, to meet the request requirements.

Organize DSAR Requests

You will need to implement a process to classify all incoming DSARs, including who will oversee receiving and organizing the requests. This might potentially be your chief data officer (CDO), who routinely manages, secures, assesses, and oversees the collection and analysis of data. There are technology solutions to help organize DSARs as well as other legal requests that can be implemented to manage the workflow from request to delivery.

Fulfill the Request

A standard process will need to be followed for identifying a valid DSAR request, verifying the requester’s identity, requesting more information, if necessary, determining if the organization possesses the requested data and if so, whether it must be provided, deciding whether charging a reasonable fee is justified (based on the administrative costs associated with providing the data), and finally, providing the information within the required timeframe. Remember that you can’t violate any other person’s privacy rights when delivering data, so you will need to mask or redact any personally identifiable information (PII).

Demonstrate Compliance

According to the provisions of the GDPR, organizations must have the ability to demonstrate compliance with the regulation, including being able to show records outlining all DSARs received. The record should include the data subject’s contact information, a description of the request, when and how the response was made and by whom (including reasons why it was honored or denied) and the time taken to reply.

When responding to a data request, organizations are required to remind the requester that they have the right to object to the processing of the data, request the rectification of it, or lodge a complaint with a supervisory authority.

Next up in this series: DSAR Best Practices and Workflows an Organization Should Follow. Do you have anything to add regarding how to respond to a DSAR request? Tell us about it in the comments!


DSARs 101: What to Expect When Doing Business with EU Customers

For any organization that deals with privacy issues in the European Union and other privacy-centric jurisdictions like the United Kingdom, an effective information governance program is a must. A program that includes a systematic approach to DSARs will significantly minimize exposure to risk.

Several of my clients in the EU have been extensively working through the Data Subject Access Request (DSAR) process and how to best address such requests. The following is the first in a series of articles intended to unpack DSAR challenges.

What is a DSAR?

On its face, a DSAR is a simple written request that can lead to an extremely complex workflow. The request may be made to a company via email, an online form, or another form of communication. Upon receipt of the DSAR, the organization must track the request through to resolution within a specific timeframe, usually 30-45 days (after first verifying the requestor’s identity and existence in their data system).

Under the provisions of two complex sets of laws, the EU’s General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA), a DSAR may be sent to any organization that processes the personal data of individuals residing in the EU.

The General Data Protection Regulation

The GDPR, which became effective on May 25, 2018, is a set of laws intended to standardize privacy regulations across Europe. However, the GDPR does not only affect organizations within the EU. Instead, it pertains to all organizations processing and storing the personal data of individuals in the EU, no matter where the company is located.

According to the GDPR, a data subject is identified as “an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

DSARs are the direct result of the right of access provided for in the GDPR. Such requests might ask for specific personal details or could demand a full list of the personal data being stored. Either way, an organization is required to provide the requester with a copy of any relevant information about them.

The UK Data Protection Act 2018

Countries across the EU have passed or will soon enact their own data protection legislation, and the Data Protection Act 2018 is the UK’s implementation of the GDPR. The DPA provides individuals in the UK with the right to obtain a copy of their personal data and extends the lawful bases for processing sensitive personal information beyond what the GDPR provides. The DPA also sets the minimum age of consent for processing a subject’s data at 13, as opposed to 16 in the GDPR.

According to a 2019 survey conducted by Lexology, since the introduction of the GDPR and the DPA, a growing trend is rapidly emerging: DSARs are increasingly being used by those more aware of their rights surrounding their personal information. This tendency is expected to grow, amplifying the need for businesses to put clear policies and procedures in place that will not only keep them in compliance with the GDPR and the DPA, but also help them avoid costly enforcement action.


Next up in this series: How to Respond to a DSAR Request. Do you have other thoughts to add regarding DSARs? Tell us about them in the comments!


Keep Calm and Carry On: 5 Data Security Do’s and Don’ts for Everyone

Cyber criminals see opportunity in the pandemic. Some exploit security vulnerabilities in remote working. Others prey on people’s fears by crafting phishing emails and malware-infected websites purportedly about the coronavirus.

You don’t have to be a security expert to fight back. We can all make a difference by following good security practices in our day to day work. These are five data security do’s and don’ts for everyone.

DO be patient – with technology, others and yourself.

Millions of employees suddenly have to learn new tools and work habits. Employers are struggling to support a newly remote workforce. Technology providers are straining to meet demand. It’s a recipe for frustration.

When we get frustrated or upset, we’re more likely to make mistakes or take security shortcuts. Instead, cultivate patience. We need to be patient when tools don’t work, organizations are over-burdened and people – ourselves included – are slow to master new technology.

DON’T forget to update privacy and security settings.

Technology helps us be productive and stay connected out of the office, but we have to use it responsibly. Cyber criminals will exploit any security vulnerability. Public settings on social media and collaboration tools leave the door open to trolls.

First, make a rough inventory of devices and programs you use for work: computers; smartphones and tablets; mobile apps; wireless router; smart (connected) devices like Wi-Fi enabled printers; VPN; cloud storage accounts; webmail; collaborative tools like Slack and Zoom; social media accounts. You may be surprised how long the list is.

Next, review and update privacy and security settings. Pay special attention to social media and collaborative platforms; they often default to less secure settings. Unlink accounts while you’re at it (Facebook doesn’t actually need to be linked to everything in your life).

Finally, revisit your passwords. Use strong, unique passwords for all your devices and accounts.

DO thank your information security team.

The security outlook was already grim before Covid-19. Companies and law firms of all sizes are under constant cyberattack. Ransomware is an ever-present threat. IT departments are short on staff and resources.

Information security is a difficult and stressful job, but it doesn’t have to be a thankless one. Take a moment to tell your data security team how much you appreciate their hard work.

DON’T fall for phishing, smishing or fake news.

A majority of data breaches originate in phishing emails. Other methods popular with cyber criminals are smishing (the text message version of email phishing), fake news links in social media and malicious websites. We are the weak link and there are plenty of depressing statistics to prove it.

By the same token, we’re the front-line defense. We thwart a cyberattack every time we recognize a phishing attack or social media scam for what it is.

Be on the lookout for warning signs:

  • You don’t know the sender, or it’s someone you haven’t heard from in a long time and who has no reason to contact you.
  • The message is out of character or the sender doesn’t usually send files or links by email/text.
  • Content clues like missing or different signature block, spelling errors, grammatical mistakes, not the sender’s usual “voice.”
  • The message violates the organization’s security procedures, chain of command, code of conduct, etc.
  • It involves money in any way.

If an email or text might be legitimate but you have even the smallest doubt, verify first. For news, stick to trusted sites. Constant vigilance is essential. Cyberattacks directed at individual technology users are increasingly sophisticated and topical.
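The warning signs listed above can be turned into explainable checks that a user-reporting workflow or a mail-gateway rule can apply and show back to the reader ("sender is not a known contact", "involves money"). The script below is an added example and not from the original post or any mail-filtering product; the known-contacts list, the keyword rules and the two sample messages are constructed. It parses a raw message with the standard library `email` module and reports which of the listed signs are present, so the output is a list of reasons rather than an opaque verdict.

```python
"""Heuristic scoring of the phishing warning signs listed above.

Added example, not from the original post. The contact list, keyword rules
and both sample messages are CONSTRUCTED for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

KNOWN_CONTACTS = {"alice@example-firm.com", "billing@example-vendor.com"}  # constructed
MONEY_WORDS = re.compile(r"\b(wire|invoice|payment|gift card|bank|transfer|urgent)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)

# Constructed message: look-alike domain, link, money pressure, no signature block
SUSPICIOUS = """\
From: "Alice Partner" <alice.partner@examp1e-firm.co>
To: jdoe@example-firm.com
Subject: Urgent wire before 5pm

Please process the attached invoice by wire today, I'm in a meeting.
Link: http://pay.example-invalid/confirm
"""

# Constructed message from a known contact in her usual voice
ROUTINE = """\
From: Alice Partner <alice@example-firm.com>
To: jdoe@example-firm.com
Subject: Draft agenda

I put the agenda notes in the shared folder as usual.

Alice Partner | Example Firm LLP
"""

USUAL_SIGNATURE = "Alice Partner | Example Firm LLP"  # constructed


def score_message(raw, known_contacts=KNOWN_CONTACTS, usual_signature=None):
    """Return (score, flags): one flag per warning sign found in the message."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    body = ""
    attachments = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode(errors="replace")

    flags = []
    if sender not in known_contacts:
        flags.append("sender not a known contact")
    if attachments or LINK.search(body):
        flags.append("contains link or attachment")
    if MONEY_WORDS.search(body):
        flags.append("involves money")
    if usual_signature and usual_signature not in body:
        flags.append("expected signature block missing")
    return len(flags), flags


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        score, flags = score_message(raw, usual_signature=USUAL_SIGNATURE)
        print(f"{label}: score={score} flags={flags}")
```

The look-alike sender address is caught simply because it is not on the known-contacts list, which is the practical form the first warning sign takes: a message is judged against who normally writes to you, not against how plausible it looks.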

DO what you can where you are.

At the end of the day, it all comes down to doing what we can where we are. Following good data security practices for individuals is the baseline.

From leadership to participation, there are many ways to actively support your organization’s security initiatives. Approving a software purchase, raising the alarm about a possible security problem (even if it turns out to be nothing) and attending technology training webinars are just a few examples.

Are you tech-savvy or a remote working pro? Your colleagues need your help.

Cybersecurity is essential business for lawyers and legal professionals. We have an ethical obligation to safeguard clients’ confidential and privileged information. Moreover, clients – and potential clients – need legal counsel and practical assistance in cybersecurity issues.

Data security in the legal sector is both a duty and an opportunity to provide superior service. By educating ourselves about cybersecurity and following best practices, we can all help safeguard our own and our clients’ confidential information.


Coronavirus Home Office Security – Practical Tips for Securing Your “New” Home Office

I’ve been working as an independent consultant for quite some time. Along the journey, I’ve picked up many tips and tricks to maximize productivity while working from home with great results. There have been many articles written about this issue and I hope to add some serious security ideas to the discussion that you may not have considered.

Many of you are being told to work from home with no idea where to start or what matters most. This article is going to focus on practical information to help you secure your home office. Check with your company to see if there are any protocols in place. If not, start with these basics.


Use strong passwords and a password manager

Passwords should be unique for every account and should be a long string of upper- and lower-case letters, numbers, and special characters. Length and uniqueness matter more than any particular mix of character classes: a long password generated by the manager for each site, and reused nowhere, is the goal. Clearly, it’s difficult to remember all these passwords, which is why password managers are such popular tools these days. I use LastPass for saving and accessing passwords, but of course there are other products available. I particularly like LastPass because anything you save to LastPass on one device is instantly available to you on any other device you use. If you don’t already have a LastPass account, you can get started by signing up for a free trial at https://lastpass.com/create-account.php. I am not affiliated with LastPass in any way.
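As an added example (not part of the original article and not LastPass code), the following Python shows two things the paragraph above relies on: generating a password from the operating system’s random source and measuring how much guessing entropy its length buys, and checking a password against the Have I Been Pwned “Pwned Passwords” range API by the k-anonymity method, in which only the first five hex characters of the password’s SHA-1 hash are sent and the full hash never leaves the machine. The network call is replaced by a constructed lookup table (the function `offline_fetch`) so the example runs offline; the suffix for the word “password” is its real SHA-1, the breach counts are invented.

```python
import hashlib
import math
import secrets
import string
from typing import Callable, Tuple

# Alphabet for generated passwords: 52 letters + 10 digits + 32 punctuation = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from `alphabet`, drawn from the OS CSPRNG via
    `secrets` (never the `random` module, which is predictable)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a uniformly random string: length * log2(alphabet size).
    Length dominates: 20 symbols from 94 is about 131 bits, 8 symbols only 52."""
    return length * math.log2(alphabet_size)


def split_sha1(password: str) -> Tuple[str, str]:
    """Upper-case SHA-1 of the password, split into the 5-hex-character prefix
    that is sent to the range API and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity check: `fetch_range(prefix)` returns the API's text for that
    prefix, one 'SUFFIX:COUNT' per line; the suffix is matched locally, so the
    service never learns which password was checked. 0 means not found."""
    prefix, suffix = split_sha1(password)
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>, so the
# example runs offline. The suffix for "password" is real; the counts are invented.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E5A8E1D21D9DB8C6A5C2A4F18B0C1F0A22:1",
    ]),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call; an unknown prefix returns an empty response."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    pw = generate_password(20)
    print(f"generated: {pw}  (~{entropy_bits(len(ALPHABET), 20):.0f} bits)")
    print("'password' seen in breaches:", pwned_count("password", offline_fetch))
    print("generated password seen in breaches:", pwned_count(pw, offline_fetch))
```

To use this against the live service, replace `offline_fetch` with a function that performs the HTTPS GET for the prefix and returns the response body; nothing else changes, and the password itself is still never transmitted.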

Set up two-factor authentication

Multifactor authentication (MFA) is an added layer of security that you can enable within LastPass; it requires a second step, such as a code from an authenticator app or a tap on a hardware key, before you can gain access to your account. Enabling it helps protect your account from keyloggers and other threats: even if your master password were captured, the account could not be opened without the second factor, and a one-time code is of little use to an attacker once its short validity window has passed. Turn it on for your e-mail, your work accounts and anything else that offers it, not just the password manager, since the e-mail account is usually what an attacker uses to reset everything else.


Use a VPN

A Virtual Private Network, or VPN, encrypts the traffic between your device and a VPN server, so the network you are on (your home router, a café’s public Wi-Fi) sees only an encrypted tunnel and the websites you visit see the VPN server’s IP address instead of yours. This protects your traffic from eavesdroppers on the local network, can get around blocking imposed by an ISP or government, and is why a company VPN is the normal way to reach internal systems from home. It is not a blanket guarantee: whoever runs the VPN server (your employer or a commercial provider) can see the traffic where it leaves the tunnel, connections to websites still need HTTPS to be protected end to end, and a VPN does nothing against phishing or malware already on the device. If your company provides a VPN, use it for work. If you rely on a commercial VPN, choose a reputable provider, because you are trusting it with everything you send.

Set up firewalls

A firewall is a network security device, or software on the computer itself, that monitors incoming and outgoing network traffic and permits or blocks packets based on a set of rules. Its purpose is to establish a barrier between your internal network and traffic from external sources (such as the internet), so that nothing on the internet can open a connection to your PC unless you have allowed it.

You probably already have two. The router your internet provider gave you blocks unsolicited inbound connections (and the NAT that home routers perform has much the same effect), and Windows 10 ships with Windows Defender Firewall turned on. Check that both are enabled rather than buying another product; on a Mac, the built-in firewall is off by default and can be turned on under System Preferences > Security & Privacy > Firewall.

Use an antivirus software

Antivirus software is nearly as crucial as a PC’s operating system. Even if you’re aware of potential threats and practice extreme caution, some threats just can’t be prevented without the extra help of an AV program—or a full antivirus suite.

Antivirus software is critical for EVERY PC or device you use at home. Without it, you risk losing your personal information, your files, and even the cash from your bank account.

AV software can keep your Windows PC safe from spyware, Trojans, ransomware and other malware, provided it is kept up to date and is not the only control you rely on.

Windows 10 already includes Microsoft Defender Antivirus, which is a reasonable choice if you keep it enabled and updated. There are quite a few other good options you can easily find with a web search, or better yet, ask your IT person what he or she recommends.


Secure your home router

Wireless internet or Wi-Fi access has become a necessity in the home and workplace, but it can also open a door to risks from hackers, scammers, and identity thieves. Whether in your home or office, an unsecured Wi-Fi router running on the default manufacturer settings is a liability: hackers and Wi-Fi squatters can access your private information and burden your broadband.

If your Wi-Fi network isn’t secured properly (an open network, the default Wi-Fi password printed on the router, or the default administrator password for the router itself), you could be letting anyone with a wireless-enabled device gain access. You might not be worried about someone using your wireless connection, but the real risk is exposing sensitive information you send and receive (your emails, banking information, and maybe even your smart home’s daily schedule) to cybercriminals. At a minimum: change the router’s administrator password, use WPA2 or WPA3 with a long, unique passphrase, turn off WPS and remote administration, and install the router’s firmware updates.

Install updates regularly

On Windows 10, updates for the operating system, Microsoft applications and many device drivers are delivered through Windows Update (Settings > Update & Security > Windows Update); the separate Microsoft Update website described in older guides is no longer used, and Windows Update has taken over its role.

Updates carry the fixes for vulnerabilities that attackers are actively exploiting, so install them promptly, and remember the software Windows Update does not cover: your browser, PDF reader, video-conferencing client and the router firmware mentioned above all need updating too.

I choose the other route: automatic updates. By using Automatic Updates, I don’t have to visit the Microsoft Update Web site to scan for updates. Instead, Windows automatically delivers them to my computer and installs them automatically.


Back up your data

The main reason for data backup is to save important files if a system crash, hard drive failure, theft or ransomware infection occurs. Keep more than one copy: a backup can itself be corrupted or fail, and ransomware encrypts any backup drive that is still connected, so at least one copy should be offline or off-site (a common rule of thumb is 3-2-1: three copies, on two kinds of media, one of them off-site).

Additional backups are also necessary if natural or man-made disasters occur, and a backup you have never restored from is only a hope; test a restore from time to time.

Encrypt your hard drives in Windows 10

Simply locking your PC with a password isn’t enough, because anyone who has the hardware can boot another operating system or pull the drive and read it directly. Windows Hello makes getting past the lock screen harder because it relies on biometrics, but if your information is stored on a drive that can be removed from the machine, the lock screen is irrelevant.

The good news is that you can protect the data at rest on Windows 10 by using BitLocker drive encryption.

BitLocker requires the Pro, Enterprise or Education edition of Windows 10, not Home; Home offers a more limited “Device encryption” only on hardware with a TPM that supports it.

BitLocker can be used to secure both internal and external drives. With a TPM it does more than protect data after you sign in: it measures the boot components and will not release the disk key if they have been tampered with, so the drive stays locked if someone tries to boot it outside the machine it belongs to.

macOS has FileVault built in regardless of the version, but it has to be switched on (System Preferences > Security & Privacy > FileVault).

Beware remote desktop tools

Remote desktop tools aren’t new, but with organizations becoming increasingly international and teams becoming more mobile they’re fast becoming essential. They are also a favourite way in for attackers: Windows Remote Desktop (RDP, TCP port 3389) exposed directly to the internet behind a guessable password is one of the most common entry points for ransomware. Reach your office PC only through the company VPN or a gateway your IT department has set up, keep multifactor authentication on, and never forward port 3389 from your home router to a PC.

A search for remote desktop software reveals a myriad of options. It can be overwhelming navigating past rogue tools, confusing interfaces, and buggy services.

For a great overview, take a look at the 10 Best Free Remote Desktop Tools.


Look out for phishing emails and sites

What is phishing? Phishing is a cybercrime in which a target is contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. Don’t buy into these schemes.

The FTC has a great article surrounding phishing. Take the time to educate yourself on this very real threat.

The FBI’s IC3 (Internet Crime Complaint Center) publishes a chart showing how much money victims have lost. What’s extremely sad is how heavily the scams target the elderly.

Use encrypted communications

In the legal profession, encrypted communications could be critical since we’re dealing with attorney-client privilege so often. I used the website https://haveibeenpwned.com/ and checked my email to see if I had been a victim of a breach, and sure enough, two of my three email addresses have appeared in breaches. A hit there means a service you signed up with was breached, not that your own device was; the right response is to change the password used on that service (and anywhere it was reused) and turn on multifactor authentication. Encryption addresses a different problem, protecting the content of what you send and store, and you can find a list of tools (I installed one myself) at https://www.techradar.com/best/best-encryption-software, including free, paid and business tools and services.

Check your bar association to see if encryption is required in your state to protect confidentiality.


Lock your device

To lock your computer:

Press the Win+L key combination (Win is the key with the Windows logo).

Or open the Start menu, click your account picture and choose Lock, or press Ctrl+Alt+Del and choose Lock. On a Mac, press Control+Command+Q. Also set the screen to lock automatically after a few minutes of inactivity, so that forgetting to do it by hand isn’t fatal. Why lock your computer? I know you didn’t ask that question, right? For step by step directions, go to https://www.wikihow.com/Lock-a-Computer.

Hopefully, I have set out some helpful information and tips to assist your transition to a new, unfamiliar environment. Working from home can certainly have its benefits, but it also comes with major responsibilities. Take the time to meet them.


Putting Data Security First: 3 Simple Steps

The bad news first. An estimated 3.5 million cybersecurity positions will be unfilled globally by 2021.* Leaving data security entirely up to the professionals isn’t a viable option. Like it or not, we’re all on the information security team now.

The good news is there are simple things everyone can do to help. The key is making data security a priority. This post gives three steps anyone can take to develop a security-first mindset.

If you’ve already incorporated security practices into your daily routine, consider sharing these tips with colleagues and clients. Cybersecurity in legal needs more advocates.

1. Embrace (minor) inconvenience in your digital life.

The standard security recommendations for individual users are hardly secret. On the contrary, basic security practices like these are well known:

  • Password-protect everything;
  • Use a strong, unique password for each login;
  • Install updates promptly;
  • Enable auto-lock on inactivity;
  • Keep devices in hand or locked in the trunk when out of office;
  • Never connect to open wifi networks;
  • Don’t link accounts, including social media; and,
  • Make regular backups.

These practices cost little or nothing to follow. They’re also easy to do even for the technology-averse. However, there is a trade-off. Following security best practices does take more time and attention than ignoring security.

The first step is to embrace inconvenience where necessary for security. It’s a small price to pay to safeguard confidential information.

2. Don’t be afraid to speak up – especially when you don’t have all the answers.

The second step is to take ownership of security by speaking up.

The most important time to speak up is when you see, or suspect, a security incident or a violation of security procedures. Be alert to problems from propped-open doors to malware attacks, and report them immediately. Early detection can be the difference between a minor fix and a major breach.

Next most important is when you have a question. (For example, do you know whom to tell, and how, about a possible security incident?) If you don’t know something, you can be certain you’re not alone. You’ll help others in the same situation by asking the question and sharing the answer.

3. Approach email with extreme caution.

Most security incidents originate from email. Phishing continues to be a huge problem across industries (phishing emails purport to be from a trusted sender and seek to induce the recipient to disclose personal information or open a malware-infected attachment or link). Spear-phishing (personalized, targeted phishing) and whaling (spear-phishing against high-value targets like top management) are more sophisticated by the day. Law firm websites and legal professionals’ LinkedIn profiles are a data mine for bad actors building convincing lures.

The third step is to approach email with extreme caution. Especially a) if the request involves money or personal information or b) the message contains an attachment or link. Ask yourself:

  • Do I know the sender?
  • Am I expecting this email?
  • Does it have the right signature block?
  • Does this person normally send files or attachments by email?
  • Does the content match the sender’s identity and role?
  • Are there spelling errors or grammatical mistakes?
  • Is the “voice” right?
  • Have there been any emails or other communications leading up to this message?
  • Are there other recipients on the message?
  • Does the request violate my organization’s procedures?

If an email might be legitimate but you have even the smallest doubt, verify first. Ask IT or contact the purported sender by a different medium (phone call, text, etc.).

In short, make skepticism your default attitude to both work and personal email.
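The two checklists on this page, the warning signs under “DON’T fall for phishing, smishing or fake news” and the questions above, are for the human reader. As an added example that is not part of the original post, here is how a few of the mechanical signs can be checked in Python with the standard library: a Reply-To address on a different domain from the From address, a display name that names the firm while the address is on some other domain, a link whose visible text shows one host while its href points to another, and the page’s “it involves money in any way” sign as a crude keyword match. The firm’s domain acme.example, the name “Acme” and both sample messages are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Assumptions for this example: the firm's own mail domain, and the name an
# impostor would put in the display name to look like the firm.
TRUSTED_DOMAINS = {"acme.example"}
ORG_NAMES = {"acme"}
# The page's "it involves money in any way" sign, as a crude keyword check.
MONEY_WORDS = re.compile(
    r"\b(wire|invoice|payment|gift ?card|urgent|immediately|password|verify)\b", re.I)


def domain_of(address: str) -> str:
    """Lower-cased domain part of a bare e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


class _Links(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_message(raw: str) -> List[Tuple[str, str]]:
    """Return (sign, detail) pairs for the mechanical phishing signs in one message."""
    msg = message_from_string(raw, policy=policy.default)
    findings: List[Tuple[str, str]] = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"From {from_dom}, replies go to {reply_dom}"))

    # Display name claims the firm, but the address is on another domain.
    if from_dom not in TRUSTED_DOMAINS and any(n in from_name.lower() for n in ORG_NAMES):
        findings.append(("display-name-spoof", f"'{from_name}' but sent from {from_dom}"))

    # Visible link text shows one host while the href goes somewhere else.
    body = "".join(part.get_content() for part in msg.walk()
                   if part.get_content_type() in ("text/plain", "text/html"))
    links = _Links()
    links.feed(body)
    for text, href in links.links:
        shown = urlparse(text).hostname if "://" in text else None
        target = urlparse(href).hostname
        if shown and target and shown != target:
            findings.append(("link-mismatch", f"shows {shown}, points to {target}"))

    if MONEY_WORDS.search(f"{msg.get('Subject', '')}\n{body}"):
        findings.append(("money-or-credentials", "asks about money, payment or credentials"))
    return findings


# Constructed sample messages: one lure, one ordinary internal e-mail.
PHISH = """From: "Acme Legal Accounts" <accounts@acme-legal-secure.com>
Reply-To: <acme.billing@mail.example.net>
To: associate@acme.example
Subject: Urgent: overdue invoice
Content-Type: text/html; charset="utf-8"

<html><body><p>Please verify the wire details today:
<a href="http://acme-legal-secure.com/login">https://portal.acme.example/invoice</a></p></body></html>
"""

LEGIT = """From: "Jane Doe" <jane.doe@acme.example>
To: associate@acme.example
Subject: Agenda for Thursday
Content-Type: text/plain; charset="utf-8"

Hi, the agenda is on the intranet: https://intranet.acme.example/agenda
Thanks, Jane
"""

if __name__ == "__main__":
    for name, raw in (("lure", PHISH), ("internal", LEGIT)):
        print(name, "->", check_message(raw) or "no mechanical warning signs")
```

A clean result from this kind of check proves nothing (a compromised colleague’s real mailbox passes every test), which is why the page’s advice to verify by another channel still applies whenever money or credentials are involved.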

Confidential client information is the lifeblood of the law. Moreover, as eDiscovery professionals we’re squarely in the data business. We owe it to our clients, our employers and ourselves to adopt a security-first mindset.

*Cybersecurity Ventures’ prediction based on 2019/2020 Official Annual Cybersecurity Jobs Report sponsored by Herjavec Group

The Mindful Data Transfer – Bringing Balance to Cross-Border Discovery and EU Data Protection Obligations

The implementation of the European Union (EU)’s General Data Protection Regulation (GDPR) has raised a number of questions as to how best to approach cross-border discovery. Friction between legal holds and the “right to erasure,” anxiety about the scope of collections amid data minimization requirements, and considerable financial and operational penalties for failure to comply with the GDPR have created an environment of trepidation about how, and where, to best process, host, and review EU data in connection with US-based eDiscovery. In particular, risk associated with data transfers and access to data has prompted a data location-centric and localized view toward the management of EU data that is subject to discovery.

But let’s stop for a moment and take a deep breath here.

The timorous approach of limited data transfer and localized-only management of EU personal data actually stands in contrast to what the GDPR is designed to do, which is ensure a high level of protection of personal data while ALSO facilitating the free flow of personal data both within the European Union AND to third countries (i.e. those countries outside of the European Economic Area).

Even with limited case law on the GDPR, and an enforcement picture that’s still developing, we have regulatory guidance that reflects an understanding of the need for data transfer in cross-border investigations and pre-trial discovery procedures, provided by the Article 29 Working Party (WP29, the group of regulatory representatives since succeeded under the GDPR by the European Data Protection Board, EDPB).

By implementing appropriate data management across the EDRM that is adequate, relevant and limited to what is necessary in each discovery exercise, it is possible to strike a balance between discovery needs and EU data protection requirements.

More specifically, cross-border discovery success can be ensured by following a mindful approach to data transfer and access, steeped in awareness of not only the impacts and risks for data subjects and custodians, but also including the best practice methods and technical measures needed to ensure the security and confidentiality of data.

Such a mindful approach to cross-border transfer and discovery brings greater assurance and clarity, but is not without responsibility. It requires balancing data collection, processing, and data transfer requirements with an understanding of how best to approach the data protection rights of EU individuals. The key for gaining certainty in understanding resides in the following recommended practices:

Assessing the impact for data subjects

Though it predates the GDPR, WP29 guidance on pre-trial discovery for cross-border litigation strongly promotes balancing the obligations of the discovery process with the potential impacts to the rights and freedoms of data subjects. Considerations should include the necessity and proportionality of data collected for discovery and ensuring that adequate safeguards and protections are in place.

There is little to suggest that these considerations have changed all that much under the GDPR. In fact, the need for organizations to document their decisions and analyses related to cross-border discovery “balancing” is underscored by the accountability obligations of the GDPR, and particularly via the data protection impact assessment (DPIA) requirement. It is possible to demonstrate the necessary awareness of, and commitment to, the protection of EU personal data by carrying out a DPIA with analysis of impacts to data subjects and ensuring the documented measures are in place for remediation.

In the event discovery is subjected to a regulatory oversight inquiry, the DPIA provides the appropriate documentation of GDPR compliance considerations and balancing of EU data protection requirements with discovery, as well as solid evidence of good faith data protection efforts.

Applying technical and organizational measures for security

Article 32 of the GDPR lays out the framework for implementing the technical and organizational measures required to ensure a level of security appropriate to the risks presented for data subjects. For discovery processes, this will mean ensuring ongoing confidentiality, integrity, availability and resilience of data processing and hosting systems, and could even mean adopting a recognised security standard such as ISO/IEC 27001 to demonstrate the maturity of those measures.

While risk-averse organizations may have taken to limiting or eliminating data transfers and following a localized, in-country approach to data processing, hosting, and review to avoid the specter of GDPR enforcement, it can be argued that the real risk is in failing to approach the technical and organizational measures required for security in a holistic and well thought-out manner. Think about it: data that exists in an insufficiently secure environment within the borders of a single jurisdiction is likely more at risk than data that is securely protected in its place of origin, while in transit, and in a cross-border location that is also securely protected.

The crux of these requirements is protection for the data subject, not limitations around data movements.

Accordingly, a mindful approach to cross-border discovery will look to the interests of the client by focusing on robust security, and not choking off the flow of data, as the real means to ensuring success and cost mitigation under the GDPR.

Ensuring lawful and secure transfer and remote access to personal data

Given the spirit, purpose, and intention of the GDPR as a means of protecting an individual’s personal information while also fostering the free flow of data, a position to keep data localized in the EU simply because of the GDPR’s limitations on transfers to third countries outside the EEA would seem misguided. Reality is more nuanced.

A mindful approach to data transfer is focused on ensuring that the data protection guarantees enjoyed by individuals in the EU are not lost when the data is transferred overseas. Carrying out discovery requirements solely in-country misses the point, and potentially at considerable financial and logistical/operational expense.

The transfer requirements of GDPR Chapter V are not intended to prohibit data transfers entirely, but rather to ensure that the appropriate safeguards exist when transfers take place to countries (such as the US) where substantially equivalent protections have not been defined for individuals.

Accordingly, a mindful approach to data transfers, as with other elements of cross-border discovery, entails considering how data subjects can be protected throughout the process.

Despite some continued concerns about its efficacy, the Privacy Shield self-certification mechanism allows for the transfer of data to the United States, and does so by extending GDPR protections to EU individuals. It has now passed annual review twice. Intra-company transfers are allowable under the Privacy Shield, as well as transfers to other Privacy Shield signatory companies. Note that the Court of Justice of the EU invalidated the Privacy Shield adequacy decision in July 2020 (Schrems II), so it can no longer be relied on as a transfer mechanism; the standard contractual clauses and Binding Corporate Rules discussed next remain available.

Those organizations that do not have a Privacy Shield certification in place, or fall outside the jurisdiction of the Federal Trade Commission or Department of Transportation (the US agencies which oversee the framework), can rely on the standard contractual clauses (sometimes called model clauses or model contracts), or Binding Corporate Rules (which are subject to direct DPA approval), as a means of transfer.

What all these transfer mechanisms have in common is that they ensure the appropriate safeguards are in place for data protection, including the appropriate security measures, in addition to providing for enforceable data subject rights and effective legal remedies for individuals. As with the entirety of the GDPR, the focus is on the individual and protection of their rights, not curtailing global business operations for the sake of keeping data in the EU.

If there was any doubt about the legislative intent and enforcement prerogatives, we also have guidance from the European Data Protection Board (EDPB) on the derogations for data transfer under GDPR Article 49 in specific reference to circumstances for cross-border discovery and the necessity for transfer. The derogations are exemptions for limited, non-repetitive data transfers in specific situations where no other transfer mechanism applies, and Article 49(1)(e) provides an exemption for transfers “necessary for the establishment, exercise, or defense of legal claims.”

The EDPB guidance on this provision states that this derogation is intended to cover a range of activities, including formal pre-trial discovery procedures, civil litigation, and administrative investigations, such as in the anti-trust context. Accordingly, we have evidence here that not only are regulatory authorities aware of the fact that data transfers are an inevitable result of cross-border discovery, but they are in fact providing a clear means with which to carry out those transfers in a lawful manner, given the appropriate conditions and safeguards for data subjects.

It should also be noted that remote access to data located in the EU is considered a transfer under the best understanding we have at the moment through limited European Court of Justice case law and WP29 opinions that pre-date the GDPR. That said, given what we know about DPA awareness of cross-border discovery transfer requirements and the free flow of data under the GDPR, there is a strong argument to be made that limited access to EU data by US-based processing and/or IT service teams is permissible transfer, provided that access is adequate, relevant, and limited to what is necessary for the cross-border discovery process.

Clear implementation of protections for data subjects, documented considerations of risk remediation, and strictly limited access and oversight protocols will be substantial indicators of thoughtful consideration of the compliance requirements at play when determining an appropriate approach to remote access.

Serenity Now – Fostering Cross-Border Discovery through Careful Consideration of Data Protections

GDPR requirements are neither prescriptive nor proscriptive, and in a wave of uncertainty regarding what compliance frameworks should look like, how data transfers should be appropriately handled, and potential sanctions for non-compliant discovery operations, organizations have been quick to consider in-country processing, hosting, and review as the only answer to meeting GDPR compliance.

However, a compliant approach to GDPR really requires a carefully documented analysis and consideration of the impacts for data subjects, and implementation of the best-suited security protections and appropriate safeguards given an organization’s litigation profile and cross-border operational structure. A degree of assurance and certainty can then be achieved with these measures in place. While some in-country data processing may still be necessary to ensure that personal data subject to cross-border discovery is indeed adequate, relevant and limited, there is nothing to suggest a prohibition on transfer is necessary or required. Further, limiting cross-border litigation expense and operational impacts is possible through a mindful approach to discovery. Namaste.