3 Quick Tips To Improve Email Security

General counsel, IT professionals and CEOs frequently lose sleep worrying about data security, including email security. Worldwide, people send approximately 205 billion emails each day! The average business user sends and receives 125 emails. Today, businesses rely on email for the majority of their communications, including those transmitting sensitive information.

Email was developed when the internet was a much smaller place. At that time, its inventors never intended that email become the primary form of business communication. As such, email security was not a concern.

A brief explanation of how the internet works illustrates why email is so vulnerable. During transmission, an email passes through multiple points of vulnerability. Once you hit the send button, your email travels through a series of switches and routers, likely owned and operated by different entities. Hackers can read your email if even one of these points is not secure. Scary stuff!

Consider how many of your emails contain sensitive information. For example, emails with outside counsel frequently contain non-public information about publicly-traded companies. Emails in employment cases often contain personally identifiable information or personal healthcare information. Hackers relentlessly pursue this type of information.

Now that you are properly frightened, what can you do? Short of instituting a system that encrypts all of your email with outside counsel, there are three easy ways that you can better secure your email.

3 Easy Ways to Improve Email Security

  1. Do not include sensitive data in the body of an email. Instead, include it only in an attachment, encrypted with a password. Microsoft Office makes it easy to encrypt documents. You simply go to File>Info>Protect Document and select Encrypt with Password. Next, create a password and press enter. You have now encrypted your document!
    How to encrypt a Microsoft Office document with a password.

    Be sure to then send the password to the recipient in a separate email or, preferably, by voice or text. Otherwise, including the password in the same email as the attachment defeats the purpose of encryption!

  2. Encrypt PDFs in Adobe Acrobat before sending them by email. To do this, open the PDF and choose Tools>Protect>Encrypt>Encrypt with Password. If you then see a box asking whether you want to change the security settings on the document, click yes. Next, click the box labeled “Require password to open the document.” Then, enter a password at the top of the encryption box.

    How to encrypt a PDF document with a password in Adobe Acrobat.

  3. Although not as secure as encryption, a final method for securing a document sent by email is to zip the document and require a password to open the zip file. A variety of low-cost or free programs are available online to add this feature. This approach does not provide encryption, but it is more secure than sending the document without any protection.
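All three tips come down to one question that is easy to get wrong in a hurry: is the attachment actually protected before the send button is pressed? The script below is an added example, not code from the original post, that inspects a file's bytes and reports which protection it found, using only the Python standard library. It relies on three documented file-format facts: an Office document saved with Encrypt with Password becomes an OLE compound file containing an EncryptedPackage stream, a password-protected PDF carries an /Encrypt entry in its trailer, and a ZIP archive marks each protected entry with bit 0 of its flag field. The sample files at the bottom are constructed in memory for illustration, and the function and sample names are the example's own.

```python
"""Pre-send attachment check: is this file actually password-protected?

Added example (not from the original post); standard library only.
"""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory-entry names are stored as UTF-16LE inside the file.
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")
ZIP_ENCRYPTED_FLAG = 0x0001  # general-purpose flag bit 0: entry is encrypted


def attachment_protection(data: bytes) -> str:
    """Classify an attachment's protection from its raw bytes.

    Returns one of: 'pdf-encrypted', 'pdf-plaintext', 'office-encrypted',
    'office-plaintext', 'zip-password', 'zip-plaintext', 'unknown'.
    """
    if data.startswith(b"%PDF"):
        # A password-protected PDF has an /Encrypt entry in its trailer
        # (or cross-reference stream dictionary).
        return "pdf-encrypted" if re.search(rb"/Encrypt\b", data) else "pdf-plaintext"

    if data.startswith(OLE_MAGIC):
        # Office "Encrypt with Password" wraps the document in an OLE
        # container with an EncryptedPackage stream. A legacy binary
        # .doc/.xls without that stream is conservatively reported as
        # unprotected.
        return "office-encrypted" if ENCRYPTED_PACKAGE in data else "office-plaintext"

    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "[Content_Types].xml" in zf.namelist():
                # An OOXML document that is still a readable ZIP was saved
                # without a password.
                return "office-plaintext"
            # Every entry must carry the encrypted flag; one clear entry
            # means the archive leaks that entry.
            flags = [zi.flag_bits & ZIP_ENCRYPTED_FLAG for zi in zf.infolist()]
            return "zip-password" if flags and all(flags) else "zip-plaintext"

    return "unknown"


def safe_to_send(data: bytes) -> bool:
    """True only when some password mechanism protects the attachment."""
    return attachment_protection(data) in {"pdf-encrypted", "office-encrypted", "zip-password"}


# ---- constructed samples (stand-ins for real files) ----

def sample_docx() -> bytes:
    """Constructed stand-in for an unencrypted .docx: a ZIP with OOXML parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>SSN 123-45-6789</w:document>")
    return buf.getvalue()


def sample_encrypted_office() -> bytes:
    """Constructed OLE-magic blob carrying the EncryptedPackage stream name."""
    return OLE_MAGIC + b"\x00" * 64 + ENCRYPTED_PACKAGE + b"\x00" * 64


def sample_pdf(encrypted: bool) -> bytes:
    """Constructed minimal PDF; the encrypted variant has /Encrypt in the trailer."""
    trailer = b"trailer\n<< /Root 1 0 R"
    if encrypted:
        trailer += b" /Encrypt 2 0 R"
    return b"%PDF-1.7\n" + trailer + b" >>\n%%EOF\n"


def sample_zip(protected: bool) -> bytes:
    """Constructed one-entry ZIP; optionally marks the entry as password-protected.

    The standard library cannot write encrypted entries, so the sample sets
    the 'encrypted' bit by hand in the local header (flags at offset 6) and
    in the central-directory entry (flags at offset 8). Only the flag is
    exercised; the entry's bytes are left as they are.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "confidential")
    raw = bytearray(buf.getvalue())
    if protected:
        raw[6] |= ZIP_ENCRYPTED_FLAG
        cd = raw.find(b"PK\x01\x02")
        raw[cd + 8] |= ZIP_ENCRYPTED_FLAG
    return bytes(raw)


if __name__ == "__main__":
    for label, blob in [("docx", sample_docx()), ("office-enc", sample_encrypted_office()),
                        ("pdf", sample_pdf(False)), ("pdf-enc", sample_pdf(True)),
                        ("zip", sample_zip(False)), ("zip-pw", sample_zip(True))]:
        print(f"{label:11} -> {attachment_protection(blob):17} safe={safe_to_send(blob)}")
```

The check only tells you that a password mechanism is present, not how strong it is: it cannot tell an AES-protected Office file from a legacy scheme, nor an AES-protected ZIP from one using the weak classic ZIP password scheme. It fails in the safe direction (anything it cannot recognise is reported as unprotected), and it pairs with the rule in tip 1: the password goes out through a separate channel, never in the same email.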

No method provides foolproof security. Nonetheless, a little effort goes a long way toward protecting your sensitive information and helping you sleep better.

Photo courtesy of Christoph Scholz on Flickr.

You Were Just Appointed General Counsel – Now What?

Ben W. Heineman, Jr., former Senior Vice President and General Counsel of General Electric Company

You worked for years to reach this goal – your first general counsel position. There were countless sleepless nights as you planned how to get here. Now that you have arrived, you still can’t sleep. In fact, your insomnia has grown worse as you grope around, uncertain of your role in the company. You are not alone!

The general counsel’s job has become extraordinarily complex. On the one hand, GCs are charged with ensuring that their companies stay within the boundaries of the law. On the other hand, corporations are in business to make money. If a general counsel raises too many objections and consistently says no, his company’s business may suffer. Not to mention, the C-suite will no longer look to the general counsel as a trusted adviser and partner.

The stakes are high for businesses that focus on profits over sound risk management. For example, in the days following the Deepwater Horizon oil spill, BP gas station owners reported a 10 to 40 percent drop in sales. Shareholder value also plummeted 55% within two months of the spill. In total, the spill cost BP $61.6 million.

Ben Heineman, General Electric’s GC from 1987 to 2005, has carefully considered this conundrum in his book, “The Inside Counsel Revolution: Resolving the Partner-Guardian Tension.” According to Ben, general counsel must embody four principles to succeed in the job.

Four Principles for an Effective General Counsel
  1. Corporate mission. The corporate mission must fuse high performance with high integrity and sound risk management.
  2. Lawyer-statesman. The general counsel must serve as an advocate, not just for what is legal but also for what is right.
  3. Partner-guardian. The general counsel serves as a partner to the CEO, as well as the protector of the corporation. This is, perhaps, the most difficult role to balance and requires independence and courage on the part of the general counsel. It also requires alliances with key corporate leaders, and a close relationship with the board and CEO.
  4. Culture of integrity. Finally, a GC must foster a culture of integrity.

Ben notes that, for a general counsel to succeed, the CEO must share the same vision of the GC’s role. Otherwise, conflict is inevitable, and the general counsel must be prepared to leave.

David Lat, managing editor of Above the Law, has also offered sound advice to new GCs. His article, “10 Tips For A New General Counsel,” is a must-read for any general counsel, new or experienced, offering real insight into the role.

Congratulations on becoming general counsel. Now, download Ben’s book, read David’s article, and sleep well tonight.

Photo courtesy of Widener University Delaware Law School on Flickr.

Data Breaches, Part 4 – Are Your Vendors A Weak Link?

For the first time in weeks, you slept well last night, confident that your expensive consultant found every hole in your company’s data-security program. The board of directors was thrilled with your report on the robust, new data-security policy that you personally approved. But, did your consultant look deep enough? Did she realize that although your company encrypts emails containing personally identifiable information, one of your vendors does not encrypt its responsive emails containing the same information? Did she understand your business well enough to realize that a service provider collects and stores customers’ personally identifiable information on its servers through the app it designed for your company?

Implementing reasonable security measures to avoid civil and regulatory liability requires a careful audit of all points of vulnerability. One of those points is your vendors. As such, any data-security audit should examine your vendors’ data-security protocols.

Not every company is that careful, however. We routinely read in the press about companies facing scrutiny because their vendors exposed sensitive customer information. For example, Allison Grande at Law360 recently reported that a vendor breach exposed the names, dates of birth, and social security numbers of more than 5,000 patients of a health care provider.

Regulators have taken note, though, and are going after vendors responsible for data breaches. One such enforcement action occurred in 2016, when the FTC required a dental-practice software vendor to pay $250,000 to settle FTC charges that it falsely advertised the level of encryption it provided to protect patient data.

Many companies are pushing back against vendors who refuse to improve their data-security systems. In the February 2017 edition of Financial Planning Magazine, Suleman Din, managing editor of SourceMedia’s Investment Advisory Group, wrote a great article discussing how financial advisers can ensure that their vendors adequately protect client data. According to the article, the financial advisory firm Heron Financial Group regularly reviews its vendors’ data-security practices. The article reports that Heron is unwavering and has fired vendors whose security was inadequate.

Five Key Steps to Protect Data Shared with Vendors

Although you can never be certain about your vendors’ practices, there are ways to better protect your data:

  1. Perform due diligence. How much do you really know about your vendors’ data security systems? Ask questions and verify the answers.
  2. Limit third-party access. Only grant access to data that your vendors must have to service your business. When doing so, provide access solely through a secure, encrypted portal. Additionally, segment that portal from the rest of your network. Finally, limit the number of vendor employees granted access to your data.
  3. Encrypt communications. Require that your vendors encrypt all emails containing sensitive data.
  4. Verify compliance. Don’t just take their word for it. Instead, perform periodic audits of your vendors’ data-security systems.
  5. Put it in writing. Include provisions in vendor contracts to protect your data. These clauses should establish minimum data-security standards. Your contracts should also permit audits of your vendors’ data-security protocols. Importantly, these contracts should require that your vendors immediately report all data breaches.

These are just a few steps to consider. However, they will go a long way toward better protecting sensitive information shared with vendors. In future posts, I will offer useful data-security clauses for your vendor agreements.

Photo courtesy of wistechcolleges on Flickr.

Data Breaches, Part 3 – Hackers Can’t Steal What You Don’t Have

Does your company collect and keep only the information that is essential for your business? If not, your company is exposing itself to unnecessary risk in the event of a data breach. Data breaches often cause unnecessary liability because companies did not carefully consider what information they actually needed.

Many past data breaches had two consistent themes: 1) companies collected data that was unnecessary for their business; and 2) companies kept sensitive data longer than necessary.

Over-Collecting Data

In the early days of e-commerce (and perhaps even more recently), many companies collected as much customer information as possible. Why not? The marketing department was thrilled at the prospect of collecting that much demographic information about your customers. All of this data created unprecedented targeted-marketing opportunities. And, in the event you had to chase a delinquent customer, your collections department knew everything about them since they were in first grade.

Unfortunately, criminals quickly recognized this treasure trove of data. Today, nearly every business connected to the internet is the target of hackers trying to steal information.

Regulators also took note of this over-collection of data. For example, in 2012, the FTC filed a complaint against RockYou, Inc., alleging that the company violated numerous statutes by collecting users’ email addresses and passwords and storing them in clear text. According to the FTC, RockYou had no legitimate business need for that information. RockYou settled the case with a lengthy consent decree, instituting a detailed compliance and monitoring program. RockYou also agreed to pay a $250,000 fine. All of this was in addition to the legal and investigative costs to respond to the breach.

Unnecessarily Keeping Data

Liability doesn’t just arise from collecting unnecessary data. Your company also faces liability if it keeps customer data longer than necessary. In 2005, the FTC filed a complaint against BJ’s Wholesale Club, alleging that BJ’s created an unnecessary risk by storing customers’ credit card information for up to thirty days when it no longer had a business need to do so. BJ’s resolved the case with a consent order with the FTC.

Lessons Learned from Past Data Breaches

There are a number of lessons learned from data breach cases brought by the FTC:

  1. Only collect customer information that is essential for the transaction.
  2. Keep customer information for no longer than necessary for the transaction.
  3. Do not collect sensitive information, such as Social Security numbers, unless you have a legitimate business need for the information. If collected, encrypt this sensitive data and purge it as soon as possible after the transaction concludes.
  4. If your company uses a mobile app, ensure that the app only accesses the data and functionality that it needs.
  5. Do not keep customers’ credit card numbers or expiration dates longer than necessary. Also, encrypt this data so that only employees with a critical need can access it.
  6. Limit access to data. Employees should have access to the least amount of data necessary to do their jobs.
  7. Don’t use real customer information in training sessions or for development of new applications. Instead, use fictitious information.

Prevention is far cheaper than a regulatory complaint or a class action lawsuit. As such, your business units should seek legal department approval for the types of information that they want to collect from customers. Legal should also review and approve policies for storing and purging customer data. These two changes will go a long way toward reducing your liability in the event of a breach.

Photo courtesy of Blue Coat Photos on Flickr.

Data Breaches, Part 2 – “Reasonable Security Measures” Will Protect More Than Just Your Data

There once was a time when in-house lawyers could sleep soundly and let the computer experts stay up at night worrying about IT issues. Those days are long gone (if they ever really existed at all)!

Courts and regulators require that companies take “Reasonable Security Measures” to protect personally identifiable information and personal healthcare data. But, what exactly does that mean? How do you know if your company’s data security measures will be deemed reasonable? These are questions squarely within the legal department’s wheelhouse.

There is no one-size-fits-all solution to data security that will satisfy every court and regulator. However, several government and private organizations have published data security standards. Following these standards will go a long way toward protecting your company, both from experiencing a data breach and defending itself in the event one occurs.

Numerous statutes require that companies provide reasonable security for sensitive, personal information. These statutes include the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, HIPAA and the Federal Trade Commission Act, among others. Also, nearly every state has now enacted some form of data-privacy statute. While certain central concepts of data security apply regardless of the industry and the data, each of these acts may require additional steps to maintain reasonable personal data security.

The Federal Trade Commission

The Federal Trade Commission has taken the position that a data breach can constitute an unfair and deceptive trade practice. As a result, since 2002, the FTC has brought approximately 60 cases against companies alleged to have put consumers’ personal data at unreasonable risk. These cases have led to fines in excess of $1 million, as well as injunctions. In one case, LifeLock agreed to pay $100 million to consumers to settle FTC contempt charges that the company violated the terms of a 2010 federal court order that required the company to secure consumers’ personal information.

All the news coming from the FTC is not bad, however. In an effort to assist companies in protecting consumer information, the FTC has issued written guidance in two documents explaining how companies can protect consumer data and, thereby, avoid liability.

Protecting Personal Information, A Guide for Business

The first FTC guidance document is called, Protecting Personal Information, A Guide for Business. According to this document, “a sound data security plan is built on 5 key principles.”

FTC Principles for Data Security
  1. Take Stock. Know what personal information you have in your files and on your computers.
  2. Scale Down. Keep only what you need for your business.
  3. Lock It. Protect the information that you keep.
  4. Pitch It. Properly dispose of what you no longer need.
  5. Plan Ahead. Create a plan to respond to security incidents.

The guide provides further detail for each of these five principles, and I strongly encourage you to study it.

Start with Security, a Guide for Business

The second document, Start with Security, a Guide for Business, contains ten lessons learned from more than 50 FTC cases. These lessons provide concrete steps to protect sensitive data. And, the FTC discusses them in greater detail than the five FTC principles mentioned above. Thus, every chief legal officer and chief information security officer must consider them.

Ten Lessons on Data Security
  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

Other Important Standards for Establishing Reasonable Security Measures

The FTC is not the only organization that has issued standards for data security. Courts and regulators may also consider the following documents when deciding whether a company implemented reasonable security measures:

  1. NIST Cybersecurity Framework.
  2. SEC OCIE 2015 Cybersecurity Examination Initiative.
  3. California Attorney General’s 2016 Data Breach Report.
  4. National Association of Corporate Directors’ Handbook on Cyber Risk Oversight.
  5. Center for Internet Security Critical Security Controls (CIS Controls).

As you can see, what constitutes “reasonable security measures” is a complicated question, with no single answer. Moreover, the answer depends, to a certain extent, on the type of data involved. Nonetheless, companies today cannot avoid seeking the answer to this question. The financial and reputation risks are too high to do otherwise.

Chief legal officers also no longer have the luxury of claiming that they are not “tech-savvy” and deferring to the information technology department. The issues extend beyond technical concepts into questions that merge the technical with the legal. As such, chief legal officers must immerse themselves in this topic to protect both their companies and their careers.

Photo courtesy of Blue Coat Photos on Flickr.