Tag: Data Breach

3 Quick Tips To Improve Email Security

Do not hack.General counsel, IT professionals and CEO’s frequently lose sleep worrying about data security, including email security. Worldwide, people send approximately 205 billion emails each day! The average business user sends and receives 125 emails. Today, businesses rely on email for the majority of their communications, including those transmitting sensitive information.

Email was developed when the internet was a much smaller place. At that time, its inventors never intended that email become the primary form of business communication. As such, email security was not a concern.

A brief explanation of the internet illustrates why email is so vulnerable. During transmission, an email encounters multiple points of vulnerability along the internet. Once you hit the send button, your email travels through a series of switches and routers, likely owned and operated by different entities. Hackers can read your email if only one of these points is not secure. Scary stuff!

Consider how many of your emails contain sensitive information. For example, emails with outside counsel frequently contain non-public information about publicly-traded companies. Emails in employment cases often contain personally identifiable information or personal healthcare information. Hackers relentlessly pursue this type of information.

Now that you are properly frightened, what can you do? Short of instituting a system that encrypts all of your email with outside counsel, there are three easy ways that you can better secure your email.

3  Easy Ways to Improve Email Security

  1. Do not include sensitive data in the body of an email. Instead, include it only in an attachment, encrypted with a password. Microsoft Office makes it easy to encrypt documents. You simply go to File>Info>Protect Document and select Encrypt with Password. Next, create a password and press enter. You have now encrypted your document!
    How to encrypt a Microsoft Office document with a password.
    How to encrypt a Microsoft Office document with a password.

    Be sure to then send the password to the recipient in a separate email or, preferably, by voice or text. Otherwise, including the password in the same email as the attachment defeats the purpose of encryption!

  2. Encrypt PDF’s in Adobe Acrobat before sending them by email. To do this, open the PDF and choose Tools>Protect>Encrypt>Encrypt with Password. If you then see a box asking whether you want to change the security settings on the document, click yes. Next, click the box labeled, “Require password to open the document.” Then, enter a password at the top of the encryption box.

    Improve email security of a PDF document through encryption.
    How to encrypt a PDF document with a password in Adobe Acrobat.
  3. Although not as secure as encryption, a final method for securing a document sent by email is to zip the document and require a password to open the zip file. A variety of low cost or free programs are available online to add this feature. This approach does not provide encryption, but it is more secure than sending the document without any protection.

No method provides foolproof security.  Nonetheless, a little effort goes a long way to protecting your sensitive information and helping you sleep better.

Photo courtesy of Christoph Scholz on Flickr.

Data Breaches, Part 4 – Are Your Vendors A Weak Link?

Woman entering data into old computer system as example of vendors.For the first time in weeks, you slept well last night, confident that your expensive consultant found every hole in your company’s data-security program. The board of directors was thrilled with your report on the robust, new data-security policy that you personally approved. But, did your consultant look deep enough? Did she realize that although your company encrypts emails containing personally identifiable information, one of your vendors does not encrypt their responsive emails containing the same information? Did she understand your business well enough to realize that a service provider collects and stores customers’ personally identifiable information on its servers through the app it designed for your company?

Implementing reasonable security measure to avoid civil and regulatory liability requires a careful audit of all points of vulnerability. One of those points is your vendors. As such, any data-security audit should examine your vendors’ data security protocols.

Not every company is that careful, however. We routinely read in the press about companies facing scrutiny because their vendors exposed sensitive customer information. For example, Allison Grande at Law360 recently reported that a vendor breach exposed the names, dates of birth, and social security numbers of more than 5,000 patients of a health care provider.

Regulators have taken note, though, and are going after vendors responsible for data breaches. One such enforcement action occurred in 2016, when the FTC required a dental-practice software vendor to pay $250,000 to settle FTC charges that it falsely advertised the level of encryption it provided to protect patient data.

Many companies are pushing back against vendors who refuse to improve their data-security systems. In the February 2017 edition of Financial Planning Magazine, Suleman Din, Managing editor of SourceMedia’s Investment Advisory Group, wrote a great article discussing how financial advisers can ensure that their vendors adequately protect client data. According to the article, the financial advisory firm Heron Financial Group regularly reviews its vendors’ data security practices. The article reports that Heron is unwavering and has fired vendors whose security was inadequate.

Five Key Steps to Protect Data Shared with Vendors

Although you can never be certain about your vendors’ practices, there are ways to better protect your data:

  1. Perform due diligence. How much do you really know about your vendors’ data security systems? Ask questions and verify the answers.
  2. Limit third party access. Only grant access to data that your vendors must have to service your business. When doing so, provide access solely through a secure, encrypted portal. Additionally, segment that portal from the rest of your network. Finally, limit the number of vendor employees granted access to your data.
  3. Encrypt communications. Require that your vendors encrypt all emails containing sensitive data.
  4. Verify compliance. Don’t just take their word for it. Instead, perform periodic audits of your vendors’ data-security systems.
  5. Put it in writing. Include provisions in vendor contracts to protect your data. These clauses should establish minimum data-security standards. Your contracts should also permit audits of your vendors’ data-security protocols. Importantly, these contracts should require that your vendors immediately report all data breaches.

These are just a few steps to consider. However, they will go a long way toward better protecting sensitive information shared with vendors. In future posts, I will offer useful data-security clauses for your vendor agreements.

Photo courtesy of wistechcolleges on Flickr.

Data Breaches, Part 3 – Hackers Can’t Steal What You Don’t Have

Does your company collect and keep only the information that is essential for your business? If not, your company is exposing itself to unnecessary risk in the event of a data breach. Data breaches often cause unnecessary liability because companies did not carefully consider what information they actually needed.

Many past data breaches had two consistent themes: 1) companies collected data that was unnecessary for their business; and 2) companies kept sensitive data longer than necessary.

Over-Collecting Data

In the early days of e-commerce (and perhaps even more recently), many companies collected as much customer information as possible. Why not? The marketing department was thrilled at the prospect of collecting that much demographic information about your customers. All of this data created unprecedented targeted-marketing opportunities. And, in the event you had to chase a delinquent customer, your collections department knew everything about them since they were in first grade.

Unfortunately, criminals quickly recognized this treasure trove of data. Today, nearly every business connected to the internet is the target of hackers trying to steal information.

Regulators also took note of this over-collection of data. For example, in 2012, the FTC filed a complaint against Rockyou, Inc., alleging that the company violated numerous statutes by collecting users’ email addresses and passwords and storing them in clear text. According to the FTC, Rockyou had no legitimate business need for that information. Rockyou settled the case with a lengthy consent decree, instituting a detailed compliance and monitoring program. Rockyou also agreed to pay a $250,000 fine. All of this was in addition to the legal and investigative costs to respond to the breach.

Unnecessarily Keeping Data

Liability doesn’t just arise from collecting unnecessary data. Your company also faces liability if it keeps customer data longer than necessary. In 2005, the FTC filed a complaint against BJ’s Wholesale Club, alleging that BJ’s created an unnecessary risk by storing customers’ credit card information for up to thirty days when it no longer had a business need to do so. BJ’s resolved the case with a consent order with the FTC.

Lessons Learned from Past Data Breaches

There are a number of lessons learned from data breach cases brought by the FTC:

  1. Only collect customer information that is essential for the transaction.
  2. Keep customer information for no longer than necessary for the transaction.
  3. Do not collect sensitive information, such as social security numbers, unless you have a legitimate business need for the information. If collected, encrypt this sensitive data and purge it as soon as possible after the transaction concludes.
  4. If your company uses a mobile app, ensure that the app only accesses the data and functionality that it needs.
  5. Do not keep customers’ credit card numbers or expiration dates longer than necessary. Also, encrypt this data so that only employees with a critical need can access it.
  6. Limit access to data. Employees should have access to the least amount of data necessary to do their jobs.
  7. Don’t use real customer information in training sessions or for development of new applications. Instead, use fictitious information.

Prevention is far cheaper than a regulatory complaint or a class action lawsuit. As such, your business units should seek legal department approval for the types of information that they want to collect from customers. Legal should also review and approve policies for storing and purging customer data. These two changes will go a long way toward reducing your liability in the event of a breach.

Photo courtesy of Blue Coat Photos on Flickr.

Data Breaches, Part 2 – “Reasonable Security Measures” Will Protect More Than Just Your Data

There once was a time when in-house lawyers could sleep soundly and let the computer experts stay up at night worrying about IT issues. Those days are long gone (if they ever really existed at all)!

Courts and regulators require that companies take “Reasonable Security Measures” to protect personally identifiable information and personal healthcare data. But, what exactly does that mean? How do you know if your company’s data security measures will be deemed reasonable? These are questions squarely within the legal department’s wheelhouse.

There is no one-size-fits-all solution to data security that will satisfy every court and regulator. However, several government and private organizations have published data security standards. Following these standards will go a long way toward protecting your company, both from experiencing a data breach and defending itself in the event one occurs.

Numerous statutes require that companies provide reasonable security for sensitive, personal information. These statutes include, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, HIPAA and the Federal Trade Commission Act, among others. Also, nearly every state has now enacted some form of data-privacy statute. While there are certain central concepts for data security that apply regardless of the industry and data, each of these acts may require additional steps to maintain reasonable personal data security.

The Federal Trade Commission

The Federal Trade Commission has taken the position that a data breach can constitute an unfair and deceptive trade practice. As a result, since 2002, the FTC has brought approximately 60 cases against companies alleged to have put consumers’ personal data at unreasonable risk. These cases have led to fines in excess of $1 million, as well as injunctions. In one case, LifeLock agreed to pay $100 million to consumers to settle FTC contempt charges that the company violated the terms of a 2010 federal court order that required the company to secure consumers’ personal information.

All the news coming from the FTC is not bad, however. In an effort to assist companies in protecting consumer information, the FTC has issued written guidance in two documents explaining how companies can protect consumer data and, thereby, avoid liability.

Protecting Personal Information, A Guide for Business

The first FTC guidance document is called, Protecting Personal Information, A Guide for Business. According to this document, “a sound data security plan is built on 5 key principles.”

FTC Principles for Data Security
  1. Take Stock. Know what personal information you have in your files and on your computers.
  2. Scale Down. Keep only what you need for your business.
  3. Lock It. Protect the information that you keep.
  4. Pitch It. Properly dispose of what you no longer need.
  5. Plan Ahead. Create a plan to respond to security incidents.

The guide provides further detail for each of these five principles, and I strongly encourage you to study it.

Start with Security, a Guide for Business

The second document, Start with Security, a Guide for Business, contains ten lessons learned from more than 50 FTC cases. These lessons provide concrete steps to protect sensitive data. And, the FTC discusses them in greater detail than the five FTC principles mentioned above. Thus, every chief legal officer and chief information security officer must consider them.

Ten Lessons on Data Security
  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

Other important Standards for Establishing Reasonable Security MEasures

The FTC is not the only organization that has issued standards for data security. Courts and regulators may also consider the following documents when deciding whether a company implemented reasonable security measures:

  1. NIST Cybersecurity Framework.
  2. SEC OCIE 2015 Cybersecurity Examination Initiative.
  3. California Attorney General’s 2016 Data Breach Report.
  4. National Association of Corporate Director’s Handbook on Cyber Risk Oversight.
  5. Center for Internet Security Critical Security Controls (CIS Controls).

As you can see, what constitutes “reasonable security measures” is a complicated question, with no single answer. Moreover, the answer depends, to a certain extent, on the type of data involved. Nonetheless, companies today cannot avoid seeking the answer to this question. The financial and reputation risks are too high to do otherwise.

Chief legal officers also no longer have the luxury of claiming that they are not “tech-savvy” and deferring to the information technology department. The issues extend beyond technical concepts into questions that merge the technical with the legal. As such, chief legal officers must immerse themselves in this topic to protect both their companies and their careers.

Photo courtesy of Blue Coats Photo on Flickr.

Data Breaches, Part 1 – How Prepared Is Your Company?

Computer hacking and data security became central issues in the 2016 presidential election as a result of several, high-profile data breaches. Although the public may have been surprised to learn how vulnerable electronic data actually is, corporate chief legal officers regularly toss and turn at night worrying about their organizations’ data security. According to the Association of Corporate Counsel’s 2016 Chief Legal Officer Survey, data security has ranked among the top three concerns of Chief Legal Officers for several years running.  The ACC survey found that twenty-two percent of CLO’s experienced a data breach within the last two years. Astonishingly, forty-nine percent of healthcare CLO’s experienced a data breach within the last two years, followed by forty-five percent of education industry CLO’s.

Data breaches can be extraordinarily expensive. Response costs can quickly mount into the millions of dollars. Resulting government investigations can lead to significant legal expenses, as well as potential fines. However, the damage will likely go well beyond the initial financial costs. A high-profile data breach can inflict significant damage on a company’s brand, impacting the bottom line far more than the initial legal and investigative costs. Such damage may take years to repair. Beyond the financial damage, a high-profile data breach can often wreck the careers of CEO’s, CLO’s and information technology professionals.

So, the question becomes, how well-prepared is your organization for a data breach? Advance preparation is crucial. Waiting until a data breach is discovered is a recipe for disaster.

Preparing for Data Breaches

To reduce exposure in the event of a data breach, your company must prepare for a breach in advance. This includes instituting security and prevention measures, as well as creating an incident response plan, in the event a breach occurs. In upcoming posts, I will offer help on both fronts. These posts will examine the following topics, all of which your organization must consider before a data breach occurs:

  1. Has your company taken “reasonable security measures” with respect to data security?
  2. Is your company collecting and keeping sensitive information unnecessarily?
  3. Are your vendors and service providers a weak link in your data security plan?
  4. Does your organization have an up-to-date incident response plan?
  5. Has your company purchased adequate insurance covering both the response costs and resulting liability?
  6. Have you prepared your board of directors for a data breach?

I hope these posts prove helpful and would love to hear how your company has prepared for, and responded to, a data breach.

Photo courtesy of Zakwitnij on Flickr.