As the risk of a data breach edges from whether to when, it is more important than ever that companies do all the little things – and a few big things – to ensure they are prepared. In the interview below, DiscoverReady Chief Technology Officer Phil Richards explains why that includes assuring in-house leaders are ready, willing and able to ask the right questions of their IT security teams. His remarks have been edited for length and style.
MCC: There seems to have been a fundamental shift in how companies plan their technology in expectation of a data breach (as well as litigation). How has this new landscape evolved?
Richards: First, and probably most importantly, I’ve seen the discussion shift from not if but when there is going to be a data breach. The IT and security sides are focusing not only on building higher walls and deeper moats of physical and logical security but also on a data-centric approach. They want to manage the data on the network and reduce the value of the data to intruders – what’s called protecting data in place. Companies want to build out their capabilities to identify and categorize sensitive information, whether it’s PII, NPI, trade secrets or intellectual property.
Companies also need to actively monitor employees to ensure they are actually following the security policies and not, say, downloading the entire human resources database into a spreadsheet and throwing it on a laptop, or downloading all of the source code out of the source code vault and emailing it to yourself. Those types of activities need to be quickly identified.
I’ve seen a shift in emphasis regarding incident response. There’s a lot of pressure to truly be ready for a potential breach. Security, data management or incident response – they’ve become important topics for the C-suite and boards of directors.
MCC: What should our readers know about the physical, logical and procedural controls that should be in place to ensure compliance for sensitive data? How does this vary from industry to industry and across borders?
Richards: Each organization needs strong physical and logical security controls. That hasn’t changed, and it’s not going to change. Beyond that, each organization needs to conduct an individualized assessment of what constitutes sensitive data internally. This sensitive data is different for a dating website versus a charity organization versus a financial transaction-processing group or an energy company. All of those companies store and hold information in different ways and for different reasons.
People want to really understand their data – where it’s stored, why it’s important – and then build a protection strategy around that. It’s known as a protect-in-place strategy or a data-centric strategy. You can protect in place and it can provide large benefits to reduce either the vulnerability or the value of that data to hackers. Companies can tokenize, redact, encrypt, delete, remediate and so forth in addition to simply shoring up the physical and logical security.
MCC: Data can be difficult to locate, and discovery requests can go way beyond email into call history, text messages and audio files. How can companies locate and continuously monitor their sensitive data?
Richards: Locating and securing sensitive data is different than making that data available for discovery. That's an important point. One big question for corporate legal teams is: Does knowing where your data exists and what it contains make it automatically discoverable? There are two different workflows. One is to identify the data on the system, figure out if it's sensitive, and protect it in place to the best of your ability regardless of whether that's in email or text messages or audio files or call histories or any of those types of things. After assessing the data and understanding what data exists within an enterprise the second question is to assess that and deem if it should be considered readily accessible, if its burdensome to collect, if it's relevant, what are the discovery protocols that should apply, and those types of things.
I think there are many in-house counsel groups that try to answer that second question about the implications for discovery without knowing a lot about all of the data that actually exists inside the enterprise. By working on that first question – what data exists? – they can actually provide real data back to the general counsel or to the chief legal officer to help them with that second question about what's discoverable and how that should be used in the discovery process. We have seen that really help with building out defensible discovery protocols. The new federal rules actually discuss this a little bit. Just because a company knows where their data exists and what's in that data and how that data is stored doesn't necessarily mean that it will meet the new proportionality threshold. A real important message is you don't let the federal rules and the changes to those stop you from actually categorizing your data and knowing about it. People don't need to be afraid to know what data exists on the system.
So locating and monitoring sensitive data is an area in which we receive many, many requests from our clients. It’s actually quite difficult for organizations to know where their data exists, even if they are following all of the right data protection procedures and know where employees are storing that data or how they are using that data.
When we work on this particular problem, we organize two separate workflows. One is for structured data, like databases, and the other is for unstructured data, like file shares and emails. There are different techniques and technologies to deal with each type, and both types require continuous monitoring.
It’s interesting because locating and monitoring these data types can be very similar to the electronic discovery work that legal counsel are used to. We’re assessing millions of files and records, then categorizing that data into a future treatment. That future treatment in discovery could be production or redaction, but in the data protection world, you could also say, “I need to remediate that data or better protect it in place using tokenization or encryption.” This similarity between locating and monitoring and e-discovery can help inside counsel understand the process being used to identify and protect sensitive data.
MCC: Companies are generating so much data that needs to be both compliant and available for discovery in the event of litigation. It is no longer enough to just store the data. What are some of the best practices to ensure both compliance and cost-efficiency? Are there additional steps needed for disaster recovery?
Richards: In general, data should be stored inside a company while it still has business value, until the value of that data is less than the risk of actually keeping it. My experience is that companies keep too much data where the business value is low and the risk of keeping it is high. Keeping that type of data drives up the risk in litigation and the cost of discovery.
The biggest thing that a company can do is figure out how to identify and delete data that no longer has significant business value – that’s most critical in building best practices into a data retention policy. The best practices for companies are to actually enforce those policies, and then from a legal hold perspective, retain the data when it comes under legal hold, not before that point. Data under legal hold should definitely have a disaster recovery capability.
One thing that’s important to know, especially for internal counsel who are advising on these matters, is that the recovery points and recovery times associated with discovery data should fit the legal needs of the system, not necessarily the same requirements as the main operational systems. For example, some businesses, like those processing financial transactions, can handle only a few milliseconds of downtime on their systems while switching over to disaster recovery. In many cases, legal hold systems and discovery systems don’t require that level of recovery capability, but they do require that the data is not lost, and it can become available in a more reasonable time frame. Companies can control their costs in this area by making sure that their disaster recovery meets the reasonable timeline and not the actual operational timelines of revenue-generating systems.
MCC: We’ve recently been reading about spearfishing, which the FBI has identified as a global threat. How can our readers secure against these attacks and how should they respond if they are victims of such an attack?
Richards: Spearfishing can be a very scary attack because the emails can look legitimate, and they can come from someone you know and trust, or someone in a position of authority in the company. These types of fishing attacks can even contain personal information. Protect yourself, first and foremost, with training. We need to train our teams as to what spearfishing is, what it looks like and some of the tells that identify an odd email or situation.
Closely related to this, we need to teach people to verify strange or nonstandard requests with the actual requester by using a different mechanism than just hitting reply to a suspicious email. If your system administrator sends you an email saying, “Send me your password,” call that person and ask, “Is that really what you want?” Closely related to this, never send passwords or log-in information or any type of authentication information to anyone in any format. IT systems are built today in such a way that you don’t need to tell somebody what your password is or what your log-in information is to have them help you.
Also, always keep your web browser and operating system patched and up-to-date so that if you click on links, they won’t exploit vulnerability. Another important one is to use dual-factor authentication on corporate and sensitive systems. That is a very strong protection mechanism. IT security departments can develop in-bound and out-bound scanning to help identify threats too.
MCC: How can general counsel and chief legal officers best help their in-house legal teams and company-wide employees adopt new technologies and best practices?
Richards: Remember that if your company makes data security promises, your company needs to keep those promises. Internal counsel can be very valuable in helping everyone understand the implications of client-facing security promises.
Most discussions on this topic are with the IT team and focus on the technical risk and remediation, but there is a real and very important legal risk that also needs to be articulated with regards to data security, remediation plans and data protection. Executives and board members will be just as interested, if not more interested, in the legal risk discussion as they are in the IT risk discussion. General counsel and chief legal officers are critical in helping articulate the legal risk.
Many lawyers may say that they’re not technologists, and they want to delegate tech-related issues and thinking to the IT teams or technical teams. General counsels and chief legal officers who avoid this tendency are in a far better position to help the company. They need to remember that the skills they’re very good at – building logic, questioning, determining fact patterns, finding gaps in reasoning – are exactly the skills needed to help make sure that the system is secure. Don’t delegate the tech and security discussion to just the technologists.
And don’t let the tech guys bury you in jargon and confusing detail. Really, if a technologist can’t explain an issue to an intelligent executive-level lawyer, it probably means that security person doesn’t understand the solution well enough to implement it properly.
The last thing I would say is that everyone needs to remember there is no easy button for security and data protection. We need to train our teams to not accept simple solutions. Team members need to be educated and trained enough to be contributing members on this discussion, and the skill set that legal professionals bring to the security discussion will ensure that we have much better implementation of data protection procedures.
Phil Richards, Chief Technology Officer at DiscoverReady. [email protected]
Published November 30, 2015.