Archive | Data Security

Opening a Pandora’s Box – Collaboration, Social, and Litigation

I was reading an article about best practices in compliance as it pertains to eDiscovery and litigation. It was a good article, written in English rather than legalese. It led me to ask a question: if collaboration and social-type enterprise tools have not really caught on, is there a link to non-compliance and litigation exposure? Does part of the reluctance stem from opening a Pandora’s box of problems? In our increasingly litigious business and personal world, does upper management feel the risk isn’t necessary, and does it present a ‘fear’ of what could be exposed? Collaboration and social tools can generate an ROI, but is it worth the risk?

What do you think?


We have been victimized by a hacktivist 416 days ago!

The US Congress is dipping its toes in the water toward requiring companies to admit they have been hacked. The proposal regarding data breaches is a component of a larger draft bill being circulated in the House Judiciary Committee. In addition to raising the maximum penalty for cyber crime, it proposes that a business must disclose a security breach within 14 days of discovering it. In the case of a “major” breach, that window shrinks to a mere 72 hours and brings in the FBI or the Secret Service.

HP just released a report, the HP 2012 Cyber Risk Report, which stated that it takes 416 days to detect a breach. Hmmm…somewhere the math doesn’t quite make sense. If 416 days is typical to identify a data breach, I guess reporting it within 14 days of the realization is not so bad.

Cyber crime, data breaches, and just plain old hacktivists are on the rise. The basic problem is that there is no single US law addressing data breach notification. Many industries are regulated differently depending on the state in which they do business. A similar situation exists in Europe, where E.U. officials have introduced their own draft regulation on data breaches, saying the mostly voluntary system it has now is “too fragmented” and leaves the region more vulnerable. Opponents have argued the proposal is burdensome because of its requirement that notification take place within 24 hours of a data breach. If the European plan gets approved, it could boost the chances that the US Congress will pass something like it, although this isn’t the first time Washington has taken up data-breach notification and then done nothing.

I do get concerned that my data has been breached. It has happened to me several times now, and I wasn’t notified for several months, which I think is totally unacceptable. But on the other side of the coin, the state of Massachusetts has just ruled that ZIP codes are Personally Identifiable Information (PII). The whole topic doesn’t appear to be as straightforward as one might think.

I do have a problem with a company not knowing for 416 days that a data breach occurred. Really?

Where do you stand?


Get in the Fast Lane Grandma the Bingo Game is ready to Roll!

I just read a snippet of marketing for a new report from Forrester entitled ‘Building Data Stewardship Is A New Customer Intelligence Imperative’ (fee required unless you are a Forrester client). It’s a subject that is near and dear to our hearts. Forrester recommends a data steward. The data steward’s raison d’être is to keep track of data collection, governance, and privacy, which would include global imperatives (obviously, if the company is global). I perceive that as not only a tremendous task but also a high-risk position, especially given the potential for failure.

The first hurdle is related to the tracking and implementation of governance, compliance, and privacy laws. According to the report, there were ‘more than 150 pieces of privacy legislation pending in the US Congress as well as more than 90 other policies from international governing bodies’. Even if you do business only in your own country, there are still compliance mandates that fall under different jurisdictions such as state, county, etc. I see this as the first hurdle: keeping up with the changes (all of them) and starting them through the implementation process.

The second hurdle is the actual implementation of the compliance mandates throughout the organization, potentially in a short time frame. I’m not sure how flexible and agile organizations are when it comes to incorporating these changes. I know that in the US you typically have a window of time to implement, but for the organization, implementation can touch many different functional areas, including legal, finance, etc., all the way down to the end user.

Taking on the role of a data steward sure doesn’t seem like a stress-free job. Not that any of our jobs are stress free, but this one seems particularly stressful. I am curious whether your organization has a data steward. What is their role? If you know, what is their background? Or am I all wet, and it’s as easy as matching the numbers in a bingo game?


Cloud Services – You own it – you protect it!

Data privacy exposures happen all the time. Most go unreported. Data, whether stored in the cloud or within your four walls, is your responsibility. Most cloud vendors and cloud application vendors will provide some level of protection for your data, but for the most part you are on your own. Without adequate information on the security and compliance profile of the data, including its ownership, access controls, audits, and classification, cloud initiatives can fall short of expectations and put sensitive data at risk. Understanding the data owners, the authorized users, and user activity is critical to garnering organizational input, which in turn is critical to defining the security and compliance profile of the data, both for the internal datacenter and for the cloud.

The other issue is privacy and data-protection law in different countries, which can vary among national, regional, and even local authorities. In some countries there are strict restrictions on whether information can be stored outside the country at all. Privacy laws can differ widely from one country to the next. If you have employees crossing geographical boundaries, what must be done in each scenario to remain compliant with potentially very different restrictions?

Jurisdiction matters immensely, because where the data is stored determines which laws apply, and several jurisdictions may apply at once. From a legal point of view, location matters. For example, if data is stored off-shore, domestic law may have no effect. Cloud vendors can store your information on a variety of servers across the world. To illustrate: the Patriot Act in the US allows the US government to compel access to data stored within the country; the EU Data Protection Directive restricts transfer of personal information to countries outside the EU that do not ensure an adequate level of protection; and the Massachusetts Breach Law specifies that residents’ personal information must be protected and sets strict requirements around the storage, access, and transmission of that information. A cloud environment by nature has no boundaries, which requires careful thought about who might be accessing the content.

Another issue is who must notify people of compromised personal data: the service provider or the organization? Who pays those costs? If an internal end user posts data that is then compromised, again, who is responsible? It would appear that in all cases you are.


Information Governance – Nice idea but we really don’t care.

As a vendor we push the importance of information governance; not that we sell information governance, we just provide technologies that help. So information governance is something we believe all companies should be taking the time to thoughtfully plan, deploy, and manage.

Information governance, E-Discovery, and litigation support are closely intertwined. We have a very large client who was burned to the tune of billions (and billions) of dollars for not having an effective information governance plan (or even a plan at all). A pretty hefty price to pay.

In a recent research report by 451 Research, “E-Discovery and E-Disclosure 2013: The Ongoing Journey to Proactive Information Governance”, the results indicated that only 32% of senior management felt that information governance was important. It appears we are not all on the same page here.

For the sake of conversation, because I am obviously on the wrong track here: is information governance important to your organization? If so, how did you deploy it, and is it working? Do you feel that the enterprise is better able to face litigation, E-Discovery, and compliance issues? Or are you like the other 68% that really doesn’t care?


Throwing Security Over the Wall

It’s common knowledge that most cloud vendors do not accept responsibility for your data; you do. The Amazon Web Services (AWS) terms of service stipulate that the cloud vendor doesn’t accept liability for lost or altered data, and that customers are responsible for “taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving Your Content.”

Ok, let’s assume the cloud vendor gets attacked by the ‘next generation of malware’ (like Flame) or just plain old gets compromised. Some may think they can fall back on the cloud vendor, who has already said it is not responsible for the safekeeping of your data.
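One concrete way to act on that clause rather than argue about it, as an added example in Go that is not from the original post, from AWS, or from any vendor: the customer encrypts each object with a key it keeps on its own side, binds the ciphertext to the object name so a blob cannot be silently swapped between objects, and records a SHA-256 fingerprint in its own manifest so a restore can detect loss or alteration at the provider before decryption is even attempted. If the provider is compromised, what the attacker obtains is ciphertext under a key the provider never held. The key, the object names, and the sample record are constructed for the example; no provider API is called, and the “fetched” blob simply stands in for an object read back from storage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// What gets uploaded is nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
// The key never leaves the customer's side.

// EncryptObject seals plaintext under key (32 bytes for AES-256) and binds the
// ciphertext to objectName via GCM additional authenticated data, so a blob
// copied to a different object name fails to decrypt.
func EncryptObject(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// DecryptObject reverses EncryptObject; any modification of the stored blob or
// a mismatched objectName yields an error, never garbage plaintext.
func DecryptObject(key []byte, objectName string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a valid envelope")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// Fingerprint is the manifest entry recorded for each archived blob: the
// SHA-256 of the ciphertext exactly as uploaded.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

// VerifyArchived compares a blob read back from the provider against the
// manifest entry recorded at upload time, catching silent loss or alteration.
func VerifyArchived(blob []byte, manifestEntry string) bool {
	return Fingerprint(blob) == manifestEntry
}

func main() {
	// Constructed sample: a customer-held key and one record to store.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte(`{"customer":"acme","ssn_last4":"1234"}`) // constructed sample

	blob, err := EncryptObject(key, "customers/acme.json", record)
	if err != nil {
		panic(err)
	}
	manifest := map[string]string{"customers/acme.json": Fingerprint(blob)} // kept on-prem

	// Restore path: verify against the manifest first, then decrypt.
	fetched := blob // stands in for the object read back from the provider
	fmt.Println("archive intact:", VerifyArchived(fetched, manifest["customers/acme.json"]))
	pt, err := DecryptObject(key, "customers/acme.json", fetched)
	fmt.Println("decrypted:", string(pt), err)

	// A tampered or renamed object is rejected rather than returned as garbage.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptObject(key, "customers/acme.json", tampered)
	fmt.Println("tampered blob rejected:", err != nil)
	_, err = DecryptObject(key, "customers/other.json", blob)
	fmt.Println("renamed blob rejected:", err != nil)
}
```

The manifest and the key are the two things that must live outside the provider; if either is stored alongside the ciphertext, the provider (or whoever compromises it) can read or quietly replace your data, and you are back to the position the terms of service describe.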

Other issues can arise from privacy and data-protection laws at the national, regional, and even local level. In some countries there are strict restrictions on whether information can be stored outside the country at all. Looking at the US alone, privacy laws can differ widely depending on whether the environment is federal, state, or local.

Jurisdiction matters immensely, because where the data is stored determines which laws apply, and the data may be subject to several jurisdictions at once. From a legal point of view, location matters. For example, if data is stored off-shore, US law may have no effect. Cloud vendors can store your information on a variety of servers across the world.

Another issue is who must notify people of compromised personal data: the service provider or the organization? Who pays those costs? If an internal end user posts data that is then compromised, again, who is responsible? It would appear that in all cases you are.

Interesting subject. Any thoughts or real-life experiences? Have you dealt with this issue with your cloud vendor if you have one?


A Game of Tug and War – Is your content protected in third party hands?

An interesting article I just read illustrates the importance of making sure confidential information is protected when it is in the hands of third parties. It has nothing to do with breaches; it is about confidential content being held hostage in a tug of war between a client and a vendor. I had actually never thought of this before.

The dispute is between GlaxoSmithKline and a litigation and eDiscovery vendor named Discovery Works. Discovery Works was withholding up to 50 terabytes of confidential information belonging to Glaxo, including trade secrets, patent portfolio data, pricing information, sensitive communications among top executives, and privileged work product. It also appears that Discovery Works was facing insolvency, and in a rather emotional moment its CEO, Harry Debari, sent the following to Glaxo and their legal team: “Wire $55,000 to a secret account or it’s ‘bombs away.’” The vendor allegedly threatened to destroy hundreds of millions of documents belonging to GlaxoSmithKline unless that sum was paid.

The article brought up a good point in saying: “The case makes a strong argument for a ‘buyer beware’ warning to even large corporations. London-based Glaxo is among the world’s biggest pharmaceutical companies with revenues of about $27 billion. Some may wonder how a conglomerate that is constantly in litigation would entrust so much sensitive data to a company of modest means and few employees.”

The suit has been resolved, but how it was resolved is not available to the public. According to Glaxo, “If [confidential data is] disclosed, the genie could not be put back in the bottle.”

Even though there was a contractual agreement to return the confidential information, it obviously had no impact in this situation. I am wondering what you do for due diligence. As the author pointed out, why would Glaxo entrust their confidential data to Discovery Works? Although this is a rather odd occurrence, are there any precautions your organization takes for this scenario? Is it possible to take any precautions at all?
