LITIGATION SUPPORT TIP OF THE NIGHT

When using cloud based software, it's important to ask questions about what the provider does with the data that it hosts for you.

The Tip of the Night for May 26, 2021 discussed Trello, the project management tracking collaboration software.

Trello's developer Atlassain does not allow data to be stored locally, so it will store the names of task boards, and other content you add. Its privacy policy posted here, states that:

"Content also includes the files and links you upload to the Services. If you use a server or data center version of the Services, we do not host, store, transmit, receive or collect information about you (including your content), except in limited cases, where permitted by your administrator: we collect feedback you provide directly to us through the product and; we collect content using analytics techniques that hash, filter or otherwise scrub the information to exclude information that might identify you or your organization; and we collect clickstream data about how you interact with and use features in the Services. Server and data center administrators can disable our collection of this information from the Services via the administrator settings or prevent this information from being shared with us by blocking transmission at the local network level."

So by default data is collected even though Atlassian has processes in place which anonymize it. An admin can prevent the collection of data.

Atlassian complies with the General Data Protection Regulation of the European Union, but also processes personal data, and tranfers data to Amazon AWS data centers located in the United States. It does have Privacy Shield certification, the new mechanism for allowing for the transfer of personal data between the US and the EU after the invalidation of the prior safe harbor agreement. This certification can be viewed here.

It also uses EU Controller to Processor Standard Contractual Clauses as an additional mechanism to be in place in case the Privacy Shield is invalidated.

Cloud based software, Software as a Service (SaaS) allows organizations to forego the cost of servers and support services. Some SaaS providers will not take responsibility for securing user data and guaranteeing access to it. Data breaches may be regarded as the customer’s fault. Take the following steps to ensure cloud data security.

1. Use Cloud Access Security Brokers (CASB) to audit the cloud services used on a network.

2 Use role based permissions. Identity and Access Management should be used to limit the files and software that particular users in an organization can use.

3. Ensure that both data at rest and in transit is encrypted.

4. Data Loss Prevention software should be used to block malware from downloading data.

5. Monitor sharing of data through email and FTP sites.

6. Confirm that cloud service providers use MFA, and implement data segregation policies

When inquiring about the security measures for a document repository, ask whether or not the admin will monitor user activity for landspeed violation logins. These occur when a user accesses his or her account from two different locations within a time period in which it is not possible for the user to have travelled from one location to the other.