Electronic Discovery Institute Course - Class 18 - Information Security 101
Here's a continuation of my postings about the Electronic Discovery Institute's online e-discovery certification program, that you can subscribe to for just $1. I last blogged about this program on February 4, 2018. Go to https://www.lawinstitute.org/ to sign up for it.
This course on information security is taught by Lisa Sotto, the managing partner of Hunton & Williams; Corey Hirsch, the CIO of Teledyne LeCroy; and Renee Meisel, a legal director at Dell specializing in cybersecurity.
Introduction & Overview
Cybersecurity is emerging as at the top risk area for many companies. Post-Target (in December 2013 there was a data breach effecting more than 100 million Target customers) there has been a heightened focus on cyber security issues. This event caused a CEO to resign for the first time. The increase in regulation has also led to increased focus on cyber security issues. The newly revised NIST standards and Defense Federal Acquisition rules have also caused people to be more aware of cyber security issues.
Legal Risks with Information Security
The regulatory landscape has changed. Legal risk is a moving target. The expectations of legal regulators may change over time.
Information security laws dictate security requirements. Data breach notifications law are a separate category that require businesses to notify individuals if their personal information was acquired by an unauthorized person.
There are flow down requirements in government sourced contracts. Export control laws may lead to punishment for allowing data to be hacked. It is not clear which insurance protections will pay out under which circumstances involving data breaches.
Different countries have different spam regulations, but email addresses usually no longer specify the nationality of a recipient.
The Intersection of Data Privacy & Data Security
Privacy goes hand in glove with data security. There are three different kinds of attacks - confidentiality; availability; and integrity. Pursing one factor as a priority may lead to strength in another area being compromised.
The Ashley Madison hack involved a breach of data on a dating site that was published on the dark web. The individuals whose data was posted were susceptible to blackmail.
Data privacy concerns what needs to be protected, but information security focuses on how to protect the information.
Assessing the Information Security Risks
No industry is exempt from cyber security threats. Hackers will go after any kind of company. Each organization should know what its active gird threat looks like. They should know to what extent ransomware and business email compromise can prevent it from reaching its business objectives. Law firms may have data that will have a high market value on the dark web. Companies will face great pressure to pay ransomware.
Companies that protect customer information, such as credit card information or healthcare information, will need to focus on information security practices. Any company whose value is based on intellectual property will have to make an effort to protect its data secrets and will have a duty to its shareholders to do so.
Types of Security Threats
There are three types of actors:
1. Traditional hackers.
2. Nation states - advanced persistent threats.
Insiders can fall into any of these categories. Rogue actors at vendors may have access to protected data of great value. Losses related to advanced persistent threats total more than $500 billion. More than 4,000 ransomware attacks are made daily.
Phishing has become as big of a concern as brute force attacks.
International Data Security
Hirsch related a story of an elderly professor in the UK who did not come into work one day. The faculty checked to see if he had logged into his email over the weekend in order to confirm that he had not experienced a health problem. This led to a conviction for a breach of privacy.
The first breach notification law became effective in the United States in 2003. There has been effort to pass laws imposing information security requirements on businesses. China just enacted cyber security legislation recently.
Compliance may be difficult when there is a patchwork regulatory framework. There are often aspirational guidelines rather than specific rules. There can be variances in the time to issue notifications about data breaches. Individual country notifications may be necessary in addition to the need to notify the EU data protection authority.
Information Security & eDiscovery
Access to broad, distributed databases and the ability to preserve data that may be deleted are important concerns in the electronic discovery field. Security controls over information are an important consideration. Third party vendors may have control over important information. Records should be kept of which information is deleted.
Safeguarding Information During Discovery & Litigation
Roles based access controls should be enforced, and communicated to vendors that have access to confidential data. Access control lists should show who has rights to read, write and edit data. Non-disclosure agreements should be implemented. Encryption should be used for cloud services as well as multi-factor authentication.
Government Agencies Involved in Information Security
The Federal Trade Commission is the federal agency which has taken the lead in information security concerns.
Responding to a Data Breach
When an issue comes in the door, it must be escalated appropriately. There should be a hotline so the right people can be contacted.
The legal department can help bolster risk assessments and business cases. Its very important that the legal department be embedded from the start. It's also necessary to determine if a legal hold should be implemented. It's important to understand what data will be needed from a regulator in order to do a data breach analysis. External parties, including law enforcement and bloggers, may be the first to notify a company that its data has been breached.
Table top exercises should be conducted so employees know how to respond to a data breach.
A cyber incident response playbook should be prepared to deal with scenarios such as the loss of email communications or the need to access backed up data. The need to preserve evidence should not be neglected. In the event of a ransomware attack, a file server should not be taken offline before the infected host is located. There should be predefined data back strategies. Companies should be prepared to respond to data breaches without the use of important electronic systems.
Further Education & Conclusions
Black Hat and Ignite offer immersive training in how to deal with cyber security issues. Attorneys should spend time with their information security professionals.