Apr 15, 2013

Data security: a growing problem

Data loss and other data security issues have become top concerns for corporate secretaries and general counsel on the heels of high-profile hacking incidents at major companies.

Data loss and other data security issues have become top concerns for corporate secretaries and general counsel on the heels of high-profile hacking incidents at media outlets like the New York Times and data breaches at popular social media companies Twitter, Pinterest and Tumblr. Corporate trade secrets and customer information are the targets of these attacks, and the frequency of such incidents has grown at an alarming rate.
A recent Data Loss Barometer report from audit, tax and advisory firm KPMG says data theft attacks have affected more than 1 billion people over the last five years, and with the growing use of mobile devices for business purposes, those numbers are not likely to decline. Companies in the healthcare and professional services industries need to be especially alert, as they generally support the largest databases of personal information. The KPMG report says 60 percent of all data loss incidents involve hacking, suggesting that the frequency and sophistication of these types of attacks now pose greater enterprise and reputational risks for companies than ever before.
In fact, in a 2012 survey conducted by Corporate Board Member and FTI Consulting regarding the most pressing issues for senior corporate executives, cyber-security and data protection ranked highest for the first time. The poll, which surveyed 1,957 general counsel and 11,340 corporate directors, revealed that cyber concerns had overtaken perennial priorities such as the Foreign Corrupt Practices Act.
‘Instead of a company staying ahead of aggressive breaches in data systems, the threat of severe data loss is getting ahead of the current security, which is a dangerous trend,’ says Greg Bell, a partner at KPMG who serves as its global and Americas service leader for information protection. ‘Executives and boards need to be a part of the discussion around the most effective way to protect this information from all types of data loss, as it can mean irreparable damage to a firm.’
A high price
The cost of a data breach can be considerable. Last year, the Ponemon Institute and Symantec released a study looking at data breach costs for 2011. It states: ‘For the first time in seven years, both the organizational cost of data breach and the cost per lost or stolen record have declined. The organizational cost has declined from $7.2 million to $5.5 million and the cost per record has declined from $214 to $194… This decline suggests that organizations represented in this study have improved their performance in both preparing for and responding to a data breach. As the findings reveal, more organizations are using data-loss prevention technologies, fewer records are being lost in these breaches and there is less customer churn.’
That said, there is evidence suggesting the increased frequency of attacks and the added costs of responding to and containing data breaches have sent the cost of dealing with them soaring again. The 2012 Cost of Cyber Crime report released by Hewlett Packard and the Ponemon Institute shows a 6 percent rise in the cost of dealing with a data breach, to $8.9 million, as companies spend more time and money recovering from increasingly sophisticated attacks. The Ponemon Institute agrees that the cost of dealing with data breaches is increasing, but believes it will level off as technology catches up with the hackers.
Many firms unprepared
Foley & Lardner attorney Adam Losey, who also founded and directs the online not-for-profit IT-Lex, isn’t surprised by the results of the surveys. ‘Information security and privacy issues are being litigated more and more, and high-profile security breaches are in the news almost daily,’ he says. ‘Keeping data secure isn’t just a legal necessity – it is also a business necessity, on a national and international level.’
Unfortunately, most companies are unprepared when it comes to digital security, Losey notes. ‘Keeping a business secure requires a level of organizational discipline and know-how that is often too low on the corporate priority list,’ he points out.
That contention is supported by yet another recent survey from global consultancy Consero Group, which reveals that 30 percent of general counsel polled say their companies are not prepared to handle a major cyber-security threat. If that number is accurate, it doesn’t bode well for the future because experts expect cyber-security concerns to continue multiplying.
‘The coming decade will be explosive for privacy and information security because of two factors: more data than ever before to manage, and more threats to it than ever before,’ says Harriet Pearson, a partner with Hogan Lovells who joined the firm after nearly two decades with IBM’s corporate law department, primarily as one of its chief privacy officers and security counsel.
Richard Finkelman, who directs the e-discovery practice at Los Angeles-based Berkeley Research Group, says general counsel must play a role in helping protect their employer’s electronic data. ‘Something will happen,’ he warns. ‘Don’t assume you are impenetrable, even if you have procedures in place.’
While incidences of hacking draw the biggest headlines, there are other issues that lead to data loss that companies must also address. A significant proportion of data-loss incidents involve the actual theft of computers, laptops, portable hard drives, CDs and DVDs. Negligence by employees in this area is a major concern for all companies. ‘The volume of company data stored on personal and mobile electronic devices needs to be a major consideration when devising a comprehensive security plan,’ notes Bell.
‘The biggest threat to me as a general counsel is that my own employees will do something to compromise data,’ adds Matthew Knouff, general counsel and e-discovery counsel for Manhattan-based Corporate Discovery Source.
Employee errors
That’s also the view of Roy Snell, chief executive officer of the Society of Corporate Compliance and Ethics, who says the majority of data breaches are caused by ‘employees leaving paper out in the open, walking away from computers while they are logged in, using laptops that are not encrypted and doing computer work on airplanes while others are watching. This is primarily an education, monitoring and auditing issue – we have to tell people what to do, and see whether they are doing it.’
According to Snell, any software system that is used to prevent hacking and other types of electronic data breaches should be handled by IT but overseen by the company’s compliance department to make sure it is working. An effective data breach prevention program should then be implemented – and maintaining that should be the responsibility of the compliance officer, too.
There is always the possibility that employees could accidentally (or deliberately) leak confidential information to outsiders, or unknowingly let intruders into your systems. Jonathan Karchmer, a senior manager at iDiscovery Solutions who conducts computer forensic examinations and e-discovery engagements for civil litigation, says ‘all staff should be trained in the basics of recognizing social engineering attempts – Hey, I’m from upstairs. What’s my password again? – avoiding opening email links or attachments that are suspect, and refraining from browsing websites that are not related to work.’
Some companies will find they need to improve their internal security. Corporate legal departments are advised to work with their company’s IT gurus to create and implement protocols designed to prevent data leaks and also to respond to them should they occur (see Responding to a network attack, below). ‘It’s important to have the corporate management group make the initial assessment’ of the type of e-data loss suffered by the legal department, says Knouff.
According to Finkelman, the company’s compliance department should create written policies regarding data protection and leaks that can be easily communicated to others within the company. ‘The most prepared companies hold actual training seminars annually that employees must complete and become certified to prove competency when it comes to data security and privacy,’ he says. That can be accomplished through video and online training in addition to the traditional method of lecture and discussion.
Michael Curran, general counsel and vice president of Flex Discovery in Austin, Texas, is a huge proponent of encrypting passwords and sensitive data when they are transmitted electronically. One of the most secure uses of this technique occurs when a secret password is needed to send data, and its recipient must also enter an encrypted password to receive and read the information. Another safeguard for transmitting electronic data is the use of anonymous email addresses – for example, creating a unique but innocuous email address for a particular client so that, at first glance, transmissions from that client look like nothing more than spam to an outsider.
Monitoring employees’ electronic devices
The growing trend of ‘bring your own device’ (BYOD) troubles Pearson because she worries about how deeply a legal department can delve into an employee’s private electronic devices, even if they contain sensitive work materials. Each day an increasing number of companies have to deal with employees using their own personal electronic devices for work.
A ‘significant opportunity for data loss and data breach’ arises when employees use their own devices for work, says Knouff. In an attempt to prevent those losses, his company provides each employee with a BlackBerry for work and requires security measures to be implemented on personal cell phones.
There are several issues legal departments need to consider when they establish a BYOD policy, says Losey. For example, if an employee’s personal device is hooked up to the company grid, is the company permitted to sweep the device for malware or viruses? And how should a legal department respond if a privately owned device containing sensitive corporate information is lost or stolen?
‘Case law varies on these issues, but the business answer is to think about these things beforehand and codify what your company will do in a policy that employees are obliged to acknowledge,’ says Losey. ‘If there is an issue later, there will be no surprises for the employee about what devices they have an expectation of privacy on at the workplace.’
Liabilities for not protecting e-data
In many cases, an electronic security breach will trigger litigation. As soon as litigation is initiated or even threatened, the legal department should send out legal hold notices to anyone who might possess related data, says Finkelman. Meanwhile, the company’s IT department should not destroy or compromise potential evidence that could be used at trial.
While there is no consistent policy requiring notifications to individuals at the federal level, legislation has been introduced in Congress several times to create nationwide rules for handling data breaches. Right now, different states have different requirements related to security breach notifications. Four states do not have data breach notification laws – they are Alabama, Kentucky, New Mexico and South Dakota. Many states, such as Texas, have rules that require notification only when certain personal information is disclosed following a data security breach, says Curran.

RESPONDING TO A NETWORK ATTACK

Jonathan Karchmer, senior manager of iDiscovery Solutions, suggests companies put together ‘incident response teams’ to deal with network attacks and data breaches. He stresses that co-ordination between the IT, security, legal and HR departments is crucial in developing defenses against network attacks. Organizations large or small should use incident response teams drawing on all of these groups to triage, handle and prevent network attacks. All companies should develop written policies and procedures for handling network security incidents, and the incident response team itself investigates and responds to them.
Karchmer says the basic steps of network attack response are as follows:

  • Planning for attacks: develop policies and procedures, establish the steps the organization will take for handling attacks, post warning banners on all systems, monitor network traffic and system inventory, create and maintain ‘known good’ sets of system files and back-ups of key systems, and train staff on acceptable computer use as well as on secure practices for passwords and communication inside and outside the organization.
  • Identifying the attack: assign responsible teams or individuals, and have the incident response team identify and assess the attack.
  • Containing the attack: preserve and triage affected systems, determine the danger level of using potentially compromised systems, and change passwords on affected systems.
  • Eradicating the attack: remove the cause of the attack, identify the attack vector – the method by which the attack was executed – and vulnerabilities, and implement measures to prevent the attack from occurring in the future.
  • Recovering from the attack: restore affected systems back to normal ‘production’ use and continue to monitor them.
  • Follow up: fully report the incident to management (including IT, legal and HR), recommend changes to management, and implement those changes.
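
The ‘known good’ sets of system files from the planning step are what the identification step later compares against. As an added illustration that is not part of the article or of Karchmer’s material, this Python script builds such a baseline of SHA-256 file hashes and reports which files were modified, added or removed; the directory tree and file contents in demo() are constructed sample data.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline

def compare_to_baseline(root, baseline):
    """Report files whose hash changed, files that appeared, and files that vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed example: baseline a small tree, tamper with it, then diff it."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        (Path(root) / "bin").mkdir()
        (Path(root) / "bin" / "login").write_bytes(b"original binary")
        (Path(root) / "etc.conf").write_text("debug=false\n")
        # Known-good set kept outside the monitored tree; in practice store it on
        # separate, write-protected media so a compromised host cannot rewrite it.
        store_file = Path(store) / "baseline.json"
        store_file.write_text(json.dumps(build_baseline(root), sort_keys=True))
        # Simulated post-incident state: a changed binary, a new file, a deleted config.
        (Path(root) / "bin" / "login").write_bytes(b"modified binary")
        (Path(root) / "bin" / "extra").write_bytes(b"unexpected")
        (Path(root) / "etc.conf").unlink()
        return compare_to_baseline(root, json.loads(store_file.read_text()))
```

Scheduling compare_to_baseline against a baseline taken at build time turns the ‘known good’ set into a routine check rather than a one-off artefact.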

‘There is no such thing as ‘perfect’ security,’ Karchmer emphasizes. ‘Organizations must balance their business needs, budget and reasonable risk when developing their plans for responding to and handling network attacks. The best incident response plan involves co-ordination across departments to take the appropriate steps to prevent network attacks, while also proactively monitoring systems and planning for the attack that is yet to come.’

Tami Kamin-Meyer

Tami Kamin-Meyer is an attorney licensed in Ohio, the federal and US Supreme Courts