We are all learning to navigate the new and complex data security protocols and procedures, and we at InhouseGo2 thought that our experience as a firm might be helpful to our in-house clients and colleagues. We interviewed both Ilene Sunshine, our chief privacy officer, and Nancy Wahl, our director of IT. They have recently led Sullivan & Worcester through a state-of-the-art data security training and have set up procedures for dealing with a data breach.
1. What do you know now that you wish you had known when you first became the firm’s chief privacy and data security officer?
Ilene Sunshine (Chief Privacy Officer): I wish I’d known how complex and scary this topic is – I might have respectfully declined the job!
2. What are the top three mistakes that employees can make that compromise a company’s data?
Nancy Wahl (Director of Information Technology): 1. Falling victim to phishing attacks and social engineering tricks!
Regardless of the type of information hackers might be after, they’re always looking for the path of least resistance to gain access, and that continues to be through email with attached malware or embedded links that “phone home” somewhere. It’s important to keep in mind that hackers are often just looking for an open door so they can look around and see what they can access.
But it's also not always about email. There are any number of schemes that involve calls purporting to come from a helpdesk or from customer service at major companies, designed to get people to share all types of confidential information: not just login credentials, but also detailed inside information about a company.
2. Storing company information on personal devices, computers, personal email accounts and consumer-based file-sharing services.
These are NOT secure and can be easily accessed either through innocent actions or maliciously. Employee “negligence” in the form of lost or stolen devices that are not secured, and hacked personal accounts, are among the primary causes of reportable data breaches.
3. Bad password etiquette.
This includes not using passwords on personal devices and home computers, and/or using dumb passwords for work, for personal mobile devices and for personal email accounts, which ties directly back to mistake number two. Also common and potentially dangerous is sharing passwords with others or posting password/login information where it's easily visible. Traveling with a secured, encrypted laptop doesn’t count for much if you have a yellow sticky on the laptop with the login information on it.
3. Which privacy and data security policies are lawyers most prone to ignore?
NW: Storing data outside of the firm in personal email accounts, on personal devices and/or in personal cloud sharing services.
4. What is the “next wave” of security concerns?
NW: The Internet of Things or the Internet of Data. There are millions of devices (or more likely billions) that are connected or will be connected to the Internet that collect all sorts of information: business information, personal information. Information about what we’re doing, where we are, who we are. This is all data driving today’s business growth and development, but all of that information is stored and shared across a wide variety of systems for which there are no universal standard security protocols. So the challenge on the data security front is in recognizing, authenticating and protecting that data, much of which doesn’t easily fit into the standard current “IT” centric mode of security.
5. What are the first things a company should do if they discover a data breach?
NW: Before an event happens, a company should have an Incident Response Plan in place. When something happens, it’s not the time to figure out what you should do! But based on our current IRR plan (yes, we do have one), these are some of the key to-dos:
The first is to know there is a data breach. Under-reporting is an issue. Employees are often the first to recognize or be aware of a data breach but are afraid to report it, so the first step is to report a specific event that has occurred, such as a lost laptop, or to report any behavior or event that is suspicious or is cause for concern, such as another employee violating company policy.
Assess the situation, identify the scope and validity of the breach.
Notify all internal staff, relevant company personnel and specialized external resources required to develop and implement appropriate steps to contain the situation or event and manage the associated communications needed immediately and subsequent to the event.
Notify any appropriate external parties such as law enforcement.
Determine and implement an eradication strategy.
Once the incident is under control, COMMUNICATE to the company and to clients/customers about the nature of the event, the steps taken to address it, and the services available to those impacted.