The Internet user privacy debate is raging on multiple fronts lately, and some big names in the technology industry are getting in on the action. In the past few weeks, Facebook saw a European privacy group challenge the social media giant’s data use policy, Microsoft lost a battle over its user data stored abroad and Google used email scans to clue police in on a child abuser’s identity. The debate probably won’t end any time soon, either, warned a recent HP study on the mounting susceptibility of data on connected devices.
Facebook faces lawsuit from EU privacy group
The privacy advocacy group Europe vs. Facebook has instigated an international class action lawsuit against Facebook’s Irish subsidiary, Facebook Ireland, in the latest chapter of a years-long legal battle.
The class action suit now has approximately 11,000 participants, Europe vs. Facebook told TechCrunch, and targets a number of Facebook business practices that the group says violate privacy and consent policies under the EU Data Protection Law. The suit accuses Facebook of violations that include enacting a legally invalid data use policy, passing unauthorized user data onto external applications and tracking user activity on external websites via “Like” buttons.
The lawsuit seeks €500 (about $668) in damages per user. “We are only claiming a small amount, as our primary objective is to ensure correct data protection,” said Europe vs. Facebook’s leader Max Schrems, an Austrian lawyer and activist. “However, if many thousands of people participate, we would reach an amount that will have a serious impact on Facebook.”
U.S. judge rejects Microsoft’s protection of overseas data
U.S. Federal Judge Loretta Preska has ruled against Microsoft’s challenge to a search warrant seeking an unidentified user’s emails and records stored in an Ireland data center. Microsoft argued that U.S. prosecutors do not have the authority to seize data stored in Ireland without permission from the local government because U.S. law does not apply there. The company has also argued that emails are a personal form of communication that belongs to the user. “What is at stake is the privacy protection of individuals’ email and the ability of American tech companies to sustain trust around the world,” Bradford L. Smith, Microsoft’s general counsel, told the New York Times.
However, Preet Bharara, U.S. Attorney for the Southern District of New York, argued that Microsoft’s analysis is wrong, and that overseas records must be turned over domestically when a valid subpoena, order or warrant is presented. Judge Preska concurred, declaring that because Microsoft is able to control the information without physically entering Ireland’s sovereignty, it must comply with a warrant for said data. Preska put the ruling on hold while Microsoft files an appeal. Major technology companies, including Apple, Verizon and AT&T, have filed briefs supporting Microsoft’s argument.
Google alerts authorities of child abuse after email scan
Another recent event illuminated Google’s role in policing the Web: After Google allegedly detected explicit images of a young girl in a user’s email, it alerted the National Center for Missing and Exploited Children. The Center then informed Houston police, who arrested and charged 41-year-old convicted sex offender John Henry Skillern with possessing child pornography.
Google works with the Internet Watch Foundation to help identify and remove child abuse images from its search engine and subsequently report them to authorities. The arrest, however, raised email privacy questions. While many know that Google automatically scans its users email accounts to produce targeted ads within Gmail, “Gmail users will certainly be interested to know what action Google proactively takes to monitor and analyze Gmail messages for illegal content,” said Emma Carr, acting director of privacy lobby group Big Brother Watch.
HP study cautions that many common IoT devices at risk
As the Internet of Things (IoT) proliferates, privacy issues will likely spread as well: A recent study conducted by Hewlett-Packard (HP) found that about 80% of IoT devices raise privacy concerns, and about 70% are vulnerable to getting hacked or compromised.
The study tested 10 of the most common smart devices, including TVs, webcams and home thermostats. Each device, the study claims, had approximately 25 vulnerabilities. Many of the study’s findings were related to insufficient password strength and poor data protection: 70% of the devices did not encrypt communications to the Internet and local network; 80% failed to require passwords of adequate length or complexity; 70% used unencrypted network services; and 80% put their users’ data at risk of being intercepted through cloud services.
“While these devices have made life easier, they’ve also created new attack vectors for hackers,” read the report regarding IoT devices. Gartner predicts that there will be 26 billion IoT devices by 2020, which HP warned will open even more avenues for hackers.
Organizations of all stripes are feeling the impact of mounting risk. In the past few weeks alone: Wall Street’s big banks reacted to a changing regulatory landscape; a new survey found that many companies do not have an adequate enterprise risk management strategy; and chief information security officers (CISOs) reported that their role is among the most challenging in their organization.
Banks cut assets, boost compliance efforts in response to Dodd-Frank
Pressure from federal regulations such as the Dodd-Frank Act and from the Federal Reserve’s yearly “stress tests” are driving Wall Street’s larger banks to pull away from short-term funding activities. This includes cutting back on certain types of trading, as well as selling profitable businesses and assets that could attract further regulatory scrutiny, The Wall Street Journal reported.
Morgan Stanley slashed its assets by one-third since 2008’s financial crisis and has downsized its fixed-income trading activities. Bank of America Corp. has cut more than $70 billion worth of businesses and assets since 2010, including private-equity investments and some credit-card businesses.
Large banks are also hiring more employees focused on regulatory and compliance efforts. J.P. Morgan Chase, for instance, will add 13,000 staffers dedicated to regulatory compliance by year’s end, while Citigroup plans to end 2014 with about 30,000 compliance-focused employees on its payroll — a 33% increase from 2011.
While these extra compliance efforts might appear promising to bank regulators, many lawmakers worry that more severe measures are necessary as some banks engage in perceived high-risk behavior to compensate for slow economic growth, the WSJ reports. Certain policymakers feel that harsher legislation is needed to counteract banks that are “too big to fail.” Current legislative proposals range from breaking up megabanks to imposing additional taxes on large financial companies.
Survey: Enterprises need stronger risk management strategy
A survey by nonprofit business research firm APQC polled almost 100 senior financial executives from large public and private companies and found that while the majority of these companies have strategic risk management processes in place, fewer than one in five effectively manage them. These “strategic risks” include regulatory and cybersecurity threats, supply chain interruption and failure to innovate.
Furthermore, two-thirds of these organizations reported lacking a method to ensure that their strategic plans account for these risks, and 43% said they don’t have a concrete process for reporting strategic risks to board members.
To avoid problems that could arise from strategic risks, APQC recommends teaching board members and executives a common risk language, as well as improving processes for monitoring, assessing and reporting business risks.
Many CISOs view their job ‘thankless’
The CISO role didn’t exist at many companies a decade ago, but it is becoming an increasingly common — and challenging — job at most organizations. These executives bear the blame in the event of a security breach and must also stay ahead of increasingly sophisticated cybercriminals from all over the globe, ensure compliance with mounting regulations, and manage BYOD, to name just a few responsibilities. On top of these hurdles, many new security products available to CISOs fail, making it tough to discern which tools to trust.
These challenges have made the CISO post more critical than ever, and companies are offering annual salaries that range from $188,000 to $1.2 million. Still, many view the job as a thankless one, The New York Times reported. According to a Ponemon Institute study conducted last year, many CISO respondents rated their job as “the most difficult” in their organization, and most said their job was a bad one or the worst they’ve ever had.
The post is so high-pressure that many CISOs end up leaving it after two years — either voluntarily or not, according to the study. High-profile examples of post-data breach resignations include the CISOs of the state of Utah and Yahoo.
To prepare themselves for the CISO position, candidates ought to accept that there is no cybersecurity cure-all and that their best bet for success is a combination of effective technologies, hiring the best talent and good luck, according to the Times. The CISO must also be ready to communicate to board executives the inevitability of breaches and the need to allocate an adequate percentage of the IT budget to security.
Data privacy continues to make waves, both in the U.S. and abroad, as recent tech headlines highlighted the Obama administration’s promise to extend data protection rights to European citizens and a Supreme Court cell phone privacy ruling. Also attracting attention in recent weeks: how increasing consumer data risks and compliance regulations are driving demand for GRC professionals.
U.S. pledges data protection for EU citizens as Microsoft pushes for user privacy
Last week, the Obama administration promised legislation to grant EU citizens the same data privacy rights that U.S. citizens enjoy under the Privacy Act. U.S. Attorney General Eric Holder said that under the proposed bill, European citizens would have the right to “seek judicial redress” from the U.S. government if their private information is intentionally released or misused. Holder made the announcement at last Wednesday’s EU-U.S. Ministerial Meeting on Justice and Home Affairs in Athens.
The bill would apply to EU citizens being transferred to the U.S. for law enforcement purposes. It would be part of a data protection agreement the EU and the U.S. have been negotiating since 2011 as part of their efforts to combat terrorism, including investigations into foreign fighters traveling to Syria.
The announcement was met with skepticism by both the EU and human rights groups, which considered it a welcome development, but deemed the promise vague and in need of more concrete legal action. “Words only matter if put into law,” EU Justice Commissioner Viviane Reding said in a statement. “We are waiting for the next legislative step.” Human rights and privacy groups said that the promise does little to address other issues created by the mass global surveillance conducted by the NSA and its partners.
Microsoft is among the many technology companies that have also been critical of U.S. data collection practices. The tech giant’s general counsel has been on a months-long public campaign calling for the U.S. government to take legal measures to preserve citizens’ information privacy rights. Microsoft’s Brad Smith said last Tuesday that the Obama administration must significantly reform U.S. surveillance practices so that people can feel comfortable using technology to store their information. Earlier this year, Smith used Microsoft’s blog to inform users that it will no longer examine private information in their email accounts, even if the company is examining its own intellectual property theft.
Supreme Court’s cell phone ruling could impact health industry
A U.S. Supreme Court unanimous ruling last Wednesday found warrantless cell phone searches for law enforcement purposes a violation of the Fourth Amendment, in part because of the devices’ potential to hold personal healthcare data. The court decided that cell phones are different from other physical evidence due to their large storage capacities and ability to access information stored in the cloud. “There is an element of pervasiveness that characterizes cell phones but not physical records. Prior to the digital age, people did not carry a cache of sensitive personal information with them as they went about their day,” the opinion stated.
The ruling covers sensitive, private health data that might be contained in cell phones, The Washington Post‘s Morning Mix blog pointed out. For example, warrantless cell phone searches could reveal an individual’s private browsing history that might include searches for “symptoms of a disease, coupled with frequent visits to WebMD,” the ruling noted. Mobile devices could also disclose certain drug addictions or a person’s pregnancy status.
The decision could affect the healthcare industry from a patient privacy standpoint, iHealthBeat commented. For example, the ruling could provide more guidance over who has access rights to patients’ data and medical records.
Companies hire more GRC officers in response to breaches, regulations
There is increasing demand for data governance and risk management professionals to protect organizations from serious legal implications or financial fallout in the event of a data breach. A contributing GRC factor is data protection legislation expected to be enacted sometime this year, according to the Data Protection Commissioner’s Statement of Strategy for 2014 to 2016, which outlines which organizations it will audit and the standards they must follow. These increasing pressures, as detailed in the Silicon Republic, have led to the corresponding rise in demand for GRC professionals, particularly IT auditors.
As regulatory pressure stemming from the 2008 financial crisis continues, financial institutions have responded by hiring more senior-level risk officers, increasing their compensation and arming them with more leverage in the business’ decision making, the Wall Street Journal reported. Senior risk officers earn 40% more than they did a few years ago, according to a report from the Office of the Comptroller of the Currency (OCC). Additionally, three times as many people passed a risk management exam from 2010 to 2013 than from 2004 to 2007, according to the Global Association of Risk Professionals. Such developments are very costly for financial organizations, given recent dips in trading revenue and slow loan growth. But they have little choice in the matter, given Dodd-Frank and other post-crisis regulations enacted to limit these institutions’ risk taking.
Regulations issued in February require that by 2016, the largest bank-holding institutions in the U.S. must appoint a chief risk officer and establish a risk committee within their board of directors. These rules also require large banks to produce detailed statements on the type and quantity of risk they’re willing to take to meet financial goals, and risk officers are encouraged to lead the charge on investigating large losses.
Big data was (unsurprisingly) in the spotlight in recent headlines, with a particular focus on consumer data privacy.
‘Privacy paradox,’ compliance costs challenge data-driven companies
The proliferation of smartphones and the convenience of such Internet services as online marketplaces have both consumers and data-driven businesses elated — but only to a point, says New York Times Bits blogger Steve Lohr, drawing from a recent study on global privacy survey. As consumers clamor for even more easy-to-use online services, 87% of respondents “strongly agree” that the government should step in and prohibit businesses from brokering data without their opt-in consent, according to the EMC-sponsored study. Additionally, 51% of this global pool of 15,000 consumers pointed to “businesses using, trading or selling my personal data for financial gain without my knowledge or benefit” as the leading threat to their online privacy (above “lone/crazy hackers” and “my government spying on me”).
This “privacy paradox” doesn’t bode too well for businesses that already struggle to allocate huge amounts of resources to ensure compliance with privacy regulations, perhaps at the expense of R&D. A recent report by the Competitive Enterprise Institute found that compliance with federal regulations cost businesses $1.86 trillion in 2013 — more than the GDP of Canada and Mexico. But while most companies oppose regulations that restrict data collection and usage, they must self-regulate data practices to cultivate the trust their customers prize.
Email privacy reform gains steam
Last week, the Email Privacy Act garnered majority support when it received its 218th co-sponsor in the U.S. House of Representatives. The bill would prohibit law enforcement officials from accessing stored emails without a warrant. The development has spurred tech companies such as Google and advocacy groups including the American Civil Liberties Union and the Center for Democracy — both of which have long lobbied for Electronics Communications Privacy Act (ECPA) reform — to push for Congress to pass the bill, The Hill reports.
Google’s Senior Privacy Counsel David Lieber wrote in a blog post that passing this legislation would “send a clear message about the limits of government surveillance by enacting legislation that would create a bright-line, warrant-for-content standard.” Other pro-ECPA-reform groups are also hailing the bill as a milestone in protecting electronic communications from government intrusion. As the 1986 law now stands, law enforcement is allowed to obtain emails that have been stored for more than 180 days without a warrant.
Federal Trade Commission calls for data broker transparency
As part of its efforts to educate the public on privacy among data brokers, the Federal Trade Commission issued a report last month calling for federal legislation that would increase transparency across the industry and make it easier for consumers to access information. The report, titled “Data Brokers: A Call for Transparency and Accountability,” recognizes data brokering’s value to companies and consumers while cautioning against consumer harm due to information misuse. To prevent the latter, the report provides legislative recommendations and industry best practices such as creating a centralized online portal to identify which data brokers maintain information on certain customers. Other recommendations include providing customers with “opt-out” tools, narrowing data brokers’ collection efforts and implementing data disposal guidelines.
Four years ago, the Securities and Exchange Commission announced an initiative that offered incentives for assisting with SEC investigations and enforcement. The goal was to help investigators gain first-hand evidence to build strong cases, and to act quickly on them. The initiative included “cooperation tools” including non-persecution agreements (NPA) under which the SEC would not pursue enforcement actions against those that report violations and provide assistance to the agency.
The SEC has entered NPAs with corporations since the initiative was enacted, but it took much longer for the agency to go the same route with people: At the end of April, the SEC entered its first NPA with an individual when a trader provided what the SEC called “extraordinary cooperation” during an insider trading investigation. Others that provided information during the SEC investigation received reduced penalties.
“The reduction in penalties for those tippees who assisted us, together with the non-prosecution agreement for one of the traders, demonstrate the benefits of cooperating with our investigations,” said Andrew J. Ceresney, director of the SEC’s Division of Enforcement, in a statement. “The increased penalties for others highlight the risks of impeding our work.”
Whether or not individuals or companies cooperate with investigations has become a much bigger part of SEC enforcement efforts since the 2008 financial crisis. By pushing transparency and a willingness to cooperate with investigations, the SEC focuses not only on what a company does to stay regulatory compliant, but also how they do it.
As a result, corporate culture has become part of the traits the SEC examines during investigations and enforcement. A company that shows good faith with proactive compliance processes and policies distributed to all employees is less likely to receive harsh punishments than one that blatantly circumvented compliance rules.
SEC Chairwoman Mary Jo White reiterated this standpoint during a speech this week at the New York City Bar Association’s White Collar Crime Institute. Assessing whether a corporation acted negligently involves comparing the corporation’s conduct — as carried out through its employees — to the actions of a more “reasonable” corporation in similar circumstances, White said.
“Holding the entity responsible for the misstatements is the right thing to do if the evidence demonstrates that the entity’s conduct fell below the standard of reasonable care,” White said during her speech.
In other words, corporate culture plays a huge role during SEC investigations. “Transparency” and “ethics” are other traits high on the SEC’s list when looking at infractions. This is not always easy, however, especially for companies with a corporate culture built around sales and financial gain rather than an emphasis on business ethics.
“The SEC is focusing on ‘did you do enough?'” said Tony Jordan, a partner in Fraud Investigation & Dispute Services at Ernst & Young, during an April Directors Roundtable Institute discussion in Boston on SEC enforcement.
“Doing enough” to stay compliant is particularly difficult in the global economy, where businesses operating in different cultures often have much different views on corruption and risk. There’s also no question that nefarious business activity is more common in some areas of the world than it is in others. This raises difficult questions during joint ventures and acquisitions about who should be in charge of ethical behaviors at international outposts.
When starting an investigation for potential compliance violations, Roundtable panelists encouraged attendees to seek maximum internal oversight and control. By getting a jump on disclosure and reporting, companies provide material to stakeholders to assist compliance with federal securities laws. Cooperating with regulators also could help avoid SEC enforcement actions — or at least mitigate penalties, Roundtable presenters said.
Public disclosure does have risks: Roundtable panelists cautioned that jumping the gun on disclosure could cause the organization to lose control of the investigative process, create delays when trying to close the investigation and initiate business disruptions. Disclosure could also result in parallel litigation that invites class action complaints and stakeholder derivative demand.
Despite these risks, the outcome from proactive compliance stance is likely much better than the alternative: huge fines and regulatory fallout stemming from SEC enforcement.
“You have to make sure you have a very clear audit trail so that when the government investigates the investigation, they don’t see that as a lost process,” said R. Todd Cronan, a partner at Goodwin Procter LLP, during the Roundtable. “You don’t want to pay twice: Once for the misconduct and again for the inadequate investigation.”
The recent news that a former Microsoft employee was being charged by federal prosecutors for providing confidential company software code to a tech blogger raised interesting questions. While the former employee’s acts were certainly criminal, there was also controversy concerning Microsoft’s tactics to identify the software leak.
The Microsoft news spotlighted the fuzzy line between corporate data protection, information privacy and security in the digital age. It also reminded me of when I was in Boston last month for the annual GRC Summit, where I ran into one of my sources and asked if he would be available to answer a few questions on camera for a video we were shooting. I knew the answer before I even asked. When interviewing this person in the past, they were required to jump through hoops with his organization’s executive team to ensure he wasn’t revealing anything controversial that could come back to hurt him–or his company.
This has become common, as companies increasingly want to go through comments for the media with a fine-toothed comb to make sure no trade secrets or other sensitive information is leaked. And, well, because sometimes people are stupid.
This relates to a common theme at the GRC Summit — and no, I’m not referring to the “people are stupid” part. The theme was communication and transparency was key to proper governance, risk management and compliance, and to making sure employees understand their roles in these processes.
In short, a cross-disciplined, company-wide focus to maintain a “mature” GRC strategy is necessary to corporate success–and a big part of these efforts is making sure employees know their GRC strategy role.
This is sometimes difficult as business data commonly travels and is stored all over the world. A universal GRC strategy is made more difficult for global companies with sometimes conflicting privacy and compliance rules for different international offices, said GRC Summit presenter Duke Alden, vice president of global information governance at Aon plc.
As a result, making sure each and every stakeholder understands their role in the information security and risk management processes is vital to these programs’ success, Alden added.
“Unless you have some kind of program to adhere those steps and various elements to someone’s day job, then you are setting yourself up for failure,” Alden said. “Put together some kind of network to manage information risk at a ground level.”
Risks stemming from information management processes such as bring–your-own-device (BYOD) policies are no different, said Gretchen Herault, vice president of site standards and user safety and deputy chief privacy officer at Monster, during her GRC Summit presentation.
“Making sure people have that level of awareness is very important,” Herault said.
It’s also important to be clear about what the information security objectives of the company are and what it is trying to achieve with the BYOD policy, Herault added.
Implementing a top down, “pro-GRC culture” should begin with identifying IT and compliance-related threats unique to the company. The process should be a proactive and ongoing, and business leaders need to adapt as new threats evolve, said Brian Barnier, a principal analyst and adviser at ValueBridge Advisors LLC and keynote speaker at the GRC Summit.
“Training, communication and planning are really crucial,” Barnier said. “It’s important to understand the range of crises that can occur.”
(This blog post was written by Christina Torode, Editorial Director of SearchCIO Media Group)
I spent a whirlwind trip to the RSA conference this week in San Francisco hanging out in the Information Systems Security Association (ISSA) booth, catching up with the group’s members as they popped in. We talked about many things: cyber warfare, the need for collective security intelligence, how important being a member of a group such as ISSA is to a career, Edward Snowden, how much system access security vendors should give the government, how threats are becoming increasingly political in nature.
This post would be extraordinarily long if I went into all the discussions, but here are few snippets of the conversations where ISSA members and industry luminaries describe threats the security profession need to pay more attention to:
Marcus Ranum, CSO of Tenable and developer of the first commercial firewall
“The threats aren’t really new or emerging ones. We’re always up against mistakes we made 10 or 15 years ago. We’re really just now starting to cope with problems raised by distributed computing, which is kind of sad. We haven’t even gotten to transitive trust. Hackers are starting to understand transitive trust and we’re going to have a serious problem when that happens.”
Howard Schmidt, professor at Idaho State University, consultant with Ridge-Schmidt Cyber and former White House cyber advisor for Presidents George W. Bush and Barack Obama
“The mobile environment. When there were just a few BYO devices, there wasn’t a lot of connectivity so they weren’t really a threat to the environment. Now virtually everything has an IP address and is connected to a network to network through the home or work environment. We really haven’t thought that through. Some software is well vetted, but other software can be downloaded with malware, that piece of extra piece of extra software that can pull out your PII.
What people pay even less attention to is all the devices in the home. The TV is becoming an Internet device looking to control access to a lot of things. Hopefully we won’t go down the path [with home devices such as the TV] and make the same mistakes we have with other systems. We know that there are vulnerabilities, we need to get them fixed and go to the manufacturer and say ‘It’s great that you have this application, but it also exposes me.'”
Dave Cullinane, former eBay CISO and founder of SecurityStarfish
“The level of attack sophistication is getting incredibly scary. Ebay was a technology company so we had the resources and kind of money to be able to access shared information and intelligence on what’s going on across the industry and businesses. Small and mid-size companies don’t have those resources. Access to good intelligence [analytics] on what to look for and what to do about [a security threat] helps you invest the right way.
Another area that can help is software-defined perimeters. Coca-Cola and the Cloud Security Alliance are working with open standards, some technology that has been around for a while, that has the capability to eliminate the potential for huge groups of attacks.
Another helpful measure? If your customers pose a threat to your own security, teach them how to defend themselves and give them the tools to do it. Ebay gave its customers Microsoft Security Essentials, which allowed their customers to uncover a lot of hidden threats.”
Gene “Spaf” Spafford, professor of computer science at Purdue University
“I don’t think I’ve seen anything that I would consider a new attack. Many of the things occurring are attack technologies and behaviors that have been known about for decades, but practitioners in the field today don’t know about them. Certainly an awful lot of organizations that have been attacked have not bothered to make appropriate investments in security, so when these attacks occur everyone goes ‘wow that’s a surprise,’ but it isn’t really.
The recent series of attacks on POS terminals to collect credit card numbers, that’s not new. It’s malware, going after personal information and these organizations were ignoring the warnings.
What we are seeing that’s a little bit different is larger scale and a little more politically motivated element to attacks. The Syrian Electronic Army, for example. Those are disturbing because we don’t have a coordinated international response to the wide scale cybercrime and the politically motivated behavior.”
Christina Torode oversees coverage and special projects for SearchCIO.com, SearchCIO-Midmarket.com and SearchCompliance.com. She has been a high-tech journalist for more than a decade. Before joining TechTarget, she was a reporter for technology trade publication CRN, covering a variety of beats including security, networking, telcos and the channel. She also spent time as a business reporter and editor with Eagle Tribune Publishing in eastern Massachusetts.
(This blog post was written by Marilyn Bier, chief executive officer for ARMA International.)
All organizations depend on information to manage day-to-day operations, comply with regulations, gauge financial performance and monitor strategic initiatives. This critical information resides in the organization’s business records.
Good information governance controls are difficult enough to apply inside an organization, even when it is using its own best practices tool set. While it is possible to manage aspects of the lifecycle and disposition of the information that resides in the cloud, these rules become more difficult to enforce.
“Proper information governance requires a centralized control point, as well as effective enforcement, for an organization’s records management tool set to be effective,” said Brent Gatewood, owner of consultIG, in a recent issue of Information Management magazine. “Today, the controls in place with most SaaS [Software as a Service] providers are too non-specific. The controls in place are collection-focused and largely managed according to the provider’s rules, not those of the organization whose information is being stored.”
To satisfy the information governance needs of most organizations, control and management of data in the cloud should reside inside the organization itself and extend to cloud-based repositories. A centralized tool managing lifecycle rules for the organization needs to have the proper hooks into the data residing in the cloud. These tools need to have a complete view of the information owned by the organization to be responsive to internal and external requests.
According to Gatewood, “The reality is this: The tools may not exist, but organizations are moving — or have already moved — data into the cloud. Data relationships and management controls inside of organizations are more important than ever. Unless the management controls are already in place, it is unlikely that individuals are going to seek advice about extending controls to cloud-based repositories.”
Cloud computing is not going away. It can be a valuable tool, but a tool that needs to be understood and managed. Applying information governance controls, with the proper relationships in legal and information technology and services, can help to reasonably manage information in the cloud.
Information governance controls: cloud provider accountability
Gatewood recommends that organizations considering a cloud-based initiative — or reviewing a solution already in place — find answers to the following questions about contracts, audit controls and integration points:
- What service are we contracting for and what are the vendor’s records management and compliance obligations?
- What kind of data controls does the vendor have in place?
- How is information destroyed?
- Can we set minimum and maximum retentions and at what level?
- Are there secure destruction options?
- What are the vendor’s policies for backups, replication or failover?
- How do we confirm disposition takes place on a timely basis and according to our rules?
- What is the provider’s internal audit process?
- How often is the provider audited by external agencies?
- What standards is the provider held to?
- Is the vendor open to being audited for compliance? (If not, this may be a sign of bigger issues.)
- Is the vendor open to integration with our systems and applications?
- Has the vendor integrated with any systems that provide a structure for compliance?
Organizations must also consider if the vendor’s policies and procedures related to the handling and management of information are acceptable. If they are not, Gatewood believes the organization should either move the data elsewhere or require an auditable change that meets its needs.
Gatewood also recommends that organizations require a data map that details where the information resides. Data maps can be complicated because they detail what is often a complex infrastructure that might involve third-party relationships specific to your data, but the effort to review them is definitely worthwhile.
Marilyn Bier is chief executive officer of ARMA International, an authority on governing and managing information as critical business assets. As a not-for-profit professional association founded in 1955, it provides its 10,000-plus global members and countless external customers the education, publications and resources they need to be able to create, organize, secure, maintain, use and dispose of information in ways that align with and contribute to their organization’s goals.
Big data presents numerous data governance challenges: Regulatory compliance, information security and risk management and are all complicated by the amount of data generated by the average business today.
Law firms are very affected by this exponential data growth and the increased importance of information governance processes. Clients increasingly require — and demand — higher standards for how lawyers secure their data and manage access to it.
“It’s becoming important to law firms because clients are making it important to law firms,” said Rudy Moliere, director of records and information at Morgan Lewis & Bockius, LLP. “There is an increasing need for them to manage their information.”
Moliere is one of the authors of two new reports titled “Building Law Firm Information Governance: Prime Your Processes” and “Emerging Trends in Law Firm Information Governance” that focus on how the legal field manages, secures and accesses information. The reports were written by a handful of information management professionals from U.S. law firms, and published by Iron Mountain, Inc.
The reports are designed to provide law firms a blueprint for creating information security policies and processes, and making data readily available to both staff and clients. The reports were developed during a symposium held earlier this year.
“In the legal environment, information governance is becoming more of a requirement than an option, especially as more clients want to know how their information is being protected,” said Brianne Aul, senior manager of Firmwide Records, Reed Smith LLP, and a member of the symposium steering committee, in a statement.
“Clients have very valid expectations that their outside counsel will have policies and protocols for keeping information secure.”
In addition to clients making these information governance and security demands, they are also auditing firms to ensure firms are meeting regulatory and security requirements. New and expanding compliance regulations are forcing those in the legal field to closely examine their approach to information governance. The HIPAA Omnibus rule, for example, extends Health Insurance Portability and Accountability Act compliance to business associates of the typical covered entities directly involved in patient care, including law firms.
This increased focus on data management as it relates to staying compliant is having a major effect on legal information governance, said Carolyn Casey, Esq., senior manager, legal vertical for Iron Mountain.
“In the past, law firms were of the mind that they advise clients on regulatory compliance,” Casey said. “I think, more and more, it’s really turning back to the law firms itself.”
Another driver of this trend is the increased scope of cyberthreats, and the federal government’s reaction to them. Earlier this year, President Barack Obama signed an executive order requiring federal agencies to share cybersecurity information with private companies.
The order also requires the creation of a cybersecurity framework designed to reduce risks to U.S. companies that provide critical infrastructure.
“In correlation with that new executive order, [it] stepped up interest by clients in just how law firms are managing that sensitive information that corporate clients entrust to them,” Casey said.
A new approach to information governance has huge benefits to the law firms themselves, according to the reports’ authors. These include operational efficiencies and a reduction in data management costs, as well as mitigating the law firms’ risk of security breaches and non-compliance.
As the amount of information law firms are responsible for continues to grow, the need to quickly access, classify and protect that information becomes a key issue from a legal standpoint. By making information governance processes a bigger part of everyday operations, law firms can make sure data is readily available and protected, said the reports’ authors.
“Proliferation of information has been happening for quite some time,” Molier said, but until recently “we didn’t have a clear understanding what exactly information governance meant in a law firm environment.”
Gaping holes in U.S. cybersecurity — especially vulnerabilities relating to trade secrets — remain a top concern for the Obama administration as it struggles to get industry on board with digital security efforts.
Consider these reports: Last week, a New York Times article estimated U.S. research universities suffer “millions” of hacking attempts weekly. Many of these attacks are believed to stem from China, but the increased sophistication of hackers makes it difficult to determine the exact origin. Earlier this year, Alexandria, Va.-based security firm Mandiant Corp. reported that since 2006, a Chinese military unit within the People’s Liberation Army has been using cyber-espionage to steal “confidential data from at least 141 organizations across multiple industries.” In May, a research firm uncovered an India-based cyber-espionage network designed to gather intelligence from a combination of national security targets and private-sector companies across the globe.
In addition, a report released earlier this month by the Center for Strategic and International Studies, co-sponsored by software firm McAfee Inc., estimated that cybercrime and theft of intellectual property costs the United States up to $100 billion in losses annually.
Despite these obvious concerns, the Obama administration and other boosters have struggled to pass sweeping cybersecurity measures, mostly due to bureaucracy: Budget constraints forced the Department of Homeland Security to cut a number of cybersecurity-related training sessions with utility companies, the Wall Street Journal reported this week. Business groups, including the U.S. Chamber of Commerce, have argued against past U.S. cybersecurity bill iterations, with the biggest argument being the regulations would put undue burden on industry.
The state of foreign relations is not helping matters. At the annual U.S.-China Strategic and Economic Dialogue in Washington, D.C., earlier this month, cybersecurity regulations were a major topic. Coming to a cybersecurity compromise proved difficult, however, especially because the leaks surrounding the National
Security Agency’s PRISM program and its associated online surveillance activities make U.S. efforts to curb cyberattacks seem hypocritical. In addition, Chinese government officials continue to deny involvement in state-sponsored cyberattacks on foreign soil.
The question is: Do U.S. businesses realize the tenuous state of their online information? POLITICO reported earlier this week that President Obama is considering tax breaks and other benefits to entice businesses, especially those involved with critical infrastructure, to make cybersecurity improvements.
One thing is certain: Cybercrime and determining a path to cybersecurity continues to be a growing problem on a global scale. Hackers are only getting more sophisticated, and often seem one step ahead of efforts to curb them. As a result, protecting state secrets, business data and citizen information are a priority for not just the U.S., but for countries all over the world. Improving cybersecurity will require collaboration between the U.S. government, businesses and possibly even other countries. Without this cooperation, hackers will continue to gain the upper hand and put sensitive information at risk.