The year 2013 was pretty terrifying when it comes to data security. Amid the fears created by the breaches at Adobe and Target, plus the knowledge that big brother really has been watching us through the NSA, every corporate counsel ought to be concerned about data security at their organization. However, as the senior manager of IT Operations for Legal Tracker, a SaaS (software as a service) e-billing and matter management company, Anne-Marie Scollay explains that there is no "silver bullet that provides an impervious layer of security around data." Anne-Marie frequently collaborates with legal departments and their IT teams as they evaluate Legal Tracker's cloud solution and shares insights regarding data security.
So what's a non-technical corporate counsel to do?
While your IT department is constantly working on data security, Anne-Marie finds that in today's increasingly fast and social digital environment, data security is the responsibility of every employee. As a member of the legal department, your role is more important than most. She offers five actionable suggestions that you and your department can start acting on now.
1. There is no "one-size-fits-all" solution to data security
"Data, whether it is stored behind the company's firewall or in a cloud application, is vulnerable to theft," explains Anne-Marie. "No information is absolutely secure – whether from hackers or from trusted employees – despite what precautions may be in place to protect data." Anne-Marie suggests adopting data classification standards, which help an organization determine the value of different types of data. Classifying data helps define the potential risk for that data, whether it is stored in-house or off-premise.
Anne-Marie shared some common types of data classification:
- Public: General information that is accessible to the public; information that has a low risk to the company's reputation. For example, a company's public internet site.
- Sensitive or confidential: Data that is viewed as having a moderate level of sensitivity and a moderate adverse impact on the company's reputation if it is distributed without authorization. Examples include data covered by a non-disclosure agreement and competitive market research.
- Restricted: Data in this category is considered the most sensitive and the highest risk to a company's reputation if it were distributed. Examples of this type of data include information that falls under HIPAA, PII, and more.
2. Information security should be at the forefront of your employees' thoughts
"Information security is no longer the sole responsibility of the technology professionals," states Anne-Marie. It is in everyone's best interest to partner with the chief technology professional in your organization (CISO, CIO, CTO) to develop annual security awareness training for all employees, with the purpose of "continuing to educate your employees about their role in securing company data, wherever it resides," explains Anne-Marie. "Too often, the legal department becomes involved when there is a crisis or breach," states Anne-Marie, "but corporate counsel can have a proactive role to play even without an occurrence by partnering with the chief technology professional." Together they can set an agenda of regulatory and security topics that are relevant to the business and its employees and therefore worth highlighting through training programs and corporate communications.
3. The cloud is neither inherently insecure nor inherently secure
Anne-Marie feels that "in a time where employees are being required to do more with less, they are clamoring for the efficiencies offered by cloud applications that are targeted to solve the specific challenges faced by those employees." Regardless of whether your organization has decided to be in the cloud or not, your employees will drive the business there. Anne-Marie recommends that, in assessing a cloud application, you understand what it is intended for, how its data is secured, and the impact on the business if the application were unavailable or compromised. Anne-Marie adds, "Embrace the benefits that the cloud has to offer – scalability, availability, and, yes, security."
When considering cloud service providers, Anne-Marie recommends giving preference to those that have achieved certifications from recognized organizations. Some examples include the SOC family of reports (SOC 1, SOC 2, and SOC 3), ISO 27001, NIST 800-53, and CSA's Security, Trust & Assurance Registry (STAR). Additionally, look for service providers that regularly perform penetration tests. Anne-Marie explains that these are tests performed by an independent third party as a form of ethical "hacking" to identify risks in the application, so that the cloud service provider can remedy the risk before a real hacker leverages the vulnerability.
4. You should be aware of technology solutions adopted by your business and the reasons why
You can no longer expect only your CISO/CIO/CTO to worry about data security and other technology issues. "As cloud adoption expands throughout business, it will require partnership among the entire C-suite to understand the potential ramifications and benefits of cloud adoption for the business. The General Counsel's input is necessary to provide guidance on data sovereignty, regulatory requirements, privacy concerns, and more," explains Anne-Marie. Look to the CISO/CIO/CTO instead to inform others and provide the necessary updates on technology trends, certification standards, and security hot-buttons.
"While having an expert in both legal and security would be helpful, in many cases companies may not have the budget to create such a hybrid position," states Anne-Marie. A strategic partnership between the legal and technology departments facilitates knowledge sharing between them, ensuring that trends in both areas are identified and tracked. For example, the legal department can share information on privacy trends and the technology team can share information on hacking trends.
5. How to be a savvy technology user – professionally and personally
Whether reading work or personal email, answering a phone call, Tweeting, Facebooking, online banking, or wherever else your digital life takes you, be vigilant. "Those looking to steal data (yours or your company's) are waiting to lull you into a sense of safety – by sending an email posing as a known sender but instead including a link to take you to a bad site, by phoning you under the guise of being an employee at your bank and asking for your personal information, and so much more," explains Anne-Marie. "All they need is for you to leave the proverbial front door unlocked, and they will turn the knob and walk in." Whether or not you consider yourself knowledgeable about technology, vigilance is the best protection possible in an era where technology is ubiquitous.
Follow and share these tips from Anne-Marie to become a tech-savvy user:
- Mind your passwords! Create strong passwords, do not use the same password for more than one site or application, and manage them through a secure utility.
- Use trusted sources to download software; if you are uncertain whether a source is trusted, talk with your technology professionals, who will be happy to guide you to reputable sites from which to download software.
- Verify that antivirus software is installed and running on your computer and that firewalls are running (these services are typically handled by company technology teams, though they are less frequently deployed in home settings).
- Lock your computer before walking away (CTRL+L for Windows computers). Do not leave data on removable media. Physical security is the easiest way for data to walk out of your company and your home.
Order from chaos
Anne-Marie describes her specialty as "creating order from chaos," something inherent in the concept of information technology. She has become intimately familiar with the concept of data security through her work for Legal Tracker, a Thomson Reuters company, for the past five years, after positions at various other organizations. In addition to overseeing the technology requirements for SaaS at multiple locations, she also manages Legal Tracker's information security responses and enjoys talking with legal and technology departments about their information security questions related to SaaS solutions. Anne-Marie has found that when assessing SaaS solutions, it is easy to make a unilateral decision based on how well the solution appears to solve a problem. However, it behooves companies to take a holistic approach, including the legal and other departments, in assessing such solutions to ensure that regulatory and security concerns are covered.
Watch for more tips and recommendations from Anne-Marie in coming issues of Corporate Counsel Connect.