Sunbelt Blog

How Safe is Your Data?

Remember when company data rarely left the corporate network? The files you created were stored on either your desktop computer's hard drive or on a server inside the building. Backups of these files were created on physical tape drives which were securely stored in fireproof boxes. Today, company data isn't neatly contained. Your firm's attorneys likely have laptops and PDAs. Your employees, especially telecommuters, may share data through online file sharing and collaboration sites like Google Documents. Employees may take files home on USB thumb drives. Your main server may back up data to an online data backup service. Technology has allowed your firm greater mobility; however, is your data safe and secure?

While corporate networks are not immune to security breaches, each piece of data that is stored outside of the company's network is vulnerable. What if an attorney's laptop is stolen? What if a telecommuter stores a file online and forgets to mark it "private"? What if an employee loses a USB thumb drive containing confidential files? What if the online storage provider's system is compromised?

Whenever you allow data outside of the corporate network, you lose control over it. This is a problem companies of all sizes and industries are grappling with. Of particular concern is data subject to confidentiality restrictions. While losing a document covering a staff meeting's agenda would be a short-term problem, losing confidential data related to a pending case would be devastating. In addition, specific acts such as the Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act regulate how certain types of information can be transferred and stored.

Assuming that your firm's data is stored according to any applicable regulations, how safe is it? Is the data encrypted as it travels from one computer to the next? Are data backups encrypted when stored online? Is the physical building where your online data resides secure? Even with safeguards in place, online service providers can encounter problems. We've all heard of stolen laptops and major hacker attacks that have compromised credit card and social security numbers of millions of individuals. In addition, last March, Google discovered its Documents and Spreadsheets application had experienced a breach where some documents had been shared with unauthorized users.

So, what should you do? First, evaluate your firm's current data patterns. Where is data created? Where is it stored? How is it transmitted? How is it secured at all points? You may need to invest in technologies designed to secure mobile data or contract with regulation-compliant partners. If using online backup or collaboration services, you'll need to review all privacy policies to make sure that the provider has appropriate safeguards in place.

Once you have a better understanding of where your firm's data originates, how it is transmitted, and how it is stored, along with a plan for securing any areas of weakness, consider creating a formal data policy. For example, is it okay for an attorney to take a USB drive home to work on files on her personal computer over the weekend? If so, is she allowed to save a local copy on her home PC? If so, what types of security measures should her personal computer have in place? As you draft your data policy, you'll run into even more questions like these, reinforcing the need for restricting and securing firm data.

Technology has made the mobile workforce a reality, bringing with it both benefits and new challenges. Recognizing that data is at risk is an important first step in ultimately securing it.


How Secure are Your Emails

When we send an email, whether it's to a friend, colleague, or client, we expect that the email will arrive, uncompromised, to the intended recipient. We also expect that the email will not be redistributed to others without our consent. However, once we hit the send button, the message is largely out of our control. Will it arrive as intended? Will hackers intercept the message? Will the recipient keep the message to himself? How secure are your emails? How can you be sure that your message won't be altered and recirculated? How can you maintain data integrity and confidentiality?

It's becoming increasingly common for individuals to append a confidentiality clause or disclaimer to messages. An example of such a clause is:
"Any information contained in or attached to this e-mail is intended solely for the use of the intended recipient(s) and may contain information that is confidential or legally privileged. If you are not an intended recipient of this e-mail, please notify the sender of the delivery error and then please delete and destroy all copies and attachments, and be advised that any review or dissemination of, or the taking of any action in reliance on, the information contained in or attached to this e-mail is expressly prohibited."

While it's smart to include such a disclaimer, it's even smarter to use digital signatures and digital encryption tools to protect your confidential e-mail messages. In fact, depending on the nature of the email message or regulations governing your firm, your messages may need to be encrypted in order to comply with regulations such as HIPAA, SOX, or GLBA.

Various technologies are used to encrypt email messages and digitally sign messages. Regardless of which technology your firm uses, the idea is that an encrypted message can only be viewed by those holding the "keys" to unlock it. An encrypted message is scrambled before being transmitted. Your recipient must have the "key" in order to unscramble the message. This is usually done through the use of digital IDs which verify an individual's identity through a third party vendor. Once each individual has obtained a digital ID, they exchange digitally signed messages; receiving a signed message adds the sender's digital ID to that contact's entry in the email program. These digital IDs are also known as "public keys" and can be shared with the general public.

Sharing each other's "public keys" may not sound terribly secure. However, the public key is only half of the equation. When you want to send an encrypted email to a person with a digital ID or public key, you use that digital ID or public key to encrypt it. The individual holds a second key, which is never shared, that deciphers the message. In general, the keys are set up in the individual's email program on their own computer, and a pass phrase is used to open the message.

Once the digital identities have been established, it becomes possible to send encrypted messages to one another. This ensures that your message is only viewable by the intended recipient. If a system administrator stumbles onto the e-mail in the system, the administrator cannot view it. If a hacker intercepts the message, he cannot open it. If a co-worker sneaks into your office, she cannot open the message unless she knows your secret pass phrase.

Adding a digital signature to your emails is also an excellent way to establish that the email is really from you and not from an imposter. For example, if you're concerned that someone might set up an email account in your name and then pose as you, start digitally signing your messages to establish which emails are definitely originating from you and which ones are questionable. Likewise, receiving digitally signed e-mail messages from your colleagues and clients ensures that what you are receiving originated with those individuals.
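The two mechanisms described above, encrypting to the recipient's public key and signing with the sender's private key, can be seen end to end in a small program. The following is an added example written for this page, not code from Sunbelt or from any mail product; it uses only Go's standard library and does what S/MIME and PGP clients do under the hood: a fresh one-time AES key scrambles the body, that key is wrapped with the recipient's RSA public key (RSA-OAEP), and the whole package is signed with the sender's RSA private key (RSA-PSS). The names "Alice", "Bob" and the message body are constructed for the example. Opening a message checks the signature first, so an impostor's mail and a message altered in transit are both rejected, and a mail administrator or eavesdropper holding only their own key pair cannot unwrap the body.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Identity is one person's digital ID: an RSA key pair. The public half is shared
// freely; the private half stays on the owner's machine (a real mail client would
// keep it on disk encrypted under the owner's pass phrase).
type Identity struct {
	Name string
	priv *rsa.PrivateKey
}

// NewIdentity generates a fresh 2048-bit RSA key pair for the named person.
func NewIdentity(name string) (*Identity, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Identity{Name: name, priv: priv}, nil
}

// PublicID is the shareable half of the digital ID (the "public key").
func (id *Identity) PublicID() *rsa.PublicKey { return &id.priv.PublicKey }

// SealedMessage is what travels through the mail system; every field may be seen in transit.
type SealedMessage struct {
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM encrypted body, with its authentication tag
	Signature  []byte // sender's RSA-PSS signature over the three fields above
}

// digest length-prefixes and hashes the transmitted fields so the signature
// covers the whole message, not just the body.
func digest(m *SealedMessage) []byte {
	h := sha256.New()
	for _, part := range [][]byte{m.WrappedKey, m.Nonce, m.Ciphertext} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(part)))
		h.Write(n[:])
		h.Write(part)
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext so only the recipient's private key can unwrap it, then signs it.
func Seal(sender *Identity, recipient *rsa.PublicKey, plaintext []byte) (*SealedMessage, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key plus a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	msg := &SealedMessage{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	// Only the holder of the matching private key can recover the AES key.
	if msg.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil); err != nil {
		return nil, err
	}
	if msg.Signature, err = rsa.SignPSS(rand.Reader, sender.priv, crypto.SHA256, digest(msg), nil); err != nil {
		return nil, err
	}
	return msg, nil
}

// Open checks the signature against the claimed sender's public key, then unwraps the
// message key with the recipient's private key; any failure yields an error, never a body.
func Open(recipient *Identity, claimedSender *rsa.PublicKey, msg *SealedMessage) ([]byte, error) {
	if err := rsa.VerifyPSS(claimedSender, crypto.SHA256, digest(msg), msg.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify: altered in transit or not from the claimed sender")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.priv, msg.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap message key: not encrypted to " + recipient.Name)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
}
```

To use it, create an Identity for each party, hand the recipient's PublicID to the sender, call Seal on the sender's side and Open on the recipient's side with the sender's PublicID as the claimed sender. The design choice worth noting is that the signature is checked before any decryption is attempted, and that it covers the wrapped key and nonce as well as the body, so nothing in the package can be swapped without the recipient noticing.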

Encrypting and digitally signing messages is a bit clumsy to set up at first but well worth doing to ensure data integrity and confidentiality.



All Posts