How Safe is Your Data?
Posted by Chris MacNaughton on Wed, Feb 24, 2010
Remember when company data rarely left the corporate network? The files you created were stored on either your desktop computer's hard drive or on a server inside the building. Backups of these files were created on physical tape drives which were securely stored in fireproof boxes. Today, company data isn't neatly contained. Your firm's attorneys likely have laptops and PDAs. Your employees, especially telecommuters, may share data through online file sharing and collaboration sites like Google Documents. Employees may take files home on USB thumb drives. Your main server may backup data to an online data backup service. Technology has allowed your firm greater mobility; however, is your data safe and secure?
While corporate networks are not immune to security breaches, each piece of data that is stored outside of the company's network is vulnerable. What if an attorney's laptop is stolen? What if a telecommuter stores a file online and forgets to mark it "private"? What if an employee loses a USB thumb drive containing confidential files? What if the online storage provider's system is compromised?
Whenever you allow data outside of the corporate network, you lose control over it. This is a problem companies of all sizes and industries are grappling with. Of particular concern is data subject to confidentiality restrictions. While losing a document covering a staff meeting's agenda would be a short term problem, losing confidential data related to a pending case would be devastating. In addition, specific acts such as the Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act, regulate how certain types of information can be transferred and stored.
Assuming that your firm's data is stored according to any applicable regulations, how safe is it? Is the data encrypted as it travels from one computer to the next? Are data backups encrypted when stored online? Is the physical building where your online data resides secure? Even with safeguards in place, online service providers can encounter problems. We've all heard of stolen laptops and major hacker attacks that have compromised credit card and social security numbers of millions of individuals. In addition, last March, Google discovered its Documents and Spreadsheets application had experienced a breach where some documents had been shared with unauthorized users.
So, what should you do? First, evaluate your firm's current data patterns. Where is data created? Where is it stored? How is it transmitted? How is it secured at all points? You may need to invest in technologies designed to secure mobile data or contract with regulation-compliant partners. If using online backup or collaboration services, you'll need to review all privacy policies to make sure that the provider has appropriate safeguards in place.
Once you have a better understanding of where your firm's data originates, how it is transmitted, and how it is stored along with a plan for securing any areas of weakness, consider creating a formal data policy. For example, is it okay for an attorney to take a USB drive home to work on files on her personal computer over the weekend? If so, is she allowed to save a local copy on her home PC? If so, what types of security measures should her personal computer have in place? As you draft your data policy, you'll run into even more questions like these, reinforcing the need for restricting and securing firm data.
Technology has made the mobile workforce a reality, bringing with it both benefits and new challenges. Recognizing that data is at risk is an important first step in ultimately securing it.