By: Elizabeth Khalil, Member, Dykema Gossett PLLC
Elizabeth Khalil is a partner in the Chicago and Washington, DC offices of Dykema Gossett PLLC. Her practice focuses on financial institutions regulation and privacy and data security.
If asked to think of a data security threat, many might picture a cyber-hacker: a technologically savvy criminal, brilliant and evil, scheming around the clock in some far-flung land to break into the world’s databases. When these nefarious plots succeed, the result can be the theft of millions of electronic records, account credentials, identities, and dollars.
And yet these James Bond villains aren’t the only ones to worry about. It’s not just sophisticated outside hackers that threaten sensitive data — and it’s not just electronic information at issue. Threats can come from the ways we ourselves handle paper and other hard-copy records, as well as the ways we guard access to our electronic media and systems. While it’s vital to secure our networks against external hackers, it’s also important to keep in mind how our everyday actions might help protect — or threaten — information we want to keep safe.
Understanding Applicable Laws and Rules
It’s essential to understand the various requirements that could apply to each type of information a business collects, maintains, uses, and discards. Each office’s policies and procedures for information security and management — including training for personnel — should incorporate the requirements of all applicable laws, regulations, policies, and industry standards.
Admittedly, while that sounds like a simple directive, it often is not. In the U.S., there is no single data protection law that covers all types of data. Instead, we have a patchwork quilt — some might say a crazy quilt — of federal and state laws that might apply. To give just one example — or, rather, about 50 examples — there are state data breach notification laws, which vary in their coverage and requirements and may apply broadly to information of consumers from the relevant state, even if the data breach in question took place elsewhere. There are also state data security laws. There may also be industry standards to consider, as well as professional responsibility and ethics rules, such as those applicable to attorneys’ safeguarding of client information.
Some laws and rules focus on specific industry sectors, such as healthcare or financial services — but beware of concluding that they can never apply to you just because you don’t operate in that sector. Take, for instance, the federal Health Insurance Portability and Accountability Act (HIPAA) and its Privacy Rule and Security Rule, which cover certain types of entities in the healthcare space as well as “business associates” of covered entities. Companies outside the healthcare space, such as law firms, can be covered by HIPAA requirements as business associates by holding, using, or disclosing “protected health information” (PHI) that came from a covered entity or another business associate.
Financial institutions are subject to information security guidelines that incorporate provisions of the federal Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley Act (GLBA), and are expected to incorporate their service providers — which are often nonbank companies — into their information security programs pursuant to those guidelines.
Laws that, on their face, do not relate to privacy or data security can also be relevant. For example, the Federal Trade Commission Act and many state analogues prohibit unfair or deceptive acts or practices. Any business that makes “promises” to consumers about privacy or data security and fails to live up to those promises could face claims that it has committed an unfair or deceptive act or practice.
Thus, due to the patchwork of authorities potentially covering information in this country, it’s important to fully look into what could apply. Providers of data risk insurance or malpractice insurance may also have best practices and guidelines to share.
More Paper, More Problems
Even in the electronic age, businesses seem talented at generating paper. Some of us gaze out at the world from behind a fortress of binders, accordion files, and loose sheets stacked ceiling-high. As the paper stacks up, so do the obligations to safeguard information in those stacks that should be kept confidential. And keep in mind the particular ways paper can be vulnerable. For one thing, unlike electronic data, it can’t be encrypted.
How best to safeguard paper? Some offices favor a clean-desk policy — leaving nothing in plain view that should not be accessed by others’ eyes, with all sensitive paper records locked away in drawers and cabinets. That may not be practical for every business. In particular, I can already hear some attorney friends, whose desks are always buried in paper, shouting, “Objection!” to that idea.
But if you don’t keep papers out of plain sight, be sure that your office space is secure. For instance, lock your office door when you leave — or be certain that your larger office space is inaccessible to anyone who should not have access. Think carefully about who can enter that space, particularly after hours or unsupervised, such as cleaning staff. Don’t forget that you may not know whether information in paper form has been improperly accessed — someone could snap a photo of a document with a smartphone and leave the original paper seemingly undisturbed. This is also a reason to consider what you leave written on whiteboards others can see.
Also, if you use a shared printer, consider who has access to the printer and the risks of failing to quickly retrieve sensitive printouts.
When it’s time to dispose of physical documents — paper or other media like compact discs — containing anything confidential or sensitive, they should be shredded or otherwise disposed of securely. This may seem obvious, but apparently it’s not, because confidential files continue to periodically show up in public garbage bins or other places they shouldn’t.
A popular tool for collecting sensitive documents to discard is a locked dumpster-like shred bin, which is where documents go to die — or at least remain locked away until shredded, burned, or perhaps pulverized into microscopic dust. But in order for that secure destruction to take place, the documents must first make it into that bin. Placing papers in a neat pile next to the secure receptacle is, alas, nowhere near as good as actually putting them into the secure receptacle. It’s a bit like taking money to the bank and leaving it in a neat pile next to the teller station.
You Can’t Take It With You
Well, you can, but should you? Some of our risky practices stem from admirable motives. For instance, to make the most of our commuting time, we might print out a draft document to mark up by hand on the train. But on crowded public transit, papers could be jostled out of your hands and left behind. Wandering eyes could also be looking over your shoulder as you read, whether on paper or on a device’s screen (and those plastic privacy overlays don’t work from every angle — otherwise, you wouldn’t be able to read your screen with one in place).
If you must bring work with you, take extra care to shield the information from the sightlines of others, and be sure to leave nothing behind. Or use data security as a perfect excuse to do some non-work-related reading on the commute — one reason to feel less guilty about catching up on celebrity scandals or sports scores.
Can You Hear Me Now?
Speaking of trains, I’m often an involuntary party to one side of a work-related conversation when not in the haven of a Quiet Car. Add in the need to shout over the noise of the train, and I’ve heard more details about pending deals or other client business than I care to know. (I’d prefer to listen in on juicy gossip, personally, but as an eavesdropper you take what you can get.) Even hearing only one side of a discussion may allow listeners to put together confidential details that should not be discussed in public.
No Mobile Device Left Behind
This risk also comes from our desire to remain connected 24/7 — even while attending to personal needs. If I had a dollar for every BlackBerry or iPhone I found next to a toilet or restroom sink, I’d be rich. Well, at least I’d have lunch money. For now, I’m merely rich in the knowledge that mobile devices should not be left in bathrooms. Just in case a device does fall into the wrong hands, be sure to adjust its settings, too, so that the screen quickly locks behind a password (and not 1234).
While threats to documents and computer systems can come from malicious insiders, many come from unwitting ones. It’s important that all employees understand applicable policies about taking work home, using external drives to transfer information to and from work computers, and so on.
Social engineering is a common way that nefarious outsiders gain entry through unsuspecting insiders. By now, we’ve probably internalized the warnings from our IT staff and others not to click on links in unfamiliar emails. And yet, at one time or another, many of us still click.
But emails with links in them are not the only ones that pose dangers. Some phishing emails target specific types of businesses and attempt to lure people in with very simple language that sounds plausible — or at least more plausible than the old Nigerian scam emails claiming to be from exiled royalty looking for help in unfreezing their assets.
Instead, these emails purport, for instance, to be from potential law firm clients, asking whether the firm handles a certain type of matter or can provide a referral. Some of these can be difficult to distinguish from legitimate inquiries since the messages tend to be short and simple. In this case, skepticism as well as common sense can be helpful tools.
The existence — and continued success — of social engineering schemes underscores the need for awareness training across an enterprise. Staying abreast of current threat intelligence — learning about schemes others have encountered — will help cultivate the ability to identify suspicious activities.
CTRL+ALT+DEL Before You Leave Your Seat
Office workstations can be vulnerable in several ways. There’s the ever-popular “passwords-on-sticky-notes-stuck-to-computer-monitor” approach, which never seems to go out of style. People also go home for the day and leave their computers on and unlocked rather than locking the screen, restarting, or powering off. When I pass by an empty office where the occupant has left their computer open with an email program open on the screen, I envision, fleetingly, how I could send the occupant an email from him- or herself warning not to leave the computer open. I wouldn’t actually do that, of course. Would I?
Moving Forward, Using All Our Common Sense
As a larger issue for businesses, it’s important to create and maintain a culture of data sensitivity. This includes education of everyone in the office to ensure awareness of all legal requirements, ethical rules, and standards that may apply to the information being handled.
And on an individual basis, it’s worth remembering that there are some specific steps we can take to avoid being our own worst data enemies. Even if we can’t stop every sophisticated outside attack on our systems, we can improve the way we ourselves treat the information under our control.