As loyal Apple Inc. fans upgrade to the newest iPhone 6, beware of potential security faux pas, as data may linger on an old phone unless it has been affirmatively removed.
Corporate data is removed from an old device during the upgrade process, said Scott Christensen, director of technology and information security at Edwards Wildman Palmer. Although the process is not the same as a full wipe, which is done when a mobile device has been lost, the effect is similar.
On the Android side, if someone with a Galaxy SIII wants to upgrade to a Galaxy S5, both devices are brought in to his IT team, Christensen said, and all corporate data on the old device is removed. The new device will then begin synchronizing data (e.g., email contacts, calendars).
“Even if the data on the old device was not actively removed, the policies in place at most firms will effectively cause that data to ‘fall off’ and be eliminated within a month or less,” Christensen said.
Technical differences, such as the type of devices, how they are connected (e.g., ActiveSync) and if a mobile device management system is in place, will play a role in how a device upgrade and wipes will be handled, said Christensen.
Err on the side of caution when updating to a new phone, said Brian Brown, vice president of technology and security at Austin-based e-discovery company RenewData Corp. “There are several potential concerns with updating to the iPhone when sensitive information is on your existing one,” said Brown.
Brown shared four tips to verify that data is cleared out of your old phone:
• Never hand over your device (new or old) to someone not on your IT team.
• Restore your new phone using a backup saved on your laptop computer.
• Safeguard your old device until it is forensically wiped.
• Guard your backups. Make sure you maintain physical control over any disk/media where a backup resides.
With an iPhone, the safest way to transfer data is via an iTunes backup, Brown said. Handing a device over to a store clerk to transfer the data “introduces vulnerability and a potential for a malicious employee to siphon data from your device,” he said.
Another potential vulnerability lurks in the time lapse between decommissioning an old phone and when it’s forensically wiped, Brown said. The data on a mobile device is generally unencrypted, he said, and there is a risk of a “malicious actor mounting the device and copying all the data off the phone.”
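Brown's tips boil down to two checks a defender can actually run on a laptop backup before trusting it: is the backup encrypted (so a copied folder is not plaintext), and is the folder readable only by its owner? The following is an added example written for this page, not code from the article or from RenewData; it assumes that an iTunes/Finder backup folder contains a Manifest.plist whose top-level `IsEncrypted` boolean records whether the backup is password-protected, and the sample backup folders it builds are constructed for the demo.

```python
"""Audit local iOS backup folders before relying on them to move to a new phone.

Added example, not from the article. Assumptions (labelled): a backup folder
holds a Manifest.plist with a top-level "IsEncrypted" boolean; the folder
names, manifests and permission modes below are constructed for this demo.
"""
import os
import plistlib
import stat
import tempfile
from pathlib import Path


def audit_backup(backup_dir):
    """Return findings for one backup folder.

    Two checks: the backup is encrypted (a copied folder is not plaintext),
    and the folder grants no group/other access (only the owner can read it).
    A folder without Manifest.plist is reported rather than silently passed.
    """
    findings = {"encrypted": False, "owner_only": False, "problems": []}
    manifest = Path(backup_dir) / "Manifest.plist"
    if not manifest.is_file():
        findings["problems"].append("Manifest.plist missing; not a recognisable backup")
        return findings
    with manifest.open("rb") as fh:
        data = plistlib.load(fh)
    # Assumed key: iOS backups record password protection as IsEncrypted.
    findings["encrypted"] = bool(data.get("IsEncrypted", False))
    if not findings["encrypted"]:
        findings["problems"].append("backup is not encrypted; anyone holding the folder can read it")
    mode = stat.S_IMODE(os.stat(backup_dir).st_mode)
    findings["owner_only"] = (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
    if not findings["owner_only"]:
        findings["problems"].append(f"folder mode {oct(mode)} grants group/other access")
    return findings


def make_sample_backup(root, name, encrypted, mode):
    """Create a constructed backup folder with a minimal Manifest.plist."""
    folder = Path(root) / name
    folder.mkdir()
    with (folder / "Manifest.plist").open("wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted, "Version": "10.0"}, fh)
    os.chmod(folder, mode)
    return folder


def demo():
    """Audit three constructed folders: a sound backup, a weak one, and a non-backup."""
    with tempfile.TemporaryDirectory() as root:
        good = make_sample_backup(root, "good", encrypted=True, mode=0o700)
        weak = make_sample_backup(root, "weak", encrypted=False, mode=0o755)
        empty = Path(root) / "empty"
        empty.mkdir()
        return audit_backup(good), audit_backup(weak), audit_backup(empty)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run it as a script to see the three audits; in practice, point `audit_backup` at the real backup folder on the laptop that will restore the new phone, and treat any entry in `problems` as a reason not to proceed until the backup is re-made with encryption on and the folder locked down.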
The test is designed to help law firms, corporate legal departments and government entities take stock of their e-discovery processes to improve them, said a Sept. 24 announcement.
The E-Discovery Maturity Self-Assessment Test, dubbed eMSAT-1, is an Excel spreadsheet with 25 questions, or worksheets, divided into seven categories. The categories include:
• Data identification, preservation and collection.
• Data processing and hosting.
• Data review and analysis.
The self-assessment questions include: How would you describe your handling of information governance? How would you describe your ability to identify potentially responsive data? How would you describe your processes for managing data once a matter has concluded?
The result in each category is one of five outcomes:
1. No process, reactive.
2. Fragmented process.
3. Standard process, not enforced.
4. Standard process, enforced.
5. Actively managed process, proactive.
When the test is complete, a summary of results appears at the top of the spreadsheet for each category, above the results for individual categories and their related questions.
Questions and summary results are accompanied by blue and green visualizations that chart answers from "no process" to "actively managed process."
“The more people an organization involves in its self-assessment, the more meaningful the results will be,” Socha said.
A four-person EDRM team collaborated for about seven months to develop the eMSAT-1 questions. The team consisted of: Atlanta-area based Evan Benjamin, an e-discovery consultant at Protiviti Inc., a subsidiary of staffing company Robert Half; Tiana Van Dyk, manager of e-discovery and litigation support at Calgary-based Burnet Duckworth & Palmer; and Brett Livingood, associate professor at Bryan University in Tempe, Ariz., and an e-discovery consultant at Robert Half Legal. Matthew Knouff, e-discovery counsel at New York City-based e-discovery company Complete Discovery Source, headed the team.
Saint Paul, Minn.-based EDRM creates frameworks, standards and resources related to e-discovery and information governance.
Assume for a moment that you’re involved in the security of all data contained within your organization. You could be corporate counsel for a multinational corporation. Or you’re in the legal department of a nationwide conglomerate of interconnected healthcare facilities. Or somehow you’ve advanced to the position of CIO or the most recent C-Suite fad—Chief Information Security Officer. Or you’re the managing partner of a large law firm.
To say the least, these are far from easy times for a lawyer or other legal professional to be in such a position. On the one hand, you face the internal pressures to advance the efficiency, and thereby the profitability, of your organization by adopting the latest broad-ranging technology.
On the other, we currently live in a very unsettled world. For political and societal reasons beyond anyone’s control, there exist highly-motivated and determined individuals and organizations both within the U.S. and without who are primed and well-funded to attack the American way of life.
Their primary target is our economic system. Among our greatest vulnerabilities are the flaws inherent in any organization’s poorly planned, poorly executed, and poorly maintained technology choices which have made it increasingly easy for remote attacks to readily succeed.
Think this is just the imaginary fodder for modern fiction-writing? That such story lines exist solely to make great novels and movies? A few recent real-life situations will dispel that suspicion.
Evidence is amassing to support the belief that the remote cyberattacks recently perpetrated against numerous businesses (Target Corp., The Neiman Marcus Group, P.F. Chang’s China Bistro Inc., The Home Depot Inc., to name just a few) used a single form of malware created by a couple of teenagers in Russia. The malware was designed to attack the “Point-of-Sale” technology used today by almost every retail provider of goods and services—the number of customers already identified as affected totals in the hundreds of millions.
In August, Tennessee-based Community Health Systems, Inc., which operates 206 hospitals in 29 states, announced a data breach exposing 4.5 million patients’ personal information. CHS is blaming the incident on Chinese hackers.
These incidents are merely the tip of the proverbial iceberg. Consider the June 2014 report of the Center for Strategic and International Studies that calls cybercrime a “growth industry” where “returns are great, and the risks are low.” The report approximates that recent yearly losses to the worldwide economy are conservatively estimated at $375 billion and as much as $575 billion—and are only likely to increase significantly in the years ahead.
The governments of the world are, as anyone would expect, drawn into this vortex like a solar system caught in a black hole. Their respective citizens expect not just a response, but a fix. We can only wonder if the recent flurry of legislative and regulatory activity occurring worldwide— predominantly in countries with the most to lose economically—are desperate times calling for desperate measures.
The Health Information Technology for Economic and Clinical Health Act of 2009 was Congress’s first major foray into rewriting the regulatory landscape to secure personal digital data. It substantially expanded the reach of the Health Insurance Portability and Accountability Act to include more enforcement agencies (each state's attorney general), more affected entities (a healthcare provider’s business associate and its subcontractors), and greater fines (from a prior maximum of $50,000 per violation to $1.5 million).
Probably the greatest game changer was the creation of a new breach notification rule. It is modeled after several of the states’ rules in the business and government world of compliance. The burden of who is responsible for announcing data breaches has shifted from the regulatory agencies previously conducting the investigations to the entities actually breached. In effect, the entity—which is at phenomenal financial risk from the publicity of a breach—is now required to be the party that announces the breach.
This year, Congress has shown a renewed interest in enforcing cybersecurity. Both Houses have passed numerous bills awaiting presidential approval. Congress also demanded testimony from Target and Neiman-Marcus executives regarding their POS attacks. On Sept. 9, Rep. Elijah Cummings (D-Md) sent a letter to the House Oversight Committee Chair demanding a legislative investigation of the recent CHS breach.
The European Parliament is considering a Data Protection Regulation that will update the Data Protection Directive of 1995. If approved, it will make numerous changes in the network of privacy rules and regulations existing throughout the 28 member states of the European Union.
The directive currently in effect is only advisory. The regulation will instead be the minimum mandatory standard for all member nations. It will impose previously non-existent breach notification, a novel “right to be forgotten” upon request of the data owner, and will apply not only to businesses physically present in the E.U. but to those that do business there. It will also set a maximum fine of 2 percent of a business’s global revenues for noncompliance.
The Best Answer?
Are these potentially desperate measures the best answer? The reality is that these are the times we live in, and these are the challenges we, as attorneys and legal professionals, face. The only true question that must be immediately answered is "how do we respond?"
• Don’t relinquish responsibility for technology decisions to the IT department.
• Don’t be afraid to ask questions when you don’t understand a technology.
• Don’t just accept the word of the people you’re supervising. Do your own research, and learn the answers for yourself.
Ultimately, the reasons for the chosen technology should make good common sense. If they don’t, never give up until you can find options that do. Once you find the right and sensible choices, fight for them even when the bean counters say they’re not economically wise for your organization. Document every decision, whether supportive or not. Make sure you do everything in your power to stay at the front of the learning curve of the statutes and regulations that affect your organization.
Never forget that you also have a significant stake invested in how this ultimately plays out. Like it or not, once the responsibility for these decisions has fallen on your broad shoulders, everything above those shoulders is at risk of being chopped off when things go wrong. This is not fantasy fiction-writing, it's a reality.
The FTI study, which examined electronic data discovery and forensic investigations in Asia, polled 70 lawyers at Asian-based law firms and corporate EDD departments (14 from 14 corporations and 56 from 20 law firms). Responses were collected between September 2013 and January 2014; 65 responses were via a 20-question online survey; five people participated by phone.
• The largest challenge was managing data privacy laws and confidentiality concerns, the report states. New laws in China create challenges that will “impact the management of electronic data in legal review,” said 40 percent of respondents. FTI analysts suggested that the long-standing Law of the People’s Republic of China on Guarding State Secrets, initiated in 1988, remains “broad and vague.” For example, the law requires documents to be greenlighted by the government before leaving China.
• Most data collected for an investigation, arbitration or litigation matter in the region comes from China (60 percent), participants said. The U.S. and Hong Kong were tied with 42 percent, and Japan came in fourth with 40 percent.
• Prices are still foggy: 29 percent of respondents could not put a price tag on the costs for their organization's multinational electronic document collection and review matters.
• The best method to handle document review, said 83 percent of respondents, is to join forces with local counsel, IT providers, law departments or global services providers for local collection services.
• Sixty-seven percent said regulatory investigations are the biggest driver of e-discovery, the report noted. They attributed much of that to ongoing enforcement of the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act, as well as regulators and company-driven internal compliance reviews.
The report was conducted in collaboration with Asian Legal Business magazine.
Despite the rocky forecast, e-discovery in Asia is gaining traction. There is an increasing presence in the region. Last year Catalyst Repository Systems opened a shop in Seoul. Its CEO, John Tredennick, noted in January that e-discovery is just beginning in Asia. “While electronic data discovery is becoming more accepted and localized worldwide, with numerous foreign domicile corporations taking review in-house and local counsel playing a more prominent role in EDD decisions, it's still in its infancy in both Korea and Japan.”
Another player in the arena is UBIC Inc. The Japan-based company offers e-discovery and digital forensics services in Asia and beyond, and last month received two patents in Japan and the U.S. for predictive coding.
“With Asia being a big part of economic globalization, e-discovery in Asia will become something that companies will have to confront on an increasing basis,” said Veeral Gosalia, a senior managing director in the technology segment at FTI Consulting.
The National Institute of Standards and Technology is working on guidance in the privacy risk management sector, according to a post on the Inside Privacy blog by Elizabeth Canter, associate at Covington & Burling. The institute is known for its work in the security risk management arena. NIST publishes security and application standards for public and private entities, said Canter. Earlier this week she reported they’re now considering drafting privacy definitions for programmers.
NIST’s focus for this new project is “on providing guidance to developers and designers of information systems that handle personal information,” said Canter. She said it can also reduce privacy risk and help make decisions on computer resource allocation and security controls.
The three-tiered focus of the standards comprises predictability, manageability and confidentiality. Regarding predictability, it will outline the rationale for collecting personal information. The standards also seek to explain how and when to modify personal information and how to preserve confidentiality within the data.
The comment period for the draft privacy engineering objectives is open until October 10.
Last month's International Legal Technology Association annual meeting in Nashville was jam-packed with amazing sessions, brilliant speakers, endless networking opportunities and of course a little honky-tonk!
Cybersecurity and client privacy demands are two major reasons why law firms are now taking information governance seriously. This reality was illustrated quite well by the robust information governance track at ILTA, with several sessions designed to help firms get their info/gov programs off the ground.
Rod Beckstrom’s Aug. 23 keynote address, “It’s a Mad, Mad, Mad Cyber World: Imagine What You Can Do,” made it clear that there is absolutely no privacy in today’s information workplace. Beckstrom's résumé includes serving as president and CEO of the Internet Corp. for Assigned Names and Numbers and as the founding director of the U.S. National Cybersecurity Center.
Despite the ballroom full of attendees, Beckstrom's presentation was effectively interactive. He engaged the audience by getting everyone into three-person groups that tackled a series of hypotheticals and questions.
Here are highlights from four other panels:
"Build Enterprise Information Governance from the Ground Up," Aug. 18.
Where to start? That’s the biggest question facing law firms when embarking on an info/gov initiative. A theme among panelists: take a three-step approach:
1. Collaborate with key stakeholders from IT, practice groups, business units, etc. Make sure everyone understands why info/gov is important and how it affects their day-to-day activity.
2. Break down silos. Too often departments work independently of each other. This is a major roadblock that needs to be eliminated.
3. Concentrate on “low hanging fruit.” Look for short-term projects with a fast return on investment (data remediation, box storage reduction, etc.) that are measurable. That can help you create a culture of "success" and defuse anxiety when more difficult projects are considered.
• “It doesn’t matter if you’re a 20-attorney firm or 2,000 attorney firm, the challenges and the risks are the same. You don’t have to be perfect, the key is to keep it simple and start somewhere,” said Rudy Moliere, director of records and information at Morgan Lewis & Bockius.
• “Choose an existing committee rather than creating a new one. It gives you an opportunity to help with governance-related projects that may exist already,” advised Dana Moore, manager of records and information compliance at Vedder Price. “Following this advice has helped me identify the key players and quickly learn the firm’s hierarchy and best approval routes,” she said.
"Managing IG Expectations Across Generations," Aug. 18
Every generation has different work styles and expectations, which create collaborative opportunities, but also challenge existing models of training, information management and information security. Panelists shared experiences and provided insights on how to manage all these generations while mitigating risk.
Erik Schmidt, manager at HBR Consulting, shared three reasons why he feels understanding the role generational characteristics play in IG is critical:
• Gaining support and approval for info/gov programs requires understanding the mindset of traditionalists/Baby boomers (post World War II) and how to get them to consider changing their established habits.
• Getting adoption from rank-and-file staff requires understanding Generation X (born in 1960s to '80s) so you can train them in ways they will respond to and accept (i.e., self-service, e-learning and short videos).
• To win over Millennials (aka Generation Y, birth dates ranging from early 1980s to early 2000s) requires understanding that they have very different concepts of what is private, personal or confidential in the workplace. Proactive education will not only help generate compliance but potentially prevent significant damage to firm reputation.
"Ungoverned Information Equals Litigation Disaster: What Your Firm Should Do," Aug. 19
Client data often enters a law firm through the litigation support process. It is the firm’s responsibility to engage the right people, implement practical processes and use its technology, to ensure proper governance of client information. This panel competed through a game of “Information Governance Jeopardy,” showcasing their knowledge, experience and lessons learned at their respective law firms.
"Law firms may manage vast amounts of client electronically stored information collected in response to requests for production. Having a system in place to systematically track, retain and, at the end of the matter, dispose of this information is a vital component of a well-executed litigation plan," said Brian Jenson, director, litigation and e-discovery services at Orrick, Herrington & Sutcliffe. "By establishing a repeatable process that can be communicated to the appropriate stakeholders (those that come in contact with client ESI) and audited for compliance, firms minimize the risks surrounding handling client ESI.”
"Aligning Records, Privacy, Cyber Security & eDiscovery Programs to Mitigate IG Risk," Aug. 20
Successful development of an info/gov strategy incorporates the four dimensions of information risk management: records management, privacy, cyber security and e-discovery. Panelists shared their expertise on each dimension and provided real life experiences of how they integrated setting privacy controls, reduced costs and improved compliance at their firms.
"Identifying the key information related processes at the firm (or company) is a crucial first step in creating an information governance strategy to understand and then mitigate the risk associated with these processes," said Bryn Bowen, principal at Greenheart Consulting Partners. "Cybersecurity, privacy, e-discovery considerations and proper records management are all significant elements to be considered in this assessment step, as well as in crafting [options] consistent with a sound information governance strategy."
ILTA has paved the way for law firms to be successful in executing info/gov programs. Clients expect that their data will be protected against external threats, and lawyers' ethics rules reinforce this requirement. By applying info/gov concepts, law firms will position themselves well to help clients mitigate risk and maximize the value of their information.
Have you implemented an info/governance program? Where did you start? How has your firm benefited? Please share in the comments section below, and/or visit Law Technology News' Linkedin group (http://at.law.com/LTNgroup) and continue the conversation.