Posts Tagged ‘data governance’

Last week, the Seattle Public School District (“SPS”) sent out a notice that a law firm it had retained to handle a complaint on its behalf inadvertently delivered information of about 7,400 special education students. Information contained within the files not only included date of birth, school assignment, and grade, but it also included student identification numbers, special education assignments, disability categories and special education transportation information. SPS went on to state that “[r]elease of this information is of great concern” – but is it?

When it comes to data governance, the unauthorized release of mission-critical data, more-often-than-not, involves the conduct of a third-party. Organizations, like SPS, are so concerned about their internal protocols that they forget to examine their external processes. That is usually where the holes in an organization lie, and leaders fail to set a tone at the top on how to deal with third-party vendors. Up until the date of disclosure, did the SPS have a proactive process in place for how third-party vendors attested to their own data governance programs? Usually, the vendor will ask what protocols SPS would like for them to have in place, but the real question should be what safeguards do they have in place. If they are not willing to share that information, then SPS has the financial muscle to seek out another law firm.


Read Full Post »

For years now, I have spoken with colleagues in the legal profession over the necessity of implementing a data governance program for their law practice.  The overwhelming response, to date, is one that most would probably not expect from practicing lawyers who have an ethical duty to keep client information confidential – that being one of apathy.  The reason for this is two-fold: (1) the business benefit is hard to realize for most lawyers in the profession since a majority of firms are made up of less than 10 practitioners; and (2) the mindset of a lawyer is that their training has provided them with a suitable talent to react to any material adverse effect on their practice.

Last week, the Seattle Public Schools sent out a notice that it has “severed” its relationship with a law firm over that firm’s handling of mission critical information.  In responding to a complaint filed against the Seattle Public School District (“SPS”), the law firm inadvertently delivered personally identifiable information of about 7,400 special education students.  Although the information was inadvertently delivered to only one person, SPS felt that it needed to take corrective action and dismiss the law firm of Preg O’Donnell & Gillett from representing the school district in the complaint.  Preg O’Donnell & Gillett, who have offices in Seattle, Portland, and Anchorage, did not respond to request by the media to be interviewed.  A review of the law firms website would show that there are 7 members of the firm, all of whom would presumably have authority to create and implement a data governance program for the firm, especially if there are multiple offices throughout the region.

Data Governance is, and always will be, a “tone at the top” issue, and a paradigm shift in the legal profession needs to take place.  Due to the average size of most law firms, much like any small business in America, hiring full-time IT staff cost-prohibitive, but a data governance program is not just about technology, it’s also about PEOPLE and PROCESSES.  Law firms, and small businesses alike, have an ethical obligation to keep their proprietary data confidential.  Start by training and educating your staff and clients at least twice a year on proper safeguard protocols – this is one proactive way to keep clients and therefore make money.  From there, firms can assess and review exactly what other protocols need to be implemented internally and externally, as there is no one-size-fits-all approach to data governance.

Read Full Post »

The Wall Street Journal reported yesterday that several software antivirus companies are reinventing their business models after decades of trying to prevent hackers from penetrating its customers IT infrastructure.  According to Mr. Brian Dye, Senior Vice President of Information Security, at Symantec, Corp., the antivirus “is dead” from a money-maker perspective.  Rather than try to thwart hackers, by keeping them out of a business’s IT network, software antivirus companies now assume hackers can get in (or are already there!), and, for a fee, will sell products and services that will provide customers with intelligence briefings that tell them two things: (1) their business is under attack; and (2) why their business is getting attacked.  However, what a customer really wants to know when it’s IT network is under attack is, how do we make it stop?

While, in and of itself, the new business model shift may create an overall issue of product integrity for the software antivirus industry (e.g. the intended purpose is not capable of being met), there is a silver lining in the message being sent.  Namely, on its face, software antivirus products and services alone will not prevent mission-critical business data from being released in an unauthorized manner.  A holistic comprehensive corporate data governance model is still the proper risk management step for organizations to employ.  Antivirus detection services from IT security companies like Symantec, Corp., Juniper Networks, Inc., FireEye, Inc., and Shape Security, Inc., are important, but should not be solely relied upon by the business organization.

Read Full Post »

Verizon recently released its 2013 Data Breach Investigations Report, and the outlook for organizations trying to protect their intellectual property is dire.  Cyber-based corporate and industrial espionage has risen so dramatically in the last year that intelligence officials are asking boardrooms across the U.S. to be more vigilant against cyber-criminals who are motivated by financial gain to steal intellectual property and trade secrets.  Former U.S. intelligence chief, John “Mike” McConnell stated that “unless urgent action is taken, the U.S. faces a ‘cyber’ equivalent of the World Trade Center attack.”

The Chinese and U.S. economies are so inextricably linked that China naturally is the main culprit for targeted theft of confidential business information and proprietary technologies.  However, there are many other state-sponsored and political “hacktivist” groups that are actively stealing corporate digital assets.  The proliferation of employee-owned mobile devices in the workplace, along with antiquated network systems, has allowed cyber-criminals to access corporate databases at unprecedented levels.  Saudi Arabian oil producer, Aramco, was recently a victim of a massive cyber-attack where 30,000 desktop PCs were wiped in what some can only presume was designed to disrupt oil production.  Additionally, JP Morgan Chase, Wells Fargo, and Bank of America were victims of a sustained distributed denial of service (DDoS) attack that appears to have been commenced overseas.

What frustrates investigators most when a breach of corporate data occurs is the lack of internal and external controls within the organization.  While readily available technology allows organizations to address security issues, it is often a failure to properly train and educate employees that makes theft of intellectual property so easy for cyber-criminals to obtain.  Technology alone will not prevent the theft of intellectual property.  Organizations must have a tone at the top mentality when it comes to awareness training and policy creation around cyber-security.

Read Full Post »

As the U.S. intelligence community prepares to militarize its cyber-units for warfare in a virtual world, the rest of us are left to wonder how can we protect our asset resources from a “virtual-attack.”  Cyber-warfare and espionage have now supplanted terrorism as the greatest threat to our national infrastructure.  As a result of more mainstream media coverage, the daily digital assault on our government and private sector IT infrastructure has begun to show the level of vulnerability perpetrated by advance persistent threats (“APTs”), and the economic impact to the U.S. economy is in the tens of billions of dollars.  Intelligence officials testified Tuesday that computer technology is evolving faster than security experts can respond, and if the anticipated budget cuts from the Sequestration are allowed to proceed, then the outlook for preventing a cyber-attack becomes more challenging. 

The reality of our cyber-world today is a Dr. Seussian-like “thinga-ma-jigger” of patches and fixes that dissuades a direct attack, but allows the resulting response, by the perpetrators, to flank the targeted organization or individual.  The negatives to this existing mind-set is namely (1) very costly to keep updated; (2) costly to consumers; and (3) other areas of the organization become underfunded.  Our existing IT infrastructure fails miserably at securing mission-critical data, because it is too rigid and static.  Because of this, a “Maginot Line” of useless fortifications and obstacles has been constructed by our military and technical leaders.


The Maginot Line is named after the French Minister of War, Andre Maginot (1877-1932), and was a line of concrete fortifications, tank obstacles, artillery casemates, machine gun posts, and other defenses, which France constructed along its borders with Germany and Italy, in light of its experience from World War I, and in the run-up to World War II. The Maginot Line was considered state of the art at its time, and was impervious to most forms of attacks, however, a weakness of it was its ability to be flanked, and the rest, as they say, is history.

In order to better prepare for a cyber-attack, the U.S. government and organizations should consider a paradigm shift in responding to threat vulnerabilities.  The shift should be from a defensive, or reactive, policy management structure of Dr. Seuss-like readiness, to a proactive comprehensive data governance framework that underscores our commitment to the preservation and protection of our mission-critical data, good will, intellectual property, trade secrets, and other proprietary information.  A proactive data governance policy framework is a realistic outcome that private organizations and individuals can work towards. 

From the outset, a data governance framework requires active C-level participation in order to create accountability and ownership to the various stakeholders, regulators, and general public at-large.  The message is one of commitment  that senior management is actively engaged in its daily management functions.  Moreover, in “leading by example,” senior management is in the best position to (1) articulate the importance of mission-critical data protection; (2) define the scope and objectives fundamental to the framework’s success; and (3) quantify the business value of the framework  to the employees and business partners.  Upon successful implementation of such a framework, private organizations (for-profit and non-profit alike) will have created a compliance-based culture, centered on information protection, which will increase productivity and embolden consumer confidence.

Read Full Post »

The New York Times reported that login credentials of a Dropbox employee were stolen from an unrelated hacking incident, and led to a spam attack within its own network.  The incident occurred when hacker’s used a stolen password to log into the Dropbox employee’s account that had content which contained Dropbox user information.  From that point, the hacker’s launched a spam attack on the e-mails contained within the account.  This latest data breach highlights the value proposition for why hacker’s want to hack into data systems.  As quoted in TNYT, “at first glance, [the usernames and passwords] may not appear to contain any valuable financial or personal information. Then, [the hackers] will test those credentials across the Web sites of financial organizations, brokerage accounts and, apparently, Dropbox accounts, where potentially more lucrative information may be found.”

Then, [the hackers] will test those credentials across the Web sites of financial organizations, brokerage accounts and, apparently, Dropbox accounts, where potentially more lucrative information may be found.”

When speaking to an audience regarding data governance, I am constantly having to remind the crowd that the problem is more than just updating your anti-virus, firewalls, WiFi, or encryption methods.  It is about being vigilant, and educating yourself, and employees, on the latest trends in securing mission-critical information (i.e. not having a universal password for work/personal Web sites, etc.).  The Dropbox incident highlights the use of universal passwords by individuals, and how hacker’s can take advantage of this to their benefit (and the user’s detriment).  Human instinct relishes convenience, and we are creatures of habit – that is what adversarial actors are banking on in the 21st Century.

Read Full Post »

It appears that the Commissioners at the Federal Trade Commission (“FTC”) will be voting sometime within the next couple of weeks to approve  a settlement between Facebook and the U.S. government over charges that the social media giant was unfair and deceptive in how it used customer personal information.  The Wall Street Journal reported that the terms of the settlement would require Facebook to obtain the users’ consent before making a “material retroactive change” to its privacy policy.  Thus, it comes down to simple contract law – the customer originally agreed to terms and conditions that cannot be unilaterally changed without “express” consent.  Or, put another way, different terms and conditions means different contract.

From an industry perspective, this settlement will have repercussions across many businesses who engage in online behavioral advertising.  The WSJ goes on to report that the Facebook settlement is “part of a broader government push to hold companies more accountable for the personal data they collect, store, and trade.”  The FTC and its Commissioners have made enforcement of privacy policies a top priority in its agenda, and that it would be wise for businesses to start implementing a comprehensive data governance policy within its organization.

Read Full Post »

Older Posts »