Businesses and other organizations are increasingly aware of the serious adverse consequences of disclosure of their data. The threat posed by criminals, computer hackers, and other malicious parties has been widely documented. The revelations presented by National Security Agency (NSA) whistleblower Edward Snowden have also highlighted the threat to proprietary data posed by government authorities, including law enforcement and national security agencies. In an environment in which both the bad guys and the good guys are aggressively pursuing the data of individuals and organizations, several basic protective measures should be applied. Legal counsel play a critical role in developing and implementing these important data security measures.
Each organization should develop, enforce and update a comprehensive data security plan. That plan should include an inventory of the different categories of data collected, stored, processed or communicated by the organization. Security policies and procedures for each category of data should be clearly defined and expressed. Those policies and procedures should include the following topics: 1.) definition of required security measures (including those designed to protect the security of the data and those intended to provide for the physical security of the computers and other devices that store or access the data); 2.) identification of the parties who are authorized to access the data; 3.) description of authorized uses of the data; 4.) actions to be taken in the event of service failures and service outages involving communications and computer networks; and 5.) training programs for employees and other authorized data network users to foster compliance with the data security policies and procedures.
The data security plan should also specifically address actions to be taken in the event of an actual or potential security breach. Those actions should include: 1.) defensive measures to stop or prevent the breach; 2.) documentation of the breach for evidentiary and remedial purposes; 3.) notification procedures for law enforcement authorities, individuals affected by the breach, business stakeholders (e.g., investors), and business partners; and 4.) remedial actions to be taken to repair damages caused by the breach and to prevent similar breaches from occurring in the future.
The data security plan should address responses to data requests and demands made by government authorities. The plan should identify a single individual within the organization who is responsible for responding to the government data demand. It is a good idea to have that individual be one of the organization's lawyers. As a matter of course, organizations should ask the authorities to present all such data demands in the form of a court-issued warrant. Each demand should be reviewed carefully for accuracy and the organization should require that the government correct all inaccuracies prior to providing the data at issue. The organization should exercise all rights of review and appeal available to it when the data requested are particularly sensitive (e.g., proprietary or customer information).
Data security plans should require the use of strong encryption for sensitive data. Strong encryption is generally considered to include 128- or 256-bit ciphers, which are available in a variety of forms, including "GnuPG." Data should be stored and communicated in encrypted form. When external parties are used for data storage purposes, the data should be encrypted before being passed to those parties, even if those parties can provide encryption services themselves. We have learned that the NSA and law enforcement authorities commonly require providers of data storage and communications services to provide them with encryption keys and other information necessary to decrypt targeted data. In this environment, it is best to use your own encryption systems, with keys held by your organization, so that you can secure the data more completely, instead of relying entirely on encryption provided by service providers, which may be readily decrypted by government authorities.
In addition to the use of encryption, there are options for communicating sensitive data more securely than is possible through conventional Internet-based e-mail. For example, the "Tor" system uses multiple computers provided by volunteers in different locations to provide greater anonymity and security for e-mail communications. Individual messages are encrypted and re-encrypted multiple times by different computers in the process of transmitting the message to its destination. This system makes it more difficult for third parties to monitor Internet communications and to access message content. It may be appropriate to use this type of more secure data communications system for particularly sensitive content.
Data security plans should require the use of access controls. Those controls should include measures such as passwords, authentication requirements (e.g., challenge questions to verify user identity), and biometric systems (e.g., fingerprint readers). Multiple authentication systems should be used in combination. Data security policies and practices should recognize that the effectiveness of user authentication systems such as passwords depends on the conduct of all authorized users. For example, if a single user loses control of his or her password, the entire network and all of the data it handles are potentially compromised. Systems such as firewalls should be applied to manage access to the core data network from the Internet and from mobile devices.
Data security plans should provide policies and procedures for the use of outside parties for data storage, communications, and processing functions. The plans should identify the situations under which such outside data service providers can be used and the categories of data that can be processed using those service providers. They should ensure that the data security measures applied by the service providers are adequate to meet the organization's data security plan and all applicable legal and regulatory requirements associated with the data. The performance records and service offerings of all data service providers should be carefully reviewed in advance. Terms of service and service agreements with data service providers should include legally enforceable provisions related to key data security topics. Those critical topics include: 1.) description of security measures and security level commitments; 2.) procedures for handling security breaches; 3.) notice to be provided in the event of security breaches and demands for data disclosure made by government authorities; 4.) processes for handling service outages; and 5.) ownership of and rights of access to stored data.
Data security plans should identify data considered to be so sensitive that it should not be stored on computers accessible from the Internet or other computer networks. For some highly sensitive data, keeping it entirely off network-accessible computers may be the only adequate security measure. It is important that each organization specifically evaluate all of the different types of data it handles to determine whether some of that data should be kept off computers that can be accessed remotely.
Critical data of all organizations is threatened by malicious parties, inadvertent incidents, and government authorities around the world. The consequences of data security breaches can be devastating for any organization. Accordingly, data security should be an important element of your organization's overall strategic planning and risk management analysis. Legal counsel has a vital role to play in that planning and analysis.