Posts Tagged ‘Laws and regulations’

Knowing is Half The Battle – A Discussion About Law Firm Security

January 11, 2012

Video Run Time – 2:26

Law firms face the daily task of protecting themselves and their clients from breaches of confidential data that could lead to noncompliance with government regulations, large fines, damaged reputations, and loss of business. What some firms are not aware of is that the most ordinary tools and practices – from emails to software configurations – can open a legal organization up to breaches.

Biscom is hosting a webinar on law firm security and the hidden dangers that lurk within firms. Our Legal Practice Director, Charlie Magliato, will be joined by Jeffrey Brandt, Editor of the Pinhawk Law Technology Daily Digest and a noted legal technology thought leader. They will discuss the vulnerabilities posed by the proliferation of mobile devices, the consumerization of technology, and cloud computing. They will also cover the following topics, which can help a law firm as it assesses its security program:

  • High-profile data breaches: law firms are no longer immune
  • Culture and technology pressures that contribute to increased risk
  • The increasing demands of both national and state government regulations
  • How employees, clients, and vendors contribute to data breaches
  • Current and emerging security best practices

Webinar Details:

Date: Wednesday, January 25, 2012

Time: 12:00 pm – 1:00 pm EST


ILTA article: A Data Breach Pandemic

March 10, 2010

The International Legal Technology Association (ILTA) has just published the March issue of its Peer to Peer magazine. In it you’ll find an article I authored on data breaches, privacy laws, and how secure file transfer can help companies distribute confidential information while complying with the various legal requirements. The article is also available on its own as a PDF download.

Another information privacy law in Connecticut

January 16, 2009

During my research into the new Massachusetts data privacy law, I also found a Connecticut law (Public Act No. 08-167) which became effective on October 1, 2008. The act is aimed at protecting social security numbers. The interesting thing about this act is that it’s not just businesses that are required to adhere to it; individuals will be held responsible as well. Here’s a quote from the act itself:

Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.

The civil penalty is $500 per violation, capped at $500,000 per event. Note that “personal information” under the act doesn’t just mean social security numbers; it also covers driver’s license numbers, passport numbers, credit or debit card numbers, and health insurance identification numbers. I love that they added this extremely important item too: “account number.” Is it just me, or is that just a wee bit vague?

201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth

January 14, 2009

Catchy title? Well, maybe not, but it’s a new privacy and security regulation in Massachusetts that takes effect May 1, 2009 (postponed from January 1, 2009).

The purpose and scope, as described on the Mass.gov site:

(a) Purpose
This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. Further purposes are to (i) ensure the security and confidentiality of such information in a manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents.

(b) Scope
The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth.

While this sounds quite onerous for many companies, and has far-reaching implications for IT data management processes and procedures, it’s a step toward protecting against the increasing incidence of identity theft and other data leaks. Was this law spurred by the TJX breach of 45.7 million credit cards, or by the 4.2 million credit card numbers nicked from Hannaford Foods? Either way, the cleanup costs far outweigh the investment in security that might have prevented these breaches (some estimates put TJX’s accumulated costs, including fines, legal fees, notification expenses, and brand damage, at $4.5 billion).

I see stories like these, and dozens of other high-profile breaches, as the tip of the iceberg. I doubt any law or compliance legislation will ever protect 100% of individual and company data from being lost or stolen, but it does make sense for companies to reassess their data storage and transmission policies and harden their defenses against breaches like these.

Companies must look at the problem holistically, however, and can’t overlook the fact that data must be protected from many angles. In the introduction to the book Practical Cryptography, the authors, Niels Ferguson and Bruce Schneier, describe scores of companies that obsessed over building robust, highly protected network perimeters to foil hackers while ignoring internal threats, both malicious and unintentional. It’s akin to installing a huge steel front door on your house while leaving an unlocked screen door in the back.

With this law, the pendulum has swung quite a bit toward requiring companies to have concrete measures in place to protect personal data. My hope is that the solutions built for it are technically rigorous enough to maintain security, yet not so complex and hard to use that individuals dismiss them and look for workarounds that compromise security.
