Should Bar Associations Vet Technology Service Providers for Attorneys?

[Originally published in GPSOLO, Vol. 36, No. 6, November/December 2019, by the American Bar Association. Reproduced with permission. All rights reserved.]

Bar associations across the country have similar goals: advance the rule of law, serve the legal profession, and promote equal access to justice. Technology can easily support these goals. From online research and billing software, to virtual receptionist and SEO services, technology vendors improve the efficiency and accessibility of attorneys. It is no wonder then that bar associations around the country are promoting technology solutions for their members.

Despite the obvious benefits, bar associations need to be diligent about vetting technology vendors. By promoting one technology provider over another, bar associations could run afoul of advertising laws, tax requirements, and software agreements. In addition, bar associations and their members need to pay close attention to technology vendors’ cybersecurity safeguards to protect client confidences.

This article will briefly address each of these issues in turn and provide a non-exhaustive checklist of considerations before choosing a legal technology provider.

Bar Associations as Influencers

When we think of product endorsements today, we think of social media influencers, bloggers, and vloggers—not bar associations. Yet, bar associations wield incredible influence over the purchasing decisions of their members. Given this influence, bar associations should stay mindful of laws addressing unfair and deceptive advertising, such as Section 5 of the Federal Trade Commission Act (FTC Act), state false advertising laws, and state unfair trade practices acts (little FTC acts).

Section 5(a) of the FTC Act (15 USC §45), for example, prohibits “unfair or deceptive acts or practices in or affecting commerce.” This includes online advertising and product endorsements. The FTC has issued several guidance documents addressing “unfair or deceptive acts” in online advertising, such as its 2013 revised guidance “Dot Com Disclosures, a guide to online advertising” and online “FAQs” for “Endorsement Guidelines”.

These guidance documents all highlight the same basic principles:

1. Endorsers should substantiate all product claims.

2. Endorsers should disclose whether they receive compensation for their endorsement from a sponsor.

3. Disclosures should be included in the endorsement itself, through hashtags on social media posts (#ad) or direct disclosures next to the product image or review.

4. Simply disclosing a connection to the sponsor on a website or profile page is not enough—the connection between sponsor and endorser must be displayed as close to the advertisement as possible.

Applying this logic, bar associations should substantiate all claims regarding technology service products. Bar associations should also disclose any consideration received for positive reviews and product endorsements—as close to the review and endorsement as possible—and not on a separate webpage, newsletter, or bulletin. Finally, bar associations should consider disclosing other non-monetary connections to technology service providers (e.g., shared board or leadership positions, exclusive arrangements) that may affect consumer perception of a review or endorsement.

Liability for False and Deceptive Advertising?

Though bar associations are generally 501(c)(3) or 501(c)(6) organizations, they cannot rely solely on their tax-exempt status to avoid potential liability under the FTC Act and similarly written little FTC acts. In California Dental Assn. v. FTC, 526 U.S. 756 (1999), the Supreme Court found that the FTC had jurisdiction over a nonprofit association of local dental societies. The Court highlighted that the nonprofit provided substantial economic benefits to its for-profit members, through desirable insurance and preferential financing arrangements, and lobbying, litigation, marketing, and public relations services. These “commercial” activities were enough to trigger FTC jurisdiction, despite the California Dental Association’s nonprofit status.

Furthermore, bar associations must be careful about offering advertising services to any service providers (technology vendor or not), if they wish to maintain their 501(c)(3) or 501(c)(6) status. By receiving compensation for advertising services—beyond ordinary charitable sponsorships—bar associations risk corporate tax treatment for “unrelated business income” or the loss of their tax-exempt status altogether.

Keeping the Click-Through

“Terms of Use” or “Terms and Conditions” (“terms”) generally govern the relationship between consumers and online service providers. These terms usually disclaim implied warranties, set limitations on the liability of the technology provider, and set other boundaries on consumer expectations. In situations where consumers “assent” to the terms, either through a click-through agreement, expiration of a return period, or some conspicuous disclosure of the terms prior to agreement, courts will generally enforce these disclaimers (see Scott v. Bell Atlantic Corp., 282 A.D.2d 180 (1st Dept 2001) (warranty disclaimer in the terms and conditions governed, even when advertisements for DSL Internet promised fast and reliable service)).

In contrast, courts have been reluctant to enforce terms that are unreadable or hidden on an online platform (see Specht v. Netscape Commc’ns Corp., 306 F.3d 17, 23 (2d Cir. 2002) (terms unenforceable where they “would have become visible to plaintiffs only if they had scrolled down to the next screen”); In re Zappos.com, Inc., Customer Data Sec. Breach Litig., 893 F. Supp. 2d 1058, 1064 (D. Nev. 2012) (“The Terms of Use is inconspicuous, buried in the middle to bottom of every Zappos.com webpage among many other links, and the website never directs a user to the Terms of Use”)).

Liability for the Terms?

Bar associations may be tempted to “uberize” their online presence and create web-based portals for legal service providers. This runs the risk, however, of creating implied warranties that the technology vendor is suitable and appropriate for attorneys. Though terms generally disclaim such implied warranties, as noted above, the bar association may inadvertently modify or hide third-party terms, making these disclaimers unenforceable. This creates a potential liability risk for the bar association and technology vendor.

In addition, if bar associations contract to use, distribute, or resell technology services (through group licenses or otherwise)—they may be required by contract to pass on third-party terms to their membership. Failure to incorporate these terms may constitute a breach of contract with the technology vendor. Furthermore, the vendor may try to seek indemnity from the bar association, if the bar association’s actions led to third-party claims against the vendor.

Consequently, it is up to bar associations to either direct attorneys to third-party vendor terms before attorneys use their services, or appropriately incorporate these terms into their agreements with members. Bar associations may look to several American Bar Association (ABA) resources to create valid online agreements (see, e.g., Christina L. Kunz, Heather Thayer, Maureen F. Del Duca, and Jennifer Debrow, “Click-Through Agreements: Strategies for Avoiding Disputes on Validity of Assent,” Business Lawyer, November 2001 (57:1), at 401).

Cybersecurity and Confidentiality

When it comes to cybersecurity, ignorance is no excuse for attorneys. In 2017, DLA Piper was hit with a “wiper-ware” attack, following previous e-mail hacks of Cravath and Weil Gotshal. Last year, a UK-based cybersecurity firm reported that almost 800,000 UK and global law firm e-mail addresses and affiliated passwords were available on the dark web.

To respond to the growing specter of law firm data breaches, the ABA has issued Formal Opinion 477R concerning the security of confidential client information, and Formal Opinion 483 concerning attorneys’ ethical obligations following a data breach. In addition, Comment [8] to ABA Model Rule of Professional Conduct 1.1 Duty of Competence states that a lawyer “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

At their core, these opinions and ethics rules require attorneys to implement “reasonable” administrative, technical, and physical security measures to protect client confidentiality and monitor attorney networks and systems. This includes ongoing risk assessments of an attorney’s exposure to cyber incidents and business interruptions, in light of the sensitivity of client data, existing technical safeguards, and the cost and difficulty of implementing new safeguards (ABA Formal Opinion 483).

The ABA recognizes, however, that attorneys may need assistance with evaluating and implementing technology solutions. According to ABA Formal Opinion 477R, “[a]ny lack of individual competence by a lawyer to evaluate and employ safeguards to protect client confidences may be addressed through association with another lawyer or expert, or by education.” Bar associations can fulfill their natural role of training lawyers by providing CLEs and written materials from members and third-party IT and security experts on technology competence. Bar associations may also provide similar guidance to Formal Opinion 477R on basic cybersecurity hygiene for attorneys, such as the use of encryption for sensitive files, VPNs, multifactor authentication, antivirus software, and firewalls.

To protect their members—and the public at large—bar associations should also conduct cybersecurity due diligence for all technology service providers before promoting, offering, or otherwise displaying the services of these providers on bar websites and other media. Ideally, this due diligence would occur on an ongoing basis, or at least annually, to account for changing cybersecurity risks. It should be clear to all parties involved, however, that the bar association’s role in cybersecurity due diligence is limited to screening for minimum security requirements, and that these minimum requirements do not necessarily meet the “reasonable security” requirements of the Model Rules.

This caveat is important. Attorneys cannot completely outsource their cybersecurity obligations, nor can bar associations operate as outsourced IT providers. This is because the “reasonability” standard of the Model Rules is fact-specific, and attorneys bear the responsibility for assessing the sensitivity of their clients’ files, understanding their technological needs, and appropriately training and supervising their staff on client confidentiality. In addition, attorneys need to conduct separate inquiries into their privacy and cybersecurity obligations under new and existing laws—whether it is the General Data Protection Regulation (GDPR) in Europe, the domestic alphabet soup of CCPA, HIPAA, GLBA, or FedRAMP, or laws in other jurisdictions. These laws may impose more stringent standards than what is required by Model Rules 1.1 or 1.6.

As a result, bar associations cannot represent that any particular service provider or technology product has adequate security safeguards for its membership as a whole. And even if such a miracle technology existed, attorneys would still be responsible for properly configuring the technology to their computers and networks, keeping their access credentials secure, and maintaining regular software updates on their systems.

Conclusion

Technology cycles move very quickly, hence the famous catchphrase “move fast and break things.” Bar associations and attorneys alike can easily get caught in the fervor of short product cycles and the next, best product, thinking—all the while—that it will improve the prospects of the legal community and the public at large.

While technology can improve the public’s access to justice, not all technology vendors are equal. Bar associations need to remember that their guidance on technology may impact the decision making of an entire generation of lawyers. So before proceeding, their motto should be—for lack of a better phrase—“move slowly and fix things.”

Technology Vendor Due Diligence Checklist

Security and Internet standards to protect client confidentiality

- Encryption (in transit and at rest, where appropriate to the sensitivity of data)

- Access controls (including multi-factor authentication and strong passwords)

- Backup and disaster recovery systems

- Antivirus

- Firewall

Contractual obligations

- Notification of security breaches

- Confidentiality of client data and/or limitations on service provider’s ability to share or use data

- Check for incorporation of third-party terms or requirements to provide notice of third-party terms

- Check for indemnity and limitation of liability clauses

Service-level commitments to prevent business interruption

- Service-level availability/uptime commitments

- Provision of regular updates/software patches

- Integrations with popular operating systems and software

Trust accounting capabilities for any billing provider, or disclosures concerning whether attorneys will need to do separate configurations for trust accounting

– Lily Li
Owner of Metaverse Law, CIPP/US, CIPP/E, CIPM
https://www.metaverselaw.com

Metaverse Law to Speak at Postal Customer Council Lunch and Learn

Metaverse Law will be giving a zip talk and participating in a Q&A panel on Thursday, November 14 at the Phoenix Club in Anaheim, CA about Data Protection and Cyber Security.

The event itinerary includes registration from 11:00AM to 11:45AM, followed by lunch and a seminar, which concludes at 1:30PM.

Registration details can be found at http://www.socalpcc.org/lock-it-or-lose-it.html.

Cybersecurity Ignorance is No Excuse for Tax Professionals

Image Credit: Pete Linforth from Pixabay

Co-authored with Lily Li and Kenny Kang. Mr. Kang is a Certified Public Accountant (CPA), Chartered Global Management Accountant (CGMA), and Certified Fraud Examiner (CFE) with a wealth of experience in public accounting and industry.

CPAs and other tax professionals collect their clients’ crown jewels: sensitive financial data. This makes them prime targets for cybercriminals. For hackers looking to make a quick buck, or engage in more sophisticated identity theft and tax fraud schemes, tax professionals are a treasure trove of social security numbers, tax ID numbers, bank account numbers, confidential agreements, and other personally identifiable information. Consequently, 3-5 tax practitioners get hacked each week, according to a 2017 webcast by the IRS criminal investigations unit – a number that has likely increased over the last couple of years.

In July 2019, IRS released its own statistics relating to identity theft:

IRS Individual Filing Article “Identity Theft Information for Tax Professionals”

[Page Last Reviewed or Updated: 24-Jul-2019]

An estimated 91 percent of all data breaches and cyberattacks begin with a spear phishing email that targets an individual. The criminal poses as a trusted source, perhaps IRS e-Services, a tax software company or a cloud-storage provider, or the criminal poses as a potential client or professional colleague. The objective is to get the tax professional to open a link or PDF attachment. This allows the thief to steal passwords or download malware that tracks keystrokes or gives the thief control of your computer. 

In light of the rise in cyberattacks against tax practitioners, the IRS has taken notice. For this year’s PTIN renewal season, the IRS has revised Form W-12, IRS Paid Preparer Tax Identification Number (PTIN) (Rev. October 2019) by adding Line 11, which includes a mandatory checkbox for tax preparers, requiring them to confirm their awareness of their data security responsibilities. Line 11, Data Security Responsibilities, states:

As a paid tax return preparer, I am aware of my legal obligation to have a data security plan and to provide data and system security protections for all taxpayer information. Check the box to confirm you are aware of this responsibility.

This affirmative checkbox applies to licensed tax attorneys, CPAs, enrolled agents, enrolled actuaries, enrolled retirement plan agents, state regulated tax return preparers, certifying acceptance agents, and it should not come as a surprise for tax professionals.

As early as 2008, the IRS released Publication 4557 “Safeguarding Taxpayer Data” under the federal security requirements of the Gramm-Leach-Bliley Act of 1999 (GLBA). In 2018, the IRS updated Publication 4557 in recognition of the growing crisis of tax preparer data breaches.

In an IRS news release (IR-2018-175, Aug. 28, 2018), the IRS noted that “protecting taxpayer information isn’t just good for the clients and good for business – it’s also the law…tax return preparers must create and enact security plans to protect client data.”

Furthermore, over the 2019 summer, the IRS published a series of news releases: “Tax Security 2.0 – A “Taxes-Security-Together” Checklist” [IR-2019-122, IR-2019-127, IR-2019-131, IR-2019-136, IR-2019-140, IR-2019-143] for tax practitioners to consider as a starting point for analyzing data security. 

IRS, states and industry outline ‘Security Six’ protections to help tax professionals and taxpayers be safer online

IR-2019-127, July 16, 2019

WASHINGTON — Using a new “Taxes-Security-Together” Checklist, the Internal Revenue Service and the Security Summit partners urged tax professionals to review critical security steps to ensure they are fully protecting their computers and email as well as safeguarding sensitive taxpayer data.

The Security Summit partners – the IRS, states and tax industry – urge tax professionals to take time this summer to give their data safeguards a thorough review. To help the tax community, the Summit created a “Taxes-Security-Together” Checklist as a starting point for analyzing office data security.

The IRS noted that failing to enact security plans, and thereby violating the FTC Safeguards Rule (the implementing regulation for the GLBA), could result in a:

Violation of IRS Publication 3112: Safeguarding of IRS e-file from fraud and abuse is the shared responsibility of the IRS and Authorized IRS e-file Providers.

Violation of IRC, Section 7216: Criminal penalties on any person engaged in the business of preparing or providing services in connection with the preparation of tax returns who knowingly or recklessly makes unauthorized disclosures.

Violation of IRC, Section 6713 – This provision imposes monetary penalties on the unauthorized disclosures or uses of taxpayer information by any person engaged in the business of preparing or providing services in connection with the preparation of tax returns.

Violation of Rev. Proc. 2007-40 – This procedure specifies that violations of the GLB Act and the implementing rules and regulations put into effect by the FTC, as well as violations of non-disclosure rules addressed in IRC sections 6713 and 7216, are considered violations of Revenue Procedure 2007-40. These violations are subject to penalties or sanctions specified in the Revenue Procedure. (See 2007-26)

Now, with an affirmative checkbox, tax professionals cannot claim ignorance of the rules. Instead, they will now have to make a representation of their security compliance. Since Form W-12 is signed under penalty of perjury, providing false or misleading information may result in criminal penalties and/or the denial or termination of a PTIN.

So where should tax professionals start? First of all, the IRS has provided handy resources for tax preparers to understand the FTC Safeguards Rule and their obligations (see links below). Second, per these resources, tax professionals should conduct security risk assessments of their systems (potentially in conjunction with counsel) to mitigate current risks. Third, and finally, stay alert! As hackers get more sophisticated, risks change, and it is up to the tax professional to stay updated on the latest cyber risks or seek the assistance of third parties to manage these ongoing risks.

Publication 4557, Safeguarding Taxpayer Data

Publication 5293, Data Security Resource Guide for Tax Professionals

Identity Theft Information for Tax Professionals

*Disclaimer* This article is not legal advice or legal opinion, and the contents are intended for general informational purposes only. Circumstances may differ from situation to situation. All legal and other issues must be independently researched.

******
Women in Cybersecurity – Metaverse Law Interviews Malia Mason

Image Credit: Pete Linforth from Pixabay

Metaverse Law recently interviewed Malia Mason, co-founder and president of the Southern California Chapter of Women in CyberSecurity, Navy veteran, and business owner. A transcript of the conversation is available below:

Lily Li: Women make up only 15% of today’s cyber security workforce.  Today, I have brought my good friend, Malia Mason, who’s trying to get that number to 50%.  Malia, thanks for joining me today and talking a little bit about women in the cyber security and tech community.  To get started, can you let us know a little bit about how you got involved in cybersecurity? 

Malia Mason: Yeah, so, my career in cybersecurity actually began in the military when I was in the Navy years ago. I served active duty for four years and worked to secure our nation’s secrets. When I got out of the military, that’s when I wanted to continue to help secure data and decided to get into the cybersecurity realm and I’ve worked as a consultant for a few years and actually, this year, just founded my own small cybersecurity consulting firm called Integrum. We’re working to help secure small businesses, especially in nonprofits. 

Lily Li: Another thing that you’re very involved with is women in cybersecurity. So, tell us a little bit about what that organization does and what’s been happening lately in that space. 

Malia Mason: Yes, so, Women in CyberSecurity is a national nonprofit that was founded in 2012 and I am actually the co-founder and president of the Women in CyberSecurity SoCal chapter.  We boast over a hundred members so far and we have a chapter as well in San Diego and our launch event actually brought over 50 attendees, both women and allies, and it was great to see the community come together and we’re hosting a big Cyber Career Day on October 19th; which should be really, really fun and try to help more people get into this industry, especially women.

Lily Li: In addition to Women in CyberSecurity, there are a lot of other groups that are promoting women in cybersecurity and in tech.  Can you let us know about a few of the other resources in the area? 

Malia Mason: Yeah, so, one of my favorite organizations, and that I’m a member of, in addition to WiCyS, is Women’s Society of Cyberjutsu. It was founded by my good friend Lisa Jiggetts and they work to provide a lot of technical training and a lot of technical resources and, again, try to get that number of women in cybersecurity to at least 50%.  Another awesome national nonprofit is WITI Women in Technology International.  They do a lot of good getting women in technology and, just recently, I was named the Chair of the Technology Committee for AnitaB.org.  They are the national nonprofit that runs Grace Hopper; which is the largest gathering of Women in Technology in the world.

Lily Li: One of the things I know that you’re passionate about is cyber defense and there’s a great project that you’re working on right now.  So, can you tell everyone a little bit more about that?

Malia Mason: Yeah, so, I was actually inspired by my friend who works in social work and she brought up that, you know, she’s also passionate about technology and a lot of her victims of domestic violence, it’s no longer good enough to secure them physically. We also need to be worried about are they being tracked on Facebook or Instagram or how are they being tracked, even through Google, and so I’ve created a cyber defense course that anyone can utilize and it’s accessible to anyone and just showing them how to protect themselves, how to protect their data, and just really simple tips and I’m working on getting it translated into Spanish, as well, and I want to present this course so that anyone can teach anyone else how to protect themselves, how to protect their families, and how to be a better owner of your own private data. 

Lily Li: Well, it sounds like you have a lot of projects going on and there are a lot of great resources in this area.  So, if anyone wants to reach out to you and learn about how they can get involved and how they can help you, how should they reach you?

Malia Mason: Yes, so, you can actually find us through, if you Google WiCyS SoCal,  that’s WiCyS SoCal, we are building our website right now that’ll be WiCyS-SoCal.org. We also have a good LinkedIn page and a lot of good discussions on there and I always reach out.  Anyone can reach out to me on LinkedIn.  I mentor quite a few folks and I am just always impassioned about getting more people involved in cybersecurity, especially women and minorities.

Lily Li: All right. Thanks for coming here today. 

Malia Mason: Yeah, thank you for having me.

The 2019 Capital One Breach Compared to the 2017 Equifax Breach: Evolving and Improving Attitudes toward Data Security, Breach Detection, and Breach Notification

Image Credit: Khanittha Yajampa via Dreamstime.com

On September 7, 2017, Equifax announced that it had suffered a data breach that exposed the personal data of nearly 147 million people. Two years following the Equifax breach, Capital One also suffered a data breach nearly as massive in scope, affecting approximately 100 million users in the United States and 6 million users in Canada.

A casual observer might think that the two breaches are similar. After all, they both affected a large financial institution and encompassed over a million financial records. The similarities end there, however. Capital One implemented security measures to protect its customer data and engaged in a speedy response to an insider threat. Equifax failed to implement even basic data protection measures and was laggardly in reporting the inevitable breach.

Only time will tell what the full repercussions of these two breaches will be. But based on the facts in front of us, Capital One’s quick response to this breach will ultimately protect more customers in the long run. Comparing the circumstances surrounding the two breaches shows a positive trend toward companies taking their customers’ data more seriously and being mindful of ever-increasing consumer vigilance about their own data.

The Timeline of Each Breach – Head in the Sand v. Speedy Responder

In the case of Equifax, the company detected a breach on July 29, 2017, but failed to notify the public until September—40 days later.

To make matters worse, the breach was not detected until several months after the actual breach, even though the security vulnerability was reportedly known to Equifax. Months prior to the actual breach, a security researcher attempted to inform Equifax about the researcher’s inadvertent and unauthorized access to millions of Equifax customers’ sensitive personal data records. This included social security numbers and birthdates. Although it would have taken a matter of hours or minutes to deploy a fix, Equifax never addressed the reported vulnerability until after the breach had occurred.

In comparison, the Capital One breach occurred when former Amazon Web Services (AWS) employee Paige Thompson stole customer data and posted it to her GitHub, a repository for software development coding and programs. 

On July 17, 2019, a security researcher alerted Capital One to this potential breach by emailing Capital One through an address exclusively reserved for “ethical” hacker disclosures. Based on the information in this email (i.e., Thompson’s GitHub account), Capital One launched an internal investigation of the breach. That led to detection of the breach on July 19. On July 29, 2019, Capital One announced to the public the details of its investigation.

All told, only 10 days passed from the moment of detection to notification of the public in the Capital One breach. Capital One’s quick response may have been influenced by public resentment of how long it took for Equifax to notify its customers of a breach—long enough for senior executives to collectively sell millions of dollars’ worth of stocks within days of detecting the breach in 2017.

Recently, the FTC announced a settlement with Equifax for at least $575 million for damages relating to its data breach in 2017. While a substantial amount to be sure, many have also criticized perceived inaction by both legislators and the Consumer Financial Protection Bureau (CFPB) in response to the Equifax breach. There is substantial public opinion that Equifax got off easy with an FTC settlement that essentially equates to a “cost of doing business.” 

Better Security Control—Protecting What’s In Your Wallet

Following the announcement of Equifax’s data breach, Equifax was lambasted in media reports for its egregious security practices, in particular, its storage of administrative credentials and passwords in unencrypted plain text files. By using plain text instead of encryption, Equifax exposed its sensitive data to hackers without protection. 

In contrast, Capital One encrypted all customer data as standard practice. Due to the circumstances of the breach, Thompson was also able to decrypt the data. However, Capital One also noted in its press release that it tokenizes select fields that are particularly sensitive, including Social Security numbers and account numbers. Tokenization provides an additional layer of protection by replacing the sensitive field with a unique “token” or “cryptographically generated” placeholder. The original sensitive information is stored in a different location and remains protected. Capital One’s practice of tokenization likely protected over 99% of its held Social Security numbers and bank account numbers. Capital One’s adoption of stronger security measures, beyond basic encryption, shows its awareness of and protection against increasingly sophisticated hacks.
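To make the tokenization described above concrete, here is an added toy example in Python (not Capital One’s implementation or code from this article): a token vault that swaps SSNs and account numbers for random placeholders, plus a scan that shows a tokenized export exposes no raw identifiers. The vault class, the “detokenize” role, the field list and the customer records are all constructed for this example.

```python
import re
import secrets

# Fields that the application never stores in the clear. Mirrors the press
# release's description (SSNs and account numbers), assumed for this example.
SENSITIVE_FIELDS = ("ssn", "account_number")

# Constructed sample customer records; every identifier here is made up.
SAMPLE_RECORDS = [
    {"name": "A. Example", "ssn": "123-45-6789", "account_number": "4000123412341234"},
    {"name": "B. Example", "ssn": "987-65-4321", "account_number": "4000567856785678"},
    {"name": "C. Example", "ssn": "123-45-6789", "account_number": None},
]


class TokenVault:
    """Maps opaque tokens back to the sensitive values they replace.

    Hypothetical component for this example. In a real deployment the vault
    is a separately secured service with its own keys and access policy, so
    a copy of the application database alone yields only tokens.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[tuple[str, str], str] = {}

    def tokenize(self, field_name: str, value: str) -> str:
        """Return the token for (field, value), minting a new one if needed.

        Tokens are 128 random bits, so they carry no information about the
        value. The same value always maps to the same token, which keeps
        joins and duplicate detection working on tokenized data.
        """
        key = (field_name, value)
        token = self._value_to_token.get(key)
        if token is None:
            token = f"tok_{field_name}_{secrets.token_hex(16)}"
            self._token_to_value[token] = value
            self._value_to_token[key] = token
        return token

    def detokenize(self, token: str, caller_roles: set[str]) -> str:
        """Reverse a token; only callers holding the detokenize role may."""
        if "detokenize" not in caller_roles:
            raise PermissionError("caller is not authorized to detokenize")
        return self._token_to_value[token]


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Copy a record, replacing each populated sensitive field with its token."""
    out = dict(record)
    for field_name in SENSITIVE_FIELDS:
        value = out.get(field_name)
        if value is not None:
            out[field_name] = vault.tokenize(field_name, value)
    return out


_SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
_ACCOUNT_RE = re.compile(r"^\d{8,19}$")


def exposed_sensitive_values(records: list[dict]) -> list[tuple[str, str]]:
    """Scan a record set (e.g. a suspected leak) for raw SSNs/account numbers.

    Returns (field, value) pairs that still look like real identifiers; a
    properly tokenized export should return an empty list.
    """
    exposed = []
    for record in records:
        ssn = record.get("ssn")
        if isinstance(ssn, str) and _SSN_RE.match(ssn):
            exposed.append(("ssn", ssn))
        acct = record.get("account_number")
        if isinstance(acct, str) and _ACCOUNT_RE.match(acct):
            exposed.append(("account_number", acct))
    return exposed


def demo() -> tuple[list[dict], list[tuple[str, str]]]:
    """Tokenize the sample records and scan the tokenized copy for leaks."""
    vault = TokenVault()
    tokenized = [tokenize_record(vault, r) for r in SAMPLE_RECORDS]
    return tokenized, exposed_sensitive_values(tokenized)


if __name__ == "__main__":
    tokenized_records, leaks = demo()
    for r in tokenized_records:
        print(r)
    print("raw identifiers exposed in tokenized copy:", leaks)
```

Run against the raw records the scan flags all five identifiers; run against the tokenized copy it flags none, which is the point of keeping the vault outside the application data store.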

While breach incidents are unfortunately becoming more common, Capital One’s response to its recent breach shows that incident response plans are becoming more robust. Corporate attitudes are trending toward privacy and security teams being an integral part of an organization, as well as investments in technical and operational security controls having great value.

Breaches in the Future?

Looking forward, we can all use the Equifax and Capital One breaches to inform us with respect to all businesses’ privacy and security obligations. As just a few high-level takeaways:

  1. Properly encrypt all personal data held on customers and employees, based on the data’s level of sensitivity.
  2. Assess whether your current privacy and information security team needs additional support and/or training to handle your organization’s size and sensitivity of data.
  3. Implement proper security controls, including access permissions and physical facility controls.
  4. Don’t forget that “insider threats” caused by employee and ex-employee handling of data are just as problematic as outside hacks.
  5. Promptly investigate “ethical hacker” or security researcher notifications about your company’s security.
  6. Have an incident-response plan in place to guide decision-making following a detected breach.

Above all, be prepared! Organizations of all sizes now handle massive amounts of data collected both on physical servers and on cloud databases. It is critical that they understand not just the current minimum data protection obligations imposed upon them, but also learn from past security incidents and realize that the bar for compliance is continually in motion with every breach.