April 01, 2014

iWitness: Securing Your Data in a World of Remote Access

This overview of privacy and technology policies may help firms avoid malpractice charges.

Frank Sommers

Download a printable PDF of this article (membership required).

This issue of Litigation, dealing with privacy, highlights how technology and law have become so intertwined that whether we are committing malpractice by failing to implement privacy and technology policies for our firms and clients needs to be a threshold question.

When I started with IBM in 1978 as a systems engineer, security was easy: Turn off the computer and lock the door to the computer room. Log-in passwords were sometimes considered belt and suspenders, and a bit much for users to remember. Today the computer room has been all but driven out the door onto the cloud, and we have not only the desktop computer to secure but the full range of devices users want to use to access the data, be they laptops, tablets, and cell phones, at all times of the day and night. If we can no longer turn off the computer and lock the door to the computer room, how can we prevent the dreaded M word—malpractice—from rearing its ugly head?

First we need to ask if we have put in place reasonable log-in security procedures that are actually followed. If we are storing data off-site in the cloud, what due diligence have we performed to reassure ourselves that the data are, in fact, secure? What kind of outside access do we permit our employees? And how secure are those “wormholes” into our business systems?

When assessing an office network, whether for the purposes of your own security or a client’s privacy exposure, consider how users sign in through third-party systems such as at airports, cafés, and hotels. This connectivity requires each computer to get access permission from the server, a “port” that can be hacked from the outside. This is generally something that the users know nothing about and therefore take no trouble to protect. “Oh, that’s for the IT guy to handle” is the most common response. So your best question to remember is “how are the network sign-ons handled?” And its close cousin, “how often are the sign-on passwords changed?” (PS—this goes double for that wireless router in your home using the default passwords it came with that are well known to the lowliest hacker wannabe.)

The issue of password protocol provokes passionate argument. One end of the spectrum is “passwords never change”—which means everyone gets to know everyone else’s password. The other is “mandatory monthly changes enforced by deactivating everyone’s password if they don’t change within three days”—which, ironically, results in the same, as no one can remember such frequently changed passwords, so they write them on little slips of paper stuck to their keyboards. You, as counselor, as opposed to the you who wants his or her office to run smoothly, will of course favor the “more secure, though more of a pain” protocol.

The issue of where information is stored, on the server and/or on the terminal, adds more layers of complexity. Every network should have a backup drive, often changed, with at least one copy taken out of the office in case of fire and the like. So you need to find out where those drives are, how often backups are run, and how they’re physically protected. Many systems also have internal backup servers or nodes (other physical sub-servers) on the network that store all traffic and data as fail-safes in the event of internal mechanical problems, and these run without user intervention so no one but the “IT guy” knows they exist.

When the issue is internal mis- or malfeasance, a nontechnical employee trying to cover his tracks, for example, may not realize that erasing his email store or even the backup drives will not reach this internal node, which will faithfully reproduce the old data when correctly tickled. Similarly, asking the other side in litigation how their system works and tracking down the existence of these internal backup locations can often result in discovery of valuable information.

When you start considering outside connections to the database, things get even more complicated. This is especially true if your client has become a devotee of the cloud, with the result that the personal computers (PCs) on everyone’s desks are connected to a server farm in Omaha. Or Singapore, depending on the price quote of the month. So let’s take outside access from simplest to most daunting.

Outside Access

The simplest is “logging on from home” or on the road, through a hotel system. This is just a variation of the “PC as office terminal problem.” How does the hotel control access codes? Have you considered whether there is storage on that remote PC and copies of documents that are “officially” supposed to reside on the office system and, if so, how is that dealt with? Does your backup protocol reach those remote computers? Does your litigation hold letter? You should also be aware that if the hotel is using a third party, traces of the information sent and received may linger in the middle.

Email begins the nightmare of web connectivity and consequent loss of control over your data. Not only are emails and attachments stored on your computer, but your Internet service provider, or ISP, keeps backup copies for its own purposes, as may services used to transfer files too large for email—FTP (file transfer protocol) or “file-to-file transfer” sites. These are often used by lawyers and secretaries rushing to get information to the other side, and many firms do not even realize that huge volumes of protected data are being uploaded to the web for download by the other side. As a result, there are often no procedures requiring monitoring and scrubbing after receipt.

This introduces the third-party problem—how can you do due diligence to be able to assure your clients that their data are safe? Many of these third parties are extremely unwilling to reveal their data protection systems, on trade secrets grounds. Getting copies of the data before litigation is somewhat easier, as it is ostensibly “customer data,” but many companies will not release copies, even to their own customers, absent court process.

The fast-growing “cloud service” industry allows customers to outsource their entire network to third parties for storage on remote servers. In effect, we’ve come full circle—from the refrigerated machine rooms of IBM’s large corporate data servers to the air-conditioned server farms of Amazon. The point for you as lawyer for the client is the same: (1) What precautions are in place to protect the data from intrusion, and (2) what does it take to be able to review the data in pre-litigation investigations? You start, as before, with password security at the client level but then run into the wall of the cloud provider’s mantra: “Your data are safe with us but we can’t tell you our proprietary methods.” Your due diligence may end at this point, or your client may have the leverage to cause the provider to reveal more, allowing you to help create procedures that show you or the client at least tried.

Cell phones bring the same concerns presented by laptops—i.e., access codes and internal storage, discussed above. But they also create an entirely new issue when they send your location to the phone company (and thence to the National Security Agency (NSA)) as well as to every application on your phone to which you have given permission to use “location data.” If you, like me, rely on being able to ask your phone for navigation help, you have authorized it to send your location information to the application (such as Google Maps) that’s helping you stumble home. The problem is that far more applications ask for this permission than need it to perform their function, because marketers aggressively seek this information “the better to sell to you, my dear,” to paraphrase the Big Bad Wolf. So ask yourself, “Do I or my clients care?” Depending on your area of practice, the answers may differ.

Software Encryption

Putting all your data only on hard drives in cyphered form provides a very strong backup to threats of data theft. For several industries, notably finance and health care, it is fast becoming a “required best practice” in the wake of numerous incidents involving employees taking entire customer databases on their laptops and then leaving them in a car or train, thereby exposing the company to serious liability, even without proof that the thief or finder could even get past the sign-in ID.

So how do you encrypt? For emails, you just select “encrypted” and many email systems do a basic coding. For sensitive email, you need to pick some version of “public key” encryption, in which you send the recipient a “key” that allows him or her to decode your message (and verify that it comes from you). For encrypting the entire hard drive, you have to install software that talks to all your other applications (such as Microsoft Word) and codes and decodes your documents as you save and retrieve them. If you are running a large hospital system or bank, for example, this becomes a significant system load that slows response time during normal use. As a result, users are quite reluctant to implement this level of protection for any but the most significant data, and often not even that. If you bring up the issue during a review and are able to insist on encryption for storage that is being physically transported, you will have done better than many of your peers.

Finally, it is only fitting to discuss the issues raised by last year’s Snowden-storm about the NSA “seeing all and knowing all.” Indications are that the NSA is tracking every call, email, and data transfer in the country and that under the Patriot Act and its successors, various agencies such as the FBI have the power to ask third parties for your data and not notify you. This gives rise to an argument that there is no more attorney-client privilege if you have used the telephone or the Internet (or work on a network connected to the same) because your data have been disclosed to a third party, and you know it. (Or now you do. Sorry about that. . . .) As of this writing, the shockwaves of the initial disclosures have not yet settled, but I don’t believe we’re going to resolve this by only using data couriers with thumb drives implanted in their forearms to transmit important documents à la Johnny Mnemonic. Rather, the profession will probably resolve the matter by agreeing to pretend the issue doesn’t exist, just as it did 30 years ago when faxes became indispensable—even though a fax did not, technically, satisfy the Federal Rules’ requirements to be considered a “copy” in the same manner as a photocopy did. If we all agree to pretend the elephant isn’t there, no one will be filing any motions using “NSA” and “waiver of attorney-client privilege” in the same sentence. Good luck.

So what’s the takeaway? First, consider these issues for your own firm as well as for your clients. Depending on what kind of work you do, you can create letters and documents with various levels of detail to show that both your internal procedures and your advice to the client are consonant with reasonable care of data security. Afterward, there’s the fun of discomfiting your opponents in discovery to look forward to.

As citizens, we need to decide whether we care about the rapid and perhaps irreversible changes taking place in our society with respect to the acquisition and storage of “our” data by both government and commercial entities. I would suggest that a very strong argument can be made that the NSA is the least of our worries, in that the commercial acquisition and analysis of data have gone so far as to render the government’s acquisition a matter of secondary concern. At the same time, however, there are very different risks and protections presented by government capture of citizens’ data. While I may not care if Google knows what I shop for or where I’m walking so it can send me ads, my response may be entirely different if the inquirer is the FBI. These questions, however, are for another column.

Frank Sommers

The author, an associate editor of Litigation, is with Sommers & Schwartz, San Francisco.