On March 10th, Hillary Clinton held a press conference to defend her use of her own email server for State Department communications (see our March 11th blog). One of the things she said during that press conference was that she was sure the clintonemail.com server had never had a security breach. Clearly Ms. Clinton doesn’t realise that it is possible for a server to have been hacked without the breach ever being discovered.
Case in point: last week, Premera Blue Cross, which provides health insurance in the U.S. Pacific Northwest and Alaska, announced that it had suffered a hack in May 2014, exposing claims and clinical data affecting 11 million customers. The breach was apparently uncovered on January 29 of this year, seven months after the incident occurred. It was only discovered after a related insurer found that it too had been breached, prompting Premera to check its own servers for telltale signs.
Cybersecurity professionals are increasingly saying that the emphasis should be placed on catching attackers in the act rather than trying to prevent them from breaching the walls in the first place, since it’s becoming apparent that the walls won’t always prevent the attack.
Setting traps and catching hackers in the act is fine, but only if you detect the breach in the first place. To truly protect information, it has to remain secure even if it is stolen. This is where information governance comes into play. By eliminating what you don’t need (so it’s not there to steal) and identifying your crown jewels (so that you can lock them away using encryption), you can rest assured that, even if an attack is not detected in time, all the hackers took was a bunch of undecipherable gibberish.
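The two governance controls above, dropping data you do not need and encrypting the crown jewels so a copied datastore is useless without the key, in working code. This is an added example and not code from the original post or from any of the organisations it mentions; the claim record layout, field names and the fixed key are constructed for illustration, and the encryption is AES-256-GCM from the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ClaimRecord is a constructed sample of the kind of claims/clinical record
// an insurer holds; the field names are assumptions for this example.
type ClaimRecord struct {
	ClaimID   string // needed in the clear for routing and lookup
	MemberSSN string // crown jewel: identifies the member
	Diagnosis string // crown jewel: clinical data
	Notes     string // transient scratch text with no retention need
}

// StoredRecord is what actually sits on disk: the identifier the business
// needs in the clear, the crown jewels as ciphertext, and nothing else.
type StoredRecord struct {
	ClaimID   string
	MemberSSN []byte
	Diagnosis []byte
}

// ExampleKey is a constructed 256-bit key. In a real deployment the key lives
// in a KMS or HSM, never beside the data it protects.
var ExampleKey = bytes.Repeat([]byte{0x42}, 32)

// sealField encrypts plaintext with AES-256-GCM and prepends the random nonce.
func sealField(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the nonce travels with it.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openField reverses sealField; the GCM tag check fails on a wrong key or tampering.
func openField(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Govern applies both controls: Notes is never written to storage (minimisation)
// and the SSN and diagnosis are encrypted (crown jewels).
func Govern(key []byte, r ClaimRecord) (StoredRecord, error) {
	ssn, err := sealField(key, []byte(r.MemberSSN))
	if err != nil {
		return StoredRecord{}, err
	}
	dx, err := sealField(key, []byte(r.Diagnosis))
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{ClaimID: r.ClaimID, MemberSSN: ssn, Diagnosis: dx}, nil
}

// Restore decrypts a stored record for an authorised reader holding the key.
func Restore(key []byte, s StoredRecord) (ClaimRecord, error) {
	ssn, err := openField(key, s.MemberSSN)
	if err != nil {
		return ClaimRecord{}, err
	}
	dx, err := openField(key, s.Diagnosis)
	if err != nil {
		return ClaimRecord{}, err
	}
	return ClaimRecord{ClaimID: s.ClaimID, MemberSSN: string(ssn), Diagnosis: string(dx)}, nil
}

func main() {
	in := ClaimRecord{ClaimID: "C-1001", MemberSSN: "123-45-6789", Diagnosis: "J45.20", Notes: "call member"}
	stored, err := Govern(ExampleKey, in)
	if err != nil {
		panic(err)
	}
	// What someone who copies the datastore sees: opaque bytes, no notes at all.
	fmt.Printf("on disk: %s %x\n", stored.ClaimID, stored.MemberSSN)
	out, _ := Restore(ExampleKey, stored)
	fmt.Printf("restored: %+v\n", out)
}
```

The point to notice is that the stored form is only as valuable to a thief as the key, which is why the key must be held and audited separately from the data, and that the dropped field cannot be exposed by any breach because it was never kept.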
Read what Susan Wortzman has to say about why document review is generally legal work in the March 23, 2015 Law Times article “Lawyers Confused at Stance on Document Review”. In the article, Wortzman says that “(t)he document review that Wortzmans typically does involves making assessments of relevance, privilege, significance, and maybe classifying documents by issues”. In those cases, she says, “what we have are lawyers exercising or using their legal judgments to make determinations as to whether particular records are relevant and/or producible in litigation. So in my view, that’s legal work.”
Target has reached a settlement of the class actions brought against it as a result of the data breach the company suffered in November 2013. On March 19, 2015, a US court granted preliminary approval to a proposed settlement that would see Target pay US$10 million to class members as well as implement measures to better protect customer data (see In re: Target Corporation Customer Data Security Breach Litigation, 2015 U.S. Dist. LEXIS 34554 (D. Minn. 2015)). The final hearing to approve the settlement will be in November 2015.
Under the proposed settlement, affected customers are eligible for damages up to a maximum of $10,000, provided they have documentary evidence of actual losses that were ‘more likely than not’ caused by the data breach. The settlement also requires Target to implement business measures to protect customer data. The company has agreed to appoint a Chief Information Security Officer and to maintain an information security program, with procedures for monitoring and responding to information security events. It has also agreed to implement employee training about why and how to secure customers’ personal information.
The costs of the settlement are a drop in the bucket compared to the initial costs of responding to the breach that Target reported last August. At that time, those costs were reported at $148 million. Release of that information was quickly followed by a drop in Target’s share price (see: http://www.forbes.com/sites/samanthasharf/2014/08/05/target-shares-tumble-as-retailer-reveals-cost-of-data-breach/).
There is a high price to data breaches. Being proactive rather than reactive will reduce that risk. Organizations should implement information management and security measures before those unnecessary costs are incurred.