Our quickly evolving workplaces make it easier than ever to get things done on the move and on the fly. Colleagues can “ping” each other from their phones with late-night ideas, or review important docs from a tablet while flying over the Atlantic. But the increasing diffusion of corporate data also raises significant cybersecurity concerns: the risk of lost data should a phone go missing, or the “shadow duplication” of high-value documents onto devices and accounts the company does not control.
Logikcull recently spoke to Chad Wolfsheimer about how companies, and in-house legal departments in particular, can balance the need for greater cybersecurity with a limber, mobile culture. Wolfsheimer, who studied computer science at Brown University, has over sixteen years of financial industry experience managing teams in technology, operations, software architecture, product management, business intelligence, cybersecurity, and compliance. He is currently the Chief Information Security Officer, responsible for issues of cybersecurity, data governance, and privacy at The Motley Fool.
(Wolfsheimer will also be speaking at an upcoming Logikcull Corporate eDiscovery and Cybersecurity User Group on May 18th, in Washington, D.C. Register now if you haven’t already!)
When it comes to business today, you no longer need to be chained to your desk to get your job done. Cloud-based services can handle everything from eDiscovery (ahem) to email, to gif-heavy intra-office messaging. A single company may use Google for emails, Slack for messaging, Box for file sharing, Microsoft Office 365 for productivity software -- the list goes on and on. With each of these third-party services potentially handling sensitive client or customer data, how can in-house attorneys make sure such data is properly protected?
“It's clear that many of the most effective, available, reliable, and secure services are built in the cloud, with more being established every day,” Wolfsheimer says. “As maintaining sensitive client or consumer data solely on our hardware on our own premises becomes unjustifiable, we have the added challenge of making sure the unique practices of every third party service meet our own standards and requirements.”
“In-house attorneys should work with their product, technology, and business development teams to create vendor assessment guidelines and checklists about how to protect company and client data,” Wolfsheimer advises. Those guidelines need to be balanced between rigorous requirements, “enough to start extended, intensive conversations and research for handling data in major, complex relationships,” Wolfsheimer says, “but also simple enough to assess less critical partnerships and minimal data exchange in just a couple hours.”
When reviewing third party vendors, he explains, “I often approve use for a specific purpose but stipulate that if we want to pursue additional services with more sensitive data, we'll need to discuss that in advance and possibly take additional steps to protect sensitive data.”
BYOD policies can add a few wrinkles to protecting such data. BYOD, or “bring your own device,” policies allow employees, business partners, and others to use their personally owned devices, such as smartphones or laptop computers, to access company information or applications. Indeed, even when no policies are in place, BYOD is becoming increasingly widespread, as employees simply take it upon themselves to transfer documents to their personal email accounts, phones, and so on. The benefits are increased productivity and mobility; the obvious drawback is reduced control over where company information ends up.
BYOD “complicates oversight of where data is located,” Wolfsheimer notes. To keep information from being stored where it shouldn’t be, he recommends providing “training and access to corporate setups of cloud-based services,” such as the Google G Suite. That way, “people are less likely to use their personal accounts, particularly when those might already be set up on their BYOD system.”
As for actually controlling company data that’s spread across a variety of devices, Wolfsheimer says companies need to “have technology solutions in place to remotely delete corporate data from workers' devices, if not to wipe entire devices, and make sure your workers sign policies that allow you to search, copy, and delete corporate data from their devices.” He also recommends mandating password and screen-lock use wherever possible, and restricting the use of sensitive data on unencrypted devices.
When it comes to creating effective data security policies, there’s no “perfect answer,” Wolfsheimer readily admits. “Cybersecurity recommendations evolve quickly and often boil down to specifics of numbers and acronymic specifications: 2048-bit, SHA512, AES, RSA, DSA, TLS 1.3, etc. It can be difficult even for technologists to keep up or understand the differences,” he explains.
“While the most secure practice may be to implement rigorous specifications, frequent reviews, and in-depth audits,” Wolfsheimer says, “a common-sense approach to policies is probably more effective: Keep language simple, minimize specific rules to only the most important, and ask people to seek help and support from people on qualified teams or serving relevant data security roles.”
Chad Wolfsheimer will be discussing eDiscovery, cybersecurity, and the challenges facing businesses and attorneys at Logikcull’s Corporate eDiscovery and Cybersecurity User Group, May 18th in Washington, D.C.
Register now to join him and other experts for an engaging discussion around steps corporate legal teams can take, including working with outside counsel, to secure their most valuable data.
This post was authored by Casey C. Sullivan, Esq., who leads education and awareness efforts at Logikcull. You can reach him at firstname.lastname@example.org.