[BreachExchange] Another Day, Another Data Breach — an Update on Data Security

Destry Winant destry at riskbasedsecurity.com
Wed Nov 13 10:15:39 EST 2019


https://www.jdsupra.com/legalnews/another-day-another-data-breach-an-76012/

According to the 2019 Mid-Year QuickView Data Breach Report, the first
half of 2019 saw 3,813 data breaches involving 4.1 billion records.
The majority of those records — 3.2 billion, or nearly 75% — were
exposed in just eight mega-breaches. Email data was exposed in 70% of
the breaches, and passwords in another 65%.

Risk Based Security, which compiled the report, concluded that data
breaches are getting worse rather than better, with this year’s
numbers representing a more than 50% increase over last year’s.
Meanwhile, Yahoo’s data breach resolution is working its way through
settlement proceedings, DoorDash saw 4.9 million customer records
leaked through an “unauthorized third party,” and 5.3 million credit
and debit card accounts were exposed through a malware attack at
Hy-Vee supermarkets and gas stations.

It’s not just major stores or social media giants that are at risk.
While “many businesses wrongly assume they are too small to be on the
radar of the threat actors[, t]he truth is that it is all about the
data, and small businesses often have less well-guarded data stores.”
In short, if you have valuable data, someone is probably trying to
access it.

According to statistics compiled from UK data, human error remains the
biggest factor, with 60% of data breaches reported in the first half
of 2019 the result of simple mistakes. Of those, about half (43%) were
caused by incorrect disclosures, with about 20% mistakenly sending
data to the wrong recipient.

The risk of cybersecurity attacks has been increasing every year.
IBM’s CEO recently called cybercrime “the greatest threat to every
company” not just in the U.S. but also globally. Indeed, hackers keep
hitting sensitive political, financial and legal targets.

Generally, when legal teams don’t aggressively protect their data,
they play with fire. That’s because legal departments manage the type
of sensitive information, especially during discovery, that hackers
want. Rather than comb through a company’s entire database for useful
information, hackers can zero in on the legal department to hit a
jackpot of valuable assets.

As you’re building your technology stack, remember that the best, most
sophisticated purpose-built software in the world doesn’t help you if
your overall data system is not secure or if your employees aren’t
careful. That means that each component must be rigorously defended
and your people must be well trained and constantly vigilant. Data
breaches may be getting worse, but we can all do better to protect
ourselves — and our clients and customers — from them.

Choose Your Partners Wisely
Don’t assume that your data will be secure in the hands of ediscovery
vendors, third-party service providers, or law firms. Audit any
ediscovery partner both before retaining its services and
periodically, perhaps annually, thereafter. The vast majority of
ediscovery professionals overlook this critical step; only 19 percent
conduct security audits with their ediscovery service providers. In
addition to audits, ask the following questions:

- Where will you store ediscovery data?
- How do you protect that data at rest and in transit? Ensure that the
partner uses adequate encryption methods and other security measures,
such as firewalls.
- Who is allowed to access data, and from where or on what type of
device? How do you control that access? Look for login credentials,
pre-employment screening, and reliance on Tier 4 data centers.
- How do you monitor your systems to detect unauthorized access?
- How do you test and audit your security, and how often do you self-test?
- What is your policy for reporting breaches to customers? According
to the American Bar Association’s 2017 Legal Technology Survey Report,
only 11 percent of breached law firms notified their clients of those
breaches. Include a specific breach-notification policy in your master
service agreement.
- To assess security measures rapidly, ask what certifications the
partner has obtained.
Best-in-class security certifications include SOC 2 Type 2 and ISO
27001. Be sure that the partner protects data both within its
application and in its hosting.
