The Snowden and Manning affairs illustrate that we have entered an era that a contributor to this month's issue describes as one of “radical transparency” in which a corporation’s most confidential assets are vulnerable. Such assets may range from intellectual property to individual information of a private nature, trade secrets and strategic plans. The concern about safeguarding these assets in an era of radical transparency is at an all-time high as evidenced by the number of articles and interviews in this issue addressing that concern.
It has been said that an experienced hacker can break into the data stored in any computer – it is only a matter of time. Also, data may be accessible to employees and other users, and can walk away in USB drives, smartphones and tablets.
Failure to protect a company’s assets from unauthorized external or internal intrusion, tampering or loss can have serious consequences for your company. A company’s failure to protect its assets adequately will result in immense damage to its reputation. Derivative actions may be brought by shareholders if the intrusion results in the avoidable release of trade secrets or other highly sensitive information. If privacy is compromised by the unauthorized release of protected health information, HIPAA provides for civil and criminal penalties. Government investigations may be triggered if the information suggests possible violations of law. Exposures of this nature make it imperative that directors be kept fully informed of the measures being taken to protect company information.
In cooperation with their companies' security and technology departments, legal departments need to be part of the team advising their companies about the steps that should be taken to protect vital company assets from disclosure and loss. A company's entire collection of data can be periodically checked at reasonable cost and at high speed for tampering, theft or fraud, and an attempt can be made to identify the perpetrators. Don’t forget to get assurances that appropriate checks are also being conducted by those who have access to your data, such as law firms, accountants and other third parties.
Such checks can be run on virtually any type of stored asset, including specifications, pictures, charts, telephone calls and other items. The most important step in protecting a company’s data from intrusions is to have a system that gives employees, contractors and others who work with its data (users) access only to those portions of it that they need for their work. Because authorized users are in the best position to steal, destroy or otherwise wrongfully affect data, a company may also wish to take other steps.
In addition to a thorough background check, the company may wish to explore having some or all users agree in writing to have their company and private emails monitored and provide their passwords to any social media or other websites that they have visited in the recent past or plan to visit in the future. Data leakage audits can show a company the domains to which users’ emails are going. Thus, if a user is sending emails with attachments to his or her Gmail address (and you are not a corporate Gmail platform user), the attachments might include confidential company data.
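The data leakage audit described above, as an added Python example that is not part of the original article: it tallies the external domains that outbound mail goes to and flags attachments sent to personal webmail. The corporate domain, the webmail list and the sample messages are assumed values constructed for the illustration.

```python
from collections import Counter
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed values: the company's own mail domains and the personal webmail
# providers the audit watches for.
CORPORATE_DOMAINS = {"example.com"}
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

def recipient_domains(msg):
    """Lower-cased domains of every To/Cc/Bcc address in the message."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    addrs = [addr for _, addr in getaddresses([str(h) for h in headers])]
    return {a.rsplit("@", 1)[1].lower() for a in addrs if "@" in a}

def audit(messages):
    """Return (external-domain counts, findings) for a batch of sent mail."""
    counts, findings = Counter(), []
    for msg in messages:
        sender = getaddresses([str(msg["From"])])[0][1].lower()
        files = [p.get_filename() for p in msg.iter_attachments()]
        for domain in sorted(recipient_domains(msg) - CORPORATE_DOMAINS):
            counts[domain] += 1
            # Flag only attachments leaving for personal webmail.
            if files and domain in WEBMAIL_DOMAINS:
                findings.append((sender, domain, files))
    return counts, findings

def make_msg(sender, to, attachment=None):
    """Build one constructed sample message."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, "sample"
    msg.set_content("constructed sample body")
    if attachment:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg

# Constructed sample traffic, not real mail.
SAMPLE = [
    make_msg("alice@example.com", "bob@example.com", "roadmap.pdf"),
    make_msg("alice@example.com", "alice.personal@gmail.com", "roadmap.pdf"),
    make_msg("carol@example.com", "friend@gmail.com"),
    make_msg("dave@example.com", "counsel@lawfirm.example", "contract.docx"),
]

if __name__ == "__main__":
    counts, findings = audit(SAMPLE)
    print(dict(counts), findings)
```

A company whose own mail runs on a hosted platform lists its domains in `CORPORATE_DOMAINS`, so internal mail is excluded before the webmail check is applied.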
A company should, if possible, keep its sensitive data behind a firewall that is as secure as possible and may wish to take other measures to protect it – such as encryption. It has also been suggested that it is best if data is kept in clouds located in the countries in which the information was generated. Given the immense economic growth in the Far East and of subsidiaries of Asian companies and other global corporations in the U.S., an increasing amount of data uses Asian characters. Predictive coding is available that enables such data to be retrieved, translated and checked.
In an August 20 letter to the White House signed by leading organizations within the technology industry, those organizations recommended that appropriate transparency be implemented with respect to national security programs, supported reforms to the Electronic Communications Privacy Act that would enhance privacy in law enforcement investigations, and promoted policies that would allow for unimpeded cross-border data flows, such as the U.S.–EU Safe Harbor Framework.
We are encouraging those who supply us with interviews and articles to keep our readers advised of further developments.
Published August 22, 2013.