The story of North Korea allegedly hacking into Sony's IT infrastructure and sending Sony a threatening e-mail that led it to cancel the distribution of a new film, The Interview, a comedy-adventure film about two Americans who land an interview with North Korean leader Kim Jong-un, dominated the news as 2014 wound down. At the time of this writing, the United States was contemplating what action to take in response, and President Obama, who compared the Internet to the “Wild West,” called for international cooperation in forging agreements and creating agencies to police Internet conduct around the globe.
Since there has been, for the past few years, considerable public discussion about the need for law firms to address information security, or InfoSec, issues with their clients with regard to e-discovery and other vendors that house firm data and within the firms themselves, InfoSec can hardly qualify as the next big thing. However, the Sony story has brought the issue front and center and, as we get further into 2015, we can be sure that the issue will only grow. With that in mind, a look at some recent changes to California's law regarding duties that arise when a party (think here an e-tailer) receives data personal to another party (think typical electronically stored information) segues into a more general discussion of the e-tailer's obligations regarding InfoSec.
The California Law
California Civil Code Section 1798.81.5(b), unamended, requires that a “business that owns or licenses personal information about a California resident … implement and maintain reasonable security procedures and practices … to protect the personal information from unauthorized access, destruction, use, modification or disclosure.” For those outside of California, note that the law pertains to information “about a California resident,” regardless of where that information is stored. This type of law, protecting a state's residents' information regardless of whether that information is stored within or outside the state, is common. So, e-commerce firms, ask yourself how many matters you are involved in where you are storing, for litigation or other legal services purposes, information of California residents. The law applies to you. Also ask yourself, regarding all of the other matters where you are storing ESI, whether you know the residency of all of those people whose ESI you are storing. If you don't, you must assume that those matters as well fall under the statute.
The recent changes amend the phrase “business that owns or licenses personal information” to read “owns, licenses or maintains personal information.” In typical litigation matters, the e-commerce firm does not own or license the personal information, but there is no denying that the firm maintains it. Thus, the amendment was put in place to remove the escape valve for all sorts of businesses: businesses that maintain the credit card information of clients or the Social Security numbers and other personal information of their employees, for example, and not simply, or principally, firms that neither own nor license that information, but certainly maintain it.
As well, Subsection (c) requires that a “business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party,” such as a law firm providing client ESI to an e-discovery vendor for hosting, have in place with that third party a “contract” requiring the third party to “implement and maintain reasonable security procedures and practices … to protect the personal information from unauthorized access, destruction, use, modification or disclosure.” Thus, firms cannot simply assume that their clients' data is safe because it's in the cloud, but must vet their vendors for security practices and choose vendors willing to be contractually committed (and insured sufficiently to make the contract worth something) to InfoSec.
Section 1798.82 of the same code governs the protocols that a “person or business that conducts business in California” must follow to disclose security breaches. This includes not just businesses located in California, but all those who do business there, such as firms with California clients (or opponents), or those involved in matters in California courts. The amendment to Section 1798.82 adds Section (G) to the aforementioned protocols. It reads:
If the person or business providing the notification was the source of the breach, an offer to provide appropriate identity-theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached if the breach exposed or may have exposed personal information. (http://bit.ly/1xYd5bu)
Thus, if the firm, or the hosting/storage vendor used by the firm, is the source of a breach, the firm must offer “to provide appropriate identity-theft prevention and mitigation services” at no cost to the person whose personal information was within the compromised electronic repository.
This amendment imposes a considerable responsibility upon firms that store client data (not to mention their own human resources data and other data containing personal information). As with the previously discussed amendment adding people or businesses that simply maintain personal information to protections under the statute, the requirement to provide aid to the personal information holders forces firms to work backward from imagining a breach to the point well prior to it where steps could have been taken to prevent it or decrease considerably the likelihood of its occurrence. This exercise, as with the prior one involving the previously discussed amendment, leads to the ineluctable conclusion that firms must be far more involved in putting into place InfoSec measures where they store ESI in-house and make sure that hosting/storage vendors have such measures in place.
This working-backward exercise should lead firms to consider whether they should continue to host anything in-house: whether they have both the InfoSec guards and the insurance in place (they will need both) to, respectively, try to prevent and to cope with a breach. Typically, the first questions from someone vetting a vendor's InfoSec measures concern what certifications the vendor has, in particular the certifications issued by the International Organization for Standardization after the vendor has gone through rigorous inspection. These ISO certifications are costly to a vendor, not simply because of the hardware and applications to be purchased and constantly updated, but because of the in-house expertise needed to make sure all hardware, applications and personnel protocols are in place and working to top efficiency. Such expertise is neither something a firm typically possesses nor an area firms would like to expand, despite the fact that such is needed for them to function; as with providing medical insurance rather than building hospitals, they would prefer to vend out these requirements, which would mean moving all client data, regardless of how small the matter, to a hosting vendor that is properly certified. This would mean storing HR records in a secure environment as well.
The final amendment is one that prohibits the sale of a person's Social Security number. This amendment needs no discussion; suffice it to say that an e-commerce firm that is in the business of selling its clients' Social Security numbers has bigger problems than InfoSec.
Looking Into the Future
Many factors lead to the conclusion that sophisticated attacks on collected data, which will include data hosted by firms either in-house or through a vendor, as well as any other data kept in the cloud, will increase, and that the number of protection statutes, such as California's, with which firms will have to comply, will increase. As data sizes continue to increase (big data is another next big thing that has been around too long to be “next”), data gets increasingly centralized, whether within a firm or with a storage vendor.
As discussed, hosted solutions should provide the firm not simply with the service of robust storage for this ever-growing data, but also with InfoSec tools that the firm simply could not provide itself, without a huge investment of time and money. However, despite the considerable discussion in the legal world of the big-data phenomenon, e-commerce firms (as well as many other businesses) have treated the InfoSec threats as theoretical or simply distant. Firms that send out requests for proposal demanding “War and Peace”-sized descriptions of a vendor's IT security typically do not demand from themselves the same protective measures they demand from vendors. The possible silver lining in the Sony matter is that it may get firms to recognize that, unless they protect their in-house data as strongly as they demand vendors protect their hosted data, or simply move their in-house data to a well-protected vendor, the question for them is not whether they will be a target of a hack, but when.
Finally, if reality does not get anyone's attention, the likely increase in state laws such as California's will. Forty-seven states already have breach notification laws, but fewer have laws that, as California's does, require the breached host to pay the expenses accrued by the data holder to stop or minimize resultant damages. If incidents such as the Sony breach spark an acceleration of states amending their laws as California did, firms and all of the other businesses that host personal information will take notice.
Conclusion
President Obama's call for international cooperation and law to defeat or punish attacks such as North Korea's attack on Sony will most certainly not be heeded quickly, if at all, which means that the Internet will remain the “Wild West” for the foreseeable future: a place where everyone has to defend themselves. Such is the world of those that host or store personal information. Hopefully, 2015 will see more data hosts making smarter choices to take InfoSec more seriously.