Where's My Data? 5 Important Places to Look for Starters
Even when data is being handled by well-regarded service providers, poor planning or a lack of user awareness can lead to serious breaches from seemingly secure systems.
May 01, 2018 at 08:00 AM
If your law firm is thinking about adopting cloud-based workflows, one of the first questions you are probably asking is, “How will I get my documents into the cloud quickly and securely?” That's a good start, and we've worked with many Am Law 100 firms and managed service providers in the legal industry to help make sure that even huge amounts of document and video data get where they need to go quickly and securely.
But in doing so we have seen another key question that is often overlooked: “Where is my data?” This question does not just apply to cloud workflows. Even if your firm is not officially using any cloud services, the odds are very good that sensitive client documents are in cloud storage right now. Figuring out where your data is, and how to keep it from going places it shouldn't, is critical to maintaining client security and confidence regardless of your cloud plans.
The legal industry, in particular, tends to involve a lot of ad-hoc data movement and personal devices. Documents frequently move between attorneys, assistants, clients, and all their various devices with little or no formal control over methods or services. This can lead to unintentional data leaks which can be difficult to predict and impossible to track. Even when data is being handled by well-regarded service providers, poor planning or a lack of user awareness can lead to serious breaches from seemingly secure systems.
Here are a few areas where data leaks can hide:
Email: Email is the most popular way to exchange legal documents, especially between attorneys and clients. Obviously, there are concerns about the security of the email servers and systems themselves. Every time an email passes through a server or device, a copy is left behind at least temporarily. But a much more common source of email leaks is user error. One wrong keystroke can instantly turn a sensitive document into a public document. Worse, email tends to be persistent and accessed from multiple devices, meaning that a leak can easily occur months or years after a document was last handled.
Automated Backups: Everyone knows they should frequently back up every computing device they own. Many of these backups occur automatically, sometimes within minutes of new data appearing on a device. Most find their way into cloud computing systems. If, for example, an attorney views a document on their desktop, phone, and laptop, then not only are there copies on those devices, but also copies on all of those devices' backup systems. Backups from personal devices may place sensitive data on insecure or poorly regulated systems.
Legacy Backups: Once a document has been backed up, it may be nearly impossible to delete it. Depending on the service or media, snapshots of a system may persist for years. Cloud systems have their own internal backups and redundancies, creating further copies. Deleting a file may remove the most immediate version from some backups, but earlier versions may persist without a concerted effort to purge them. Even then, the best backups are kept offline where they may persist indefinitely. Once a document moves into a consumer cloud service like Google Docs or iCloud, you can never really be sure you've deleted it.
Geographic Redundancy: Whether as a backup or part of an information service, once a document leaves your device it could be going anywhere in the world. This can create jurisdictional problems, since the data may end up being stored in regions that are subject to governmental intrusion or simply lax controls. As a direct customer of a cloud service vendor, you are likely to have disclosure and control over where the data you explicitly store is located. But data that leaks into other systems may propagate around the world, making it impossible for you to certify which jurisdictions actually have access to any given document.
Hardware Disposal or Theft: A stolen laptop is an obvious problem, but what happens when a service provider simply upgrades their equipment? Are those hard drives securely wiped, or do they end up in a used-equipment sale on eBay with your sensitive documents included? Here again, the good practices and intentions of reputable providers may be defeated by unintentional leaks through personal devices and media. For example, whatever happened to that USB thumb drive that your assistant used to carry scanned documents between the office copier and your desktop?
Each time a document is stored somewhere, even briefly, it may be subject to all these forms of replication. For example, a temporary copy of an email copy might be backed up to a sub-contracted cloud provider and then replicated to a foreign jurisdiction where a decommissioned hard drive could be resold to anyone in the world. None of those steps should happen, even in a well-controlled environment, but there is nothing to prevent any or all of them from happening.
If you are getting the idea that you might as well assume any data that leaves your physical control could end up anywhere in the world, you are absolutely correct. Awareness of these problems, strong user education, and clear policies for document handling can help. But information systems exist to make communicating data easy, and that means policies alone can't keep your documents under control.
Fortunately, there is one way to keep sensitive data safe: encryption. Storage encryption is often overlooked or poorly considered. It is not like transport encryption, which is mostly just on or off thanks to standards like TLS and IPsec. Encryption of documents at rest requires careful key management, and a solid document tracking and management system. Combined with knowledge of the leak vectors above, such a system can ensure that even if data leaks, it is still secure, because the data itself is worthless without the keys, which are much simpler to control than the documents themselves.
Most cloud vendors offer a variety of encryption options, but keep in mind that if the vendor is managing your keys, then you are only protected against compromise of their physical storage media, not against compromise of the account credentials or applications. For comprehensive security, seek out document management systems capable of addressing the entire list of potential data leaks. For help getting your data quickly and securely into those systems, the cloud, or anywhere else, seek out data transport acceleration software that is capable of working within document management workflows.
Seth Noble, PhD, is Founder and President of Data Expedition, Inc. and the creator of the patented Multipurpose Transaction Protocol (MTP) technology. He has a dual BS-MS degree from Caltech, and a doctorate in computer science from the University of Oklahoma for work developing MTP.
© 2024 ALM Global, LLC, All Rights Reserved.