Edward Snowden has become a household name in the United States and around the world for disclosing the National Security Agency’s warrantless collection and use of telephone records.[1] Above and beyond the national security dialogue and 4th Amendment debates, I think the Snowden affair presents a cautionary tale to any business when it comes to safeguarding sensitive information, be it customers’ personally identifiable information or company intellectual property. What transpired with Snowden can take place at any company doing business today, and the prudent CEO would do well to take notice of ways her company can safeguard against similar risks. Here are but a few things to consider in light of the Snowden matter.
People
Technology gets all the attention and I will discuss it here, but data privacy and security begins and ends with people. Snowden was a civilian government contractor to the NSA, one of hundreds, maybe thousands. A company’s greatest resource is its people. Conversely, they also present the company’s greatest risk.
- Contractors and Third Parties. Depending on the nature of the relationship, a company should have policies of varying degrees to manage the risk associated with contractors (non-employees), including what work is reserved exclusively for employees and what can be assumed by contractors. The policies should include background checks, access permissions and contractor agreements with the individual or the individual’s sponsoring company. Such agreements and policies should include clear requirements for what is acceptable and unacceptable work practice and use of information. Furthermore, a company should demand from contractor companies the same level of information security and privacy compliance it provides itself, including assisting the company in mitigating any harm resulting from a breach or other act by the contractor or its personnel. Snowden’s employer is currently under scrutiny for past breaches and what it should or could have done in the Snowden matter.
- Employees. The truth of the matter is that employees can be just as much a risk as contractors. In many cases, the benefits of having long-term employees with detailed knowledge of the company and its practices are counterbalanced by the risk that comes with people having such knowledge (or too few people holding that same knowledge). This is to say nothing of the risk that comes from such veteran employees’ comfort and familiarity leading to a lapse in following established security practices. In other words, long-time employees know all the “short cuts” from legacy systems and policies, and often may think the new policies “really do not apply to me.” Companies should have clear policies and procedures for all employees and regularly train and audit compliance with those policies and procedures to make sure employees are not letting the horse out of the barn (intentionally or unintentionally).
Access Control Policies
- People. Companies should limit access to physical offices, suites, conference rooms and storage areas in line with an employee’s or contractor’s business duties. Just because someone has an ID badge does not mean they should have access to every room in the building. People should have access to physical space in accordance with their business duties. Additionally, companies must have the ability to terminate such access at a moment’s notice. Centralized access control is essential, especially in the ever-expanding work space of today’s offices.
- Technology. Likewise, companies should limit personnel access to information based on the employee’s or contractor’s “need to know.” A secretary or customer service associate often does not need the same information access as a CEO or IT manager. Information technology “doors” should be locked and monitored the same way as those to any office suite. Again, centralized control is essential.
Mobile Devices
- Authorized company devices. Companies should know which devices are accessing their networks and information, and have centralized control of such access. This should go without saying. However, in the rush to get more work out of employees in more locations at every time of the day, mobile devices are often implemented quickly and security is considered after the fact. At a minimum, safeguards should be in place to ensure that mobile devices authorized to access the network likewise have the necessary protections in place, from password requirements to encryption at the device level. Centrally, the company should have the ability to track a device and wipe it clean if it is lost or stolen. Lastly, let’s not assume mobile devices only mean cellular phones, smart phones or tablets. Thumb drives, like those often used in corporate espionage and, yes, even by Mr. Snowden, are mobile devices too. Companies should decide how such drives will be used, if at all, and implement the necessary administrative and technical safeguards to control the downloading of information off fixed computers.
- Bring Your Own Device (“BYOD”). Now, take everything from the authorized company devices point above and triple it to account for the risk, operational requirements and forethought required to enable employees or contractors to use their personal mobile devices on a company network. Furthermore, administrative and technical policies need to be updated and enforced to ensure proper use of such devices, to define what privacy an employee or contractor can expect, and to settle who owns what.
Information in Use
- Types of Information. Organizations need to understand what information they truly need for business purposes (current and prospective) and what information should be disregarded, if not collected in the first place. Administrative and technical policies should be implemented to support the use of information in accordance with those business purposes while providing the controls needed to avoid improper use.
- Minimal Use. Once a company decides what information it needs (now and in the reasonable future), it must implement the necessary controls to limit the amount of information to the minimum necessary to complete any transactions. Do you really need someone’s phone number or address to let them purchase batteries? Companies should know by transaction level what sensitive information is truly needed and what is “nice to have.”
- Clear communication and transparency. With the types of information defined and the minimum use principles in place, a company’s policies must be drafted or revised accordingly. This includes external, customer-facing policies in plain language detailing how information will be collected, stored, used and shared. Such transparency leads not only to a better response in the face of a breach; it engenders more trust with customers and regulators alike.
Culture Change
Lastly, implementing good information security practices involves a departure from old habits, especially in established companies. There is often fall-out and hurt feelings when such access control partitions and personnel policies are put in place with any security program, especially with long-time employees losing access they previously had. However, such allocation and control of access mitigates the resulting harm when a breach takes place. There is no way around it. Good information security risk management often comes down to numbers: the fewer people with access, the smaller the chance of someone breaching information security. With the tools available today, such controls can be put in place cost-effectively, often transparently, and with increasing flexibility to adapt to the next threat(s).
As with any blog post, it is not possible to cover everything implicated by such a high-profile breach. But a situation like this brings the critical points to the forefront and provides an opportunity for proper reflection and evaluation. To be sure, a company does not need a breach or issue rising to the level of the NSA scandal to find itself in hot water with its customers and the press. In the end, every company needs to understand the information it possesses and the information it truly needs to be viable or competitive. A company needs to understand and communicate its information management practices, make sure employees and contractors comply with that understanding, implement and enforce policies, and communicate openly and honestly with its business partners and customers. Doing so puts a company in the best position possible to respond to a breach when (not if) it happens.
[1] O.K. Let me stop and say, like everyone else, I was offended, outraged and concerned about where we are headed with this balancing of security and privacy. As a citizen, it blows my mind when I see this kind of stuff. But, then I have to stop and remind myself, as an attorney, this is all legal. People always ask me what I think about it and say, “Surely there must be a law against this.” Well, this practice, like many conducted by the government and indirectly by large purveyors of information, is sanctioned by your U.S. Congress on an annual basis. Recent bills trying to implement controls on such surveillance were killed in the House of Representatives in a rare bi-partisan effort. We’ll discuss this debate about federal privacy law next month.