About that information leak: It’s coming from inside the organization
Law firms are often considered a soft target when it comes to data security: one in five law firms was hacked last year and six major law firms were hacked in recent history.
Law firms are high value targets because they hold troves of clients’ most sensitive information, such as trade secrets related to future product plans, sales and marketing strategies, privileged and confidential information, regulatory filings, NPI, PHI, PII, and more. According to a recent Ponemon Institute research report, more than 30 percent of data breaches come from inside the organization. To remain competitive and comply with data regulations, law firms need to do more to protect client data and close existing security gaps inside and outside the organization.
This was the topic of the recent OpenText™ eDOCS user group hosted by Kasowitz Benson Torres LLP. The user group, comprising major corporations and law firms, focused its discussion around the latest eDOCS Defense security enhancements to help organizations implement data security measures. In keeping with that discussion, let’s take a look at direction from regulatory bodies and the courts, and best-practices data security features to look for to lock down data at the document level and pre-empt a breach.
Direction from regulatory bodies and the courts
Protecting data has becoming increasingly challenging amid stricter regulation. Organizations are no longer just required to announce that their systems have been breached, but also may have to pay fines up to four percent of their annual turnover if data belonging to European Union citizens are involved, in accordance with the General Data Protection Regulation (GDPR).
Add into the mix stricter U.S. regulatory oversight, such as the Health Insurance Portability and Accountability Act of 1996, HIPAA Privacy Rule and the HIPAA Security Rule which require, among other things, covered entities ensure the confidentiality, integrity and availability of all electronic Protected Health Information (ePHI) created, received, maintained or transmitted, and ensure compliance by their workforce. Or consider, on a state level, New York’s Department of Financial Services (NY DFS) cyber regulation. This regulation requires DFS regulated entities to adopt the core requirements of a cybersecurity program, which includes meeting application security requirements (presumably to detect and mitigate a breach).
Even the courts are weighing in on data security, with one recent court decision holding businesses liable for not taking “reasonable” steps to ensure information is protected, including encryption. See Dittman, et al v. UPMC, et al, 2018 PA Sup Ct. W.D. 17. This follows earlier suits involving Sony (In re: Sony Gaming Networks and Customer Security Breach Litigation, in which the U.S. District Court for the Southern District of California recognized the legal duty to provide security, including encryption), Home Depot, Adobe and others. These cases have set precedence for future lawsuits.
Best-practices security features
Given stricter guidance on data security, law firms and their clients are adopting legal content management platforms that offer additional security layers that protect data at the document level itself (not just the device level). This goes beyond features such as two-factor authentication, metadata security and informational transmittal via secure socket layer (SSL), and authorizing user access, sharing, editing and viewing of documents. Available technology, such as OpenText eDOCS and its document security module, OpenText™ eDOCS Defense, offers additional protection at the document layer, thus pre-empting an internal data security breach. Not only are these layers increasingly considered best practices; in some regulated industries, they may in fact be required.
Here’s how to close the security gap left by encryption at the device level and pre-empt and internal breach with monitored activity alerts.
- Document level encryption at rest
Roughly 25% of internal data breaches are from system administrators that have access to the back-end databases. Unlike encryption at the device level, where sensitive information can still be viewed via server access, content management systems such as OpenText eDOCS and the eDOCS Defense module delivers document level encryption at rest. This ensures that not even system administrators can see the contents without authorization from the eDOCS user interface. Whether in the cloud or off-cloud, data is protected at the document level, and when content is backed up, the documents are encrypted on the backup media. If the media is stolen, the content is still encrypted.
- Activity alerts
Irreparable damage already may have occurred by the time a data breach is uncovered; the industry average is nearly 200 days from incident to discovery.[1] With OpenText eDOCS Defense, organizations can identify a potential problem as it occurs by sending templated alerts before and after sensitive information has been locked down, to further mitigate the risk and cost of a data breach, and even safeguarding information from authorized users. Alerts are flexible and configurable (e.g., detecting user activities that may indicate a data loss, such as the deletion of multiple documents, or the checking out of multiple documents outside of business hours), and can be sent to designated individuals at various stages of a potential breach. These warnings can pre-empt a breach, lock out a user when they breach a rule, limit damage and, with stored system logs, can help organizations easily meet required regulations.
With a growing number of data breaches initiated internally, achieving complete security of sensitive data, along with meeting regulatory requirements, requires new and tighter levels of security — which increasingly include measures to protect against internal data breaches.
The post About that information leak: It’s coming from inside the organization appeared first on OpenText Blogs.