Thoughts from the RSA Conference
As the partners of InfoLawGroup make our way through the sensory overload of the RSA Conference this week, I am reminded (and feel guilty) that it has been a while since I posted here. I have good excuses - I have simply been too busy with work - but after spending several days in the thought-provoking environment that is RSA, I had to break down and write something. A few observations, from a lawyer's perspective, based on some pervasive themes:
- We all need to work together, and we can. Legal, Information Security, Privacy, Compliance, IT, and the affected business units. Now more than ever, it is essential that ALL the stakeholders join forces, as early as possible, to address security and privacy risks, assess and vet business deals, and put in place appropriate procedures - RFPs, due diligence, contract negotiation - to address the risks.
- Cloud, cloud, cloud, yada, yada, yada. Hold up - the technology is not new, but usage and the business model have changed dramatically. I have been having this argument with my information security and technology friends for months. OK, I get it: "cloud" technology in some form or another has been around for 30 or 40 years. What is new is the massive scale and availability, and the changes in usage and the business model, driven in part by the economics. Guess what? Those business model changes make the legal risks even more pervasive. Going back to the first point above, all of the stakeholders need to be in the room (or on the phone or videoconference) discussing the issues BEFORE the decision is made to enter into a cloud arrangement. ANY cloud arrangement. Not after the RFP is issued. Not after IS does its due diligence. Not after the contract negotiations have begun. And not after the contract is inked. The same due diligence and attention to risk that would apply to a traditional outsourcing or offshoring relationship must be applied here, too. The cost savings are illusory if the short-term or long-term risks are significant. Think about the kind of data at issue. What are the risks? Evidence preservation, data security, breach response, enforcement rights, indemnification. And before we even get to those: can the data be transferred across borders in the first place? Think about it early. And then talk about it before decisions are made.
- Privacy is the next frontier in Information Security. Wait, what? I have to admit that my initial reaction to this was - seriously? Privacy regulations have been here for some time. That's true, and the privacy profession has been growing for the last 10-15 years. But the privacy profession is in its infancy as compared to information security and IT. Why is the privacy profession growing? In part because the regulatory environment has exploded. But Information Security and Privacy care about the same thing -- data management and governance. We can help each other find creative solutions to mitigate risk.
- The regulatory scheme is becoming more complex, at breakneck speed. What regulations do information security professionals and the businesses they serve need to understand and address? Many - international, federal, state, and local. And things are changing constantly. Just this week the Massachusetts data security regulations became effective. And last week the FTC filed its notice of appeal of the District Court's ruling that the FTC cannot apply the Red Flags Rule to attorneys.
Information Security and Privacy, together with Legal, should consider all potentially applicable laws when evaluating security risks. What are those laws? Depending on your industry and where your customers and employees reside, the list might include the FTC Act, GLBA, HIPAA (including the HITECH Act), state data security laws (such as the new Massachusetts data security regulations and Nevada's encryption and PCI law), Sarbanes-Oxley, the Red Flags Rule, the FACTA Disposal Rule, ECPA, E-SIGN, FERPA, the Federal Rules of Civil Procedure and Evidence, the PATRIOT Act, PIPEDA, the EU Data Protection Directive, EU member country laws, other foreign laws across the globe, state breach notification laws, and Social Security number protection statutes. And there are many more. That is not even getting into contractual standards such as PCI DSS.
- Lawyers need to embrace technology. I was fortunate enough to attend a CLE last week, pre-RSA, hosted by the Entertainment Law and Intellectual Property Section of the Los Angeles County Bar Association. Roland Trope, who moderated the panel on social networking issues, raised a tremendously important question: Are lawyers "competent" if they do not keep track of, and understand, changes in technology? The ABA is considering changes to the Model Rules of Professional Conduct to address this question. Some take the position that no changes are necessary and that the requirement can be read into the existing Rules. In any event, what better place than RSA to reflect on that question, and on the future of the legal profession and its relationship with technology?
That's it for now - back to work, and preparing for my next cloud presentation tomorrow. In the meantime, I encourage our readers - the lawyers, the information security professionals, and the privacy professionals - to weigh in.
Good report on RSA...
Glad there are others out there that know/understand that cloud technology is not new, just a remarketing effort.
I have to disagree about Information Security and Privacy caring about the same thing. A Privacy Breach is a failure of Information Security. If I have a knife and stab someone, that person bleeds. Bleeding is not the problem that needs to be fixed, it is a symptom. The person needs armor, to prevent the knife from going in. If the knife is ineffective, the armor wins out, the person remains protected.
In our situation, the enterprise is the body, the bleeding is a privacy breach.
Information security goes back 4000 years. It is Information technology or information systems security that is new.
In David Scott’s words, everyone needs to be a mini-Security Officer in the modern organization today. I think Mr. Scott is right: Most individuals and organizations enjoy Security largely as a matter of luck. Anyone else here reading I.T. WARS? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS – check out a couple links down and read the interview with the author David Scott at Boston’s Business Forum. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium).
Re: Cloud, cloud, cloud
I think it is an oversimplification to say that this is simply old wine in new bottles or as Schankin puts it a remarketing effort.
I think there is a qualitative difference between timesharing on an IBM mainframe or DEC VAX served by private data lines, and today's cloud offerings where everything is connected via the internet, with all its inherent vulnerabilities, and organizations rely on distributed applications as diverse as Google Apps and Salesforce.com. In addition to the privacy/information security conundrum, which you have captured very well, there are issues of reliance on external providers and formats, vendor lock-in, disaster recovery, service levels and many other risk factors which need to be addressed.
Thanks for the excellent summary.
Great post, Tanya. Many of us in "privacy leadership" roles have been saying for years that the inclusion of the term "privacy" in an executive's title can often hinder his or her success, due to role ambiguity and the perception that "privacy" is unavoidably an impediment to certain core business activities. Michael McCullough and I, working together at IBM several years ago, tried to promote a transition to an alternative term, such as "Data Governance" or "Data Stewardship". More recently, I've tried to coordinate privacy, compliance, IT security, and records management programs under a global "enterprise information management framework", overseen by a cross-functional group of senior executives (the "Privacy and Information Risk Council"). This then aggregates perspectives and supporting data on information risks, opines on sufficiency of existing controls and potential mitigations relative to current strategy, and presents this as a unified "risk portfolio" to the Board or other relevant governance body. I don't see any other path to success, long-term. I know Nuala O'Connor Kelly has been doing related and innovative work at G.E., calling the effort "Information Governance". The next few years will be very interesting, as the information risk field continues to mature, and the "privacy officer" role either morphs into one that, like any other, is expected to deliver demonstrable value to the business (whether through verifiable risk avoidance, or otherwise), or is folded into another function with a business mission that can be more clearly understood.