E-Discovery & Compliance News
Brought to you by www.law.com
The word "information" may sound simple and boring, but the owners of information have access to power, money, and immense competitive advantage. It's not surprising, then, that companies devote significant time, effort, and resources to protecting their proprietary and valuable information.
Thus, all of this increased electronic activity requires larger and more detailed databases. With so much valuable information now residing in the digital space, it is crucial to understand the factors contributing to the risk of cyberbreaches. Here are five of the most common risk factors:
If it has not been done already, it would be worth your while to take the above list to internal IT and risk management professionals to discuss your company's awareness of and vulnerability to each risk, and to get a clear picture of protections that are currently in place. Your organization might be a leading data protection pioneer that has already developed a comprehensive approach to dealing with each of these contributing factors, but in all likelihood, your company has been more reactive to changing information protection risks and has not created specific, proactive plans that have been vetted by a cross-functional team.
Importantly, shareholders and lending institutions expect a robust data security program to be in place. That program, as mentioned above, should include an insurance component. Woefully, companies are increasingly finding that their expectations of being properly protected after a cyber-event fall well short, and the financial impact is far greater than expected. So it is important to highlight the basic types of coverage that can be obtained via the growing number of specialized cyber-risk insurance products. They can be separated into two major categories, with various options therein:
Clearly there is a financial and resource limitation to protecting against each and every possible data breach or cyberattack, but it is critical for organizations to develop awareness and stay informed of the evolving options for managing these risks and putting the above strategies in place.
Chicago-based kCura launched Relativity 8, adding key new features including email threading, an easier method to calculate precision and recall, and the ability to process EnCase Logical Evidence Files.
The e-discovery software maker claims Relativity's new search architecture decreases index build times by up to 70 percent and returns search results up to 20 times faster. KCura also says back-end structural improvements in version 8 accelerate document-to-document viewing while reducing server utilization.
Relativity Analytics, an add-on module, now includes email threading as well as near-duplicate detection, language identification, and automatic detection of repeated content to help users build analytic indexes.
KCura has also made improvements to its technology-assisted review. Relativity 8 supports seed sets with previously coded documents and provides the option to use a control set to calculate precision, recall, and an F1 Score or f-measure.
Navigating in Relativity 8 includes a new Favorites feature and an overhauled image viewer. The improved user interface also has new features for redactions, including full-page and inverse redactions, which allow a review attorney to select responsive content and automatically redact the remainder of a document. The new Relativity also supports tokenless two-factor authentication and has better Active Directory integration, which gives organizations more options to secure access to Relativity and provide granular content review.
Relativity 8 can directly process EnCase Logical Evidence Files (L01) and automatically decrypt files for processing and imaging. KCura has unified its application program interfaces to make for a more consistent development interface and now supports AppDomain isolation, which allows applications and custom code to run in their own sandboxes.
For more information on Relativity 8, see kCura's website.
It's not always good to be Number One. According to a newly released report from the Ponemon Institute, the U.S. is the most costly country in the world in which to have a data breach. In its "2013 Cost of Data Breach: Global Analysis" study, Ponemon reported the total cost of a breach incident in the U.S. to be $5.4 million, or approximately $188 for every exposed record.
Lost business costs, such as abnormal turnover of customers, reputational harm and diminished goodwill, associated with a data breach averaged over $3.03 million in the U.S. Notification costs are a leading driver of total breach response costs, and giving notice too soon can raise that cost even higher, according to the report. Although the most expensive breaches were those caused by malicious attacks by hackers or criminal insiders, the majority of breaches, 63 percent, resulted from either negligence or system glitches.
Costs associated with data breaches were highest in heavily regulated industries, such as health care, financial, and pharmaceutical businesses. The per capita cost was $233 for healthcare organizations, $215 for financial businesses, and $207 for pharmaceutical companies, all well above the overall mean cost of $136. Public sector organizations and retailers had the lowest per capita cost, coming in at $81 and $78 respectively.
Faced with continuing front-page stories of cyberattacks and data breaches, all entities must avoid a "who would want my data" approach to issues of data security and breaches, and instead adopt a "when, not if" mindset. The good news, as confirmed by the Ponemon study, is that implementing robust IT systems such as intrusion detection or protection systems and business processes to minimize and mitigate the risk of a data breach really pays off.
An internal risk management program, including the establishment of strong policies and procedures, training, and insurance can reduce the chances of a data breach and mitigate the damages if a breach occurs. Ponemon found that implementing solid data security practices translates into significant savings if a breach occurs. Having an in-place data breach response plan cut per record costs by approximately $42. Maintaining a strong security posture reduced costs by $34, and appointing a chief information security officer saved another $13.
Steps organizations should take to manage and mitigate the risks of a data breach include:
Review internal policies and procedures regularly to make sure they are current and compliant with the ever-changing statutory and regulatory framework governing confidential information. Forty-six states have laws dealing with notification and security requirements, and foreign laws must be incorporated into the policies and procedures of companies that do business outside of the U.S.
The policies and procedures must be distributed to, and followed by, employees.
A comprehensive incident response plan should be implemented and updated regularly. Having a plan in place before a breach incident occurs can substantially mitigate the costs and other harmful consequences of a breach.
A data security consultant should be retained to conduct a yearly security risk assessment to identify any vulnerability in processes and procedures for handling confidential data. Some laws, such as the Health Information Portability and Accountability Act (HIPAA), require periodic risk assessments.
Education of employees is critical to the success of any compliance program. All employees must be educated and trained regularly regarding those policies and procedures, and any applicable laws and regulations. Some laws, such as the Massachusetts Data Protection Law 201 CMR 17.00, mandate these types of training programs. The value of adequate training cannot be overstated, particularly in light of the Ponemon finding that employee negligence accounted for 33 percent of breach incidents.
Work closely with business partners to ensure the proper handling of confidential data. Vendors are the cause of at least 1/3 of all data security incidents, and Ponemon found that third-party error is the number one factor increasing the cost of a data breach. Contracts with vendors, franchisees, and other third parties should carefully address the issues of data security, compliance with relevant laws and industry requirements, breach response, indemnification, and insurance for data breaches.
Consider retaining a chief information security officer to serve as an in-house watchdog over data security issues.
Cyberinsurance can help organizations respond to and mitigate the potentially devastating consequences of a data breach. Most cyberinsurance policies provide invaluable assistance to help the insured respond to a breach, including first-party coverage for an attorney breach coach, forensic technicians, notification providers, credit monitoring services, crisis management professionals, and third-party liability coverage for legal defense costs and fines. Many insurers have experienced teams of professionals ready to spring into action in the crucial period directly following a breach event and to defend against any lawsuits that may arise from the breach. Cyberinsurance can provide a lifeline, particularly for small and midsize businesses that are victimized by a data breach.
As confirmed by the Ponemon study, putting systems and procedures in place to improve data security and to respond to breach incidents substantially reduces the impact and negative consequences of a data breach. The stakes couldn't be higher, but taking a proactive approach can significantly mitigate the risks.
Law enforcement is "outmanned and outgunned" by criminals using the latest technology to commit white-collar crimes, according to attorney Maranda Fritz, a former senior counsel in the Manhattan district attorney's office.
The speakers and the law firm also produce regular updates on their white-collar crime blog.