CEIC 2012: The Confluence of Law and Information Security

John M. Blumenschein

While most of the panels during the 2012 CEIC e-discovery talking track were attended primarily by attorneys, the final day was kicked off with a lively discussion that included a very engaged audience composed primarily of IT security and incident response (IR) professionals. I had the good fortune to moderate this fascinating discussion entitled “Legal Issues Stemming from Data/Security Breaches.” The panel consisted of two highly knowledgeable attorneys, Brent Kidwell, Partner and Chief Knowledge Counsel at Jenner & Block LLP, and Tom Lidbury, Partner at Drinker Biddle & Reath LLP, as well as the Director of Investigative/Legal Discovery at one of the most respected healthcare facilities in the world, Frank Krahn of the Mayo Clinic.

The discussion started off with Brent giving an overview of some high-profile breaches, as well as a statistical breakdown of who the most common perpetrators of these breaches are and how they are conducted. He also discussed how organizations face threats from both the inside (e.g., disgruntled employees, departing employees, opportunistic employees, etc.) and the outside (e.g., competitors, nation-state actors, criminal organizations), and how this dichotomy often dictates the reason for, and manner in which, breaches are conducted.

Next, they discussed entities that are particularly at risk, and two that were on the list, healthcare institutions (as holders of patient data) and law firms (as holders of client data), allowed the panelists to talk about some of the steps their organizations have taken to combat these threats. From there, they discussed some of the federal and state data breach statutes and regulations, and Frank was able to use this topic to discuss his own experience at the Mayo Clinic in dealing with one of the most widely recognized statutes addressing the protection of personal information—the Health Insurance Portability and Accountability Act (HIPAA).

One of the persistent themes of the discussion (and the one that seemed to prompt the highest number of heads nodding in approval whenever it was raised) was that of having legal and IT security/IR actively working together in order to address the issue of data breaches. Never was it more apparent than when the panel came to the topic of managing legal risk, i.e., what an organization should do to both prepare for and respond to a data breach. Some examples of preparing included developing an IR plan and team (which legal needs to be a part of), conducting audits/reviews of security, tracking/mapping data, and having a legal compliance program. Some examples of responding included properly handling and preserving evidence of a data breach, involving the organization’s legal department or outside counsel, and possibly notifying law enforcement. This led to the concluding topic of how and when to involve law enforcement, where Frank talked about his own experience at Mayo working with agencies such as the FBI and Secret Service, and what evidence needs to be presented/documented in order to ensure a successful prosecution.

The panel today prompted many interesting questions from audience members, and topics such as “bring your own device” and “the cloud” were also discussed. With their unique hybrid legal/technical perspectives and firsthand experiences grappling with the issue of data breaches, Brent, Frank and Tom provided the audience with comprehensive, nuanced and practical advice on how to deal with these ever-growing threats.