by Paul Rudo on 09/12/10 at 6:58 am
Benjamin Wright is an attorney based in Dallas, Texas. A graduate of the law school at Georgetown University, he has been practicing law since 1984.
Since 1988, he has focused on technology law, including privacy, e-commerce, data security, cyber investigations and e-records management. On these topics, he advises organizations around the world (corporations, governments, non-profits). He is also the author of numerous tech law books, including “Business Law and Computer Security” published by the SANS Institute.
Benjamin maintains an active matrix of blogs accessible from benjaminwright.us, and also teaches a data security course at the SANS Institute.
The SANS Institute is one of the premier outfits for educating IT security professionals. Under SANS he teaches an intensive 5-day course called “The Law of Data Security and Investigations.” He teaches security professionals, investigators and lawyers how to perform their jobs better in a tsunami of fast-changing law and technology. Ben addresses such topics as how to draft security policies, technology contracts and investigation reports. The course covers crime, ethics, evidence, property, liability and more.
How has the WikiLeaks controversy affected you personally, in your line of work?
I have been preaching for some time that it is increasingly difficult for any kind of organization to keep a secret. Before WikiLeaks, I was using Climategate (leaked emails at the University of East Anglia) as my blockbuster example. When one is trying to really wake people up to a danger, it helps to have a current, very famous example. The present WikiLeaks controversy fits that description. I referred to the WikiLeaks story just last week when teaching CPAs in North Carolina.
What are some of the main privacy laws that businesses should be concerned about, and what do these laws require of businesses?
Virtually all businesses and other organizations are now operating on a global basis because they have at least one web page. All organizations are interacting with people around the world.
Viewed from a global perspective, privacy law is an absolutely massive topic. It’s a massive topic even if you confine your view to just the US. Legal expectations for privacy have been rising quickly in the past decade.
Example US laws are HIPAA in the healthcare field, Gramm-Leach-Bliley in financial services and the many state laws requiring data holders to notify individuals if the security of their private data (such as name plus social security number or credit card number) is compromised.
A major law in the European Union is the Data Protection Directive, which requires that sensitive personal information be kept secure.
Generally speaking, privacy laws around the world are giving all data holders increased incentive to protect private individual information.
And as a general rule, organizations around the world, especially the US, are increasingly required to notify individuals if the security of their private information is compromised. Hence today many data breach notices are mailed to consumers around the country every day.
I could write a whole book on privacy law, but I’m not sure what you are looking for. Please let me know what more you need on the topic.
Can you please explain “Contracting for Data Security”?
Often data holders like insurance companies or hospitals will outsource data management to third party data processors. The data holders can take a number of steps under a contract with these third parties to get more assurance that sensitive data will be protected. One example: require by contract that the data processor have a proper security policy and periodically get certified by an auditor that the processor is complying with the policy.
What steps should companies take in establishing a cyber security program within their organizations?
This is a massive topic. The SANS Institute offers dozens of courses on different aspects of cyber security programs. Obviously, companies need security policies, security technology and the services of trained/supervised security professionals. I can say more if you can tell me more specifically what interests you.
Let’s talk for a second about how an organization can avoid the kinds of leaks that the US State Department has recently suffered at the hands of WikiLeaks. For corporations, the type of information at risk of leaking is trade secrets, such as product plans or financial records. On that topic, here are suggestions:
- Reduce the quantity of information you need to keep secret. If you don’t need sensitive information, don’t collect it. If you do collect and store sensitive information, get rid of it as soon as you can (keeping in mind that certain laws punish organizations for destroying records prematurely).
- Strive toward more openness and transparency. If you reveal lots of information about your company as soon as possible, you have fewer interesting secrets that can leak out.
- Have employees sign non-disclosure agreements. Better yet, cultivate in employees a belief that you are an open and transparent organization that reveals information about itself as soon as possible. Help employees feel that the little bit of information you keep secret is justified. Periodically educate employees about secrecy, and interview them on the topic as they exit the organization.
- Label secret records as “confidential.” The law is more likely to enforce confidentiality when data have been marked as confidential.
- Tell employees that you have a program for monitoring their access to data and their activities on company IT equipment. But don’t tell employees details on all of your monitoring activities. By keeping employees in the dark about the details of your monitoring, you keep employees guessing about how the company might catch them if they abuse data. If you keep them guessing, they are deterred from stealing or leaking the data.
- Post no-trespassing banners on web sites and network systems to warn snoops away. The banners should warn snoops that they are not entitled to your data, that you are monitoring them and that you give the fruits of your monitoring to law enforcement.
- Maintain a credible hotline (phone number, email address) so that employees, vendors, customers and others can complain about problems and legal/ethical lapses at your organization. If employees have a place to complain, and see that complaints are investigated and remedied, then they are less likely to take matters into their own hands and become whistleblowers who leak to the media or the Internet.