Protecting your data during remote working hours
Ed. Note: This is the latest in a series on changing legal practice. Click here for the previous installment.
As the world lives online more than ever due to the COVID-19 pandemic, privacy is becoming an increasingly serious issue.
Above the Law recently spoke with Kelvin Coleman, Executive Director of the National Cyber Security Alliance, for an insight into the many issues surrounding data security and privacy.
Coleman has two decades of cybersecurity experience, having held positions in the White House and the US Department of Homeland Security, as well as in the private sector.
Here he sheds light on biometrics, the regulatory landscape and how long-standing tactics such as “phishing” remain an ongoing threat.
This interview has been edited for length and clarity.
ATL: Because everyone is talking about the pandemic, we’ve heard a lot about biometrics and protecting people’s privacy in relation to this type of data. Is something happening on this front?
Coleman: The pandemic brought telehealth, telemedicine and biometrics to the fore, but we knew before the pandemic that we had to protect this information on two levels.
One of them is the cybersecurity level. This means that you want to make sure that any information you collect is safe from malicious actors so that they cannot break into your systems to get that information.
The second point about telehealth and telemedicine is that certain people can treat your information like money, right? Health information is of tremendous value to bad actors. That’s why we’ve really encouraged individuals and businesses to treat information like money and protect it for their businesses.
ATL: Remote work has exploded. Has this brought any particular privacy concerns related to remote work technology to the surface?
Coleman: It only expanded what we were already fighting against. Cyber attacks were already taking place, but they increased by at least 200 percent with the pandemic. Some might be scammers saying, “Hey, click here to find out more about the appeal,” right? Or click here to learn more about vaccines, or click here to find out where you can be tested.
When a natural disaster happens on a national level, bad actors will use this as an opportunity to hurt people. This activity has increased in many ways.
[In the past few years] We have seen a number of massive data breaches affecting remote operational structures – healthcare, schools, things like that. What the bad actors are getting right now is a purposeful environment because so many people work from home. They may have a chief information officer or network administrator to help them protect this information.
For the students, they are all for their own safety. So it has changed, but only in the sense that you are seeing so much more activity.
ATL: So the types of attacks are the same, but they are more common?
Coleman: That’s true. When I speak to reporters and others, they want me to tell them about the great, shiny, new threat that is out there.
And I hear crickets when I mention phishing. But it works.
Why change tactics, tools, or techniques when they work? And so, phishing for bad actors is still at the forefront, especially in times of COVID.
ATL: Given the target environment, are there best practices based on remote work structures that companies can use to make their remote work devices as secure as possible?
Coleman: Absolutely. And again, it’s not as exciting as you’d expect.
First, passwords are still relevant. Having a robust alphanumeric password is an important step in preventing bad actors from completing their mission to get onto your network.
Second, multi-factor authentication gives you a lot more protection.
Third, make sure you update your machines and devices. You need to keep up with the latest updates. And these things usually come automatically. If you need to click Update Now, we recommend that users make sure they do.
I think those three things alone can have a huge impact on making you less of a target. You are 40 percent less likely to be attacked.
ATL: Suppose you were playing the role of a legal advisor to a company and had to go to the top and say, “This is what we should do to protect privacy.” What kind of advice would you give?
Coleman: Three things come immediately to mind to reduce the risk of attack.
Insurance policies are one of them. They’re pretty important in the event a breach occurs. Would your policies cover ransomware payments, damage to digital assets, etc.? And for law firms, they have personally identifiable information about their clients, information that clients don’t want others to know. Hence, it is very important to review these insurance policies.
Two, [companies and law firms] need to develop and implement a cyber attack protocol. Having an effective incident response procedure is critical to businesses. You need to make sure that you are prepared.
Third, testing your cyber attack protocol is very important. You can hire a certified ethical hacker to conduct routine company audits, simulate a cyber attack and identify vulnerabilities.
These three things alone are important, but I have a few other things they could do, including storing data on-site and inventorying digital assets.
We know this from the Capitol Rebellion, right? If the offices never took an inventory of their digital assets, they wouldn’t know what’s gone. When something happens, whether physical damage or some type of data breach, you need to know what to account for.
[You also need to] Train your employees to cultivate a culture of cyber hygiene and education. Make going through cybersecurity responses, protocols, and threats a part of company culture.
Any company that believes it is not a potential target for hackers is mistaken.
ATL: Do you think it’s important these days for companies to have a dedicated data protection advisor? Do you recommend people create these positions?
Coleman: The short answer is yes, but that’s not surprising coming from the Executive Director of the National Cyber Security Alliance. Better protecting data every day and all day is a smart move.
And you know, for larger companies, this may not be a problem at all. You can do that in no time and you probably already have these positions. But I’ve talked to small firms that have tried to get a head start like everyone else. And I realized that one data protection officer can serve and help several small businesses.
But the short answer? Absolutely. I fully support this goal.
ATL: California’s new law, the Consumer Privacy Rights Act, has a separate data protection authority, and California is often a trendsetter when it comes to law. Do you think independent regulators and stricter data protection regulations are the way forward? Do you think something like this will be nationwide anytime soon?
Coleman: Absolutely, we’ll see. [Laws have been passed] in Washington, Michigan, and I think in Texas. So California leads the way, and we see other states do the same.
[During the NCSA’s recent Data Privacy Day event] I spoke to Senator Marsha Blackburn (R-Tennessee, co-sponsor of federal privacy laws) and we talked about how it’s nearly impossible for companies to break the various laws. I think Congress will step in or step up at some point to say, wait a minute, maybe we should have national law or legislation to make companies meet one standard rather than 50 different standards.
I look forward to the interview and am very encouraged by the public-private collaboration in this area. Now there are sure to be some conflicting views for the private sector and government to deal with, but it is a big change that the conversation is taking place.
ATL: What are the issues everyone is talking about in connection with data protection?
Coleman: Education. I think it’s very important that people understand exactly what privacy is and what information needs to be protected, but it’s also a generational thing, right?
When you talk to Millennials or Gen Z or Gen X, these people have different views on privacy. And we’ve seen that over and over again.
We need to make sure people understand what this conversation is about because to make an informed decision you need to have the right information. Like I said, [data privacy] is divided into three categories: products, processes and people in a particular case. I think we have to focus a lot more on the human part, on education and awareness. That is certainly the biggest piece in my head.
ATL: When you talk about the younger generation, are you referring to their willingness to be open about their personal information? Do they not even seem to think about it?
Coleman: Yes, and I am a perfect example. When I go out, I usually turn off the tracking. You know, the mechanism [on a smartphone] that can help you get better deals or get a suggestion for a good restaurant.
My daughter, she enables it because she wants her friends to know where she is and for suggestions. And of course we had family conversations about how to be safe with it and how to use it wisely.
However, we have different views on data protection. Probably the younger you are, the less interested you are in anything like that.
Elizabeth M. Bennett was a business reporter who switched to legal journalism while covering the Delaware courts, a beat that inspired her to study law. After spending a few years practicing law in the Philadelphia area, she retired to the Pacific Northwest and returned to freelance reporting and editing.