Protection of Non-Meta Data
The focus of data and privacy attorneys is usually within the context of cybersecurity. Businesses may hire third-party services to send fake phishing emails to their employees in hopes of training them on how to properly handle such attacks. Others may employ storage techniques to ensure data is not taken off-network and exposed to breach outside their own firewalls. The handling of data on computer systems is a top concern for businesses and individuals alike. However, social engineering and the lackadaisical handling of critical information is an equal, if not greater, threat to business.
Social engineering likely has a uniform definition that most would agree on, but in practical terms, it’s manipulation. The manipulator tells the victim what they are trying to achieve, lies or makes up reasons why it should be achieved, and offers excuses for why they are unable to comply with security protocols. When I was younger, my friends and I would ride BMX bikes at the local community college. Occasionally, we’d be stopped by a staff member or security. After being told we weren’t permitted on the property, we’d try to explain that we were waiting for my sister to get out of class so we could tell her to go home because my mom needed her, or whatever poor excuse we could conjure up. It rarely worked, because invariably someone who had witnessed us jumping off the stairs would walk by and tell security what we were doing.
How a business may be vulnerable to social engineering depends on the type of information it maintains. I’ll focus on law firms, as that’s where my background lies. In personal injury matters, it is sometimes necessary to include a plaintiff’s social security number on a subpoena to a medical provider. When that information isn’t contained in our file, I have on occasion called opposing counsel’s office, usually been redirected to a paralegal, and asked them for that information. To my surprise, this strategy works with moderate frequency. Having never met or even worked with some of these individuals before, they’d read the social security number over the phone as if they were confirming a telephone number for Chinese take-out.
A dose of skepticism would benefit businesses and individuals alike. Employees should be cautioned against trusting voices over the phone before providing sensitive information, and employers should put alternative means in place by policy. A policy of verification, placing the requested information in a share-link that requires credentialed access, or making sensitive data available for pick-up only after an I.D. is presented are simple yet effective measures. This concept should not be undervalued. As technological systems increase in complexity, bad actors who aren’t as computer-savvy may shy away from malware and instead pursue exploiting a worker’s trust.
Similarly, emphasis should be placed on the protection of physical data, including usernames, passwords, account numbers, and server maps. At one of the banks I use, a teller’s station has an account and routing number on a piece of paper clipped to the side of the cubicle, in plain view of any customer who steps forward. What do those figures represent? Do they compromise the bank? A customer? I don’t know, but I’m positive the bank would rather I not know that information, and they surely don’t want me publishing or selling it online. It’s feasible the bank employee uses that information routinely and has therefore written it down for quick access, but given its location, anyone else could copy it too.
Businesses should have a policy for auditing and correcting their employees’ workspaces with respect to what is visible to the eye. There are at least three reasons for this. First, businesses may hire third-party entities to perform cleaning services in their offices. This necessarily means that non-employed personnel are traversing the office and lack any accountability to the business or its customers. Second, to the extent Employee A wouldn’t typically have access to the information of Employee B, that information shouldn’t be visible to Employee A, much less anyone else. Both internal personnel and outside visitors are a potential threat that a well-crafted privacy policy and adequate enforcement could address. Third, corporate buildings don’t necessarily have means of prohibiting anyone from accessing floors. A fire escape stairwell isn’t locked and is a good place to start if an elevator is locked by RFID. Numerous times, I’ve gone to a colleague’s office for the first time and gotten lost. Now I’m wandering the halls of a marketing firm without anyone batting an eye.
This isn’t to suggest usernames and passwords should be stowed in a vault each night when an employee goes home – just don’t make your credentials so obvious by placing them on a sticky note mounted to a computer monitor. The cost of correcting this practice is negligible compared to the risk of loss, considering the breadth of data privacy laws triggered by a breach. In conclusion: develop a policy for the disclosure of information and train staff on that policy; hide or securely store account credentials; and police internal policies.