Whither Cloud Computing?

If you’ve heard of cloud computing and all the security issues that surround it, and if you’re wondering if you should trust the security of your sensitive and confidential data to a third party service provider, well, all I can say is that you’re like the old timer who hoards his wad of cash in crumpled bills under his mattress, believing that that’s the safest place for them simply because it’s within eyesight range. It’s an old school of thought that if you can see it, you can protect it. And although we have come a long way since the system of banking was invented and we accustomed ourselves to it, we’re still cavemen at heart who would prefer to keep our valuables close by.

Arguably the most valuable asset any enterprise has today is its data; without information, it is nothing. And it must provide this data with the best safeguards there are in the business. This is why levels of security and passwords were invented, so that data is protected from prying eyes and the wrong hands. But your entire setup is only as strong as the weakest link, and here, it’s the human factor. If one employee can be tempted to compromise their principles and ethics, for money, revenge or any other reason, then it’s time to say goodbye to the usefulness of proprietary security measures. Human beings are also prone to errors, and because of that, we have data breaches through stolen and misplaced laptops or computers left unprotected through oversight.

Cloud computing is a pretty safe bet when you consider such issues – your data is not in your hands, which makes internal security lapses a moot issue. But there are other aspects that you must consider – the popularity and efficacy of the service provider you choose. Take Google for instance; the search engine giant is extremely popular, and as such, an attractive target for hackers. They know that if they target the cloud, they can bring down a host of sites with one blow. And so they’re going to try harder in their efforts to do so.

But organizations would be willing to stick with Google because they know what it’s capable of; they know that it has a reputation to live up to, and that there’s a certain aspect of trust involved when you’re putting all your eggs in one basket. Cloud computing is exactly that – putting all your eggs in one very protected basket. But if the basket does break, you’re in an unholy mess with egg all over your face! It’s a tricky proposition, deciding whether or not to go with cloud computing, a decision that your needs and budget must dictate.

The idea is still in its early stages, so we must wait and watch to see if any further security issues crop up. And crop up they will, because where there’s a target, you can bet your last dollar that there will be a hunter hidden in the bushes somewhere.

This post was contributed by Datakos guest author Holly McCarthy, who writes for the online college. Holly can be reached at hollymccarthy12@gmail.com.

Protecting Privilege — New Rule 502 mitigates the risk of inadvertent e-discovery disclosures

By Michael Kozubek

Published in the 2/1/2009 Issue of Inside Counsel.

Privilege review has been a major culprit in the skyrocketing cost of e-discovery. With hundreds of thousands of documents subject to discovery in numerous cases, attorney-client communications and work-product information frequently end up in the hands of the opposing party. Because the production of privileged documents during discovery waives the privilege, discovery teams scour through documents trying to ensure nothing slips through that could damage their case. Still, with the volume of electronically stored information, inadvertent disclosure is almost inevitable, with potentially devastating results.

“Cases have been lost in part because of inadvertent disclosures,” says Bobby Balachandran, CEO of Exterro, a legal hold and workflow software provider.

But that risk diminished when Rule 502 of the Federal Rules of Evidence (FRE 502), originally drafted by the Judicial Conference Committee on Rules of Practice and Procedure, recently became law. The new rule is designed to mitigate the expense of privilege review while protecting companies from potentially large liabilities arising from inadvertent disclosures of privileged communication.

The rule provides that privilege is not waived when privileged communications are inadvertently disclosed, provided the holder of the privilege took “reasonable steps” to prevent disclosure and to rectify the error.

Litigators celebrated the enactment of FRE 502 while warning that it is not a panacea and does not remove the need for sound e-discovery management practices.

“The new rule is welcome news for litigants,” says David Lender, a partner at Weil, Gotshal and Manges. “An inadvertent production will not result in the waiver of the privilege as long as reasonable steps are taken to preserve the privilege before production.”


New Data Breach, Privacy Bills in Congress

Richard Adhikari

One year after trying unsuccessfully to introduce legislation on data breaches and protection of individual privacy, California Senator Dianne Feinstein (D-Calif.) is trying again.

This week, she introduced Bills S.139, the Notification of Risk to Personal Data Act and S.141, the Social Security Number Misuse Prevention Act.

Bill S.139 would require federal agencies or businesses to notify both the media and victims whose personal data has been breached without unreasonable delay, although limited exemptions are allowed for law enforcement and national security reasons.

It says the U.S. Secret Service must be notified if more than 10,000 individuals’ records are breached, or the database breached contains more than one million entries, is owned by the federal government, or involves national security or law enforcement.

For more see internetnews.com.

A Mark to Market Rule for Lawsuits?

The Financial Accounting Standards Board (FASB) has proposed a new standard for public disclosure of pending lawsuits. This raises interesting legal technology and management questions for general counsels.

Reporting Rights in the January 2009 issue of InsideCounsel reports on FASB Statements No. 5 and 141[R]. These now-delayed rules would lower

“the threshold for reporting the potential loss from a lawsuit from the current ‘probable’ to anything short of ‘remote.’ …. Currently, because many loss contingencies are reasonably possible rather than probable, companies usually deal with significant litigation by describing it and stating that an estimate of loss cannot be made. That’s a far cry from the detailed liturgy FASB’s original proposal mandated, a liturgy that critics say will not only fail to work as intended, but will prejudice companies in a variety of ways.”

It strikes me that you could view the proposed FASB standard as the moral equivalent of financial mark to market rules. Failure to mark financial assets to market contributed to the current economic crisis. If corporations now have to report more financial assets at market (rather than book) values, why not also the moral equivalent for lawsuits? I wish the article had analyzed whether the mark to market debate will affect the FASB rule-making.

For more see prismlegal.com.

E-Discovery Trends in 2009 — New developments in e-discovery will affect enterprise general counsel and compliance officers, law firms serving corporate clients, and IT departments

By Christine Taylor, January 9, 2008, 12:10 PM

A few years ago, the Taneja Group coined the term “Information Classification and Management” (ICM) to describe the technology of locating and classifying data throughout the enterprise. ICM covered sub-technology sectors such as e-discovery, compliance, data security control, and data management. However, we saw the term “e-discovery” trump the more comprehensive name as rabid attention turned from ICM to the specifics of civil litigation software tools. We are now seeing the e-discovery term itself take on a fuller usage, more akin to ICM. People do use the term when talking about civil litigation, but are also expanding it to encompass compliance, corporate governance, data classification, and even knowledge management.

In this broad sense we have looked at the trends of the e-discovery market as they impact its largest stakeholders: the enterprise general counsel and compliance officers, law firms serving corporate clients, and IT.

The crux of the matter is that e-discovery and its related areas will be extremely hot for litigation and compliance, especially those related to the financial meltdown. The market increasingly understands the necessity of e-discovery software tools and systems, and will move toward proactive e-discovery adoption. A more reactive approach will remain alive and well as many companies will still avoid implementation until driven to it by a lawsuit or federal investigation. But companies will increasingly understand that the e-discovery solution phenomenon is much more than a litigation aid. It also has major effects on federal compliance and internal governance, and potentially on data management throughout the enterprise.

For more see byteandswitch.com.

E-Discovery Requirements Are About to Hit Canadian Firms

As Canadian firms brace for new e-discovery rules, they can look to their U.S. counterparts for technology lessons.

By Anne Rawland Gabriel

Time is growing short for Canadian securities firms to prepare for the scheduled April enforcement of the new Canadian National Instrument 31-103 (NI 31-103), regulation that significantly expands record keeping requirements for electronic communications. Fortunately NI 31-103 substantively mirrors U.S. regulations already in place, which means Canadian firms have the opportunity to learn from others’ experiences.

“NI 31-103 is very similar to SEC and FINRA requirements in the U.S.,” substantiates Carolyn DiCenzo, a Gartner research VP. “It’s important to remember that the spirit of the law is communications and not just one particular type of communication, such as e-mail or instant messaging.”

For more see wallstreetandtech.com.

Data breaches rose sharply in 2008, study says

Most of the lost data was neither encrypted nor password-protected

By Jeremy Kirk

January 7, 2009 (IDG News Service)

More than 35 million data records were breached in 2008 in the U.S., a figure that underscores continuing difficulties in securing information, according to the Identity Theft Resource Center (ITRC).

The majority of the lost data was neither encrypted nor protected by a password, according to the ITRC’s report.

It documents 656 breaches in 2008 from a range of well-known U.S. companies and government entities, compared to 446 breaches in 2007, a 47% increase. Information about the breaches was collected by tracking media reports and the disclosures companies are required to make by law.

Data breach notification laws vary by state. Some companies do not reveal the number of data records that have been affected, which means the actual number of data breaches is likely much more than 35 million.

“More companies are revealing that they have had a data breach, either due to laws or public pressure,” the ITRC wrote on its Web site. “Our sense is that two things are happening — the criminal population is stealing more data from companies and that we are hearing more about the breaches.”

The data breaches came from a variety of mishaps, including theft of laptops, hacking, employees improperly handling data, accidental disclosure and problems with subcontractors.

For the rest of this story, see computerworld.com.