All posts in Data Security Best Practices

Law Firm Cybersecurity: An Industry at Serious Risk

Daniel Solove
Founder of TeachPrivacy

Last year, major incidents involving law firm data breaches brought attention to the weaknesses within law firm data security and the need for more effective plans and preparation. An American Bar Association (ABA) survey reveals that 26% of firms (with more than 500 attorneys) experienced some sort of data breach in 2016, up from 23% in 2015.

Continue Reading

Attorney Confidentiality, Cybersecurity, and the Cloud

Daniel Solove
Founder of TeachPrivacy

Law firm data security

There is a significant degree of confusion and lack of awareness about attorney confidentiality and cybersecurity obligations.  This issue is especially acute when it comes to using the cloud to store privileged documents.  A common myth is that storing privileged documents in the cloud is a breach of attorney-client confidentiality.  In other instances, many attorneys and firms are not paying sufficient attention to their obligation to protect the confidentiality and security of the client data they maintain.

Continue Reading

New Resource Page: How to Make Security Training Effective

Daniel Solove
Founder of TeachPrivacy

Effective Security Training

I recently created a new resource page —  How to Make Security Training Effective.  The page contains my advice for how  to make security training memorable and effective in changing behavior.

Training the workforce is an essential way to protect data security, but not all training endeavors are successful.  Poor training is akin to shouting into the void.  This resource page is designed to provide some tips and advice about training that I’ve learned from being an educator for more than 15 years.  Continue Reading

New Resource Page: Security Awareness Training FAQ

Daniel Solove
Founder of TeachPrivacy

Security Awareness Training FAQ 01

What laws require security awareness training?  What topics do the laws require to be covered?  What should be covered?  How frequently should training be given?

I recently created a new resource page — Security Awareness Training FAQ — to answer the above questions and more.  I discuss various legal and industry requirements for security awareness training.  I also discuss best practices.  I hope that you find this resource to be useful.

Continue Reading

Blogging Highlights 2015: Cybersecurity Issues

Daniel Solove
Founder of TeachPrivacy

Cybersecurity Training

I’ve been going through my blog posts from 2015 to find the ones I most want to highlight.  Here are some selected posts about security:

The Worst Password Ever Created

worst password ever created

Should the FTC Kill the Password?
The Case for Better Authentication

title image

Continue Reading

Phishing Your Employees: 3 Essential Tips

Daniel Solove
Founder of TeachPrivacy

Phishing Training

A popular way some organizations are raising awareness about phishing is by engaging in simulated phishing exercises of their workforce.  Such simulated phishing can be beneficial, but there are some potential pitfalls and also important things to do to ensure that it is effective.

1. Be careful about data collection and discipline

Think about the data that you gather about employee performance on simulated phishing.  It can be easy to overlook the implications of maintaining and using this data.  I look at it through the lens of its privacy risks.  This is personal data that can be quite embarrassing to people — and potentially have reputational and career consequences.  How long will the data be kept?  What will be done with it?  How securely will it be kept?  What if it were compromised and publicized online?

Continue Reading

PCI Training: Reducing the Risk of Phishing Attacks

Daniel Solove
Founder of TeachPrivacy

PCI Training Payment Card Data Risks

PCI Logo PCI TrainingThe Payment Card Industry (PCI) Security Standards Council recently released a helpful short guide to preventing phishing attacks.  Merchants and any other organization that accepts payment cards most follow the PCI Data Security Standard (PCI DSS).  One of the requirements of the PCI DSS is to train the workforce about how to properly collect, handle, and protect PCI data.

A major threat to PCI data is phishing, with almost a third targeted at stealing financial data.

PCI Training Phishing Statistics

According to a stat in the PCI Guide, Defending Against Social Engineering and Phishing Attacks,: “Every day 80,000 people fall victim to a phishing scam, 156 million phishing emails are sent globally, 16 million make it through spam filters, 8 million are opened.”

Continue Reading

Start with Security: The FTC’s Data Security Guidance

Daniel Solove
Founder of TeachPrivacy

FTC Start with Security 03

Recently, the FTC issued a short guide to what organizations can do to protect data security.  It is called Start with Security  (HTML) — a PDF version is here.  This document provides a very clear and straightforward discussion of 10 good information security measures.  It uses examples from FTC cases.

Continue Reading

Going Bankrupt with Your Personal Data

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

A recent New York Times article discusses the issue of what happens to your personal data when companies go bankrupt or are sold to other companies:

When sites and apps get acquired or go bankrupt, the consumer data they have amassed may be among the companies’ most valuable assets. And that has created an incentive for some online services to collect vast databases on people without giving them the power to decide which companies, or industries, may end up with their information.

This has long been a problem, and I’m glad to see it receiving some attention.  The issue arose in one of the early FTC cases on privacy about 15 years ago.

Continue Reading

Cybersecurity: Leviathan vs. Low-Hanging Fruit

Daniel Solove
Founder of TeachPrivacy

Data Security Training Low-Hanging Fruit

by Daniel J. Solove

There are certainly many hackers with sophisticated technical skills and potent malicious technologies.  These threats can seem akin to Leviathan — all powerful and insurmountable.

Leviathan 01

It can be easy to get caught up focusing on the Leviathan and miss the low-hanging fruit of cybersecurity.  This low-hanging fruit consists of rather simple and easy-to-fix vulnerabilities and bad practices.

Continue Reading

The OPM Data Breach: Harm Without End?

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

The recent breach of the Office of Personnel Management (OPM) network involved personal data on millions of federal employees, including data related to background checks. OPM is now offering 18 months of free credit monitoring and identity theft insurance to victims. But as experts note in a recent Washington Post article, this is not nearly enough:

If the data is in the hands of traditional cyber criminals, the 18-month window of protection may not be enough to protect workers from harm down the line. “The data is sold off, and it could be a while before it’s used,” said Michael Sussmann, a partner in the privacy and data security practice at law firm Perkins Coie. “There’s often a very big delay before having a loss.”

Continue Reading

Use of Encryption Is Increasing — Albeit Slowly

Daniel Solove
Founder of TeachPrivacy

old metal numbers

by Daniel J. Solove

According to a survey commissioned by Thales e-Security, the use of encryption by organizations is increasing.  Ten years ago, only 15% had an enterprise-wide encryption strategy. Now, 36% have such a strategy.

Chart Encryption Increase 01 Some other interesting findings from the survey also found, according to a ZDNet article:

Continue Reading

Cybersecurity in the Boardroom

Daniel Solove
Founder of TeachPrivacy

??????????

by Daniel J. Solove

A few days ago, I posted about how boards of directors must grapple with privacy and cybersecurity.   Today, I came across a survey by NYSE Governance Services and Vericode of 200 directors in various industries.

According to the survey, about two-thirds of directors are less than confident about their company’s cybersecurity.  This finding is not surprising given the frequency of data breaches these days.  There is a growing sense of exasperation, as if we are living in an age of a great plague, with bodies piling up in the streets.

Plague 01

Continue Reading

Troublesome Password Practices and the Need for Data Security Training

Daniel Solove
Founder of TeachPrivacy

login  password on lcd screen macro

By Daniel J. Solove

A recent study by TeleSign revealed that many people engage in some troublesome password practices. Some of the most alarming findings from the report include:

— 73% of accounts use duplicate passwords.

— Nearly half of consumers have a password they haven’t changed in 5+ years

— “Consumers have an average of 24 online accounts, but use only 6 unique passwords.”

— “Only 30 percent of consumers are confident that their passwords will protect the security of their online accounts.”

These findings demonstrate why better authentication is needed. Enforcing good password practices is tremendously difficult. People have so many passwords that they must memorize, and if they must be long and complex, this compounds the challenge.  Alternative means of authentication — such as two-factor authentication — should be explored, as they can be affordable and efficient.

Continue Reading

Law Firm Cyber Security and Privacy Risks

Daniel Solove
Founder of TeachPrivacy

Title image

By Daniel J. Solove

Law firms are facing grave privacy and security risks. Although a number of firms are taking steps to address these risks, the industry as a whole needs to grasp the severity of the risk. For firms, privacy and security risks can be significantly higher than for other organizations. Incidents can be catastrophic. On a scale of 1 to 10, the risks law firms are facing are an 11.

This is not time for firms to keep calm and carry on. The proper response is to freak out.

Continue Reading

The Worst Password Ever Created

Daniel Solove
Founder of TeachPrivacy

worst password ever created

by Daniel J. Solove

People create some very bad passwords. In the list of the most popular passwords of 2014, all of them are terrible. Just look at the top 10:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. Qwerty
  6. 123456789
  7. 1234
  8. baseball
  9. dragon
  10. football

Continue Reading

The Most Alarming Fact of the HIPAA Audits

Daniel Solove
Founder of TeachPrivacy

hipaa audits 1

law blog 2

by Daniel J. Solove

Are privacy and security laws being enforced effectively? This post is post #5 of a series called Enforcing Privacy and Security Laws.

Under the Health Insurance Portability and Accountability Act (HIPAA), various organizations can be randomly selected to be audited – even if no complaint has been issued against them and even if there has been no privacy incident or breach.

What the audits thus far have revealed is quite alarming. I’ll discuss more on that later.

Continue Reading