23 August 2015

Legal Risk: The Insider Threat from Outside Counsel...

What will the "New Normal" be for the United States in the era of increased scrutiny on privacy law, civil liberties and the continuous quest for the security of the Homeland? Operational Risk Management (ORM) professionals are ever more focused on "Information Operations" and counterintelligence functions while simultaneously working side-by-side with their own General Counsel. The laws in each state are changing and being updated as the Federal legislation stalemate continues:
Connecticut Updates its Data Security Laws, Imposing Stringent New Requirements
By Ellen Moskowitz on July 15th, 2015, posted in Legislation

On June 30, 2015, the Governor of Connecticut signed into law S.B. 949, “An Act Improving Data Security and Agency Effectiveness.”[1] The new law updates Connecticut’s data security laws, including by adding a 90-day hard deadline for data breach reporting, requiring companies in some cases to offer data breach victims a year of free identity theft prevention services, imposing new and specific data security program requirements on health insurance companies and other entities subject to Insurance Department regulation, and requiring state agencies to impose certain detailed security requirements on state contractors that maintain personal information. With a near constant stream of data breaches affecting entities from health insurers to retail giants to the government, the law responds to growing fears of data security.

Under the new law, beginning October 1, 2015, a data breach will require any person or entity conducting business in Connecticut to give notice “without unreasonable delay,” but now no later than 90 days after discovery of the breach, to state residents whose personal information was breached or reasonably believed to have been breached. The Connecticut Attorney General stated in a press release that 90 days is an “outside limit” that does not diminish his discretion to take action against entities who “unduly delay” notification.[2] Importantly, the law also requires the provision of at least twelve months of free identity theft prevention and mitigation services, but only in cases where Social Security numbers are breached or reasonably believed to have been breached.

If you happen to be concerned about the "Insider Threat" within your enterprise, then you realize the importance of creating the foundations for a sound legal framework: one that addresses the rules that must be followed and the protocols for building trust with key corporate partners. This includes the outside counsel that your enterprise engages with on an annual basis.

So what legal duty of care do your retained outside counsel have to secure your information? What in the environments they operate in may create additional legal risk for your enterprise? Do they understand the difference between information security and confidentiality?

First tier supply chain partners such as outside counsel are no different from the cloud provider or the HVAC contractor that may have access to the corporate network. So what is the root cause of substantial intellectual property theft and industrial espionage targeting law firms? Failing to understand the vast landscape of "Operational Risk." This includes negligent conduct and intentional misconduct. So what can you do now to improve the outcomes of managing the legal risks of "Outside Counsel"?

Start a Dialogue:  Request a commitment to review the privacy vs. security environment of the key retained firms who provide the outside legal work for the enterprise.  Provide a case example of your corporate information security structure and priorities.

Ask Questions:  The whole spectrum of information security deserves a deep dive in the dialogue on managing digital information, making effective "Trust Decisions" and addressing eDiscovery and Records Management questions.

Team Together: What if you worked with your outside firm to create a solution that included a collaborative design, prioritized execution, insisted upon cooperative feedback and ensured continuous improvement? Get your legal teams to train together with your CISO and CIO security teams.

Revise the Engagement Letter:  The contracting language must include the nuances of information security, privacy controls and an informative strategic plan for the inevitable point in time when there is a data breach at your outside counsel.  More here:
As Willie Sutton supposedly said, he robbed banks “because that’s where the money is.”  That also explains why law firms and lawyers are increasingly the targets of cyber-intrusion, particularly phishing scams.  Apparently, phishing in legal waters can yield a full net of stolen information.

“Most likely” to take the bait
Verizon’s 2015 Data Breach Investigations Report has found that a company’s legal department is among the ones that are “far more likely to actually open [a phishing] e-mail than all other departments.”

In case you’ve been living under a rock, “phishing” is the attempt to obtain sensitive information fraudulently by means of a deceptive electronic communication that appears to come from a trustworthy source. (Some link the term to the indie rock group Phish, but according to Computerworld magazine, the term was coined around 1996, with the obvious analogy to the sport of angling using a lure. Under that view, the “ph” is a nod to an old form of telephone hacking known as “phone phreaking.”)

Shockingly, Verizon found that 23 percent of recipients open phishing messages, and 11 percent click on the fatal attachments.

16 August 2015

Decision Advantage: Operational Risk Strategic Vision...

When the Board of Directors asks for a report on the Operational Risk Strategic Vision for the enterprise, will you have it ready? The execution of strategy with the discipline of Operational Risk Management (ORM) requires a look "Over-the-Horizon" (OTH). Why?

You have to realize the pace at which technologies are advancing. You have to realize how your competitors are creating a decision advantage. How will you apply the use of new data science, advanced hardware and software capabilities to augment your Human Capital, to replace Human Cognition? So what are some of the categories that you should be researching, testing and implementing? New strategic systems to secure, protect and improve the situational awareness or resilience of your organization?

Many of the areas you will need to address have to do with enhanced processing and management of data from disparate places:
  • Coping with Scale - Advanced Analytics
  • Very Large Datasets - 4D Visualization
  • Data Standards and Governance - Sensor Priority Processing, Optimized Data Movement
Bringing tools to the data, data trust and provenance tracking are a subset of governance. Machine translation and wire-speed language recognition are subsets of a multi-lingual textual data processing platform.

So what? Why is all of this innovation required in the modern Operational Risk domain, and why is it so important? The simple answer is international competition from your adversaries. Dynamic, smart metadata, metadata relationships and data that finds the analyst are challenging areas today. Natural language processing techniques and wire-speed data tagging are vital.

"Data Mining will bring us 'Cyber Situational Awareness', 'Human-Assisted Machine Learning' and 'Pattern of Life modeling'. Decision and intelligence advantage is the key to many of these strategic initiatives."

Again, from a business perspective, so what? If your organization is in the Information Technology Sector, then of course you understand that the competition is tough and your new advanced VM and/or shiny systems "Box" does need to stand out, with its unique features and differentiators in the marketplace. It must have some value proposition to the customers that few, if any, others can provide at the moment. Otherwise, why would you spend the money on educating the market, writing a check to Gartner, advertising, sales and business development? Right?

The Board of Directors today might just understand the concept of "Decision Advantage."  What if you went to the next meeting of the outside directors and provided a narrative and presentation on "Decision Advantage"?  You want them to authorize the substantial budget for your own Operational Risk R&D.  You are asking them to invest in the future risk mitigation of the enterprise, that they have a fiduciary responsibility to safeguard for the shareholders.

You see, you are way behind the international competition.  When you view this visual of the current state-of-play going on this hour, this minute and this second, you really don't have the time to waste on authorizing more resources, to address many of the areas previously discussed here.  The future of your enterprise and the livelihood of your country is at stake.

The Research & Development (R&D) budgets for Operational Risk Strategy execution are tremendous. Add it all up. The question is, how effective is it for the enterprise to spend risk management and mitigation funds in each individual department of IT, HR, Marketing, Sales, Finance and Facilities without a complete understanding and vision of how the spectrum of risks, threats and mitigations are all interconnected, and of which tools, processes or technology are actually interdependent?

When something such as Enterprise Risk Management or even National Security is so mutually dependent, you have to ask the Board of Directors to pause and to require the Operational Risk Strategic Vision. Once completed, you will see what new technologies to invest in for your total budget of Research & Development funds, and where to spend it.

Perhaps the most important reason for this vision, is also to ensure your "Intelligence Advantage"...