Mitratech - Connecting People, Knowledge, Process

Fusing Legal, Compliance, and IT to proactively protect intellectual property

While protecting client Intellectual Property (IP) and Confidential Information (CI) is a routine task for inside and outside counsel, the electronic nature of such data, coupled with easy, almost ubiquitous access to electronic networks, has created the need for a systematic approach to IP/CI protection, one that requires close cooperation among counsel, IT security practitioners, internal auditors and others. It also requires an organization-wide acknowledgement of the importance of protecting such information, and the imposition of controls and routine audits in order to measure performance and close vulnerabilities. Most importantly, it requires a commitment from the organization’s leaders and the assignment of direct responsibility to team managers for protection program compliance.

Enforcement of IP rights and CI protection agreements in the courts is usually an option for organizations and is, in fact, a relatively common phenomenon, with commensurate media coverage in particularly egregious cases. By that point, however, the damage to the organization has most likely been done. Instead, organizations should pursue protection of IP and CI as they would any critical regulatory compliance requirement.

Protecting intellectual property and confidential information

The idea that a corporation’s portfolio of IP—patents, copyrights, trade secrets—represents the vast majority of that organization’s market value has become an article of faith in the legal and economic professions. The more a corporation’s work product exists in electronic form—software or information—the greater the proportion of its value that rests on its IP portfolio. Corporations annually expend substantial resources in pursuit of IP protection, including patent development, policing of the use of copyrights, and the identification and physical protection of trade secrets from outsiders. As such, they typically have well-defined processes to manage the development and protection of IP from those perspectives. Most, however, do not have a mature, comprehensive process to prevent such IP from escaping or leaking out of their physical premises or information network.
 
Trade secrets are particularly fragile, since their publication on a website or in some other medium destroys their protected status, even when the publication is accidental. Trade secrets are protected at the state level in most states through each state’s adoption of the Uniform Trade Secrets Act (UTSA), such as California’s implementation found at Civil Code § 3426 et seq. Key to the successful imposition of civil liability for violation of the Act is the owner’s reasonable efforts to protect the trade secret in question. Such efforts do not have to be extraordinary but should be commensurate with the value of the trade secret. The Act provides for exemplary damage awards in the case of willful violation and for attorney’s fees; however, if the violator is judgment proof, this is of little help to the owner of the secret. Trade secrets are protected at the federal level by the Economic Espionage Act (EEA), a criminal statute that carries enhanced penalties for theft of trade secrets that benefits foreign nations but does not provide a private right of action. Like the UTSA, the EEA requires reasonable efforts to protect the secret and, according to the federal prosecution manual for the EEA, such efforts will be a critical component of the case or of the decision not to prosecute the alleged offender. Under both the civil and the criminal statutes, valuation of the secret is very important.
 
The limitation of these statutes, however, is that they are primarily designed to combat deliberate misappropriation of trade secrets rather than accidental loss. The ways in which secrets can be lost are many: not shredding documents, disposing of computers without destroying the hard drive, leaving critical documents in airplanes, sending e-mail to the wrong person, and so on. Employees with Internet blogs who wish to talk about all of the great things their department is working on are an especially rich source of leaked trade secrets. In this respect, poor internal controls on sensitive information are a greater threat than outright theft.

Organizations also possess substantial amounts of CI, such as data about clients, employees, contractors, business partners, and members of the public, and need to protect such data just as vigilantly as they do their IP, if not more so. Third-party compliance agreements, for example, are typically used when one party stores or processes CI for another, and require the third party to adhere to strict requirements for the storage, processing and destruction of CI. A complete process to protect IP and CI, then, must guard not just against deliberate theft but against accidental loss.

Protecting consumer information

In the last decade, a constellation of consumer privacy regulations has appeared governing privacy practices at the state, federal and international level, often as a result of some newsworthy privacy breach. Statutes governing consumer privacy in the United States, specifically Personally Identifiable Information (PII), tend to fall into one of three categories:

  1. Secure disposal. These statutes require the secure disposal, such as physical destruction of media containing PII. Examples include California Civil Code § 1798.80-82 and the federal Fair and Accurate Credit Transactions Act of 2003 (FACTA).

  2. Information security. These statutes require that administrative, physical and technical safeguards be put in place to protect the confidentiality and integrity of PII. Examples include HIPAA’s Security Rule and Massachusetts’s 201 CMR 17.00.

  3. Breach notification. These statutes require that when there is reason to believe that the PII in question may have been exposed, the owner or controller must notify affected parties as soon as practicable. Examples include California’s SB 1386 and HIPAA’s Breach Notification Rule.


Breach notification regulations have grown rapidly since 2002, with at least 46 jurisdictions now having them. Another enforcement mechanism is the prosecution of unfair or deceptive trade practices, namely the failure to protect consumer data. The Federal Trade Commission and state law enforcement authorities regularly use such means to address consumer data losses that do not implicate industry-specific or “sectoral” regulations such as those described above. Finally, for companies doing business overseas, especially in the European Union, the consequences of failing to protect employee and consumer data can be severe, including the imposition of criminal liability on the officers of a corporation.

As a practical matter, protection of all forms of sensitive data should be included in the organization’s overall compliance and risk management efforts. For public companies, a lack of such capability may even represent a material weakness with respect to their financial controls, as defined by SOX §404. For any organization, the damage to brand and reputation may have long-term effects. The identification of the vectors by which IP and CI are lost, and a means to manage the overall control process, are components of the larger organizational compliance and risk management process.

Data Loss Prevention

Data Loss Prevention, also called Data Leakage Prevention, or DLP, is the joint sub-discipline of legal IP/CI protection and corporate compliance as it relates to a corporation’s information security and privacy posture. DLP is a relatively new sub-discipline, developed roughly over the last three years, with an emphasis on preventing irreparable harm to the corporation from loss of IP and confidential information. Such loss can occur through a variety of vectors:

  • Network intrusions

  • Physical intrusions

  • Theft or loss of laptops, mobile devices or media

  • Outbound e-mail

  • Outbound paper mail 

Historically, the emphasis in defending a network or a physical premises has been purely defensive, using a model called Defense-in-Depth, which relies on a series of concentric, heterogeneous layers of protection. One implementation to protect a network, for example, might use border routers, a firewall, the closing of network ports not in use, and a host-based intrusion detection system. By contrast, there has been little emphasis on creating an analog of Defense-in-Depth to keep IP inside the electronic and physical borders of a corporation. A crucial difference between protecting data from intruders and protecting it from loss by employees is that in the latter case data can be lost accidentally by employees without their ever realizing it, for example through comments in e-mail messages or blog postings, or by sending an attached document to the wrong party.

The protection strategy and process

Protection of IP and confidential information needs to be executed as part of a larger strategy for protecting the entire organization’s information infrastructure, which, in turn, should be thought of as another corporate compliance and risk management requirement. One compelling study of network intrusions concluded that, in the majority of cases where sensitive data was stolen, the victim organization did not know they even possessed such data in the first place.
 
Steps include:
 
  • Identification and classification of an organization’s data;
  • Establishment of administrative, physical and technical controls commensurate with the class of data being protected;
  • Identification of metrics and collection of metric data to determine control effectiveness; and
  • Holistic management of the entire process.
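The first step above, identification and classification of data, is what content inspection on the outbound e-mail vector automates, and the third step, metrics, is what the inspection point reports. The following Python is an added illustration and is not code from this page or from Mitratech: it classifies a set of constructed sample messages by pattern matching (an SSN pattern, card-number candidates validated with the Luhn checksum so that look-alike order numbers are not flagged, and hypothetical trade-secret markings), applies a hypothetical block/allow policy, and tallies the counts a control-effectiveness dashboard would consume. All message contents, identifiers, marking words and the policy table are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample outbound messages. The numbers are test values chosen
# to pass or fail the checks below; none are real identifiers.
SAMPLE_MESSAGES = {
    "msg-1": "Hi Bob, the Q3 roadmap is attached. Regards, Alice",
    "msg-2": "Per your request, my SSN is 219-09-9999 and DOB 01/02/1980.",
    "msg-3": "Card on file: 4111 1111 1111 1111, exp 12/27.",
    "msg-4": "Order ref 4111 1111 1111 1112 shipped yesterday.",
    "msg-5": "CONFIDENTIAL - TRADE SECRET: the catalyst ratio is 3.2:1 at 410K.",
}

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or hyphens; Luhn-checked below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Hypothetical markings an organization applies to its trade-secret documents.
MARKER_RE = re.compile(r"\b(trade secret|confidential|internal only)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str):
    """Return (classification, findings) for one message body."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # drop Luhn failures: order refs, tracking numbers
            findings.append(("card", digits))
    findings += [("marker", m.group().lower()) for m in MARKER_RE.finditer(text)]
    kinds = {kind for kind, _ in findings}
    if kinds & {"ssn", "card"}:
        level = "restricted"    # regulated PII (CI)
    elif "marker" in kinds:
        level = "confidential"  # marked trade-secret material (IP)
    else:
        level = "public"
    return level, findings


# Hypothetical policy: only unclassified content may leave without review.
POLICY = {"public": "allow", "confidential": "block", "restricted": "block"}


def scan_outbound(messages: dict):
    """Classify every message, apply POLICY and tally metrics for a dashboard."""
    results, metrics = {}, Counter()
    for msg_id, body in messages.items():
        level, findings = classify(body)
        action = POLICY[level]
        results[msg_id] = (level, action)
        metrics[f"level:{level}"] += 1
        metrics[f"action:{action}"] += 1
        for kind, _ in findings:
            metrics[f"finding:{kind}"] += 1
    return results, metrics


if __name__ == "__main__":
    results, metrics = scan_outbound(SAMPLE_MESSAGES)
    for msg_id, (level, action) in results.items():
        print(f"{msg_id}: {level:12s} -> {action}")
    print(dict(metrics))
```

Note the two failure modes the samples exercise: msg-4 carries a number that matches the card pattern but fails Luhn and is correctly allowed, while msg-1 is allowed even though it refers to an attached roadmap, because this scanner inspects only the message body. A production control must also open and inspect attachments, and the counts in the metrics (blocked messages, findings by kind) are only meaningful if someone reviews them, which is exactly the gap the holistic-management step above describes.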
The last step, holistic management, represents the biggest challenge in this process. There exist in the marketplace thousands, if not tens of thousands, of problem-specific or “point” solutions that address a particular threat and generate reports on noteworthy events but do not otherwise integrate into an organization’s overall compliance and risk management view. The vast majority of that reporting capability is never used, because the managers responsible for evaluating the solutions’ performance do not have time to run all of the available reports, and valuable intelligence in which compliance and risk officers would be interested is lost. In order for an organization to fulfill its DLP-related compliance obligations proactively, there needs to be a means to:
 
  • Manage data protection and related policies;

  • Map data protection policies to regulations and regulations to controls;

  • Have all compliance and risk management metrics stored in a de-normalized database so as to prevent performance drains from regular queries; and

  • Have those metrics roll up to one dashboard that is automatically generated without requiring a responsible manager to manually create a new query.

When some type of loss event does occur, litigation or regulatory action is possible, and therefore there also must be a means for all team members to:

  • Track a suspected or actual loss as an independent matter from the time the incident occurred to the time when the statute of limitations for legal action relating to the incident has expired or a time prescribed by a regulatory body;

  • Generate reports that summarize pending loss responses by type, regulation, geography, responsible party or other desired criteria;

  • Determine what actions particular employees, such as security response teams, took and when they took them;

  • Allow parties from other departments and business units to access the matter and add pertinent data and analysis;

  • Allow outside counsel, outside experts and service providers to access the matter and add pertinent data and analysis;

  • Allow electronic submission of invoices in a way that prevents duplicative billing or billing for items that are contrary to the retainer agreement;

  • Issue, maintain and modify “holds” on data about the incident issued by the legal department, such as documentary data or communications;

  • Track handling of data preserved as part of a particular legal hold; and

  • Track the Service of Process for notices related to pending litigation and regulatory review.
In addition, the system that supports these functions needs to allow each team member access to only the parts of the matter that are necessary for them to perform their function and integrate with existing access control methodologies, such as Single Sign-On (SSO). All of these functional requirements need to be united by a common principle that enables the entity to carry out its many response duties consistently and in a way that protects the integrity of those processes. That uniting principle is called Collaborative Accountability.
 

Proactively protect, demonstrate compliance, respond appropriately

Collaborative Accountability Applications (CAA) enable organizations to proactively protect IP/CI by aggregating and reconciling compliance with multiple regulations, the policies that result from them, and the processes that ultimately protect that information. CAA also greatly assists in managing the effectiveness of those controls by enabling precise tracking and reporting. When confidential information is compromised, CAA enables team members inside and outside the enterprise to work securely in concert while enabling leaders to track the actions of members in a manner that can be safely offered into evidence during a legal proceeding. By preventing documentary evidence from being accidentally destroyed and preserving evidence from the incident in a forensically sound manner, the organization not only fulfills its discovery obligations but strengthens its defense posture should the matter ultimately go to trial or face review by regulatory bodies. Giving all team members ready access, while limiting that access to those who require it, allows the team to move swiftly while preventing data from being altered accidentally. Finally, in the event that team members make errors during a particular breach response, the ability to forensically reconstruct those errors can demonstrate that, overall, the process was reasonable in light of the circumstances and that the errors did not have a material effect on the outcome.