Edward Snowden has become a household name in the United States and around the world for disclosing the National Security Agency’s warrantless collection and use of telephone records. Above and beyond the national security dialogue and 4th Amendment debates, I think the Snowden affair presents a cautionary tale to any business when it comes to safeguarding sensitive information, be it customers’ personally identifiable information or company intellectual property. What transpired with Snowden can take place at any company doing business today, and the prudent CEO would do well to take notice of the ways her company can safeguard against similar risks. Here are but a few things to consider in light of the Snowden matter.
Technology gets all the attention and I will discuss it here, but data privacy and security begins and ends with people. Snowden was a civilian government contractor to the NSA, one of hundreds, maybe thousands. A company’s greatest resource is its people. Conversely, they also present the company’s greatest risk.
Access Control Policies
Information in Use
Lastly, implementing good information security practices involves a departure from old habits, especially in established companies. There is often fall-out and hurt feelings when access control partitions and personnel policies are put in place under any security program, especially when long-time employees lose access they previously had. However, such allocation and control of access limits the resulting harm when a breach takes place. There is no way around it. Good information security risk management often comes down to numbers: the fewer people with access, the lower the chance that someone breaches the information security. With the tools available today, such controls can be put in place cost effectively, often transparently, and with increasing flexibility to adapt to the next threat(s).
As with any blog, it is not possible to cover everything implicated by such a high-profile breach. But a situation like this brings the critical points to the forefront and offers an opportunity for proper reflection and evaluation. To be sure, a company does not need a breach or issue rising to the level of the NSA scandal to find itself in hot water with its customers and the press. In the end, every company needs to understand the information it possesses and the information it truly needs to be viable or competitive. A company needs to understand and communicate its information management practices, make sure employees and contractors comply with that understanding, implement and enforce policies, and communicate openly and honestly with its business partners and customers. Doing so puts a company in the best position possible to respond to a breach when (not if) it happens.
O.K. Let me stop and say, like everyone else, I was offended, outraged and concerned about where we are headed with this balancing of security and privacy. As a citizen, it blows my mind when I see this kind of stuff. But then I have to stop and remind myself, as an attorney, that this is all legal. People always ask me what I think about it and say, “Surely there must be a law against this.” Well, this practice, like many conducted by the government and indirectly by large purveyors of information, is sanctioned by your U.S. Congress on an annual basis. Recent bills trying to implement controls on such surveillance were killed in the House of Representatives in a rare bipartisan effort. We’ll discuss this debate about federal privacy law next month.