Could the GDPR be Weaponized?

I will be participating in a webinar on the General Data Protection Regulation (GDPR) on November 9th along with ZL Technologies and Viewpointe (you can sign up for it here).

In one of our planning meetings for this event, the topic of Subject Access Requests (SARs) was discussed. One of the presenters wondered if SARs could somehow be used by anarchists or others to cause massive disruption to an organization. Given that data subjects in the European Union have the right to request any information about them that a data controller possesses, usually without a fee, and that requests must be processed within a month, what would happen if an organized group (are anarchists, by definition, organized?) flooded an organization with SARs in a very short period of time. There are situations in which data controllers are not obligated to provided data under an SAR, such as GDPR Article 23 which allows the Legal Professional Privilege (LPP) as an exemption to fulfillment of an SAR. However, this is a fairly limited exemption and would not prevent the type of planned disruption that might be made possible under the GDPR.

The potential for causing mass disruption using SARs is not as far-fetched as some might consider it to be. Given that it will take several hours to process a single request for a company that has not implemented an appropriate classification and archiving capability for all of the potentially relevant organization it has on data subjects, the potential for disruption is enormous. For example, if we very conservatively assume that just two person-hours would be required to process an SAR and someone wanted to “attack” an organization with 5,000 SARs in a single week, that would obligate a data controller to spend 10,000 person-hours — about five person-years — processing these requests in a very short period of time. While such a scenario against any single entity is unlikely, the likelihood that it will occur to some company is rather high, as is the risk: few organizations’ legal or IT teams have such an excess of labor available to them to deal with this type of occurrence.

This is just one of the topics we will be discussing at the webinar on November 9th. I hope you can join us.

Monitor Your Social Media Exposure

Social media is an amazingly useful tool to share meaningful information (along with lots of drivel, humblebrags and photos of that amazing breakfast your friends are about to eat in Cancun). However, the ease with which social media can be used as a vehicle for sharing good information enables users to share some really stupid things, as well. The most recent case in point is the (now former) CBS Vice President and senior counsel who posted some very insensitive comments on Facebook about the victims of the horrific shooting in Las Vegas earlier this week. In 2016 a (now former) faculty member of York University in Toronto posted links on Facebook to anti-Semitic web sites and made a number of derogatory comments about Jews. Also in 2016, a (now former) employee of Express Oil Change and Tire Engineers in Alabama posted on Facebook that the wildfire victims of Gatlinburg, Tennessee are, “….mouth-breathing, toothless, diabetic, cousin-humpin, mountain-dew-chuggin, moon-pie-munchin, pall-mall-smoking, trump-suckin pond scum.” In 2013, the (now former) communications chair of the Democratic Party of Sacramento County, California tweeted to the senior communications adviser to Ted Cruz, “May your children all die from debilitating, painful and incurable diseases”.

These types of posts represent a lack of self-control, something of which the vast majority of us are guilty at one time or another (but, hopefully, in less public ways). But they also represent a massive liability for a company’s brand. In each case, the offender was fired by his or her employer, but that does little to mitigate the enormous damage that these types of posts can inflict on the innocent employers who get caught up in the firestorm that normally ensues after these types of posts go viral.

As an employer, what can you do about this? Here are some suggestions:

First and foremost, establish detailed and thorough policies about what constitutes acceptable and unacceptable employee behavior, both during and after work hours. Obviously, an employer has less control over their employees when they’re not at work, but some reference to acting like a decent human being on a 24×7 basis while employed by the company is a good starting point.
To back up these policies, provide good training for employees about how to respond to social media posts, how to avoid making inappropriate comments on social media, and how to escalate sensitive issues like customer complaints.
Implement good monitoring, DLP and scanning technologies for all work-related systems, including social media. The goal is not only to identify intentionally inappropriate and mistaken posts from employees, but also to protect against data loss and malware infiltration through the social media channel, to identify if a social media account has been hacked, or to identify if someone is falsely purporting to be a representative of your company/brand.
Archive content from your social media channels, including any employee posts made using company infrastructure. Having a good archive of social media content will enable decision makers, counsel, etc. to review social media posts for inappropriate content after the fact, and can be useful as part of litigation efforts and regulatory audits.
For social media accounts under company control, enable appropriate access controls to minimize the potential for inappropriate posts.
Where necessary, implement a supervisory program (something akin to what financial services firms do for broker-dealers) that will sample employee social media posts to look for violations of corporate policy.

We will shortly be publishing a white paper and survey results focused on social media security and archiving. Let us know if you’d like to see an advance copy of the survey results or the paper.

Why Don’t We Change?

In July, Ashton Kutcher attempted to start a dialogue about gender equality in the workplace and was roundly savaged for his trouble:

“This is grossly offensive”, noted one person.
Joelle Emerson, the founder and CEO of Paradigm tweeted, “Yikes. These are definitely *not* the right questions. Most rely on flawed assumptions and perpetuate problematic myths.”
Someone else commented, “Aston [sic], you embarrass yourself for a very good reason. Your questions tell me more (again) about how you perceive women, not how women are! Please pull together the correct questions, and a dialogue that deals with the issue, instead of reiterating the sexist view in the workplace will begin to heal us.”

While not addressing the specifics of Kutcher’s comments, I’m troubled by the fact that people are permitted less and less to posit ideas or do new things without being trashed for their trouble. One of the fundamental rules I learned many years ago about brainstorming sessions — the goal of which is to foster an environment in which people are encouraged to present ideas to help solve problems — is never to criticize ideas as they’re presented. It’s fine to present alternative or contradictory ideas, but criticizing the brainstormer is antithetical to the ultimate goal of solving the problem because it discourages people from trying to be innovative. Sadly, in our hyper-politically correct environment, we are moving ever further away from the ideal of encouraging people to be innovative or disrupting the status quo. And without that kind of disruption and a culture that supports it, we just can’t solve our problems.

This is also the case for ideas in the workplace that have nothing to do with third-rail issues like politics, gender equality or immigration. Early in my career I did not have a computer on my desk and didn’t have email (the dinosaurs had just recently gone extinct and we just weren’t as technologically savvy in those days). The first company (a leading market research and consulting firm) I worked for out of university used a Wang word processing system and we were expected to dictate our reports into a handheld recorder, hand the tapes to the word processing staff, and wait for the printouts to appear on our desks. When I opted to do my own word processing, I was severely criticized by not only the word processing staff, but even made the company president quite upset. Two years later, all of the analyst staff were expected to do their own word processing.

If you’re a change agent, and if Vendor X is firmly entrenched in your enterprise and you suggest migrating to Vendor Y that offers a better user experience, you might be shut down without getting a hearing about the merits of your suggestion. Perhaps you want to deploy a social network that allows people to share information with the goal of increasing employee engagement, but management believes that people surfing the web and sharing articles with others is a waste of time — be prepared for a rough ride in many organizations. The good news for change agents in those types of organizations is that you probably won’t be working for that company for very long.

The bottom line is that we need to be open to new ideas, be polite to those who share them, and be willing to change. Innovative people and companies do that — those who orbit the status quo don’t.

BYOD OK?

We have recently completed a survey of IT decision makers that are knowledgeable about security issues in their organizations, and we found something surprising: the concern about “shadow IT” — employee use of unauthorized cloud apps or services — is significantly lower in this year’s survey than it was just over a year ago. While there can be variability between surveys because of sampling and other issues, the difference we found is not explained by sampling variability, but instead represents a significant shift of concern away from the problem of shadow IT and BYOD/C/A (Bring Your Own Devices/Cloud/Applications).

Why?

Three theories:

First, we have not seen big, headline-grabbing data breaches result from the use of personally owned smartphones, tablets, laptops and other employee-owned and managed devices, cloud applications and mobile applications. While these breaches occur and clearly are a problem, the horror stories that were anticipated from the use of these devices have been few and far between.

Second, senior management — both in IT and in lines of business — have seemingly acquiesced to the notion of employees using their own devices. They realize that stopping employees from using their own devices to access work-related resources is a bit like controlling ocean surf with a broom.

Third, there are some advantages that businesses can realize from employees using their own devices. While lower business costs are an important advantage because IT doesn’t have to purchase devices for some employees, another important benefit is that IT doesn’t have to manage them either. For example, when an employee leaves a company and company-supplied devices need to be deactivated, some organizations aren’t exactly sure who’s responsible for doing so — IT, the employee’s manager, HR or someone else. A survey we conducted some time back asked, “when an employee who had a company-supplied mobile phone leaves your employment, how confident are you that you are not still paying for their mobile service?” We found that only 43 percent of respondents were “completely confident” that the mobile service was deactivated, and 11 percent either were “not really sure” or just didn’t know. Employees using their own devices and plans gets around this problem nicely.

To be sure, unfettered and unmanaged use of employee devices in the workplace is not a good idea. It can lead to a number of problems, such as the inability for IT to know where all of a company’s data is stored, the inability to properly archive that data, the inability to produce all of it during an eDiscovery effort or a regulatory audit, lots of duplicate data, a failure to establish an authoritative record for corporate data, a greater likelihood of data breaches if a device is lost, and the potential for not being able to satisfy regulatory obligations.

That last point is particularly important, especially in the context of the European Union’s General Data Protection Regulation (GDPR). A key element of the GDPR is a data subject’s “right to be forgotten”, which translates to a data holder’s obligation to find and expunge all data it has on a data subject. If an organization cannot first determine all of the data it holds on a data subject and then cannot find all of that data, it runs the risk of violating the GDPR and can pay an enormous penalty as a result.

In short, BYOD/C/A offers a number of important advantages, but it carries with it some serious risks and should be addressed as a high priority issue in any organization.

You Need to Archive Mobile Text Messages

Osterman Research has found that roughly one-third of the typical information worker’s day is spent working on a mobile device, and an even greater proportion of work-related content is accessed using mobile devices. The impetus for the growing use of mobile devices is driven by a number of factors, although the use of personally owned devices is a key factor in their adoption in the workplace. As shown in the following figure, the use of company-owned and personally-owned smartphones is on the increase.

The use of messaging applications on mobile devices, such as email and SMS/text messaging, are among the most common applications of mobile devices in the workplace. The vast majority of users who employ a smartphone for work-related uses employ some type of messaging-related application on a regular basis.

There are a number of difficulties associated with the archival of text messaging content. For example:

Text messages sent using telecom carriers are often retained only for brief periods, and so these providers cannot be relied upon a source of archived text messages for long periods.
Since some companies operate in multiple countries using carriers that often do not provide any sort of text messaging archival service, enterprises often employ different methods to archive text messages, such as doing a physical backup of a device.
Further complicating the archival of text messages is the lack of commonality for archiving content depending on the device in use. Some solutions pull content directly from the server (e.g., with the BlackBerry Enterprise Server), while others install an app on the mobile device that transmits text messages to the archive. Other tools, such as SMS Backup+ for Android devices, will move text messages into a user’s Gmail account where they can be backed up or archived indirectly.

The bottom line is that organizations using various and inconsistent methods for archival of text messages makes the process inefficient, expensive and prone to error. The result can be incomplete archives of text messages and the consequences that go along with this level of inconsistency. Therefore, it’s essential to choose the right vendor that can provide a consistent and unified method for text message archival.

We have recently published a white paper on text messaging archiving that you can download here.

Is the Cloud Always Cheaper?

Office 365 and Exchange Online are good offerings – they provide useful functionality, a growing feature set, pretty decent uptime, and they’re relatively inexpensive. Microsoft, in this third major iteration of cloud services, has done a good job at offering a comprehensive set of applications and services. (We use Exchange Online internally and are quite pleased with it.)

From Microsoft’s perspective, the primary reason to move their customers to the cloud is to make more money. In 2015, Microsoft told Wall Street financial analysts that moving its customers from a “buy” model to a “rent” model will generate anywhere from 20 percent to 80 percent more revenue for the company. As evidence of how right Microsoft was, the company’s Office 365 revenue for the fourth quarter of 2017 is now greater than its revenue generated from traditional licensing models.

From a customer perspective, one of the key reasons for migrating to Office 365 is to reduce the cost of ownership for email, applications and other functionality. Our cost modeling has demonstrated that this actually is the case.

So, Microsoft makes more money from the cloud, but its customers spend less when migrating to the cloud. On the surface, that doesn’t seem to make much sense until you realize that the cost savings for customers are coming primarily from the labor that you no longer have to pay to manage an on-premises system, and from the stuff you no longer have to buy to maintain it, especially when considering hardware and software refresh cycles.

But what if you’re a small organization that wasn’t spending much on labor because you have an easy-to-manage email server, for example, and your hardware requirements to run it are not significant? Let’s go through an example comparing Exchange Online Plan 1 with Alt-N Technologies’ MDaemon Messaging Server for a three-year period for a 50-user organization:

Exchange Online Plan 1

$4.00 per user per month
$7,200 for 50 users for three years

MDaemon Messaging Server (with priority support)

$2,433.04 initial cost, or $1.35 per user per month for three years

MDaemon Messaging Server (with priority support, Outlook Connector and ActiveSync)

$4,678.43 initial cost, or $2.60 per user per month for three years

So, the on-premises platform will save a 50-seat organization anywhere from $2,522 to $4,767 over a three-year period. If we assume that an on-premises email system like MDaemon could be managed by an IT tech making $35,839 per year (the national average for that position according to Glassdoor), that means the tech could work anywhere from 4.1 to 7.7 hours per month on the MDaemon infrastructure to bring its cost up to that of Exchange Online Plan 1, although it’s unlikely that much of a time investment would be required. Of course, I have not factored in the cost of the hardware necessary to implement an on-premises email system, but most organizations already have that hardware on-hand already.

The point here is not to abandon consideration for Exchange Online or other cloud platforms, since they offer a number of important benefits and there are good reasons to go that route. But for organizations that need to get the most bang for their buck, they will be well served to consider using on-premises solutions, especially if their hardware and software refresh cycles are longer than three to four years. That’s especially true for things like desktop productivity platforms like Word, Excel and PowerPoint, where the average refresh cycle is quite long (one survey found that Office 2010 remained the most popular version of Office in use five-and-a-half years after its release.)

Automatic Monitoring of Key Systems

One of the problems that IT often has with business systems — especially those on which users or customers are dependent for real-time or near real-time interactions or transactions, such as email or eCommerce systems — is that users are often the “canary in the coal mine” in determining when a problem has occurred. For example, IT will often learn about an email downtime only when there’s a spike in traffic to the corporate help desk, or calls to a help line will be the trigger that notifies IT that a customer-facing system has gone down or is providing unacceptable performance.

dinCloud has introduced an interesting offering called “James“, what they’re touting as a virtual robot designed to monitor systems on a 24×7 basis. James is designed to monitor a wide variety of systems, such as eCommerce platforms, corporate email, databases and a variety of other systems that support business processes and workflows. The basic goal of James is to monitor systems continually for events like outages, system errors or performance that drops below a predetermined threshold, and then alert IT about the problem so that the issue can be rectified as quickly as possible. The example below, from dinCloud’s web site, is a basic example of how James works.

james-login-example

Although James can be used in any environment, it seems especially well-suited to smaller organizations that may not have the technical expertise or other resources needed to monitor key systems on a continual basis. dinCloud offers a turnkey approach for customers, helping them determine what to test and providing services around configuration and deployment of the system. James also supports a real-time dashboard that enables decision makers to keep an eye on system performance and receive alerts when problems are discovered.

While I’m not crazy about the name “James” as it applies to this offering (perhaps something like “Virtual System Monitoring Robot” might be more descriptive), I really do like what dinCloud is doing here. Downtime and poor system performance are the bane of online systems because even small glitches can create major problems. For example, an older study found that about 40 percent of US consumers will give up on a mobile shopping site that won’t load in just three seconds, and a 2016 study found that the cost of unplanned downtime for a large organization will cost an average of nearly $8,900 per minute. Our own research finds that email outages of even just 10 minutes can create problems.

In an era of ransomware, DDoS attacks, hacking and other threats that can create significant levels of downtime in addition to the more traditional causes like server crashes or application faults, system monitoring should be high on every IT manager’s priority list.

Open Questions About the GDPR

The European Union’s General Data Protection Regulation (GDPR) will take effect on May 25, 2018. In short, the GDPR will provide data subjects (i.e., anyone who resides in the EU) with new and enhanced rights over the way in which their personal data is collected, processed and transferred by data controllers and processors (i.e., anyone who possesses or manages data on EU residents). The GDPR demands significant data protection safeguards to be implemented by organizations, regardless of their size or their geographic location. You can read the full text of the GDPR here, as well as our recently published white paper and survey report on the subject here and here.

The goal of the GDPR is quite clear: to protect the privacy rights of EU residents and to ensure that they have a right to be forgotten by any organization that possesses data about them. However, there are some situations in which legal jurisdictions and whose rights should prevail are not yet clear. For example:

US organizations have an obligation to apply a legal hold on relevant data if they have a reasonable expectation that a legal action may be forthcoming. But what happens if some of the data that a company is obligated to hold includes data on an EU resident that has asked for that data to be expunged?
Broker-dealers and others under the jurisdiction of FINRA must retain various types of communications, such as communications between registered representatives and their clients. What if a client of that representative ends the relationship, but immediately wants his or her data to be deleted?
Manufacturers routinely keep customer information in support of warranties that they offer on their products. If a customer in the EU asks that all of their data be forgotten, does that relieve the manufacturer from their obligations to honor the warranty?
Will governments be permitted to retain data on visitors from the EU, such as the data provided on the embarkation forms that visitors are obligated to complete upon entry to a country, if those visitors ask that the data be deleted?

As with any new regulation there are always unanswered questions, unique situations that had not been contemplated when the regulation was written, and various unintended consequences — the GDPR is no different in that respect. What is different are the consequences of getting things wrong, which can include fines as high as €20 million ($23.7 million), or four percent of an organization’s annual revenue, whichever is higher. For a company with $1 billion in annual revenue, that would be a $40 million fine!

Will the EU impose such large fines shortly after the May 25, 2018 implementation of the GDPR? That’s an open question, but given the EU’s aggressive stance toward companies like Google and Facebook, my guess is that they will seek a test case to let everyone know that they mean business.

Do You Manage Social Media Well?

Some actual social media posts:

“….we need to hold this f%#@er and all his racist supporters accountable.”
“Threatened with a $200k lawsuit from idiot client who misrepresented the scope of their project and took longer than originally planned.”
“What a stupid client, how can he be an engineer for so many years!”
“I have 2 moods. 1) I love working let’s get moneyyyy 2) I never want to work again I want to kill every customer.”

Given that somebody’s employees have already posted these comments, what would you do if it was your employee that did so?

Nothing.
Accept the fact that employees can do what they want on their own time, regardless of the consequences for your company?
Communicate with your employees about the importance of considering what they post on social media before they do so.
Remind employees about the importance of following your company’s social media policy that specifically addresses identifying their employer on their personal social media pages.

Any company can choose a, b or c, but many companies can’t opt for option d because they don’t have a social media policy – or at least one that is sufficiently thorough or detailed that would address a situation like these.

Even with the best tools in place to monitor and review social media, this issue has implications beyond just those that are focused on technology and policies. Should employees be allowed to tweet anything they want while in your employ? Should employers have the right to restrict employee activities on social media after-hours? Should courts or regulators have the right to access employees’ social media posts?

We will be writing a white paper shortly on the importance of managing social media well – not only from the perspective of providing robust security capabilities so that social media can’t act as a conduit for malware, phishing or other threats – but also from the perspective of establishing good social media policies, monitoring what people are saying via social media when using the corporate network, and archiving business content in social media posts.

How to Deal With the Travel Ban on Laptops and Tablets

On March 21st, the Department of Homeland Security (DHS) announced that any personal electronics larger than a smartphone cannot be carried in the passenger cabin on US-bound flights originating from Jordan, Qatar, Kuwait, Morocco, United Arab Emirates, Saudi Arabia, and Turkey. The airlines affected, all based in the Middle East, have 96 hours to implement the appropriate changes to ensure that non-compliant electronic devices are carried only in checked, not carry-on, luggage. The UK followed suit, implementing essentially the same policy for flights to the UK originating from Egypt, Jordan, Lebanon, Tunisia, Turkey and Saudi Arabia.

The reasons for the new policy by the US and British governments were not made entirely clear, but the US raid on Al-Qaeda forces in Yemen in January of this year apparently yielded intelligence about the terrorist organization’s development of “battery bombs” that could be large enough to destroy a commercial aircraft. Also cited were the destruction of a Russian A321 over the Sinai Peninsula in October 2015, and a bomb blast aboard a Somali A321 shortly after it left Mogadishu in February 2016, either or both of which may have been the target of battery bombs or similar devices.

While the ban on personal electronics in carry-on luggage affects only direct flights to the US and the UK from the countries noted above, it’s possible that the ban may be extended to other countries and maybe even to domestic flights in the US, UK and elsewhere.

If you rely on your laptop and/or tablet when traveling, what would you do if the ban suddenly applied to your next trip, as it already has for thousands of travelers? Here are some options:

The obvious (and worst) option is to travel with your laptop and tablet in checked luggage. While the rate of lost luggage, at least in the US, is relatively low at 3.09 bags per 1,000 passengers, a dramatic increase in number of laptops and tablets flying in checked luggage might motivate some baggage handlers to help themselves to the suddenly more valuable cargo. Even in the absence of theft, there is a significant risk that rough handling of luggage could damage the devices.
Another option is to work only from your smartphone. That will work for things like checking email and making presentations, but for writing, creating presentations or working with spreadsheets, that’s not a viable option.
A better option is to use a Windows to Go drive that will allow you to plug this USB device into any Windows-based computer or a Mac and use the computer only as a host. These bootable devices can be imaged with corporate applications and data, they store data only on the USB device leaving nothing on the host, and some are hardware-encrypted, providing a highly secure platform for storing data. Using a Windows to Go drive, a traveler could take with them an outdated Windows 7 or Windows 8 laptop that wouldn’t cause much angst if it was stolen, or they could borrow someone’s laptop at their destination.

There are a number of vendors that offer Windows to Go devices, including Kingston, Spyrus, Kanguru and Super*Talent. These devices offer a robust experience that is more or less indistinguishable from a native PC experience, they’re fairly inexpensive, and they are not likely to be the subject of a ban of the type discussed above. If you must have access to a laptop or tablet when traveling, Windows to Go drives should be an option you should evaluate sooner rather than later.