Download PDFFavro Publication Version PDF 

Cite as: Philip Favro, Donald Billings, David Horrigan & Adam Kuhn, The New Information Governance Playbook for Addressing Digital Age Threats, 23 Rich. J.L. & Tech. Ann. Survey (2017), http://jolt.richmond.edu/volume23_annualsurvey_favro/.

 

By: Philip Favro,* Donald Billings,** David Horrigan*** & Adam Kuhn****

 

[1]       The demand within organizations to manage the growth of electronic information has never been greater. Organizations across the spectrum of industry verticals are generally struggling to address the onslaught of data they both generate and receive. While there is nothing new to this trend, companies should be concerned about new threats arising from that data. From lax internal protocols and unsecured corporate networks to malicious insiders and cyber criminals, these threats—if left unchecked—could threaten the viability of the enterprise.

 

[2]       While some of these factors have posed challenges for years, they are particularly troubling at this time. Cyberattacks are on the rise. The Internet of Things, with its potential to generate revenue, continues to proliferate; as it does so, cybersecurity risks multiply exponentially.[1] Threats also originate internally as employees increasingly use consumer-grade cloud applications to engage in corporate espionage.[2]

 

[3]       Given the reality of these threats and others, organizations must take proactive steps to govern their information and prepare accordingly. While there is much that could be done to shore up electronic vulnerabilities, the best way to do so is through a holistic information governance strategy. Different from litigation readiness programs[3] of yesteryear that were primarily concerned with preparing for electronic discovery, organizations today need a new information governance playbook that deploys actionable procedures to prevent or mitigate harm from contemporaneous threats to valuable corporate data.[4]

 

[4]       For those organizations that are seeking understanding and guidance on these issues, the Coalition of Technology Resources for Lawyers (CTRL) has prepared this information governance playbook.[5] Developed so companies can better recognize and address the growing risks associated with digital age threats, the playbook should enable them to:

 

  • Learn how cyberattacks, the Internet of Things, and personal cloud use can endanger unsuspecting organizations;[6]
  • Develop actionable policies and enforcement mechanisms to protect against risks and strengthen vulnerabilities;[7]
  • Craft response plans and communication protocols that mitigate damages;[8] and
  • Understand the role that analytics can play in detecting cyber risks and enforcing internal protocols.[9]

 

I.    The Ubiquity of Cyberattacks in the Digital Age

 

[5]       The exponential growth of digital data has brought a corresponding increase in cyberattacks. Notorious incidents involving the Mossack Fonseca law firm in Panama,[10] Ashley Madison,[11] and Sony Pictures[12] have certainly grabbed the headlines.[13] Nevertheless, companies from various industries grapple daily with cyberattacks.[14]

 

[6]       Whether great or small, one of the principal issues arising from cyberattacks is the resulting expense to the organization associated with addressing breached data.[15] A recent study on the cost of data breaches found the average total cost of those breaches was between $3.79 and $4 million.[16] Viewed from the micro-level, the average cost of each stolen record reflecting sensitive information stands at $158, a 29 percent increase since 2013.[17] Those costs are felt acutely in highly regulated industries where the cost per breached record is substantially higher.[18]

 

[7]       An additional, complicating cost factor for organizations includes legal actions. From consumer civil lawsuits and class actions to regulatory enforcement proceedings, businesses often face staggering costs to remediate the harm flowing from breached data.[19]

 

[8]       For example, Yahoo! Inc. announced in September 2016 that it sustained a data breach two years earlier, which resulted in over 500 million records being compromised.[20] Within hours of the announcement, multiple lawsuits were filed, including a putative class action in California accusing Yahoo! of negligence both in allowing the data breach and in taking almost two years to detect it.[21] No doubt investigations will be initiated by government regulators; all of which could result in tens of millions of dollars in legal fees.[22] This does not include the costs to refurbish brand damage among consumers, a difficult task at best.[23]

 

A.    Gateways to Cyberattacks

 

[9]       With the massive costs that cyberattacks have levied on organizations, it is worth examining some of the corporate vulnerabilities that have led to those attacks. While cyber incidents originate from hackers and malicious insiders, weak corporate information governance programs are often the gateway to those attacks.[24] Indeed, most organizations are not prepared to address cyber threats with the policies, training, or technology needed to protect their corporate networks. A recent legal industry report confirmed as much when it found that:

 

  • Only slightly over half of the surveyed enterprises had established protocols “to govern identity and access management;”
  • 18 percent of the respondents had developed a data map; and
  • 19 percent of surveyed companies had cybersecurity insurance to fully cover damages resulting from a data breach.[25]

 

[10]     Despite being unaddressed, many of the gateways to cyberattacks are well known. E-mail, social networks, and text messages—ubiquitous on computers, smartphones, and tablets—have dominated the cyber breach headlines over the past few years.[26] However, other technologies are multiplying (though not replacing) traditional points of access for cyber criminals and insiders.[27] One innovation gaining increasing prominence is the growth of external messaging and collaboration software.[28] Like social networking applications, external messaging and collaboration tools provide employees with a more interactive communication platform than the less flexible feel of email or corporate messaging applications.[29]

 

[11]     One of the more popular messaging and collaboration tools is Slack.[30] Billed as a “messaging app for teams who are changing the world,”[31] Slack touts its multifaceted functionality of discussion “channels” for larger groups, “direct messages” for one-on-one exchanges, and “private channels” to communicate sensitive information.[32] Users have flocked to Slack, vaulting the company in three years from start-up status to a financial juggernaut valued at approximately $4 billion.[33]

 

[12]     Despite its popularity, the use of Slack may leave companies vulnerable to security lapses and cyberattacks. This is because Slack—like Asana, HipChat, and other collaboration tools—does not utilize traditional enterprise-grade technology that can be integrated into the corporate network.[34] Thus, while employees can use Slack from their company-issued laptops and smartphones, companies currently have limited ability to incorporate security measures to protect login credentials, user information, or corporate assets from further dissemination or attacks.[35]Hooks into consumer level storage options and open APIs into third party offerings are also among the various concerns troubling corporate security professionals over the use of cloud-based collaboration platforms.[36]

 

[13]     Although external collaboration apps present one set of cyber complexities for information governance efforts, there are other innovations that are equally problematic. The growth of the Internet of Things represents a distinct cyber challenge that only figures to increase in the coming years.

 

II.    The Internet of Things: A Growing Storm on the Horizon

 

[14]     Organizations face a wave of security related threats from the expected growth of the Internet of Things (IoT).[37] The IoT represents a unique category of data security problems that are distinct from other cybersecurity challenges. This is due to a confluence of factors including the nature of the IoT, its profit-making potential, and its growth in the coming years.

 

A.    The Nature of the IoT

 

[15]     The IoT is different from other cyber problems due to its interconnected and often heterogeneous nature. The essence of the IoT is that it encompasses a network of physical objects.[38] Those objects—commonly referred to as “things”—are embedded with electronics, software, sensors, and network connectivity. This enables these objects to collect and exchange data.[39]

 

[16]     The IoT ranges in size and stature. It affects objects on a micro-level, including traditional consumer goods such as refrigerators and ovens, together with home HVAC, outdoor watering, and security systems.[40] It also affects macro-level environments, including “smart city” initiatives such as those defined by the Smart City Application Ecosystem (SCALE).[41] As detailed below, the macro-level issues are of particular importance to enterprise cybersecurity initiatives.

 

B.    Profit and Growth

 

[17]     IoT functionality enables enterprises to derive substantial revenue from these connected devices.[42] Businesses currently generate more than $14 trillion of additional profits annually from IoT devices.[43] With “additional economic activity” surrounding the IoT, it is expected to hit $19 trillion within a decade, this market of opportunity is fueling tremendous IoT growth.[44] Indeed, five million new devices are predicted to be added to IoT networks each day in 2016.[45] By the end of 2016, these networks are projected to total approximately 6.4 billion devices.[46]

 

[18]     This growth is not limited to an insular group of organizations. 29 percent of companies from a broad range of industries have reported that they presently offer some form of connected consumer device.[47] An additional 14 percent of companies have announced plans to implement some form of the IoT in 2016.[48]

 

C.    Risks and Threats

 

[19]     As organizations increasingly rely on IoT devices, they should become aware of the risks and threats these devices present and develop comprehensive governance and risk mitigation strategies accordingly.[49] An essential, preliminary question is whether all IoT devices present the same level of risk.

 

[20]     To answer that inquiry, the potential risk of breach must be measured against the sophistication of the device. For example, smart consumer appliances such as toasters, each of which has a unique identification number (UID) and an Internet Protocol (IP) address, might easily be compromised.[50] This is due to their dependence on a combination of plug-and-play connectivity and relatively little security hardening.[51] However, a direct breach of a single consumer-facing device—even in the company break room—would likely present a relatively low risk.[52]

 

[21]     In contrast, more sophisticated devices such as smartphones and tablets, which have operating systems or messaging capabilities, present far greater threats to the enterprise.[53] That breaches will likely arise from such devices in the future is borne out by empirical data. For example, one recent study found that approximately 70 percent of IoT devices contained one or more significant vulnerabilities, with a combined total of more than 250 vulnerabilities (an average of 25 flaws per device).[54] In addition, “80 percent [of the devices analyzed] failed to require passwords of sufficient complexity” while 70 percent did not encrypt communications to the Internet and local network.[55] Still another “60 percent did not use encryption when downloading software updates.”[56]

 

[22]     Even though these issues are significant, there is one IoT risk of staggering importance: securing the macro aggregation of data.[57] With the increasing quantity of connected devices at the enterprise level, there is a significant risk that the immense volume of data being captured and stored from connected devices may be unintentionally exposing essential infrastructure devices within the IoT ecosystem to systemic failures.[58] This is due to the fusion of heterogeneous networks required for data aggregation and analysis.[59] If left unaddressed, a failure or vulnerability introduced within one service provider’s products could result in catastrophic failures across multiple organizations or industries.[60] This includes power grids, health care providers, building control systems, and national defense systems.[61]

 

[23]     All of this may have a ring of science fiction, but the risks of an IoT compromise are no longer fanciful. Indeed, “[t]he U.S. Department of Justice has formed a threat analysis team to study potential national security challenges posed by” connected devices, including terrorist threats or other exploitation by state actors.[62] Moreover, several notable hacks or breaches have already been attributed to flaws within IoT systems, including the following:

  • A massive attack on security cameras and digital video recorders that disabled French web hosting provider OVH and U.S. security researcher Brian Krebs by flooding their networks with webpage requests and other data.[63]
  • Malware was recently found on the transit network for the city of San Antonio, Texas. This transpired despite proactive efforts to implement enterprise-grade security on the network.[64]
  • An attack on Iranian nuclear facilities was the result of state-sponsored malware known as Stuxnet, which was designed to take-over control systems and meltdown critical centrifuge equipment.[65]
  • A vulnerability within Chrysler Jeep’s engine control and vehicle braking systems was shown to be accessible using an external cellular connection.[66]

[24] In summary, the risks and threats arising from the IoT are no longer theoretical in nature. Now is the time for organizations to begin taking proactive steps to address these issues.

 

III.    The Rising Threat from Personal Cloud Applications

 

[25]     Consumer-grade cloud applications represent a special case among digital age threats.[67] While personal clouds like Dropbox and Google Drive pose cyber-related risks, their problems are more far-reaching.[68] From information security and litigation readiness to information retention and eDiscovery, personal cloud use among employees implicates a range of troubles for organizations.[69] The threats from personal cloud use toward corporate trade secrets are particularly acute given the inherent aspects that make this technology so attractive: cheap and unlimited storage, simplified transfers, and increased collaboration.[70]

 

[26]     Despite these problems, organizations have yet to address the proliferation of shadow cloud use among their employees.[71] Equally troubling, some organizations have implemented “bring your own cloud” (BYOC) policies that officially sanction the use of personal clouds in the workplace without sufficient oversight.[72] Unless addressed through an effective information governance program, either scenario could prove disastrous for the enterprise.

 

A.    Shadow Use of Personal Clouds

 

[27]     Whether done in violation or in the absence of an express company policy, there is no doubt that employees are using personal clouds in the workplace.[73] While some employees do so in good faith to facilitate their work, others use clouds clandestinely to sabotage the organization or to help a current employer gain a competitive advantage over their former company.[74] Various decisions exemplify the problems with “shadow” or stealth use of personal clouds across the range of corporate employees.[75]

 

[28]     For example, in Toyota Industrial v. Land, a managerial level employee (Land) used his Google Drive account to remove hundreds of critical documents from his employer (Toyota) before going to work for a competitor.[76] On the eve of his departure from Toyota, Land placed approximately 800 files and folders on Google Drive–including technical specifications reflecting the proprietary design of certain industrial equipment, along with related pricing and financial information.[77] Land’s removal and retention of Toyota’s proprietary information after his departure from the company—in violation of his non-disclosure agreement—resulted in a court injunction that prevented Land from working for Toyota’s competitor.[78]

 

[29]     A similarly instructive case is RLI Insurance v. Banks.[79] In RLI, the employee (Banks) used a Norwegian cloud provider (Jottacloud)[80] to upload “757 customer claim files and other files containing proprietary information” belonging to her employer (RLI).[81] Banks initially tried to obtain the files through Dropbox, but she was denied access by a web filtering software that blocked Dropbox and other commonly used applications.[82] Undeterred, Banks researched “Dropbox alternatives” that could evade RLI’s filtering protocol, opened a Jottacloud account, and used that service to remove proprietary RLI data in violation of her employment agreement.[83] RLI eventually discovered Banks’ malfeasance, but only after offering her a severance package subsequent to her dismissal from the company.[84]

 

[30]     Company executives are also guilty of using personal clouds for nefarious purposes.[85] In Frisco Medical Center v. Bledsoe, the chief operating officer (Bledsoe) for a Texas hospital (Frisco) used Dropbox to take several classes of proprietary and patient information before leaving Frisco for a new position elsewhere. [86] Frisco did not suspect that Bledsoe had furtively removed proprietary information in violation of her employment agreements until she revealed in an exit interview that “she knew where too many bodies were buried.”[87] It was only then that Frisco began investigating Bledsoe’s computer usage, discovered the use of Dropbox, and determined the extent of the information she had taken from the hospital.[88]

 

B.    Corporate Approved BYOC Accounts

 

[31]     In contrast to shadow cloud use, some organizations have established a BYOC environment that welcomes employee use of cloud applications.[89] Whether by policy or by practice, corporate IT departments have approved the use of consumer clouds by expressly enabling their functionality.[90]

 

[32]     Nevertheless, that is often the extent of corporate oversight.[91] Beyond requiring a signature on a perfunctory non-disclosure agreement, little effort is made to prevent employees from transferring confidential information from company servers to a personal cloud.[92] Such corporate inaction can be challenging on multiple levels, particularly when an employee leaves the company with proprietary materials and begins working for a competitor.[93]

 

[33]     Just such a scenario transpired in Selectica v. Novatus.[94] A former employee (Holt) offered to share Selectica’s customer and pricing information with his new employer (Novatus), which he previously uploaded to Box before leaving Selectica.[95] The Box account was not a stealth cloud drive concealed from Selectica.[96] Instead, Selectica expressly authorized Holt to store that data with Box under a BYOC arrangement:

While employed by Selectica, [Holt] had a company laptop computer, which, on Selectica’s recommendation, was configured so that it automatically synced to his personal cloud storage account at Box.com. This meant that when Holt saved a file to the laptop, the system pushed a copy to his Box account.[97]

[34]     Despite having enabled the BYOC arrangement with Holt, Selectica apparently neglected to disable the Box account or remove any proprietary materials upon Holt’s departure.[98] As a result, Holt had full access to the pricing information when he joined Novatus.[99]

 

C.    Analysis of Cloud Jurisprudence

 

[35]     The above referenced cases involve corporate theft that likely could have been obviated had the organizations taken safeguards to prevent, detect, or monitor employee cloud use. Most of the enterprises relied on little more than non-disclosure and other employment agreements to protect their proprietary information.[100] While those agreements enabled the employers to obtain court victories against the cloud-wielding tortfeasors, they did nothing to stop perpetrating employees from misappropriating company trade secrets.[101] This could have resulted in the disclosure of sensitive information to industry competitors. [102]

 

[36]     With respect to shadow cloud use, none of the employers appears to have established a process to detect stealth cloud applications.[103] The only employer that apparently took anything close to a preventative step was RLI, which deployed the use of a blocking program to prevent personal cloud use.[104] However, even that step proved inadequate since the employee easily circumvented the software filter.[105]

 

[37]     In the BYOC context, Selectica took no action to protect its corporate information interests stored in Holt’s Box account.[106] Selectica did not seek the account’s login credentials, did not monitor Holt’s use of the account, did not disable the account when Holt left the company, nor confirmed that Holt destroyed all company information stored in the account.[107] Any one of these steps—and certainly a combination of them—could have prevented the disclosure of sensitive information to an industry competitor.[108]

 

[38]     All of these amply demonstrate that organizations should take action to reduce the risks from personal clouds, regardless of whether the cloud use is shadow or approved.

 

IV.    Steps to Combating Threats and Mitigating Harm

 

[39]     Despite the complexities that these threats present to organizations, now and in the future, they are not insurmountable difficulties. Enterprises can generally ameliorate these problems through a proactive, common sense approach to information governance. In this Part, we discuss some of the key aspects of a governance program that can help address the challenges from cyberattacks, the IoT, and personal cloud applications.

 

A.    Manufacturing Advances in Security and Analytics

 

[40]     Organizational cybersecurity plans stand to benefit from manufacturing advances that are incorporating security measures into the design of technology.[109] This is particularly the case with IoT devices.[110] For example, some manufacturers are now replacing direct device access with indirect access architecture.[111] Others are exploring the use of master-slave models for IoT deployments, restricting updates on the slave device via a secure, cloud-based master system.[112]

 

[41]     While these innovations are useful, they are exceeded by the functionality that analytics now offer for IoT security.[113] This includes built-in monitoring designed to notify users of any unexpected changes to the instrument’s core software or permission levels.[114] Applicable to both enterprise and consumer threats, the technology captures device activity level.[115] When such activity is aggregated with the metadata from other users in an ecosystem, it enables a more thorough examination and real-time patching of connected devices as threats are uncovered.[116]

 

[42]     For example, certain technology can detect suspicious activity, such as an attempt to access a user’s internal computer camera.[117] Once identified, the device blocks the inbound traffic and alerts the user through a smartphone app.[118] If the activity is authorized, the user can simply select the “unblock” option to allow the connection.[119]

 

[43]     Beyond these manufacturing advances, the growing concern around IoT security is fueling the expansion of data security companies that focus on monitoring and protecting data through the coupling of analytics and IoT Big Data sets.[120] Unlike more traditional technologies such as anti-virus software, these tools combine analytics and machine learning to identify and neutralize threats in real-time by pinpointing data anomalies within the metadata generated from the known universe of connected devices.[121]

 

B.    Data Mapping for Digital Age Threats

 

[44]     With the benefit of these manufacturing advances, organizations should begin taking steps to reduce digital age risks.[122] As an initial matter, the enterprise must understand what data it generates, receives, and stores.[123] To that end, organizations should regularly scan for all network-connected devices and clouds, identify what they are, and how they interact with the network and beyond.[124]

 

[45]     As new connections are identified, their functions and capabilities must be documented and, to the extent possible, secured or disabled.[125] Such a step is essential for controlling ingress and egress to proprietary information—precisely the data endangered by personal cloud applications.[126] A current and accurate data map will enable organizations to better accomplish these objectives and reasonably account for proprietary records.[127]

 

[46]     Another critical step is to ensure that default usernames and passwords are changed immediately and that UPnP services are disabled whenever possible.[128] If administrative functions on any given device are limited, applying an appropriate firewall can add at least one layer of protection.[129] Finally, proactive monitoring can help track system integrity while providing real-time analysis of suspicious activity.[130]

 

[47]     In addition, any plan should include security profiles aimed at determining the following:

  • What are the connectivity and access control features built into my devices?
  • If infiltrated and compromised, does the device allow access to other systems within the organization?
  • Does the device contain built-in security, and if so, how robust?
  • Does the device run on an operating system or configuration settings that might be exploited by malware?
  • What is the projected lifecycle of the connected product or device?
  • Should the organization engage outside consultants for targeted penetration testing and vulnerability assessments of devices, especially IoT devices?[131]

 

[48]     Many organizations may feel overwhelmed by the governance complexity surrounding these threats. Nevertheless, they must be in a position to perform adequate risk and threat evaluations that weigh the assumed benefits of using connected devices against the anticipated costs or potential loss of reputation that might accompany a failure or breach.[132] Formal policies related to IoT technologies should be designed in a way that ensures physical security measures and written policies are actively enforced and updated on a regular basis.[133]

 

[49]     The National Institute of Standards and Technology (NIST) provides some guidance concerning IoT security.[134] In NIST Special Publication 800-64 Revision 2 titled “Security Considerations in the Systems Development Life Cycle,” the organization recommends developing what is commonly known as the master Concept of Operations or CONOPs document.[135] Unlike a traditional data map, this flexible governance tool provides IoT stakeholders with a roadmap for installation, integration, and on-going auditing.[136] When used in conjunction with an advanced data map, the two documents provide a comprehensive blueprint to an organization’s IoT and cybersecurity systems.

 

[50]     Many organizations will likely recognize confidentiality and integrity as two of the three legs that comprise this security principle known as the CIA triad, a model designed to guide policies for information security within an organization.[137] When drafting the master CONOPs documentation, enterprises must address a unique collection of CIA challenges presented by IoT devices.[138] This includes ensuring that personally identifiable information remains segregated from device transmitters or logical objects that may leak data fragments from devices associated with unique identifiers.[139] While relatively innocuous on its own, the aggregated data could reveal sensitive information when combined, analyzed, and recompiled.[140] At a minimum, an organization’s CONOPs documentation should capture the following:

 

Confidentiality and Integrity

  • How will IoT devices be provisioned?
  • Is there a method for addressing data segmentation in place?
  • Does the organization have policies in place to address inadvertent data leaks or breaches?
  • What cryptographic tools can the organization apply and how will those resources be managed?
  • Are backup or hot swappable options available in the event of an outage or breach?[141]

 

Monitoring, Testing, Reporting, and Compliance

  • What mechanisms does the organization have in place for security monitoring?
  • What information should the systems mine from IoT logs and how is that information analyzed?
  • Is data captured and transmitted subject to compliance requirements?
  • Are big data analytics tools available to help streamline security monitoring?[142]

 

Authentication and Access Control

  • Can the system be integrated into existing enterprise authentication systems?
  • Are access controls sufficient to protect against unauthorized access or modification?
  • Can the organization place role-based access restrictions on IoT devices and transmitters?
  • Have security roles been provisioned and defined?
  • Can access controls be applied on a per device or per datatype basis?[143]

 

Incident Response

  • Define and assign incident response.
  • Mapping of business functions to new IoT systems.
  • Identify the potential impact of compromised IoT systems.
  • Create a comprehensive disclosure and alert policy.[144]

 

Documentation, Operations, and Destruction

  • Define the need for additional security documentation.
  • Create a system maintenance and management plan.
  • Create documentation for tracking the IoT product lifecycle.
  • Define additional training or certifications for support teams.
  • Formalize decommissioning and destruction protocols for IoT devices.[145]

 

C.    Developing Retention Policies

 

[51]     With a data map in place, organizations can then proceed to develop protocols that reasonably ensure the protection of corporate data.[146] This should include how information is stored and maintained among either various devices in the enterprise or with hosted service providers.[147] This is significant for both cybersecurity and litigation purposes, as all relevant data within the enterprise could be discoverable and subject to preservation duties.[148] That reality should justify the development of processes and policies around data retention and deletion.[149] As evidenced by the Sony hack, this is particularly the case for nonessential, obsolete, or superfluous information, which should be purged after a reasonable period.[150]

 

[52]     Although the implementation of procedures and policies can serve to reduce potential risk, it might in some instances provide a false sense of security.[151] Enforcement through audit or other metrics can help ensure that rules developed around access control, deletion, herding, and encryption are actually practiced in a manner that minimizes loss resulting from malicious or inadvertent breaches.[152] More importantly, active enforcement of information governance policies can help investigators respond more efficiently to attacks, allowing them to quickly close security gaps to prevent secondary attacks.[153] By formally assessing and addressing risks in this fashion, organizations will be better prepared to meet these threats in an increasingly interconnected world.

 

D.    Use Policies Governing Personal Clouds

 

[53]     Beyond information retention, organizations ought to develop policies that address employee use of personal cloud applications.[154] Those policies should delineate whether personal clouds will be permitted and if so, what constitutes an authorized BYOC account.[155] Irrespective of whether an enterprise chooses to ban the use of personal clouds or to adopt a BYOC environment, the policy should include audit and enforcement mechanisms to gauge observance.[156] At a minimum, those mechanisms ought to include the right to monitor, access, and disable employee clouds.[157] Related procedures will also be required for those organizations that proscribe BYOC use since employees will likely circumvent such a policy.[158] For example, blocking programs like the one used in RLI, while no guarantee, are a practicable first step to preventing some personal cloud use.[159]

 

[54]     In a BYOC ecosystem, policies should describe what company data can or cannot be transferred to the cloud.[160] In addition, organizations should require the disclosure of user login credentials for approved cloud applications to better ensure policy compliance.[161] Upon an employee’s termination, approved BYOC accounts should be disabled or the company should verify that corporate data previously maintained in the account has been returned or destroyed.[162]

 

[55]     In like manner, non-BYOC organizations should examine terminated employees’ computer activity and corporate devices to detect whether there was illicit use of personal clouds.[163] If a comprehensive sweep is cost prohibitive, organizations should consider conducting a review of those employees who most likely have access to sensitive corporate information.[164] Such a step would likely have obviated much of the litigation that ensued in Toyota Industrial, RLI, Frisco Medical, and Selectica.[165]

 

E.    Assess and Secure Collaboration Tools

 

[56]     As with other cloud-based tools, evaluating and securing third party collaboration and project management tools should be part of any formal governance strategy.[166] When evaluating options, organizations assess security features and vulnerabilities and develop policies around these tools to strike the proper balance between security and accessibility.[167] As with BYOC policies, organizations should specify how such tools are used, expressly determine the classification level of data shared within collaboration tools, and whether retention polices should be applied to the organization’s collaboration systems.

 

F.    Incident Response

 

[57]     A final aspect of the new information governance playbook is the need to design an incident response plan for mitigating harm from digital age threats.[168] Essential for addressing cybersecurity challenges, such a plan should include various steps to understand and respond to an attack or breach.[169]

 

[58]     The first step is to have a crisis communications protocol in place.[170] This should include having a dark website ready to be activated with little notice in the event of a cyber incident.[171] Dark sites are essentially corporate sponsored websites, pages, or feeds dedicated to providing information on the crisis at hand.[172] They offer a means to inform or educate viewers regarding the nature of the crisis and the organization’s response.[173] They also provide a gateway to customers that might otherwise be unavailable following a large breach or related failures.[174] In an era of when a brand crisis can become a Twitter hashtag within minutes, the organization should be prepared to broadcast its own voice on the issues.[175]

 

[59]     Having counsel ready to address cyber fallout is another fundamental aspect of incident response.[176] Whether outside the company or part of its in-house legal team, knowledgeable counsel should be aware of pertinent laws and regulations relating to the issues and assist in the company’s remediation efforts.[177] This includes competently interfacing with government investigators while simultaneously protecting corporate interests in litigation.[178] In order to accomplish these objectives, counsel should work jointly with the corporate information security team to understand how the attack happened, what was done in response, and what was lost or exposed.[179]

 

[60]     Any incident response plan should also include a public relations team to interact with the media.[180] This is a particularly important step with the changing nature of journalism. Given the impact of the 24-hour news cycle and social networking applications, organizations should have personnel designated to communicate with a unified voice regarding the issues.[181] One-off disclosures from operations-level employees, together with other unauthorized revelations, should be avoided and met with appropriate disciplinary measures.[182]

 

V.    Conclusion

 

[61]     Advances in technology march on. To keep cadence, organizations must stay current with digital age threats. While there is no elixir to completely eliminate these threats, enterprises can develop a holistic information governance plan to address the issues. By staying abreast of the issues, assessing known organizational risks, implementing reasonable procedures to defend against commonplace attacks, and preparing breach mitigation strategies, companies should be reasonably prepared to address these threats, both now and in the future.

 

 

 

 

* Consultant, Discovery and Information Governance, Driven, Inc.; Director of Legal Education, Coalition of Technology Resources for Lawyers; J.D., Santa Clara University School of Law, 1999; B.A., Political Science, Brigham Young University, 1994.

 

** Manager of Litigation & Practice Support, Sidley Austin; Post Graduate Diploma, Data Science, University of Liverpool, 2017; Walden University, D.B.A. (Doctorate), Technology Entrepreneurship, 2017(c); Walden University, M.Sc., Leading Innovation & Technology, 2013; Villanova University, GradCert, IS Security & Project Management, 2011; Tulane University, GradCert, Management, 2003; Touro College, BSCS, Computer Science – Software Engineering.

 

*** e-Discovery Counsel and Legal Content Director, kCura; J.D., University of Florida Levin College of Law, 2001; Certificate in International Law, Universiteit Leiden, The Netherlands, 1998; B.S., University of Houston, 1987.

 

**** Discovery Attorney, OpenText; Sr. Research Fellow, McCarthy Institute for IP and Technology Law; J.D. and M.B.A., University of San Francisco, 2013; B.A., English Literature, New York University, 2009.

 

[1] See Omner Barajas, How the Internet of Things (IoT) Is Changing the Cybersecurity Landscape, SecurityIntelligence (IBM) (Sept.17, 2014), https://securityintelligence.com/how-the-internet-of-things-iot-is-changing-the-cybersecurity-landscape/, https://perma.cc/TEJ9-B6QP.

 

[2] See Philip Favro, Protecting Corporate Trade Secrets in the Age of Personal Clouds, Driven (Aug. 10, 2016), http://www.driven-inc.com/protecting-corporate-trade-secrets-in-the-age-of-personal-clouds/, https://perma.cc/9LRC-993G.

 

[3] See generally Michael T. McGinley, Practice Tips for Mitigating Data-Breach Risk and Liability, ABA J. (Apr. 2, 2014), http://apps.americanbar.org/litigation/committees/criminal/articles/spring2014-0414-practice-tips-mitigating-data-breach-risk-liability.html, https://perma.cc/4K2R-MVC2 (providing an example of a litigation readiness program from 2014, which focuses on electronic discovery).

 

[4] See, e.g., Paz Eshel et. al., Why Breach Detection Is Your Must-Have, Cyber Security Tool, TechCrunch (Sept. 6, 2014), https://techcrunch.com/2014/09/06/why-breach-detection-ss-your-new-must-have-cyber-security-tool/, https://perma.cc/6HVL-8TSM.

[5] See Resources, Coalition of Tech. Resources for Lawyers (Jul. 22, 2014), http://ctrlinitiative.com/home/resources/, https://perma.cc/5QB6-M6LD.

 

[6] See Julia Franz, October’s Cyberattack Used the ‘Internet of Things’ to Attack the Internet Itself. Here’s Why it Could Happen Again, Public Radio International (Nov. 13, 2016), https://www.pri.org/stories/2016-11-13/october-s-cyberattack-used-internet-things-attack-internet-itself-here-s-why-it, https://perma.cc/7QQS-8D9R.

[7] See Frank Sorrentino, Cyber Attacks: 5 Ways Small Businesses Can Protect Themselves, Forbes (Oct. 26, 2015, 11:15 AM), http://www.forbes.com/sites/franksorrentino/2015/10/26/cyber-attacks-5-ways-small-businesses-can-protect-themselves/#72a2b9282ae2, https://perma.cc/QLN2-9QF3.

[8] See id.

 

[9] See id.

 

[10] See Nick Cumming-Bruce & Eric Lipton, Employee of Panama Papers Law Firm, Mossack Fonseca, Is Arrested in Switzerland, N.Y. Times (June 15, 2016), http://www.nytimes.com/2016/06/16/world/europe/employee-of-panama-papers-law-firm-mossack-fonseca-is-arrested-in-switzerland.html?_r=0, https://perma.cc/9H43-JPMA.

 

[11] See Claire Reilly, You blew it, Ashley Madison: Dating site slammed for security ‘shortcomings’, CNET (Aug. 23, 2016, 6:47 PM), https://www.cnet.com/news/canada-australia-privacy-report-ashley-madison-avid-life-media-hack/, https://perma.cc/PZ57-KPYH (last visited Mar. 31, 2017).

 

[12] See Philip Favro, The Sony hack signals the need for information governance, Inside Counsel (Jan. 22, 2015), http://www.insidecounsel.com/2015/01/22/the-sony-hack-signals-the-need-for-information-gov, https://perma.cc/S4J3-DXCK (last visited Mar. 31, 2017).

 

[13] According to the non-profit Identity Theft Resource Center (ITRC), there were 980 data breaches in the United States, exposing 35,233,317 records, in 2016. This represents the highest number of data breaches since ITRC started tracking in 2005. See 2016 Breach List, Identity Theft Resource Ctr., at 1 (Dec. 13, 2016), http://www.idtheftcenter.org/images/breach/ITRCBreachReport_2016.pdf, https://perma.cc/P27Q-UCYJ (including reported data breaches in the United States from Jan. 1, 2016 through Nov. 26, 2016); see Identity Theft Resource Center Breach Report Hits Near Record High in 2015, Identity Theft Resource Ctr. (Jan. 25, 2016), http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html, https://perma.cc/JG9H-NWWQ (reporting 781 breaches in 2015, the second-highest since the ITRC began tracking in 2005); see Identity Theft Resource Center Breach Report Hits Record High in 2014, Identity Theft Resource Ctr. (Jan. 12, 2015), http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html, https://perma.cc/B4XS- (reporting 783 breaches in 2014, the highest since the ITRC began tracking in 2005).

 

[14] The general business sector accounted for about 40 percent of the data breaches last year. The health/medical sector was second with 35.5 percent, the banking/credit/financial sector accounted for 9.1 percent, government/military was fourth with 8.1 percent, and education was fifth with 7.4 percent of the data breaches in the United States in 2015. See Identity Theft Resource Center, Identity Theft Resource Center Breach Report Hits Near Record High in 2015, Identity Theft Resource Center (Jan. 25, 2016), http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html, https://perma.cc/MGW9-ZAB3.

 

[15] See Neil Amato, The Hidden Costs of a Data Breach, J. Accountancy (July 25, 2016), http://www.journalofaccountancy.com/news/2016/jul/hidden-costs-of-data-breach-201614870.html, https://perma.cc/D69Q-8BT9 (last visited Mar. 31, 2017).

 

[16] See Ponemon Institute LLC, 2016 Cost of Data Breach Study: Global Analysis, at 1 (2016), https://www-03.ibm.com/security/data-breach/, https://perma.cc/LF3Y-UM4F (last visited Mar. 31, 2017). The June 2016 study surveyed 383 companies across various countries including Australia, Brazil, Canada, France, Germany, India, Italy, Japan, Saudi Arabia, South Africa, the United Arab Emirates, the United States, and the United Kingdom.

 

[17] See id. at 1–2.

 

[18] See id. at 10 (observing that the costs per record in the healthcare vertical were $355 while the cost figure for the financial services industry was $221).

 

[19] See Marcus A. Christian et al., Cybersecurity in An Insecure World 3, 2016 ABA Litig. Sec. Annual Conference, http://www.americanbar.org/content/dam/aba/administrative/litigation/materials/2016_sac/written_materials/1_cybersecurity_in_an_insecure_world.authcheckdam.pdf, https://perma.cc/Z8EX-VALZ (last visited Mar. 31, 2017).

 

[20] See Nicole Perlroth, Yahoo Says Hackers Stole Data on 500 Million Users in 2014, N.Y. Times (Sept. 22, 2016), https://www.nytimes.com/2016/09/23/technology/yahoo-hackers.html?_r=0, https://perma.cc/2HSR-9AYJ.

 

[21] See Complaint at ¶¶ 5–7, Schwartz v. Yahoo!, Inc., No. 5:16-cv-05456, 2016 WL 5404081 (N.D. Cal. Sept. 23, 2016) (5:16-cv-05456).

 

[22] Of course, the Yahoo! breach isn’t the only one resulting in civil litigation. The breaches at Anthem, LinkedIn, Target, and others have resulted in class action lawsuits and government investigations. See, e.g., In re Anthem Data Breach Litig., 162 F. Supp. 3d 953, 966–67 (N.D. Cal. 2016) (discussing the Anthem cyber-security attacks of 2015 and ensuing litigation); In re LinkedIn User Privacy Litig., 309 F.R.D. 573, 580 (N.D. Cal. 2015) (discussing the LinkedIn cyber-security attack of 2012 and ensuing litigation); In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1157 (D. Minn. 2014) (discussing the Target cyber-security attacks of 2013 and ensuing litigation).

[23] See James Patto et al., When IT hurts, It Hurts: Cyber Attacks, Negative Brand Perception and Reputational Damage, Lexology TMT & IP Blog (Mar. 8, 2016), http://www.lexology.com/library/detail.aspx?g=f5ce2b86-3957-484c-8849-b0895bfe7549, https://perma.cc/VG9F-RWLB.

 

[24] See Nate Lord, Data Security Experts Reveal the Biggest Mistakes Companies Make with Data & Information Security, Digital Guardian: Data Insider Blog, https://digitalguardian.com/blog/data-security-experts-reveal-biggest-mistakes-companies-make-data-information-security, https://perma.cc/7DTL-T9WD (last visited Mar. 31, 2017) (last updated Jan. 27, 2017).

[25] Daniel McKenna et al., ACC Foundation Releases Largest Study of its Kind on Cybersecurity Among In-House Counsel Study Underwritten by Ballard Spahr, BallardSpahr (Dec. 9, 2015), http://www.ballardspahr.com/alertspublications/legalalerts/2015-12-09-acc-ballard-spahr-cybersecurity-report.aspx, https://perma.cc/822F-T9RB (surveying approximately 1,000 corporate attorneys from 887 organizations around the world).

 

[26] See, e.g., Paul M. Barrett, Forget the Gossip, These are the Lessons of the Sony Hack, Bloomberg (Dec. 16, 2014, 12:54 PM), http://www.bloomberg.com/news/articles/2014-12-16/forget-the-gossip-these-are-the-lessons-of-the-sony-hack-i3rklun7, https://perma.cc/2DZV-YRZX (discussing Sony’s cyber hack and the hacks of other major companies from 2013 to 2014).

 

[27] See Eric Basu, Cybersecurity Lessons Learned From the Ashley Madison Hack, Forbes (Oct. 26, 2015, 11:55 AM), http://www.forbes.com/sites/ericbasu/2015/10/26/cybersecurity-lessons-learned-from-the-ashley-madison-hack/#75166e62ed99, https://perma.cc/S5H2-UTWU.

 

[28] See David M. Upton & Sadie Creese, The Danger from Within, Harv. Bus. Rev. (Sept. 2014), https://hbr.org/2014/09/the-danger-from-within, https://perma.cc/VLC3-N3Y5.

 

[29] See Ellis Hamburger, Slack is Killing Email, The Verge (Aug. 12, 2014, 11:00 AM), http://www.theverge.com/2014/8/12/5991005/slack-is-killing-email-yes-really, https://perma.cc/QPB7-YWV7.

 

[30] See Slack, https://slack.com, https://perma.cc/5SBN-LP5H (last visited Mar. 31, 2017).

 

[31] Id.

[32] Slack, About Channels and Direct Messages, Slack, https://get.slack.help/hc/en-us/articles/201925108-About-channels-and-direct-messages, https://perma.cc/4KVN-EJJR (last visited Mar. 31, 2017).

[33] See Eugene Kim, Slack Just Raised Another $200 Million Round, and It’s Now Worth $3.8 billion, Bus. Insider (Apr. 1, 2016, 12:08 PM), http://www.businessinsider.com/slack-just-raised-another-200-million-round-and-its-now-worth-38-billion-2016-4, https://perma.cc/BBU9-QF5U.

[34] See Haje Jan Kamps, ClearChat Picks a Heavily-Encrypted Fight with Slack, TechCrunch (Apr. 5, 2016), https://techcrunch.com/2016/04/05/clearchat-rapelcgrq-zrffntvat-sbe-grnzf/, https://perma.cc/RJZ9-KNSF.

 

[35] See Avi Turiel, Lessons Learned from the Slack & Hipchat Breaches, Cyren Blog (July 8, 2015), https://blog.cyren.com/articles/lessons-learned-from-the-slack-hipchat-breaches.html, https://perma.cc/R6KS-PJF2.

 

[36] See Graham Cluley, Slack Security Practices Could Lead to Hackers Eavesdropping on Corporate Internal Chat Systems, Tripwire (Apr. 29, 2016), http://www.tripwire.com/state-of-security/featured/slack-security-practices-lead-hackers/ https://perma.cc/9Z4X-VGKV.

 

[37] See IoT security: smart business requires smarter Internet of Things security, i-Scoop, https://www.i-scoop.eu/internet-of-things/internet-of-things-security-iot/, https://perma.cc/K8Z9-HKFL (last visited Mar. 26, 2017).

 

[38] See Antigone Peyton, A Litigator’s Guide to the Internet of Things, 22 Rich. J. L. & Tech. 9, 9 (2016).

 

[39] See Internet of Things Global Standards Initiative, Int’l Telecommunication Union, http://www.itu.int/en/ITU-T/gsi/iot/Pages/default.aspx, https://perma.cc/3SFR-QJJ4 (last visited Mar. 31, 2017).

 

[40] See Amit Sheth, Internet of Things to Smart IoT Through Semantic, Cognitive, and Perceptual Computing, 31 IEEE Intelligent Sys. 108, 108 (2016).

 

[41] Johannes M. Schleicher et al., Enabling a Smart City Application Ecosystem: Requirements and Architectural Aspects, 20 IEEE Internet Computing 58, 58, 60 (2016).

 

[42] See Sherif Abdelwahab et al., Enabling Smart Cloud Services Through Remote Sensing: An Internet of Everything Enabler, 1 IEEE Internet of Things J. 276, 276 (2014).

 

[43] See id.

 

[44] See Julie Bort, Cisco’s John Chambers Has Found a New $14 Trillion Market, Bus. Insider (May 29, 2013), http://www.businessinsider.com/ciscos-john-chambers-has-found-a-new-14-trillion-market-2013-5, https://perma.cc/69XF-ENBP.

[45] See Patrick Nelson, IoT Industry Will Explode in 2016, Gartner Says, NetworkWorld (Nov. 24, 2015), http://www.networkworld.com/article/3008228/internet-of-things/iot-industry-will-explode-in-2016-gartner-says.html, https://perma.cc/QXD5-YZWE.

 

[46] See Press Release, Gartner, Gartner Says 6.4 Billion Connected “Things” Will Be in Use in 2016, Up 30 Percent from 2015 (Nov. 10, 2015), https://www.gartner.com/newsroom/id/3165317, https://perma.cc/R9N6-SVMF.

 

[47] See Press Release, Gartner Survey Shows That 43 Percent of Organizations Are Using or Plan to Implement the Internet of Things in 2016, Gartner (Mar. 3, 2016), http://www.gartner.com/newsroom/id/3236718, https://perma.cc/6DY5-5Q4H.

[48] See id.

 

[49] See Wojciech Cellary & Jarogniew Rykowski, Challenges of Smart Industries – Privacy and Payment in Visible Versus Unseen Internet, Gov’t Info. Q. 1, 2 (Sept. 2015), http://www.sciencedirect.com/science/article/pii/S0740624X15300058, https://perma.cc/HPJ6-NR7R (discussing a 2013 survey conducted by ISACA (formerly the Information Systems Audit and Control Association), which found that up to 91 percent of respondents expressed concerns about the information collected by Internet-connected devices).

 

[50] See generally Elise Hu, What Do You Do If Your Refrigerator Begins Sending Malicious Emails?, NPR (Jan. 16, 2014), http://www.npr.org/sections/alltechconsidered/2014/01/16/263111193/refrigerator-hacked-reveals-internet-of-things-security-gaps, https://perma.cc/K4D5-62KZ (discussing the security of Internet connected appliances).

[51] Vijayaraghavan Varadharajan & Shruti Bansal, Data Security and Privacy in the Internet of Things (IoT) Environment, in Connectivity Frameworks for Smart Devices: The Internet of Things from a Distributed Computing Perspective 267 (Zaigham Mahmood ed., 2016), http://link.springer.com/chapter/10.1007/978-3-319-33124-9_11, https://perma.cc/67NB-AVA2.

 

[52] See Samuel Greengard, The Internet of Things 159–60 (MIT Press ed., 2d ed.) (2015). The typical home now contains nearly 75 electrical outlets. When accounting for both hard-wired devices and items consumers plug in only periodically, a household may have as many as 200 to 300 devices connected to sockets, with an ever increasing number of these devices offering some sort of smart interactivity.

 

[53] See id.

[54] See Daniel Miessler, HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack, Hewlett Packard Enterprise Blog (July 29, 2014), https://community.hpe.com/t5/Protect-Your-Assets/HP-Study-Reveals-70-Percent-of-Internet-of-Things-Devices/ba-p/6556284#.WM1jV7GZPBL, https://perma.cc/H96Z-4JU7.

 

[55] Internet of Things Research Study, Hewlett Packard, (2014), https://www.hpe.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf, https://perma.cc/ZAC9-2WCS.

 

[56] Id.

 

[57] See Catherine Andrews et al., The Internet of Things: What the IoT Means for the Public Sector, GovLoop (July 24, 2015), at 13, http://www.isaca.org/Groups/Professional-English/cybersecurity/GroupDocuments/IoT%20in%20the%20Public%20Sector.pdf, https://perma.cc/32GZ-FM8M.

[58] See Sheth, supra n. 40 at 108–09 (describing how a myriad of devices ranging from “heavy assets” such as aircraft engines to more mundane enterprise systems generate massive amounts of data that can later be utilized in the form of aggregated analytics designed to improve performance over time; however, these data sources could be compromised, resulting in massive service or application outages).

[59] Shancang Li et. al, The Internet Of Things: A Security Point Of View, 26 Internet Research 337, 344 (2016).

 

[60] See Daeil Kwon et al., IoT-Based Prognostics and Systems Health Management for Industrial Applications, 4 IEEE Access 3659, 3663–65 (2016).

 

[61] See Chandrayee Basu et al., Sensor-Based Predictive Modeling for Smart Lighting in Grid-Integrated Buildings, 14 IEEE Sensors J. 4216, 4216 (2014).

 

[62] Dustin Volz, Justice Dept. group studying national security threats of internet-linked devices, Reuters (Sept. 9, 2016, 1:25 PM), http://www.reuters.com/article/us-usa-cyber-justice-idUSKCN11F2FP, https://perma.cc/5NMG-68Q5.

[63] See Drew Fitzgerald, Hackers Infect Army of Cameras, DVRs for Massive Internet Attacks, Wall St. J. (Sept. 30, 2016, 3:11 PM), http://www.wsj.com/articles/hackers-infect-army-of-cameras-dvrs-for-massive-internet-attacks-1475179428, https://perma.cc/9F39-CG49 (describing how hackers also leveraged hijacked internet-connected things such as cameras, lightbulbs, and thermostats to attack a top security blogger, whose site was temporarily disabled after the attack overwhelmed the blogger’s resources); see also Tim Greene, Largest DDoS attack ever delivered by botnet of hijacked IoT devices, Network World (Sept. 23, 2016, 10:53 AM), http://www.networkworld.com/article/3123672/security/largest-ddos-attack-ever-delivered-by-botnet-of-hijacked-iot-devices.html, https://perma.cc/YP2V-F88C (noting how security blogger Brian Krebs’ account with Akamai was canceled because defending the site against the DDoS attack was too costly).

 

[64] See Public Transportation Case Study: Mass Transit Agency Hunts Down Cybersecurity Threats with Infocyte, Infocyte, https://www.infocyte.com/s/Infocyte-Case-Study-Public-Transportation-6-16.pdf, https://perma.cc/QZW3-9Z5M (last visited Mar. 31, 2017).

 

[65] See P. W. Singer, International Regulation of Emerging Military Technology: Cyber Warfare: Stuxnet and Its Hidden Lessons on the Ethics of Cyberweapons, 47 Case W. Res. J. Int’l L. 79, 81–82 (2015).

[66] See Maurice Schellekens, Car Hacking: Navigating The Regulatory Landscape, 32 Computer L. & Sec. R. 307, 307–08 (2016).

 

[67] See generally Frisco Medical Center, L.L.P. v. Bledsoe, 147 F. Supp. 3d 646, 652–54 (E.D. Tex. 2015) (discussing defendants’ extensive use of Dropbox to remove vast amounts of proprietary information belonging to plaintiff).

 

[68] See, e.g., Nate Lord, Communicating the Data Security Risks of File Sharing & Cloud Storage, DigitalGuardian: Data Insider Blog, https://digitalguardian.com/blog/communicating-data-security-risks-file-sharing-cloud-storage, https://perma.cc/AM7W-LZPK (last updated Jan. 26, 2017).

 

[69] See Susan Miller, New risk on the block: Bring your own cloud, GCN (May 23, 2013), https://gcn.com/articles/2013/05/23/new-risk-bring-your-own-cloud.aspx, https://perma.cc/P2PH-H38J.

[70] See Robert L. Mitchell, IT’s new concern: The personal cloud, ComputerWorld (May 20, 2013, 7:00 AM), http://www.computerworld.com/article/2497860/consumerization/it-s-new-concern–the-personal-cloud.html, https://perma.cc/SAQ2-YNWD.

[71] See discussion infra Part IV.

[72] See Andrew Froehlich, The Buck Stops At BYOC, Network Computing (Jan. 29, 2014, 12:00 PM), http://www.networkcomputing.com/infrastructure/buck-stops-byoc/870595087, https://perma.cc/6GGF-PS2L (“BYOC presents a nightmare scenario because data can be copied, duplicated, and ultimately lost or stolen via the various cloud services.”).

 

[73] See Danny Palmer, CIOs worried cloud computing and shadow IT creating security risks, Computing (July 27, 2015), http://www.computing.co.uk/ctg/news/2419409/cios-worried-cloud-computing-and-shadow-it-creating-security-risks, https://perma.cc/U3D9-J2CZ; see Thoran Rodrigues, Cloud computing and the dangers of shadow IT, TechRepublic (Aug. 16, 2013, 12:48 PM), http://www.techrepublic.com/blog/the-enterprise-cloud/cloud-computing-and-the-dangers-of-shadow-it/, https://perma.cc/9QV8-LLUA.

[74] See, e.g., Frisco Med. Ctr., L.L.P. v. Bledsoe, 147 F.Supp.3d 646, 652, 663 (E.D. Tex. 2015); Toyota Indus. Equip. Mfg. v. Land, No. 1:14–cv–1049–JMS–TAB, 2014 U.S. Dist. LEXIS 99070, at *6–8 (S.D. Ind. July 21, 2014).

 

[75] See Philip Favro, Addressing Employee Use of Personal Clouds, 22 Rich. J.L. & Tech. 6, ¶ 19 (2016).

 

[76] See Toyota Indus. Equip. Mfg., 2014 U.S. Dist. LEXIS 99070, at *3, *6 (S.D. In. 2014).

 

[77] See id. at *8.

 

[78] See id. at *6–8.

[79] See RLI Ins. Co. v. Banks, No. 1:14-CV-1108-TWT, 2015 U.S. Dist. LEXIS 9396 (N.D. Ga. Jan. 18, 2015).

[80] See About Jottacloud, Jottacloud, https://www.jottacloud.com/en/about.html, https://perma.cc/Z3U8-6MCJ (last visited Mar. 31, 2017) (“Jottacloud is a Norwegian cloud storage service for both private use and businesses. The service lets you securely copy, synchronize, save and share files from all your devices. These files will be safely stored on environmentally friendly servers in Norway or in countries with equivalent or even more rigorous privacy laws. Firms based in the US might be forced to hand over their stored information to the authorities. No one will get access to the data stored with us.”).

 

[81] RLI Ins., 2015 U.S. Dist. LEXIS 9396, at *2.

[82] See id. at *1–2.

 

[83] See id. at *2.

 

[84] See Verified Complaint for Damages and Emergency Injunctive Relief at 15–16, RLI Ins. Co. v. Banks, No. 1:14-CV-1108-TWT, 2015 U.S. Dist. LEXIS 9396 (N.D. Ga. Apr. 15, 2014) (“Not aware of Defendant’s misappropriation of RLI’s Customer Claim Files and Proprietary Information, RLI offered Defendant a severance package upon her termination. Defendant had not yet accepted the offer of a severance package when RLI discovered the misappropriation. Based on Defendant’s misconduct, RLI revoked its offer of severance to Defendant by letter to Defendant.”).

[85] See generally De Simone v. VSL Pharm., Inc., 133 F. Supp. 3d 776, 796 (D. Md. 2015) (involving a chief executive officer who used Dropbox to steal corporate records belonging to the company).

[86] See Frisco Med. Ctr., L.L.P. v. Bledsoe, 147 F. Supp. 3d 646, 652–54 (E.D. Tex. 2015).

 

[87] Id. at 651.

 

[88] See id. at 652–53.

 

[89] See, e.g., Selectica, Inc. v. Novatus, Inc., No. 6:13–cv–1708–Orl–40TBS, 2015 U.S. Dist. LEXIS 30460, at *2 (M.D. Fla. Mar. 12, 2015).

[90] See Louis Columbus, How Enterprises Are Capitalizing On The Consumerization Of IT, Forbes (Mar. 24, 2014, 6:43 AM), http://www.forbes.com/sites/louiscolumbus/2014/03/24/how-enterprises-are-capitalizing-on-the-consumerization-of-it/#1af595ef6160, https://perma.cc/X6WJ-LFQ4 (stating “79% [of surveyed enterprises] report that file sharing and collaboration tools including Box, Egnyte, Google Apps, Microsoft Office 365, GroupLogic, ShareFile and others are pervasively used today. 49% are with IT approval and 30% are not.”).

 

[91] See Froehlich, supra n. 72.

 

[92] See Frisco Med. Ctr., L.L.P., 147 F. Supp. 3d 646, 650–51.

 

[93] See Toyota Indus. Equip. Mfg. v. Land, 2014 U.S. Dist. LEXIS 99070, at *3–4, *9–10 (S.D. In. 2014) (explaining that defendant uploaded confidential information from his former employer to his Google Drive account before going to work for an industry competitor).

 

[94] See Selectica, Inc., 2015 U.S. Dist. LEXIS 30460, at *1–2.

[95] See id. at *3.

[96] See id. at *2–3.

 

[97] Id. at *1 (emphasis added).

 

[98] See id. at *3.

[99] See Selectica, Inc., 2015 U.S. Dist. LEXIS 30460, at *2 (Selectica eventually sued Novatus for trade secret misappropriation and brought a separate action against Holt for his alleged role in the matter).

 

[100] See id. at *1–2; Frisco Medical Center, L.L.P., 147 F. Supp. 3d at 650; Toyota Indus. Equip. Mfg., Inc., 2014 U.S. Dist. LEXIS 99070, at *3–5. But see See RLI Ins. Co. v. Banks, No. 1:14-CV-1108-TWT, 2015 U.S. Dist. LEXIS 9396, *2 (N.D. Ga. Jan. 18, 2015).

[101] See David S. Levine, School Boy’s Tricks: Reasonable Cybersecurity and the Panic of Law Creation, 72 Wash. & Lee L. Rev. Online 323, 334–35 (2015) (observing that many companies prefer to litigate rather than protect their trade secrets).

[102] See PrimePay, LLC v. Barnes, No. 14–11838, 2015 U.S. Dist. LEXIS 65710, *1, *2–3 (E.D. Mich. May 20, 2015) (refusing to enjoin the operation of a former executive’s competing enterprise).

 

[103] See, e.g., De Simone v. VSL Pharm., Inc., 133 F. Supp. 3d 776, 785 (D. Md. 2015); see also Rodrigues, supra note 73.

[104] See RLI Ins., 2015 U.S. Dist. LEXIS 9396, at *1–2.

[105] See id. at *2.

 

[106] See Selectica, Inc., 2015 U.S. Dist. LEXIS 30460, at *2–3.

 

[107] See id.

 

[108] See generally PrimePay, LLC, 2015 U.S. Dist. LEXIS 65710, at *2, *105–06 (denying plaintiff’s motion for preliminary injunction given, among other things, the circumstances surrounding the creation and use of defendant’s approved BYOC account with Dropbox); see also Tom Nolle, Bring Your Own Cloud: The Movement Companies Can’t and Shouldn’t Stop, TechTarget (Apr. 2014), http://searchcloudapplications.techtarget.com/feature/Bring-your-own-cloud-The-movement-companies-cant-and-shouldnt-stop, https://perma.cc/6SMD-A2Y8 (explaining the security and compliance risks generated by having company data stored on personal cloud storage and edited by cloud tools that are not subject to company governance practices, including storage of confidential information on employee’s personal cloud accounts).

 

[109] See Mark Kedgley, Cyber-Security of the Fridge: Assessing the Internet of Things Threat, S C Media (May 31, 2016), https://www.scmagazineuk.com/cyber-security-of-the-fridge-assessing-the-internet-of-things-threat/article/531554/, https://perma.cc/GPH6-KBTR.

 

[110] See id.

 

[111] See Ernesto Damiani, Toward Big Data Risk Analysis, 2015 IEEE Int’l Conf. on Big Data 1905, 1906-07 (2015), https://dl.acm.org/citation.cfm?id=2878279, https://perma.cc/5WFH-HVQP.

 

[112] See Manuel Díaz et al., State-Of-The-Art, Challenges, And Open Issues In The Integration Of Internet Of Things And Cloud Computing, 67 J. Network & Comput. Applications 99, 101-05 (2016), http://www.sciencedirect.com/science/article/pii/S108480451600028X, https://perma.cc/Z9PT-39DN.

 

[113] See id. at 111.

[114] See id. at 107.

 

[115] See id. at 100.

 

[116] See Sathish Alampalayam Kumar et al., Security in Internet of Things: Challenges, Solutions and Future Directions, 2016 49th Hawaii Int’l Conf. on Sys. Sci., 5772, 5773 (2016), http://tarjomefa.com/wp-content/uploads/2016/09/5288-English.pdf, https://perma.cc/YN6S-HDUE.

 

[117] See CUJO – Business-Level Internet Security For Your Smart Home, SecurityGem, http://www.securitygem.com/cujo-business-level-internet-security-for-your-smart-home/, https://perma.cc/8YQP-D6RZ (last visited Apr. 1, 2017).

 

[118] See id.

[119] See id.

 

[120] See generally id. (discussing an application designed to address cyber security issues).

[121] See id.

 

[122] See John Lainhart, Steve Robinson, & Marc van Zadelhoff, Managing Threats in the Digital Age: Addressing Security, Risk and Compliance in the C-Suite, IBM Institute for Business Value 1,1 (2011), https://www-935.ibm.com/services/uk/en/it-services/Managing_threats_in_the_digital_age.pdf, https://perma.cc/V4TK-L5T6.

 

[123] See id. at 4.

 

[124] See David Wetmore & Scott Clary, To Map or Not to Map: Strategies for Classifying Sources of ESI, Information Management (2009), http://content.arma.org/IMM/SeptOct2009/to_map_or_not_to_map.aspx, https://perma.cc/MJ9A-L5WH.

 

[125] See id.

 

[126] See R. Mark Halligan, Protecting U.S. Trade Secret Assets in the 21st Century, 6 No. 1 Landslide 1, 3 (2013) (urging companies to adopt “mapping” approaches to better safeguard trade secrets); see also Sterling Miller, Ten Things: Trade Secrets and Protecting Your Company, Corporate Law Advisory (Apr. 27, 2015), https://sterlingmiller2014.wordpress.com/2015/03/19/ten-things-trade-secrets-and-protecting-your-company/, https://perma.cc/BM25-7VFE (“You need an inventory of all of the company’s trade secrets . . . [a]n inventory helps you identify what steps are needed to keep those specific items confidential and protected and be clear with the business what items are not considered trade secrets . . .”).

 

[127] See R. Mark Halligan, supra note 126, at 3.

 

[128] See Chris Russell, Assessing the Risk of Transformative Technologies, 2016 Computer Fraud & Sec. 15, 16 (2016).

 

[129] See id.

[130] See Oliver Niggemann et al., Data-Driven Monitoring of Cyber-Physical Systems Leveraging on Big Data and the Internet-of-Things for Diagnosis and Control, Vanderbilt Univ. & Inst. for Software Integrated Sys. 185, 185-192 (2015), https://pdfs.semanticscholar.org/c846/29921b2836ce812a8959edb37158f83627ec.pdf, https://perma.cc/CL9Q-7ANE.

 

[131] See generally Adnan Masood & Jim Java, Static Analysis for Web Service Security-Tools & Techniques for a Secure Development Life Cycle, 2015 IEEE Int’l Symposium 1, 1–6, (2015) http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7225337, https://perma.cc/2JB9-R9YP (discussing the importance of penetration testing for these devices).

 

[132] See supra Parts I & II (discussing past and potential consequences of a breach in sophisticated devices).

 

[133] See Antigone Peyton, The Connected State of Things: A Lawyer’s Survival Guide in an Internet of Things World, 24 Cath. U. J.L. & Tech. 369, 369-400 (2016) (recognizing the current lack of these laws and the consequences resulting from the lack of regulations).

 

[134] See Katerina Megas, NIST Cybersecurity for IoT Program, Nat’l Inst. of Standards & Tech., https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program, https://perma.cc/Q73U-VJ8U (last visited Apr. 1, 2017) (last visited Apr. 1, 2017)ited .

 

[135] See generally, Richard Kissel et al., Security Considerations in the Systems Development Life Cycle, Nat’l Inst. of Standards & Tech., (2008), http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-64r2.pdf, https://perma.cc/Q2R9-CFY2 (discussing NIST’s efforts to promote the U.S. economy and public welfare by providing technical leadership).

[136] See generally, Tomás Seosamh Harrington & Jagjit Singh Srai, Designing a “Concept of Operations” Architecture for Next-generation Multi-organisational Service Networks, AI & Soc. (2016), https://link.springer.com/article/10.1007/s00146-016-0664-5, https://perma.cc/MP73-HVPD (outlining the concept of operations architecture).

[137] See Margaret Rouse, Confidentiality, Availability, and Integrity (CIA triad), TechTarget, http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA, https://perma.cc/MN9Y-VR9R (last visited Apr. 1, 2017); See generally, Somayya Madakam & Hema Date, Security Mechanisms for Connectivity of Smart Devices in the Internet of Things, Nat’l Inst. of industrial engineering (2016), http://www.springer.com/cda/content/document/cda_downloaddocument/9783319331225-c2.pdf?SGWID=0-0-45-1579370-p179950200, https://perma.cc/4ENY-CXEN (discussing the importance of security in the development of IoT).

 

[138] See id.

 

[139] See generally, Dean C. Mumme et al., A Privacy Approach for Crowd-Source Analytics Based on Internet of Things Sensor Data, 2016 Int’l Conf. Artificial Intelligence 456, 459-60 (2016) (discussing various approaches to ensure privacy with regard to the Internet of Things).

 

[140] See generally, Jules Polonetsky, Omer Tene & Kelsey Finch, Shades of Gray: Seeing the Full Spectrum of Practical Data De-Identification, 56 Santa Clara L. Rev. 593, 594 (2016), http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=2827&context=lawreview, https://perma.cc/YVE7-8WDT (discussing “de-identification” the process of removing personally identifiable information from data collected that is stored and used by organizations).

 

[141] See generally Chad Heitzenrater et al., Motivating Security Engineering with Economics: A Utility Function Approach, 2016 IEEE Int’l Conf. on Software Quality, Reliability and Security Companion 352, 352–53 (2016) (discussing confidentiality protocols and organizational risk analysis).

 

[142] See generally D. Arora et al., Big Data Analytics for Classification of Network Enabled Devices, 2016 30th Int’l Conf. on Advanced Info. Networking and Applications Workshops 708, 708–09, 712 (2016) (discussing the options for using algorithms in machine learning based classifier models).

 

[143] See generally Ezedine Barka et al., Securing the Web of Things with Role-Based Access Control, in Codes, Cryptology, and Info. Security 14, 19-22 (Said El Hajji et al. eds., 2015) (discussing the potential use of role-based access control).

 

[144] See generally Eric Holm, The Role of the Refrigerator in Identity Crime?, Cyber-Security and Digital Forensics 1, 5 (2016) (discussing the need for improvement in regulatory responses to this type of crime).

 

[145] See generally Min-Jung Yoo et al., Closed-Loop Lifecycle Management of Service and Product in the Internet of Things: Semantic Framework for Knowledge Integration, 16 Sensors 1052, 1053–54 (2016) (discussing the general framework for the IoT and importance of documentation).

 

[146] A comprehensive information governance plan would take various factors into consideration. They would likely include the length of pertinent retention periods, the ability to preserve data for legal matters, applicable data protection laws, cybersecurity initiatives, and use policies for smartphones and other mobile devices. See generally Philip J. Favro, Getting Serious: Why Companies Must Adopt Information Governance Measures to Prepare for the Upcoming Changes to the Federal Rules of Civil Procedure, 20 Rich. J.L. & Tech. 5, 25 (2014) (explaining the comprehensiveness of information governance in satisfying the challenges related to information retention, data security, privacy, and e-Discovery).

 

[147] See generally id. (discussing the development of policies governing the use of mobile devices).

 

[148] See Gail Gottehrer, “Connected” Discovery: What the Ubiquity of Digital Evidence Means for Lawyers and Litigation, 22 Rich. J.L. & Tech. 8, 8 (2016).

 

[149] See id.

 

[150] See Favro, supra note 12 (referencing the importance of developing an information governance program).

 

[151] See, e.g., Cybersecurity Examination Sweep Summary, SEC (Feb. 3, 2015), https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf, https://perma.cc/7SKH-C2AZ (last visited Apr. 1, 2017) (highlighting that 57 percent of surveyed financial firms conducted the recommended audits to ensure compliance).

 

[152] See id.

[153] See Rodrigo Roman, Pablo Najera & Javier Lopez, Securing the Internet of Things, 44 IEEE Computer Soc. 51, 51–58 (2011).

 

[154] See Philip Favro, Protecting Corporate Trade Secrets in the Age of Personal Clouds, The Recorder (July 21, 2016), https://advance.lexis.com/search?crid=aefd2863-a8be-4bbc-9948-1afc74889d2a&pdsearchterms=LNSDUID-ALM-RECRDR-1202763302804&pdbypasscitatordocs=False&pdmfid=1000516&pdisurlapi=true, https://perma.cc/C34L-YKHW.

[155] See id.

 

[156] See Sophie Vanhegan, Legal Guidance: Protecting Company Information In The Cloud-Era, HRZone (Apr. 23, 2013), http://www.hrzone.com/perform/business/legal-guidance-protecting-company-information-in-the-cloud-era, https://perma.cc/7QEW-S2NU.

 

[157] See id. (observing that corporate policies must “allow company monitoring of employees’ IT activity and work email accounts . . .”).

 

[158] Id. (“Employers may also wish to consider . . . implementing IT measures to prohibit uploading of documents onto web-based applications.”); see also See RLI Ins. Co. v. Banks, No. 1:14-CV-1108-TWT, 2015 U.S. Dist. LEXIS 9396, *1 (N.D. Ga. Jan. 18, 2015).

 

[159] See RLI Ins. Co. v. Banks, No. 1:14-CV-1108-TWT, 2015 U.S. Dist. LEXIS 9396, *1 (N.D. Ga. Jan. 18, 2015).

 

[160] See Vanhegan, supra note 156 (explaining that policies addressing personal cloud usage should “expressly prohibit the removal of company documents and information outside the company’s systems”).

 

[161] See Esther Schindler, Protecting Corporate Data…When an Employee Leaves, Druva Blog (Oct. 13, 2014), http://www.druva.com/blog/protecting-corporate-data-employee-leaves/, https://perma.cc/GWR8-2J79.

[162] See Rachel Holdgrafer, Fix Insider Threat with Data Loss Prevention, Cloud Security Alliance (Dec. 10, 2015), https://blog.cloudsecurityalliance.org/2015/12/10/fix-insider-threat-with-data-loss-prevention/, https://perma.cc/SSE3-UPJL; see also Froehlich, supra note 72 (“Lack of IT management and control will quickly put an end to BYOC, even though it has the potential to provide real benefits.”).

 

[163] See Miller, supra note 126 (“Departing employees constitute one of your biggest risks for trade-secret theft.”).

 

[164] See id.

 

[165] See Frisco Med. Ctr., LLP v. Bledsoe, 147 F. Supp. 3d 646 (E.D. Tex. Nov. 30, 2015); Selectica, Inc. v. Novatus, Inc., No. 6:13-cv-1708-Orl-36TBS, 2015 U.S. Dist. LEXIS 30460 (M.D. Fla. Mar. 12, 2015); RLI Ins. Co. v. Banks, No. 1:14-CV-1108-TWT, 2015 U.S. Dist. LEXIS 9396, *1 (N.D. Ga. Jan. 18, 2015); Toyota Indus. Equip. Mfg. v. Land, No. 1:14-cv-1049-JMS-TAB, 2014 U.S. Dist. LEXIS 99070 (S.D. Ind. July 21, 2014).

 

[166] See Matt Grech, Slack Alternatives: 10 Collaboration Tools That Do What Slack Can’t, GetVoip (Aug. 29, 2016), https://getvoip.com/blog/2016/08/29/slack-alternatives/, https://perma.cc/H6CK-XQ2C.

 

[167] See Brad Woodberg et al., Configuring Juniper Networks NetScreen & SSG Firewalls 18–19 (2006); see also Christopher Benson, Security Planning, Microsoft, https://msdn.microsoft.com/en-us/library/cc723503.aspx, https://perma.cc/A3KC-WM8B (last visited Apr. 1, 2017).

 

[168] See e.g., Stefanie Fogel, et al., Breach Incident Response: An Emergency Preparedness Guide, DLA Piper, https://www.dlapiper.com/~/media/Files/Insights/Publications/2015/02/Breach%20Incident%20Response.pdf, https://perma.cc/26TA-6G75 (last visited Apr. 1, 2017).

 

[169] Id.

 

[170] See Crisis Communications: Three Essential Steps, PCI Communications (Nov. 13, 2013), http://www.pcicom.com/strategy/crisis-communications-three-steps/, https://perma.cc/8KRW-7HLD.

 

[171] See Stephen Bell, Dark Websites for Crisis Response, EMA Public Relations, http://www.mowerpr.com/reputation-management/our-experience/dark-websites-for-crisis-response/, https://perma.cc/RM8X-EMZA (last visited Apr. 1, 2017); see, e.g., Dark Site Stores Emergency Communications Until Crisis Occurs, Center for Infectious Disease Research and Policy, http://www.cidrap.umn.edu/practice/dark-site-stores-emergency-communications-until-crisis-occurs, https://perma.cc/96BS-RKSD (last visited Apr. 1, 2017) (discussing how the Santa Clara Public Health Department was able to activate its dark site when it was struck with an emergency and its regular website could no longer function).

 

[172] See Bell, supra note 171.

 

[173] Id.

 

[174] See Bruce T. Blythe, Blindsided: A Manager’s Guide to Crisis Leadership 261-62 (Kristen Noakes-Fry ed., 2nd ed. 2014).

 

[175] See Kim Bhasin, 13 Epic Twitter Fails By Big Brands, Bus. Insider (Feb. 6, 2012), http://www.businessinsider.com/13-epic-twitter-fails-by-big-brands-2012-2?op=1/#bitat-abused-trending-topics-to-promote-some-of-its-tweets-9, https://perma.cc/E7UJ-79UE.

 

[176] See Imran Ahmad, Is Your Organization Ready for a Cyberattack?, Media Edge Blogging (June 7, 2016), http://www.mediaedge.ca/supplierinsights/csae/is-your-organization-ready-for-a-cyberattack/, https://perma.cc/3ZHL-9KUU.

 

[177] See generally id. (discussing the importance of contacting inside and outside counsel to establish a ‘privileged’ reporting and communication channel).

[178] See generally id. (explaining that law enforcement’s expertise in evidence gathering and forensics can be leveraged to ensure that the evidence can be used in future court proceedings).

 

[179] See generally id. (suggesting effective ways for organizations to prepare for, respond to, and recover from cyberattacks).

 

[180] See id.

 

[181] See Ahmad, supra note 176.

 

[182] d.yalty of its employees. Id. organizations to prepare for, respond to, and recover from cyberattacks). id real estate be sold See generally Toftely v. Qwest Commc’n Corp., No. C3-02-1474, 2003 WL 1908022, at *1 (Minn. App. Apr. 22, 2003) (denying plaintiff employment benefits because she was discharged for violating the company’s confidentiality policy by disclosing a litigation hold instruction to a third party). In Toftely, when a telecommunications company sent a highly confidential and privileged litigation hold instruction to its employees by email, it attached an “electronic tracer” to the message, which allowed the company to monitor whether the message was forwarded outside the company. This technique enabled the company to manage the flow of privileged information and ascertain the loyalty of its employees.