Keeping Your Data Safe In The Remote Work Era

A conversation with Kelvin Coleman of the National Cyber Security Alliance. 

Ed. note: This is the latest in a series on the changing practice of law.

As the world lives life online more than ever because of the COVID-19 pandemic, data privacy becomes an ever-more-serious concern. 

Above the Law recently connected with Kelvin Coleman, the executive director of the National Cyber Security Alliance, to gain his insight into the many issues surrounding data security and privacy. 

Coleman has two decades of cybersecurity experience, having served in posts at the White House and the U.S. Department of Homeland Security, as well as in the private sector.

Here, he weighs in on biometrics, the regulatory landscape, and how long-standing tactics like “phishing” remain a persistent threat. 

This interview has been edited for length and clarity. 

ATL: Because the pandemic is on everyone’s mind, we’ve been hearing a lot about biometrics and safeguarding people’s privacy regarding this type of data. Is there anything happening on that front?

Coleman: The pandemic brought telehealth, telemedicine, and biometrics to the forefront, but we knew before the pandemic that we had to protect this information on two levels. 

One is a cybersecurity level, meaning you want to make sure that whatever information you are collecting is protected from malicious actors, so they are not able to penetrate your systems to get that information. 

The second point with telehealth and telemedicine is that certain individuals may treat your information like money, right? Health information has tremendous value to bad actors. And so we’ve really encouraged individuals and businesses to treat information like money and to protect it for their businesses. 

ATL: Remote work has exploded. Has this brought any particular data privacy concerns to the surface related to remote-work technology?

Coleman: It only expanded what we were already fighting. Cyberattacks were happening, but increased at least 200 percent with the pandemic. Some might be scams saying, “Hey, click here to learn more about the stimulus,” right? Or, “Click here to learn more about vaccines,” or “Click here to find out where you can be tested.”

When a natural disaster happens on a national scale, bad actors will use that as an opportunity to hurt people. That activity has increased in so many ways. 

[In the past few years] we’ve seen a number of massive data breaches involving remote operating structures — healthcare, schools, things of that nature. What the bad actors are getting right now is a target-rich environment because so many people are working from home. They may have a chief information officer or network administrator help them protect that information. 

For students, they all become their own security. So it has changed, but only in the sense that you see so much more activity.

ATL: So, the nature of the attacks is the same, but they are occurring more often?

Coleman: That’s right. When I talk to reporters and others, they want me to tell them about the big, shiny, new threat that’s out there. 

And, you know, I hear crickets when I mention “phishing.” But it works. 

Why change tactics, tools, or techniques, if they’re working? And so phishing is still at the top for bad actors, especially during the times of COVID.

ATL: Given the target-rich environment because of remote work structures, are there best practices companies can use to make their remote work apparatus as secure as possible?

Coleman: Absolutely. And again, it’s not as exciting as you would expect. 

First, passwords are still relevant. A robust alpha-numeric password is an important step in blocking bad actors from carrying out their mission to get into your network. 

Second, multi-factor authentication gets you that much more protection. 

Third, make sure you are updating your machines and devices. You need to keep up with the latest updates. And those things usually come automatically. If you have to click “update now,” we encourage people to make sure they’re doing that.

I think those three things alone can have a tremendous impact on making sure you become less of a target. You’re 40 percent less likely to be a victim of an attack. 

ATL: Suppose you were playing the role of a company’s legal counsel and you had to go to the executives and say, ‘This is what we should be doing to safeguard data privacy.’ What kind of advice would you give?

Coleman: Three things come to mind right away to help mitigate the risk of attack. 

One is insurance policies. They’re pretty important should a breach occur. Would your policies cover ransomware payments, damage to digital assets, et cetera? And for law firms, they have personally identifiable information on their clients, information that the clients don’t want anyone else to know. So to review those insurance policies is very important.

Two, [companies and law firms] need to develop and implement a cyberattack protocol. An effective incident response procedure is key for organizations. You have to make sure you’re prepared.

Three, testing your cyberattack protocol is very important. You can hire a certified ethical hacker to conduct routine audits on the firm, to simulate a cyberattack and highlight vulnerabilities.

So, those three things alone are important, but I have a few other things they could do, including onsite data storage and taking an inventory of digital assets. 

We know from the Capitol riot, right? If the offices never conducted a digital assets inventory, they wouldn’t know what was gone. If something happens with a physical breach or some sort of data breach, you need to know what has to be accounted for.

[You also need to] educate your employees, to promote a culture of cyber-hygiene and education. Make running through cybersecurity responses, protocols, and threats part of the culture of your firm. 

Any company that thinks they’re not a potential target for hackers, they’re fooling themselves.

ATL: Do you think it’s important for companies these days to have a dedicated data privacy counsel? Are you recommending that people create these positions?

Coleman: The short answer is yes, but that isn’t surprising coming from the executive director of the National Cyber Security Alliance. It’s a smart move to better protect data every day, all day. 

And you know, for larger firms it may not be a problem at all. They can do that at the drop of a hat and probably already have those positions. But I have spoken to small firms trying to make a margin like everyone else. And I’ve recognized that a chief privacy officer can serve multiple small firms and help them out. 

But the short answer? Absolutely. I totally support that goal.

ATL: California’s new law, the Consumer Privacy Rights Act, has instituted a standalone data-privacy regulator and California is often a trendsetter when it comes to laws. Do you think standalone regulators and more stringent privacy protections are the way of the future? Do you think this kind of thing is going to be nationwide before long?

Coleman: Absolutely, we’re going to see that. [Laws have been passed] in Washington, Michigan, and I think in Texas. So, California is leading the way and we’re seeing other states do it as well. 

[During the NCSA’s recent Data Privacy Day event] I spoke with Sen. Marsha Blackburn (R-Tennessee, a co-sponsor of federal data-privacy legislation), and we talked about this in terms of how it’s nearly impossible for businesses to traverse the different laws. I do think Congress at some point is going to step in or step up to say, wait a minute, maybe we should have a national act or legislation on this so businesses have one standard to meet and not 50 different standards.

I’m pleased the conversation is taking place and I’m very encouraged with the public-private collaboration on this. Now, certainly there are going to be some opposing views that the private sector and the government will have to deal with, but it’s a great change that the conversation is taking place.

ATL: What are the issues on everyone’s lips right now related to data privacy?

Coleman: Education. I think it’s very important that people understand exactly what privacy means and what information needs to be protected, but it’s also a generational thing, right? 

If you’re talking to millennials, or Gen Z or Gen X, these folks have different views on privacy. And we’ve seen that time and time again. 

We have to make sure folks understand what this conversation is about, because in order to make an informed decision you have to have the correct information. As I say, [data privacy] breaks down into three categories: products, processes, and the people in a particular case. I think we need to focus much more on the people part, on education and awareness. That’s certainly the biggest piece in my mind.

ATL: When you talk about the younger generation, are you referring to their willingness to be open with their personal information? The way they don’t even seem to think about it?

Coleman: Yes, and I’m a perfect example. When I go out, I generally turn off the tracking. You know, the mechanism [on a smartphone] that allows you to get better deals or get a suggestion for a good restaurant. 

My daughter, she enables it, because she wants her friends to know where she is and wants to get suggestions. And of course, we’ve had family discussions on being safe with it, on using it wisely. 

But we have different views on privacy. The younger you are, probably, the less likely you are to care about something of that nature. 


Elizabeth M. Bennett was a business reporter who moved into legal journalism when she covered the Delaware courts, a beat that inspired her to go to law school. After a few years as a practicing attorney in the Philadelphia region, she decamped to the Pacific Northwest and returned to freelance reporting and editing.