The ABA Cybersecurity Handbook by Jill D. Rhodes


Author: Jill D. Rhodes
Language: eng
Format: epub
Publisher: American Bar Association
Published: 2013-06-05T16:00:00+00:00


I. Government Data: A Problem of Growing Insecurity

Government data systems suffer an array of vulnerabilities and are subject to a variety of threats that range from accidental data loss to advanced persistent threats, often state-sponsored, dangerous, and highly sophisticated. While classified government computers have their own specialized networks and are generally not connected to the Internet at all, even such “air-gapped” systems have suffered major security breaches. Perhaps the most famous such breach was the massive disclosure of classified State Department cables and other classified information by the organization WikiLeaks in collaboration with major newspapers including the New York Times and the Guardian.76 Government lawyers should think of what the colorful founder of WikiLeaks, Julian Assange—not to mention lone hackers, criminal groups, or foreign governments—might do with the data whenever they are tempted to become complacent about the security or to trust such matters entirely to information technology professionals.

However, cybersecurity threats—and data breaches of all kinds—are not a problem limited to the Department of Defense, the CIA, or other “three-letter” agencies handling national security matters. Many government agencies handle data that poses unique confidentiality concerns, such as grand jury data,77 information protected by court order,78 taxpayer return information,79 health records,80 and asylum applications or other confidential immigration information81—the list goes on and on. While the US lacks a comprehensive privacy or security regime such as the regime that prevails in Europe,82 the patchwork of sector-specific privacy rules and practices is extensive enough that it is a safe bet that a public sector institution will usually have at least some legal responsibility to safeguard virtually any data that is personally identifiable. Even data that does not contain obvious personal identifiers may be covered. Research on differential privacy shows that data that has been scrubbed of such direct personal identifiers can often be “reidentified” with relative ease.83

Therefore, lawyers must avoid blithely assuming that they need not worry about security because they believe their organizations do not possess national security information or other information subject to specific legal requirements, or even because they think their clients’ data do not contain names, Social Security numbers, or other obvious personal identifiers. Rather, lawyers should assume there are potential legal ramifications for a failure to take reasonable steps to secure their organization’s nonpublic data. Of course, taking such steps is simply good government. Even aside from special considerations, data breaches and cyber intrusions in the public sector may affect very large segments of the population, as the data in government hands is typically broader in scope than that held by even very large law firms.

Unfortunately, the issue goes well beyond the by-now-familiar scenario of a data breach caused by mistake, inadvertence, or carelessness, such as the posting of confidential information on public websites or the compromise of unencrypted data through the theft or loss of laptops or removable media. There are almost certainly many government systems that are compromised in which neither users nor systems administrators may know it. Today, data exfiltration is not merely the


