Heartbleed — The ”Data Map” Lesson — Intro

The Heartbleed vulnerability is, by now, an item about which we have all assuredly heard a lot.   To get caught up on your reading on the technology aspects of this issue, see the linked articles I have compiled in the ”To Learn More” section at the end of this post.    Note, though, that one key lesson is much more of a common-sense, communication and organizational one.  Most every organization could readily beef up its information-security by creating and then maintaining an up-to-date chart or “ data map” of the who/what/when/why/where of its electronically stored information (ESI).


  Where’s Your Organization’s Data?

In the 1960's, a local New York City TV station came up with the phrase “It’s 10 PM. Do you know where your children are?“   In the 21st century, any organization would do itself a favor by asking the same question about its electronically stored information (ESI).  No matter its shape or size, many a company diffuses its information-management and information-security among various people, systems and locations.   So, generating a chart listing every key vat inside and outside the company’s physical and virtual walls is a must.

A simple spreadsheet is better than nothing and also better than having a disparate set of protocols/lists.   There should be a row for each key repository, e.g., each:

  • Database
  • Website
  • Cloud environment

And the columns (some of which would entail YES/NO) could include:

  • System Name
  • Content Type
  • In-House or Cloud
  • Owner Name (point of contact)
  • Owner Contact Info.
  • Encrypted at Rest
  • Encrypted in Transit
  • Retention/Deletion Rule(s)
  • Back-up Schedules
  • DR/BC Status (Disaster-Recovery/Business-Continuity)

For Cloud-stored data, additional columns could be:

  • Segregation from Others’ Data
  • Notice-of-Breach Duty Shifted

Finally, to paraphrase George Orwell in “Animal Farm,” some data is more private than other data.  Several categories of information thus warrant special in-the-trenches attention once their locations have been idenitfied:

  • Personally identiable information (PII)
  • Protected health information (PHI)
  • Payment card industry information (PCI)

Now, it’s time to begin charting . . . and to start mapping . . .


  

To Learn More

Some resources as to ESI data-mapping:

–  Brownstone, Electronic Records Retention, Nat’l Const. Confs. Webinar Slides, at 25 (Mar. 20, 2014)

–  Stephenson, Streamline electronic discovery using a data map, Lawyers USA (Jan. 12, 2012) [quoting me :) ]

–  Brownstone, Data-Mapping & Electronic Information Management, Lorman Webinar Slides (Nov. 4, 2009)

                                        And even more as to “Heartbleed”:

–  Codenomicon, The Heartbleed Bug (last visited 5/6/14)

–  Qualys, SSL Server Test (last visited 5/6/14)

–  Valsorda, Heartbleed test (last visited 5/6/14)

–  Goodin, Confirmed: Nasty Heartbleed bug exposes OpenVPN private keys, too, ars technica (4/16/14)

–  Lee, Here’s why it took 2 years for anyone to notice the Heartbleed bug, Vox (4/12/14)

–  Geuss, Private crypto keys are accessible to Heartbleed hackers, new data shows, ars technica (4/12/14)

–  Schneier, Heartbleed is a catastrophic bug in OpenSSL, Schneier on Security (4/11/14)

–  Felten, How to protect yourself from Heartbleed, Freedom to Tinker (4/11/14)

–  Grant, The Bleeding Hearts Club: Heartbleed Recovery for System Administrators, EFF (4/10/14)

–  Cipriani, Heartbleed bug: Check which sites have been patched, CNET (4/9/14)

–  Shankland, ‘Heartbleed’ bug undoes Web encryption, reveals Yahoo passwords, CNET (4/8/14)

–  Kumparak, Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet, TechCrunch (4/7/14)

–  Timson, Who is Robin Seggelmann and did his Heartbleed break the internet?  Sidney Morning Herald (4/11/14)

 

Topics:  Corporate Counsel, Cybersecurity, Data Breach, Electronic Payment Transactions, Electronically Stored Information, Heartbleed, Personally Identifiable Information, PHI

Published In: General Business Updates, Consumer Protection Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fenwick & West LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »