Many companies have been breached and have had data stolen in some way, shape or form. We see this every day in the news and it seems like an unrelenting wave of cybercrime and data loss for people and companies. There are many technical solutions out there for the protection, containment, and encryption of data, but almost none of these help the legal team when they are dealing with the legal aftermath of a security breach.
Security practitioners tend to engage the lawyers at two points in the process of data protection tool selection:
- Before deployment: “Do the solutions being proposed satisfy the regulatory compliance and privacy law statutes that our company needs to address?”
- After a breach: “We have a potential data loss. Do we know what we’ve lost? What’s our legal exposure?”
Does the security tool you’re reviewing have possession, custody, and control capabilities?
The issues around the proof of “possession, custody, and control” are rarely looked at as part of the data protection solution selection. You probably won’t find these definitions and mappings in any data protection solutions you’re currently reviewing. As a result, delivering these definitions often needs to be done after the fact by cobbling the information together, if possible, from many sources. Even if it is possible to pull these many sources together during a breach investigation, this does not always mean that they can be used as admissible evidence in a court case, because there is no cohesive chain of evidence linking the various sources.
It’s a mess.
What a CISO should be asking, given the definitions and standards discussed in this article, is “How quickly and accurately could we respond to these questions of possession, custody, and control?”
With today’s tools, data is neither categorized in these terms nor visualized in a way that lets the situation be analyzed properly.
Without the proper tools and solutions available to map, track, and provide the current status of data that has been exfiltrated in a breach, the company that suffers the breach will be held culpable for said loss. During a breach legal case, there are three terms that come into play in every case – possession, custody, and control.
Currently, courts apply three general tests to determine if a party “controls” documents requiring them to preserve and produce the information for litigation: 1) The “Legal Right” Standard; 2) The “Legal Right Plus Notification” Standard; and 3) The “Practical Ability” Standard.
- Under the “Legal Right” test, a party has “possession, custody, or control” of documents if they have the legal right to obtain the information.
- Under the “Legal Right Plus Notification” standard, a party must not only produce documents in its “possession, custody, or control” to which it has a legal right; if it does not have the legal right to obtain documents requested in discovery but knows that a third party possesses them, it must advise the requesting party that the third party has the documents.
- Finally, under the “Practical Ability” standard, a party must produce documents requested in litigation even if they do not have the legal right to obtain the documents, but they have the “practical ability” to obtain them.
Issues that need to be considered: when you say you have “possession,” what does that mean when your data is dispersed across the cloud? When you say you have “custody,” what does that mean when looking at data residence across all of the devices you are working with, whether corporate or personally owned? When you say “control,” how does that look across your cloud dispersal and your ecosystem of data sharing with customers, partners, supply chain, etc.?
These statutes and definitions apply to anyone accused of being culpable in a data breach. When reading through press articles about breaches, you will find these statutes and terms in play throughout the investigations and reporting. In many data breach situations, the legal challenge is to show “Who had possession, custody, or control of the data at the time of loss?” and/or “Who was expected to have possession, custody, or control?” Many times we see companies investigated for a breach even when they have not been breached directly, because the breach occurred within their “data ecosystem”.
Beyond breach situations, there are now legal and regulatory requirements that take it a step further, such as the EU’s GDPR rules around the residency of personally identifiable information (PII). For GDPR, not only do you have to be able to show the possession, custody, or control status of PII, you also have to show whether or not you can “get the data back” and do so upon request. Do you have the data under your control? If not, do you know who has it, and can you get it back from them? If not, do they know who has the data, and can they point authorities to those entities for data retrieval?
Even if you have technical tools and mitigations in play to protect data, the question still stands, “If a breach occurs, can the technical solutions being utilized legally provide the evidence for possession, custody, and control of said data? Can it be organized and presented in a way that gives your legal team the ability to avoid breach culpability?”
If you do not have all of these controls and data management viewpoints in place, and you are trying to cobble them together “after the fact” of a breach, that already shows that you did not have control!
Make Sure That Your Data Protections Tools Can Paint the Whole Picture
Currently few, if any, tools can comprehensively provide these answers in a succinct, provable way that can serve as evidentiary control points. When cybersecurity practitioners deploy data protection solutions intended to keep data from being leaked and exfiltrated, they are not thinking in these legal terms and statutes. They are only looking to handle containment and/or transport, doing their best to keep breaches from occurring. This leaves the company and the legal team without the means to deal with breach investigations and legal requirements when breaches do occur.
If you can’t paint a clear picture, you are going to find yourself potentially liable for the breach in question. In order to change this posture, here are two recommended action items for vendors and customers:
- Vendors should be looking to offer these data views and legal control points in their offerings.
- Customers should improve their relationship with the legal teams when it comes to security tool selection. Make sure that the solution you choose is helping your legal team help you.
Elliot Lewis is the CEO of Encryptics, a cybersecurity technology and professional services company. Encryptics provides evolutionary technology for self-protecting data using “intelligent armor”, as well as state-of-the-art cybersecurity strategy and design consulting services. Lewis brings over 27 years of experience in cybersecurity technology and executive management strategy.
Editor’s Note: The video was shot in August 2018, during the Black Hat Conference, and the article was written in December 2018. At that time Lewis was an independent consultant and analyst. Since the publishing of this article, Elliot Lewis has become CEO of Encryptics.