How To Avoid ACS:Law Style Data Breaches

Thursday, October 07, 2010

Peter Abatan


After last week’s high-profile data breach at ACS:Law, BT wants to halt legal applications meant to obtain customer details from people alleged to have taken part in illegal online file sharing.

From ITPro: "The data was stored by the law firm to track P2P users sharing copyrighted pornographic films, possibly illegally. A data leak is believed to have occurred after members of 4chan, an image board website where activists recently organised attacks on film industry bodies, launched a distributed denial of service (DDoS) attack against ACS:Law’s site."

The telecoms company called for a moratorium, and it is likely that other telecoms companies will follow the same route. This really should not be a big issue since the solution to this problem has been around for a while.

It is called Enterprise Rights Management and works on the principle of persistent security, which means the data cannot be used for anything beyond what has been specified by the data owner - whether the data is in use, at rest or in motion.

So let's get down to practicalities by asking: "How would this work for BT when it comes to sharing confidential data with law firms as a matter of compliance?" The information that BT sends to ACS:Law is most likely to be in a file format sent via email.

The enterprise rights management solution chosen will ensure that the file sent can be packaged with your own security policy that describes who can open the file, and for what purpose - e.g. view, print, save, edit, etc.

By the way, the same protection provided for files can also be applied to emails.

BT will also be able to monitor the use of the file through an audit log, and will be able to withdraw access to the file no matter where the file is located. BT can also set up the system so that it can be notified by email when anyone accesses the file.

So, the moment ACS:Law and BT become aware of a data breach, the file is immediately disabled by issuing a "no access" on the file.
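To make the mechanism described above concrete, here is a small model of a rights server, added as an illustration and not code from the post or from any ERM product. It assumes a hypothetical `RightsServer` that keeps the content key, checks the packaged policy (who may view, print, etc.) on every access, writes an audit entry and fires a notification, and honours revocation no matter where the copy of the file has ended up; the sample subscriber data is constructed, and the SHA-256 keystream stands in for the authenticated encryption a real product would use.

```python
import hashlib
import secrets

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative CTR-style stream built from SHA-256; a product would use
    authenticated encryption (e.g. AES-GCM). Same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class RightsServer:
    """Hypothetical policy server: holds content keys and policies, so a
    recipient's copy of the file is useless without a logged key release."""
    def __init__(self, notify=None):
        self.keys, self.policies, self.revoked, self.audit = {}, {}, set(), []
        self.notify = notify or (lambda event: None)   # stands in for the e-mail alert

    def protect(self, file_id: str, plaintext: bytes, policy: dict) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[file_id] = key          # key never travels with the package
        self.policies[file_id] = policy   # {principal: {"view", "print", ...}}
        return keystream_xor(key, plaintext)   # the package that is emailed out

    def request(self, file_id: str, principal: str, action: str, package: bytes):
        granted = (file_id not in self.revoked
                   and action in self.policies.get(file_id, {}).get(principal, set()))
        event = (file_id, principal, action, "ALLOW" if granted else "DENY")
        self.audit.append(event)          # every attempt is logged, allowed or not
        self.notify(event)
        return keystream_xor(self.keys[file_id], package) if granted else None

    def revoke(self, file_id: str) -> None:
        self.revoked.add(file_id)         # "no access": later requests fail wherever the copy is

def demo():
    alerts = []
    server = RightsServer(notify=alerts.append)
    # Constructed sample of the kind of subscriber list an ISP might hand over.
    data = b"ip,date\n198.51.100.7,2010-09-20\n203.0.113.9,2010-09-21\n"
    package = server.protect("subscribers.csv", data, {"acs-law-clerk": {"view"}})
    first = server.request("subscribers.csv", "acs-law-clerk", "view", package)
    printed = server.request("subscribers.csv", "acs-law-clerk", "print", package)
    server.revoke("subscribers.csv")                      # breach reported
    after = server.request("subscribers.csv", "acs-law-clerk", "view", package)
    return data, first, printed, after, server.audit, alerts
```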

This solution is simple to implement and can save a lot of companies from heartache, like potential litigation and reputational damage.

At the same time, companies like BT are able to fulfil their legal requirements with the assurance that they still control and own the data.

If you are looking for a solution like the one described above, contact me and we could work together to put a solution in place to make your data safer.

Enterprise Rights Management also has other solutions, from controlling the printing of documents to ensuring that files in document management systems are encrypted immediately after they are checked out of the system. Act now to prevent a recurrence of the ACS:Law data breach.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
