Speaking with peers at ILTA’s annual LegalSEC Summit has me thinking about data privacy, and companies such as Facebook have given us a lot of recent food for thought. For over a week in May, a system bug made posts on Facebook automatically public even if someone had previously saved their settings to indicate items should default to private. Facebook has had data-sharing agreements with over 60 device makers, allowing them to access data on users and their Friends. The company is still recovering from the Cambridge Analytica incident in which Cambridge gained access to data on over 87 million Facebook users. Facebook knew about the breach in 2015, but didn’t make people aware until 2016. And the list goes on.
A few months ago I was watching Mark Zuckerberg interact with Congress, and I was alarmed to see Facebook’s Terms of Service printed out. Without exaggeration, it looked like an entire ream of paper. Who would even begin to read that? A lawyer then read a few lines of the legalese and stated, “I’m a lawyer, and I have absolutely no idea what this means.” In this case, Facebook collected metadata from SMS texts and calls on Android devices. While they state they asked for consent, no lawyer (who likely communicates with clients via texts and calls) would knowingly and willingly consent. Facebook states that, as of April 4, it changed its policy to delete all collected SMS and call logs older than one year. I don’t know about you, but I’m still not okay with them keeping this information for 12 months. How do we protect ourselves? Three things must be in place: secure systems, strong policies and knowledgeable people.
Secure Systems: The adage “the best defense is a good offense” says it all. Your security strategy should incorporate intrusion detection, firewalls, monitoring systems, virus protection, patch management, access controls, encryption and other basic technological best practices.
Strong Policies: Given the reach that Facebook and other social media platforms have, law firms will need to revisit policies and continue to be vigilant in the quest for knowledge. What policies need to change for mobile devices? Do they need to be different depending on the type of device? Which apps are allowed, and which are not? Who will take responsibility for reading the Terms of Service agreement and determining whether the mere use of a device or app violates the ethical responsibilities lawyers are to uphold?
Knowledgeable People: You empower people to make the right decisions when you educate them. Your users should be well-versed on your firm’s policies and what red flags to be aware of. Learn more in our recent ILTA article on “Your Recipe for a Delectable Security Awareness Program.”
While I knew Facebook was collecting information about me, a member of the Facebook community, I hadn’t taken time to consider the websites and apps that use Facebook services to improve the relevance of their content and ads, including Like and Share buttons and the use of Facebook Login on other websites and apps. Those websites and apps use Facebook Analytics to better understand how people use their services, and they use Facebook ads and measurement tools to run their own ads on Facebook or elsewhere and to understand the effectiveness of those ads. They are collecting your computer’s IP address, the type of browser you’re using, the software your computer runs, the time of day you’re logged on, what you like, the companies and issues you support, your religious affiliation, your relationship status, and your hobbies.
If you are a Facebook user, protect yourself from these types of “data mining” invasions by managing the applications that can see your data. Edit each app’s privacy settings, or remove the app entirely. Opt out of settings that provide data to advertisers, and tweak your privacy settings so only Friends can see your Friends list, your email address, your phone number and your Facebook profile.
But what if you aren’t a Facebook user? You’re safe, right?! Zuckerberg shared that Facebook collects “data of people who have not signed up for Facebook” for … [wait for it] … security reasons. What? The reality is you can’t truly opt out, because one of the ways they collect information is through cookies. You can limit the use of your information by deleting cookies, but you will need to do this over and over again. If you don’t allow cookies, some websites won’t let you use them at all. Given that cookies can be required and deleting them can be a time-consuming process, people don’t typically take either action.
With the rate of change we experience today, it is extremely challenging to stay ahead of the threats to data privacy. The goal is to provide a reasonable level of security to protect against anticipated threats. The key to having the best odds when it comes to information security is to have a strategy that includes secure systems, strong policies, and knowledgeable people. Now go click Like and Share! 😊