Protecting Your Class: Safeguards for the Current Cybersecurity and Privacy Landscape

4/17/2024 12:00:00 AM

Author: Derek Dragotta

Senior Vice President, Information Security, JND Legal Administration

Certified Information Systems Security Professional (CISSP®) and Certified Information Security Manager (CISM®), member ISACA and ISC².

Stay vigilant. 2023 was a banner year for bad actors and 2024 is shaping up to be the same. Ransomware and data breaches are still on the rise, as are the costs associated with them. AI, aside from its legitimate value, is allowing bad actors, even those with limited skills and technology, to quickly shift tactics and generate more believable scams. There is a significant uptick in attempted fraudulent filings, especially in open-class settlements. Additionally, the multitude of new privacy legislation and other security requirements that govern our day-to-day activities are arriving like a torrent out of the floodgates. While flipping over your keyboard and shouting “I can’t take it anymore” à la Billy Joel in “We Didn’t Start the Fire” may sound like a tempting reprieve, I can assure you there is a better way to maintain your sanity. For some assistance on that front, below are surefire ways you can protect your organization, and your class.

Follow your framework: A successful information security program always starts with a proven framework. Without one, your control implementation will be unstructured and haphazard at best, and auditing and assessing your program will be more difficult both for you and for anyone auditing your controls. You don't build a house without a blueprint, so why implement a security program without a framework? The U.S. Government's National Institute of Standards and Technology (NIST) and the independent International Organization for Standardization (ISO), for example, publish industry-standard frameworks, with NIST's Cybersecurity Framework (CSF), SP 800-171, and SP 800-53, and ISO's 27001 and 27002 being the most common. There are several other frameworks and standards available, and some, such as the Payment Card Industry (PCI) standard, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Health Information Trust Alliance (HITRUST), include controls geared towards organizations that operate in a particular industry, offer a specific service, or process certain types of data. Find the one(s) that best meet your organization’s needs and begin assessing, deploying, and continuously monitoring the applicable controls in your environment to ensure they are operating effectively.

What's on T.A.P.? Every framework is composed of Technical, Administrative, and Physical controls intended to provide your organization with defense-in-depth protection. Implement as many controls as are applicable to your organization and ensure the intended objective is relevant and beneficial so that controls provide real-world value. Implementing controls for the sake of checking a box can put a strain on resources and prevent you from addressing legitimate security concerns because you’re busy implementing controls for non-existent risk. ISO controls and those of similar frameworks tend to be more guidance-based, leaving open to interpretation how a control is designed and implemented. NIST's controls, on the other hand, tend to be much more direct and prescriptive. Regardless of which you select, be sure your framework is serving your organization and not the other way around. It is important to note that frameworks are not updated often, and certainly not at the speed at which technology, or bad actors, advance. To stay ahead of the curve, assess your controls and policies no less than annually, or whenever significant changes occur, to ensure you’re effectively managing risk. Note also that the depth of an organization’s controls reflects its capabilities. For example, administrators who handle large, complex class actions likely have a deeper bench of controls than those who don’t. Settlements that involve, for example, healthcare providers, credit bureaus, government agencies, or large financial institutions not only require that the administrator have a robust framework but frequently include industry-, regulatory-, or client-specific security requirements that fall outside of a normal control set.

Compliance and contracts: As mentioned earlier, new security and privacy requirements continue to appear on the horizon. As of January 19, 2024, the International Association of Privacy Professionals’ (IAPP) Privacy Tracker reports that 13 states have already signed comprehensive consumer privacy bills and another 14 have bills actively in the legislative process. If your organization already has a comprehensive framework in place, then many of these requirements may already be covered by existing controls. NIST SP 800-53 rev. 5, for example, contains over 1,000 controls spread across twenty individual control families and runs the gamut from access control and physical security to third-party relationship management and privacy. Aside from compliance with statutory and regulatory requirements, a robust program aligned with an industry-standard framework will ensure you meet many of your clients’ or the court’s obligations as well. It is likely that your organization is already subject to a number of security and privacy requirements by way of Master Service Agreements or similar contractual instruments, for example, Business Associate Agreements (BAAs) for settlements involving healthcare data or additional privacy clauses for handling data on persons outside of the U.S. Similarly, the Northern District of California’s data protection checklist also includes specific requirements directed at entities handling the administration of settlements.

Data sprawl and data hygiene: Data sprawl has become an increasingly important concern due to the increase in remote work and greater adoption of cloud-based technologies and solutions. Properly identifying and classifying your data is paramount to managing it effectively and to preventing it from being stored in unknown or unapproved locations. This is also important when nearing the end of the data lifecycle, so you can ensure all data is properly returned or destroyed. Educating employees about proper data handling procedures via annual training and periodic awareness messages is key.

Shadow IT: Gartner reported that in 2022 over 40% of employees acquired, modified, or created technology outside of IT visibility (Gartner, 2023). Shadow IT can and will affect your ability to properly control your data throughout its lifecycle and will also worsen data sprawl, putting your data at risk of a breach without you even knowing it. Staff should be well educated on the tools and technologies that are approved for business use and be informed of the ramifications of stepping outside these boundaries. Ensure your policies prohibit the use of unapproved software and services and include enforcement clauses for handling employees who fail to comply. Implementing endpoint application control solutions, or allowing employees to install approved software via a company portal, will assist on this front.

Third-party risk: Many organizations partner with third parties to perform specific job functions. Managing those partnerships by ensuring proper contractual documentation (NDA/MSA) is in place, and by sharing data properly, is essential to any third-party risk management program. Remember, always share the minimum amount of data necessary and require that all third parties delete data as soon as they no longer have a business need to retain it. Additionally, and perhaps even more importantly, clients must assess their vendors’ security programs. Certifications and public statements may only provide limited information, and a vendor simply stating they have a firewall is no different from saying they have an automobile. This is a perfect opportunity for you to look under the hood, kick the tires, and find out for yourself if the product matches the brochure. Some solutions are implemented to “check a box” while others are mature, robust, and best-in-class.

Finding fraud: Fraudulent filings have always been a part of settlement administration, and 2023 saw an increase in this trend. Fraudsters are taking advantage of AI and inexpensive cloud resources to launch massive claim submission campaigns. While a myriad of technical controls, such as next-gen firewalls and bot protection, add layers of prevention, there will always be fraudulent claims that make it through the submission process. Robust administrative controls, such as a mature fraud program, experienced data analysts, and quality control procedures, will help identify fraudulent claims that slipped past your preventive controls. AI also plays a part here, as it can be used to increase the accuracy and speed of your existing fraud and quality control/quality assurance procedures. AI, however, can be a double-edged sword, as I outline in the next section.

The advent of AI: It is difficult to remember anything in recent history receiving as much hype and fanfare as AI. It is and will continue to be a powerful tool in your arsenal of technologies. It must, however, be properly implemented and controlled because, for all its value, AI has already been the cause of a data leak (Mauran, 2023), a fabricator of case law (Neumeister, 2023), at the heart of a potential class action settlement (Mole, 2023), and an infringer of copyrights (Allyn, 2023); aside from these unintentional effects, AI, as I mentioned earlier, is also being used by bad actors to aid in nefarious endeavors. In addition, some insurance carriers are requiring additional E&O insurance for organizations using AI, and inquiries as to its use are appearing on cyber insurance and third-party security questionnaires. Organizations providing AI services to the public frequently include disclaimers stating that their services should NOT be used to make unilateral decisions but instead to help those who are making them. While this technology will continue to change the world, for now, a caution sign should be posted on its entryway.

The usual suspects: Although I refrained from specifically mentioning them in this article, there are, of course, the usual suspects when it comes to any good information security program. These are by no means runners-up in importance to what is discussed above, but they are so frequently the subject of articles and discussions that a mere mention of them should be more than sufficient. On that note, your information security program should also include the following:

  • A full suite of information security and privacy policies.
  • Personnel security practices, including background checks, non-disclosure and confidentiality agreements, and periodic access reviews.
  • Comprehensive security and privacy training with a strong emphasis on phishing awareness. Training programs must include periodic phishing simulations.
  • Strong network security, such as Next-Generation Firewalls, Intrusion Detection and Prevention Systems, Network Access Control, and Network Detection and Response.
  • Endpoint Detection and Response solutions that provide anti-malware/anti-virus, behavioral analysis, auto-blocking and remediation, and device isolation.
  • Security Information and Event Management or a similar solution to aggregate logs and provide a single pane of glass for increased visibility into your environment.
  • Encryption for data both at rest and in transit.
  • Identity and Access Management controls and monitoring.
  • Strong and complex password requirements and multi-factor authentication.
  • Internal, external, and application penetration testing.
  • A robust vulnerability management and patching program.
  • Assessments by an independent third party (SOC, NIST, ISO, etc.).
  • Annual internal risk assessments and business continuity and incident response testing.
  • Proper collection, utilization, sharing, retention, and destruction of data (both physical and logical).
  • Physical access controls for facilities storing, processing, or transmitting data.

Citations

Allyn, B. (2023, December 27). 'New York Times' sues ChatGPT creator OpenAI, Microsoft, for copyright infringement. https://www.npr.org/2023/12/27/1221821750/new-york-times-sues-chatgpt-openai-microsoft-for-copyright-infringement

Gartner (2023, March 28). Gartner Unveils Top Eight Cybersecurity Predictions for 2023-2024. https://www.gartner.com/en/newsroom/press-releases/2023-03-28-gartner-unveils-top-8-cybersecurity-predictions-for-2023-2024

IAPP (2024, January 1). U.S. State Privacy Legislation Tracker 2024. https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law_Chart.pdf

Mauran, C. (2023, April 6). Whoops, Samsung workers accidentally leaked trade secrets via ChatGPT. https://mashable.com/article/samsung-chatgpt-leak-details

Mole, B. (2023, November 16). UnitedHealth uses AI model with 90% error rate to deny care, lawsuit alleges. https://arstechnica.com/health/2023/11/ai-with-90-error-rate-forces-elderly-out-of-rehab-nursing-homes-suit-claims/

Neumeister, L. (2023, June 22). Lawyers submitted bogus case law created by ChatGPT. A judge fined them $5,000. https://apnews.com/article/artificial-intelligence-chatgpt-fake-case-lawyers-d6ae9fa79d0542db9e1455397aef381c