It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Melissa Ventrone.
Melissa Ventrone, Member, Clark Hill, PLC, is a Leader of the Cybersecurity, Data Protection & Privacy team. She focuses her experienced group of first responders, including lawyers and forensic investigators, on around-the-clock situational management to minimize damage and limit any public or regulatory fallout from privacy and cyber incidents. Melissa is also a Co-chair of the firm’s ASSET360 team, which helps to identify, mitigate and respond to cyber and data risks from a legal and technical perspective. She is a retired Major in the U.S. Marine Corps Reserve.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Chicago’s northwest suburbs. At the age of 18, I enrolled in college for a year, decided I wasn’t quite ready and then joined the Marine Corps. I was on active duty for four years. After finishing my first four years in the military, I re-enrolled in college and stayed in the USMC reserves while finishing my undergraduate degree.
The short break from college worked. I graduated Magna Cum Laude from Northern Illinois University and was accepted to Chicago-Kent College of Law, Illinois Institute of Technology, Chicago, Illinois. Following law school, I was commissioned as a logistics officer in the Marine Corps Reserve. During my service, I served in various positions and was deployed to Djibouti and Afghanistan. My military service includes 21 years of active duty and reserve service before retiring as a Major in the United States Marine Corps Reserves.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
My introduction to privacy and cybersecurity law was a bit of an accident. When I was deployed to Afghanistan, I was considering moving away from the legal field, becoming a logistics officer or working in the logistics sector. I received an email from a former commanding officer forwarding an email from a partner in privacy practice who was actively recruiting someone with military service. I immediately sent my resume to the partner. After a 45-minute phone call with the privacy partners (they were in Chicago; I was in Afghanistan), they made me an offer. The first day I met them was my first day on the job.
It was a great opportunity because cyber and privacy work allows me to utilize skills learned in the military. Much of privacy and cybersecurity is related to the right people, right place, and talking about the right. Cybersecurity involves logistics since teams must be put together and work collaboratively across departments. Privacy and cybersecurity issues apply not just to one department, but to the whole organization.
Can you share the most interesting story that happened to you since you began your career?
The stories that stand out for me are ones where I get a call bright and early in the morning and am on the phone with somebody at 6:30 a.m. ready to help them respond to an incident. There was one in particular where I received a phone call at 6:30 in the morning and by one o’clock in the afternoon, I was on a flight out to the client’s site and ready to assist by 4:00 p.m. that same day.
Some of the other interesting stories include illicit activities conducted by cyber criminals. It’s this whole business aspect of paying a ransom and they give you a decryption key. The criminals supposedly delete your data and then leave you alone while you try to rebuild your systems. This is strange if you think about it. We are paying criminals, and they are supposedly “honoring” their obligations to return the data. These are some of the interesting aspects about privacy and cyber that you really must be prepared to handle.
When I was a staff sergeant attending law school, I was participating in a conference where we were working on putting together movement data for equipment and people. Colonel Hashimoto was there, and he asked me how close I was to completing my law degree. “Have you ever thought about becoming an officer?” And I told him, “Well, I made some phone calls, but I was told that for my particular position, it wasn’t possible.” And he said, “You’re asking the wrong people.” Then, he put me in touch with the right people. Honestly, I believe that was a defining moment for me.
I went from being enlisted to becoming an officer, going through all of the leadership training, and completing almost 10 years as a very successful officer. All of it was a result of Colonel Hashimoto taking the time to talk to me and asking me about my goals. He was looking out for me and my career. He put me in touch with the right people, followed up to ensure I had everything I needed, and helped facilitate the process for getting approval. And then the rest is history, as they say.
Is there anybody in particular that you’re grateful for that helped you along the way?
I have been fortunate to have a lot of really great mentors. Not just on the legal side but also on the military side. I think part of the reason I’m so successful in my civilian career is because of some of the military mentorship that I received. Colonel Robert Hashimoto (Ret) is the primary reason I became an officer. I was a staff sergeant in the reserves, almost finished with my legal degree, and he provided me with information that allowed me to become an officer. Colonel Hashimoto is a great leader and someone I highly respect.
On the legal side, I’ve been very fortunate to work with excellent attorneys across the board. Trying to put names to all of them would be difficult. I feel as though I have 25 to 30 mentors and people that I can confer and work with. I have been extremely fortunate that way.
Are you working on any exciting new projects now? How do you think that will help people?
We’re focusing on relationship building and making connections to provide the government with more information about the implications of the types of laws that they are enacting. Our government affairs group is helping to facilitate these conversations. We are certainly interested in the consumer protection aspect of it. We want to help and not stifle businesses. The question is how do we really marry up those different interests from a data collection and news perspective? These are exciting projects that will have long-term impacts on not just individuals but companies, as well.
What advice would you give to your colleagues to help them thrive and not burn out?
That’s an interesting question, especially in the middle of COVID-19. From a COVID-19 perspective, it helps if people think of things from a day-to-day point of view. Setting short-term realistic goals makes work more palatable. When I did my job interview from Afghanistan, I was asked, “What’s your short-term goal? What’s your long-term goal?” My short-term goal was to get through today. And my long-term goal was to get through tomorrow, because if I thought about it, “I have months left,” it was too overwhelming. A key to not feeling burned out is to make sure to take time for yourself. Another important factor is to build a team where you can rely on others to step in when you need to unplug for a little bit, and you have to unplug. It’s okay to say no. It’s okay to direct something to somebody else to help out, and it’s okay to reach out and ask for help. I think those are some of the important things to remember, especially for younger attorneys who want to build their own business. You can’t do it all yourself, and you have to make sure that you have a team that you can rely on, that’ll help you get through those tough points and let you take that week off.
Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some sort of financial info and people’s emails and information about their clients. For the benefit of the readers, can you help articulate what the legal requirements are for businesses to protect their customers’ and clients’ private information? What are the rules of the road here?
You can’t answer that in a few sentences because they differ across the board. If you’re looking at the U.S., most of the U.S. regulations incorporate this concept of reasonable security, which isn’t well-defined. It’s beginning to become defined by adverse rulings, if you will, by agencies such as the Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS). Most of the regulations still define it by having reasonable security measures. What does that mean? How do companies and businesses understand that? It is a very difficult question to answer.
A lot of the foreign regulations have more affirmative requirements with respect to the protection of information. We are seeing some of that in the U.S. For example, New York’s Department of Financial Services has their cybersecurity regulation that specifically references multi-factor authentication. Some of the guidance under the HHS Office for Civil Rights talks about encryption. It really depends from a legal perspective on the particular requirements. In many instances, there aren’t even requirements that you have written policies; the laws talk about procedures. Then, there are some laws that require that you have written policies to protect the information. I think it’s incredibly hard for businesses to understand what they’re legally required to do to protect the information, but there are certainly best practices out there.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point? Is that prudent to do that?
Yes, absolutely. If you don’t need the information, destroy it. Because if you lose it, if it’s breached, or if somebody misuses it, then you face a multitude of issues. We’ve handled matters where a company had customer and employee information that was over 20 years old and wasn’t aware they had data that old. If you don’t need to keep a particular sensitive data element, find a way to get rid of it or redact it. If you don’t need customer or employee social security numbers, remove them from your system.
The problem lies with our data retention policies. A lot of these policies talk about how long you’re required to maintain the information, but don’t offer affirmative requirements to delete the information. If you don’t need it, get rid of it. You’ll also receive the benefit of more space.
In the face of this changing landscape, how has your data retention policy evolved over the years?
I think most organizations don’t pay much attention to data retention policies. They have a policy and occasionally look at it, but they don’t audit it. Most organizations don’t go back and review and then say, “We’re only required to keep this for seven years, and after seven years let’s get rid of it.” I’ve worked with over 4,000 companies, and maybe a handful actually audit their data retention policy.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
We have specific policies and procedures about data retention. Our email system has an archiving feature. Many companies haven’t enabled this feature, but emails after a certain period of time are archived. If you have data that you aren’t using but you’re required to keep, archive it. Get it off the main system. Think of it like putting the data in a storage facility that isn’t connected to your main system. It is important to think about ways that you can reduce your attack surface. If you have all of your data in one place and attackers get access to that one place, then all of your data is at risk. If you have requirements to maintain certain information, but you don’t need to access it except for maybe once every couple of years, remove it from your main system and store it somewhere else. And you can store it electronically. There are a variety of different methods and modalities out there that you can use, but it is a best practice not to keep everything.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
The General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA) most certainly impacted us and required changes in processes, procedures, contracts and training for the issues addressed in these regulations. In the U.S. we have a patchwork quilt of laws. When you have a state like California that enacts the CCPA, we anticipate and have seen in some respects other states start to follow suit and try to pass similar legislation.
Many states have legislation relating to the use, collection, and protection of data that differ slightly. Companies are required to comply with these laws, or they may face statutory penalties. It is concerning from a compliance perspective. It is concerning from a cost perspective. And, it is concerning from a standardization point of view.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
I don’t think that the necessary technological tools for data retention exist right now. We haven’t seen tools become as sophisticated as we need in order to help companies comply with the laws that are now online and that are coming online.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
We have clients that have been impacted by certain events that have caused them to change their processes or procedures. A lot of the changes we see are changes to help secure the environment and quickly help clients recover. We are seeing a lot of the changes in this concept of resiliency and business continuity.
Can you please share “Five Things Every Business Needs To Know In Order to Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
1. Implement multi-factor authentication for any kind of remote access to the system, to email, to any program, and to any database. For instance, we’ve had clients who have Human Resource (HR) programs that outsourced their payroll information. Let’s say an employee falls for a phishing email. The attacker gets their credentials, logs into their HR portal, which is hosted by a third party, changes their bank account information, and they don’t find out until payroll has gone somewhere else. Multi-factor authentication on any system that has remote vendor access is critical. Make sure your contractual agreements require access to your system utilizing multi-factor authentication.
2. Think of cyber resiliency and how you recover from an incident. It is incredibly important to have backups, and you want to make sure the backups are segmented from your environment. So, if someone gets in, they can’t get in and delete the backups or encrypt the backups. Backups also need to be tested regularly and ready when called upon.
For instance, we worked with a client who did have backups, but they had 250 servers and figured out it was going to take 14 hours to restore one server. They were looking at weeks of downtime. They hadn’t tested how long the restoration process was going to take. So yes, have the backups, make sure they’re good, make sure they work, and have a program in place to test them.
3. Train the people who use your technology because they’re the ones who are either clicking on something, opening something, or providing someone their credentials. Training is key and needs to be up to date and relevant. For instance, if an employee is clicking on a phishing email at work where an attacker obtains their credentials, they may be also doing it for their own email accounts. Don’t just conduct training during orientation. Make sure that you follow up and provide additional and continuous training.
4. Go on a “data diet”. If you don’t need it, don’t collect it. If you no longer need it, get rid of it. If you don’t need it except for once every couple of years, store it where it’s not in your system. There are a number of clients that we work with that have data that is from 20, 25, 30 years ago. If someone who has been at the company for 20 years experiences an email compromise, we’ll have 20 years of emails to go through to identify PII. It’ll take months. If you don’t need it, don’t keep it.
5. Review your contracts. When you’re working with vendors who are providing some sort of IT services, take a look at the contracts. Most of those contracts will limit your liability to the amount paid for the last six months. If you’re paying them $500 and then the vendor’s systems go down and they can’t restore you for over a month, you’ve just lost thousands and thousands of dollars. So, make sure you review these contracts and incorporate appropriate security controls, review the limitation of liability section, and require the vendor to have cyber insurance.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I have this passion for the data diet. Get rid of it if you don’t need it. I believe that helps companies. It also helps individuals because you’re not as concerned about people having your data 20 years down the road because they haven’t deleted it. I would also love to see a movement on cyber education for smaller businesses. We have all of this training and discussion and tests around fire alarms. Let’s do that for cyber security.
We have to get there because the two and three-year-olds are playing on people’s phones, which is something we never did. There’s a different generation and a different way of thinking about technology and data. We need to make this a common discussion, common practice, common training, from a young age. So, I’d like to see that movement happen.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!