
Amazon released new transparency data this weekend in its bi-annual transparency report, citing a record number of international government data demands in the second half of 2020.

According to the report, Amazon processed 27,664 government demands for user data, which includes data on customer shopping searches as well as data from Amazon Echo and Ring devices. The report shows an 800% spike in requests, up from only 3,222 data demands in the first six months of 2020.

Germany made 42% of the government requests, followed by Spain (18%) and the U.S. (11%).

Key Players Are U.S.-Based Cloud Companies

In the wake of COVID-19, governments and businesses alike are increasing their use of cloud technology and services. Cloud services offer many advantages, from accessing your company’s files or email from anywhere to purchasing applications and software ‘on demand’ in lieu of needing to purchase expensive individual software or hardware packages. Companies like Google, Oracle, Microsoft, Amazon, and IBM are constantly developing new technologies to sync the world into a convenient, communal virtual workplace.

European Regulators Express Concern Over Lack of Exclusive Privacy Jurisdiction

Many non-U.S. regulators, however, have concerns that U.S. cloud companies like Google, Oracle, Microsoft, Amazon, and IBM are not exclusively subject to European data protection law, such as the General Data Protection Regulation 2016/679 (“GDPR”), a regulation in European law on data protection and privacy in the European Union and the European Economic Area. U.S.-based cloud companies are also subject in the U.S. to the Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”), which amends the Stored Communications Act of 1986, allowing federal law enforcement agencies to compel U.S.-based cloud companies, via warrants or subpoenas, to provide requested stored data regardless of whether the data is stored on U.S. or foreign soil.

The Amazon report does not comment on the cause of the sharp rise in government information demands; however, German government authorities have expressed increasing concerns over the storage of sensitive data with U.S.-based cloud providers, citing a lack of exclusive jurisdiction and Europe’s dependency on U.S.-based cloud companies.

European Privacy Dependency on U.S. Cloud Providers

While foreign governments may be making more use of cloud technology and services, Europe is still heavily dependent on U.S.-based cloud companies to do so. Take, for example, the German Federal Police using Motorola devices and Amazon services to store bodycam footage in the absence of a European cloud provider alternative, because Amazon was the only company in Germany with a certificate from the Federal Office for Information Security. According to research conducted by the think tank Ceps, approximately 90 percent of the world’s Western data is stored in U.S.-based data centers.

Meanwhile in the U.S., Ring, the video doorbell and home security startup company that Amazon purchased for $1 billion, now has 2,000 law enforcement partners, allowing police departments across the United States to access homeowners’ doorbell camera footage.

 

If you have questions about developing or updating your company’s cybersecurity standards, legal guidelines, and/or compliance programs, call The Law Offices of Angela C. Schulz, PLLC today at 704-755-5254 or email info@acslawnc.com to schedule an initial consultation.

About the Author:

Angela Schulz is the Managing Attorney of The Law Offices of Angela C. Schulz, PLLC in North Carolina and practices data protection and information technology law. She practices corporate law for U.S.-based SMEs, serving the international needs of clients and negotiates domestic and cross-border transactional matters in a variety of industries, including technology, hospitality, pharmaceutical, healthcare, financial services, biotechnology, real estate, and energy infrastructure.

“Securing cyberspace is one of the most important and urgent challenges of our time.”

-Senator Jay Rockefeller, Former Chairman of the Senate Commerce, Science and Transportation Committee

Small Businesses Face Cybersecurity Challenges

According to the Verizon Business 2020 Data Breach Investigations Report (“DBIR”), almost a third, or 28%, of data breaches in 2020 involved small businesses.

If you are reading this, it is a good indication that you or your company is committed to protecting itself, as well as its employees, partners, and clients from damaging cyber security breaches that are intentional or unintentional. Domestic and international laws alike are increasing privacy standards for how and when companies should take efforts to prevent the disclosure of confidential client information. Whether sensitive or confidential data is passively stored on office computers, hidden in metadata while transmitting an electronic communication, or inadvertently transferred through other means, companies should pursue multiple options to minimize the risk of disclosing confidential information.

When companies choose an appropriate compliance mechanism to establish adequate safeguards for data importers and transferees, they should carefully analyze their particular situation, industry, and scope of domestic, interstate, or international commerce.

The Danger to Small Businesses

According to DBIR, the dividing line between small and large businesses is increasingly thin, in part due to the movement toward the cloud and its numerous web-based tools, as well as the continued rise of social attacks. These factors have led criminals to alter their forms of attack to get the information they need in the quickest and easiest way. Whether it is a threat of spyware, backdoor malware, physical tampering, a phishing attempt, use of stolen credentials, or another hacking attempt against a company’s eCommerce site, blog, V-log, podcast, or other digital assets, companies should actively and routinely take steps to protect their domains and privacy compliance standards.

This not only ensures company and client data is safe, but a robust security platform becomes one more tool companies can use to attract new customers.

Cybersecurity: Protecting Small Business Personal and Client Data

What is reasonable cybersecurity protection for a company depends upon the circumstances including, for example, the sensitivity of the confidential information that may be disclosed, the potential adverse consequences from disclosure, any special instructions or expectations of a third-party or client, and the steps that the company takes to prevent the disclosure of metadata.

COVID-19: New Risks to Cybersecurity

The COVID-19 pandemic is also responsible for changing the way businesses are operating. As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount. In addition to protecting their systems from attack, we urge all businesses to continue employee education as phishing schemes become increasingly sophisticated and malicious.

Developing Comprehensive Small Business Protocols and Compliance Standards

Since effective security is a team effort involving the participation and support of every user that interacts with a company’s data and/or systems, it is a necessity for your company’s information security requirements to be made available or published to all users in a format that is understandable and concise.

The development of corporate policies ensures users, employees, and company vendors have a means to understand their day-to-day security responsibilities and the threats that could impact a company within the industry it operates.

In developing corporate policies, companies should consider:

  • Detecting the different ways hackers can access employee files and business systems
  • Identifying new and emerging cyber threats
  • Isolating weaknesses in your company systems
  • Recognizing various tactics to thwart system threats

Implementing consistent security documentation will help your company comply with current and future legal obligations to ensure long-term due diligence in protecting the confidentiality, integrity, and availability of data and systems.

Encrypting files to Protect Your Business

One simple, practical tool for small businesses?

Encrypting files is a critical security measure considered by privacy experts to be one of the best first steps a business can take to keep business data secure.  Encryption is useful for anywhere your employees might have sensitive or confidential data: computers, laptops, mobile phones, tablets, portable media such as USB drives, etc. 

If an encrypted device is lost or stolen, it will not be possible for someone to access the contents without the encryption password.  For small businesses, Windows 10 has a built-in tool, BitLocker, and Mac OS has its FileVault option that can be easily configured and turned on by your IT department as a free and easy to use solution to add to your company’s cybersecurity protocol.

“Know your enemy and know yourself and you can fight a hundred battles without disaster.” – Sun Tzu

Small businesses can take this cybersecurity protection one step further by using encrypted email for sending confidential information. If you use a file-sharing service like Citrix ShareFile, ZixCorp, Box, SharePoint, GSuite and others, it is important to make sure your small business data is encrypted both at rest (stored on the system) and in transit (when sending, receiving, uploading, downloading, etc.). While those two solutions are usually not free, the cost is typically very low for the protection they afford.

 
