Show Your Work: The impact of privacy regulation on technology practitioners and why they should apply a tried and true forensic approach

Joseph Pochron
Published in Forensic Horizons
Jul 8, 2020 · 6 min read

For those working in Digital Forensics & Incident Response (DFIR), “showing your work” is nothing new. Those who have traditionally worked in digital forensics have discussed it particularly often: forensic analysis requires the examiner to explain what an artifact represents, where it came from, how it was located, and how the integrity of the evidence was preserved, so that it can meet the standards for admissibility of evidence in a legal proceeding.

For incident responders, the goal may be slightly different, but showing your work is still needed for a variety of purposes: assurance that the bad actors are no longer on the inside, that critical systems have not been altered, and whether sensitive data was exfiltrated. The California Consumer Privacy Act (CCPA), which became effective on January 1, 2020, will impact technology practitioners including DFIR professionals, and the need to “show your work” will be just as important for compliance as it is for understanding root cause and possible attribution.

In other words, while showing your work for compliance with privacy regulations is clearly unrelated to the due process requirement to show your digital forensics work in a criminal case, there is a parallel to draw: in both cases it is a matter of due diligence.

“DFIR” has evolved to a point where often employees assigned to those positions need to wear many hats as “technology consultants.” While the recommendations and tasks in this article may not fall directly to personnel working in a traditional DFIR capacity, it is likely that employees working in information security (infosec), cybersecurity, and privacy & compliance either wear a few of those hats, or are working in tandem with DFIR professionals on topics such as this, especially as it relates to incident response planning.

The CCPA is complex and has many components. The purpose of this article is not to cover CCPA in broad detail, but to focus on how this is already impacting DFIR professionals and how it will continue to do so moving forward.

How does this impact DFIR professionals?

As most are aware, the European Union established the General Data Protection Regulation (GDPR) to give European citizens controls over their personal data and its international transfer. Similarly, the CCPA was introduced to give California residents a tool for better control over their data. Among other components, the CCPA gives the consumer the power to know what personal data is being collected about them and whether that data is sold, and the right to request that the data be deleted.

This degree of control over people’s data makes the concept of “reasonable security”, which has been around for some time in information security and is a component of CCPA, crucial for DFIR professionals. Reasonable security is not a clearly defined term, but it is clear that a strong showing of cyber hygiene and planning will be important evidence that reasonable security was in place.

In other words, you’re going to need to show your work of “reasonable security” under CCPA; otherwise you’re elevating your exposure if and when a breach occurs.

What can DFIR professionals do?

So what can a DFIR professional do to help implement reasonable security? Well, depending on comfort level, expertise, and organizational size, it is likely that the tasks discussed below will fall to a variety of practitioners within an organization, requiring input from infosec, legal, and privacy managers, just to name a few. While it will be incumbent on DFIR professionals to work with a team of professionals, it is important for DFIR professionals to understand several critical components for reasonable security under CCPA since they’ll likely be asked for consultation on the matter.

  • Information Governance/data mapping — Understand where the company stores personal information so that if and when a data breach occurs, you can quickly determine the severity and whether privacy laws like CCPA require notification. Realistically, this will involve more than DFIR personnel to determine where data resides, what type of data it is, and what regulatory obligations exist for that data, should a breach occur. It is nonetheless an important step for DFIR folks, one that will help to improve response, investigation, and recovery.
  • Vendor Management — Understand the data being accessed, managed, or sold to external vendors and how you can extend reasonable security beyond your organization to the data you are ultimately responsible for protecting. This will vary by organization; however, DFIR personnel responding to data breaches have a unique perspective on visibility into vulnerable areas and good cyber hygiene that can be utilized here to mitigate risk.
  • Incident Response — Clearly the most directly relevant to DFIR professionals: put a response plan in place. Depending on the size of the organization, this may be completely in-house, outsourced, or a combination of both. It is important to both have a plan in place and customize one to suit the needs of the organization.
  • Training — Train employees and keep records of periodic training. This includes tabletop exercises, which should periodically be conducted to assess the current environment and infrastructure.

For professionals tasked with the technical aspects of reasonable security, here are some additional items to consider:

  • Deploy encryption and multi-factor authentication.
  • Consider deploying an endpoint protection tool.
  • ID and inventory all hardware & authorized software. This point is more relevant during the COVID-19 pandemic where we have a large, decentralized workforce.

Why is this important?

Well, the fines are stiff under CCPA. For “right of action” claims, CCPA dictates that fines can be from $100-$750 per person, per incident. Furthermore, the Attorney General of California can assess fines from $2500-$7500 for CCPA violations.

Furthermore, the economic impact of the COVID-19 pandemic will likely change many organizations’ thresholds for spending on reasonable security. It will be important to stress security as an operational cost to relevant stakeholders and CCPA helps your case.

The Right of Action claim under CCPA is interesting: if a data breach occurs, the business does have the ability to patch the issue that caused the breach in the first place. However, if that patch is insufficient and an additional breach occurs, you risk exposure to a violation or litigation on the basis that the problem was not corrected in the first place. If it wasn’t obvious, involve legal counsel while trying to navigate these complex issues under CCPA.

The key takeaway of this for professionals responsible for these tasks is to maintain systems, push updates, actively monitor, and ensure the problem is fixed.

Interestingly, this also then impacts DFIR professionals who work within eDiscovery. It’s very possible that future discovery requests will include requests for incident response collateral, training and compliance procedures, and historical assessments to help vet if reasonable security was in place.

More important than ever, DFIR professionals need to understand that these pre-breach services may be relevant in litigation to “show your work.” If that turns out to be the case, a key takeaway is that the need to form relationships and “break silos” will be crucial to ensure organizations are properly aligned to comply with discovery obligations.

DFIR has gone through several progressions. Whether it was deadbox forensics, mobile forensics, or the addition of cyber incident response, we’ve seen the field adapt to the current environment.

Privacy regulation should not be viewed any differently. CCPA will likely impact what DFIR professionals have historically been asked to do and consider in their approach. Those working in traditional roles may be asked to expand their consultation; some will be asked to expand their technical aptitude.

As a result, industry professionals should familiarize themselves with this important piece of legislation. It’s worth noting that several states, aside from California, either have similar legislation in the pipeline, or are considering a similar law in that state.

DFIR professionals need to be aware of the privacy regulation wave that’s about to crash on our industry and of how we must adapt our approach to the changing landscape. In an industry that is often reactive, DFIR professionals will need to live in the “pre-breach” environment to ensure that either their company’s or their client’s infrastructure is in accordance with CCPA and ultimately offers “reasonable security.”

Forensic Horizons seeks to ask the questions that may be getting lost in the pressure to do more with less:

Our team consists of experienced forensic examiners, legal experts, journalists, and others with an interest in testing technology against the definition of “forensic”: “belonging to, used in, or suitable to courts of judicature or to public discussion and debate; relating to or dealing with the application of scientific knowledge to legal problems.”

By thinking critically about the tech we use in our everyday lives, the tech we use to investigate it, and the legal, legislative, and regulatory underpinnings of it all, we hope to inspire an ongoing conversation that will lead to better policies and processes for all.

Join us on the horizon and subscribe!

Joseph Pochron, Forensic Horizons: Digital Forensics. Privacy & Cyber Incident Response. Adjunct Professor. Opinions are my own.