Wegmans Settles With NYAG for $400,000 Over Data Incident

The New York Attorney General recently announced a data security-related settlement with Wegmans Food Markets. The issue arose in April 2021 regarding a cloud-based incident. At that time a security researcher notified Wegmans that the company had an Azure cloud storage container that was unsecured. Upon investigation, the company determined that the container had been misconfigured and that three million customer records had been publicly accessible since 2018. The records included email addresses and account passwords.

Of concern for the AG, among other things, was that the passwords were salted and hashed using SHA-1 hashing, rather than PBKDF2. Similarly, the AG found concerning the fact that the company did not have an asset inventory of what it maintained in the cloud. As a result, no security assessments were conducted of its cloud-based databases. The NYAG also took issue with the company’s lack of long-term logging: logs for its Azure assets were kept for only 30 days. Finally, the company kept checksums derived from customer driver’s license information, something for which the NYAG did not feel the company had a “reasonable business purpose” to collect or maintain.
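The gap between salted SHA-1 and PBKDF2 is easiest to see in a migration path. The sketch below is an added example, not Wegmans' code or a term of the settlement: it upgrades each record to PBKDF2-HMAC-SHA256 at the user's next successful login. The legacy layout SHA1(salt || password), the `scheme$...` storage string, the function names, and the 600,000 iteration count are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed work factor, not a figure from the settlement; tune to current guidance.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1_record(password: str, salt: bytes) -> str:
    """Build a record in the assumed legacy layout: sha1$salt$SHA1(salt || password)."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash with PBKDF2-HMAC-SHA256 and a fresh 16-byte random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(password: str, stored: str, iterations: int = PBKDF2_ITERATIONS):
    """Return (ok, replacement); replacement is a new record to store, or None."""
    scheme, *fields = stored.split("$")
    if scheme == "sha1" and len(fields) == 2:
        salt, expected = bytes.fromhex(fields[0]), fields[1]
        actual = hashlib.sha1(salt + password.encode()).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False, None
        # Correct password on a legacy record: re-hash while the plaintext is in hand.
        return True, pbkdf2_record(password, iterations)
    if scheme == "pbkdf2_sha256" and len(fields) == 3:
        used, salt, expected = int(fields[0]), bytes.fromhex(fields[1]), fields[2]
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, used)
        if not hmac.compare_digest(dk.hex(), expected):
            return False, None
        # Re-hash when the stored work factor is below the current one.
        return True, (pbkdf2_record(password, iterations) if used < iterations else None)
    return False, None  # unknown scheme: reject rather than guess
```

Accounts that never log in again keep their SHA-1 record under this scheme, so a real migration also needs a plan for dormant accounts, such as forcing a reset.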

The NYAG argued that these practices were both deceptive and unlawful in light of the promises Wegmans made in its privacy policy. It also felt that the practices were a violation of the state’s data security law. As part of the settlement, Wegmans agreed to pay $400,000. It also agreed to implement a written information security program that addresses, among other things:

  1. asset management that covers cloud assets and identifies several items about the asset, including its owner, version, location, and criticality;
  2. access controls for all cloud assets;
  3. penetration testing that takes into account cloud assets, and includes at least one annual test of the cloud environment;
  4. central logging and monitoring for cloud assets, including keeping cloud logs readily accessible for 90 days (and further stored for a year from logged activity);
  5. customer password management that includes hashing algorithms and a salting policy that is at least commensurate with NIST standards and “reasonably anticipated security risks;” and
  6. policies and procedures around data collection and deletion.

Wegmans agreed to have the program assessed within a year of the settlement, with a written report by the third-party assessor provided to the NYAG. It will also conduct at-least-annual reviews of the program. As part of that review it will determine if any changes are needed to better protect and secure personal data.

Putting It Into Practice: This case is a reminder for companies to think not only about assets on their network, but also about their cloud assets, when designing a security program. Part of these efforts includes clearly identifying locations that house personal information (as defined under security and breach laws) and evaluating the security practices and controls in place to protect that information. The security program elements the NYAG has asked for in this settlement signal its expectations of what constitutes a reasonable information security program.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

Law Firms are Switching to the Cloud. Here’s Why

Cloud computing has become ubiquitous in modern society, but law firms have been slower than most in adopting the technology. Recently, however, law firms switching from on-site data management to the cloud has become the norm due to rapid advancements in cybersecurity, increasing client demand, and the appeal of improving efficiency while cutting costs.

So, what are the most common reasons why cloud computing is still so controversial among legal professionals, and what has caused the industry shift toward cloud migration?

Cloud Computing and Confidentiality

One of the driving forces that used to keep many law firms from using cloud servers is client confidentiality. When practicing law, attorney-client privilege is essential and cannot be taken lightly. Even today, concerns about confidentiality and ethics are the main reasons why cloud computing can be a contentious subject among those in the legal industry.

In the early days of cloud-based systems, these issues were a valid reason to avoid outsourcing data storage to an off-site server. However, cybersecurity advancements have led to the cloud often being more secure than on-site servers. Small to medium-sized law firms are particularly vulnerable to cyber attacks since they often don’t have the infrastructure or expertise to keep their servers secure. Even with a secure firewall, a Wi-Fi connection can leave information and files vulnerable to a data breach.

Cloud services offer end-to-end encryption, backup servers, teams of expert IT professionals, and physical safety measures, such as securely locked rooms with top-of-the-line camera systems and 24/7 monitoring. These procedures are impossible for law firms to enact at a lower cost than outsourcing.

Cloud-Based Law Practice Management Software is Efficient

The ability to integrate and automate systems is one of the greatest advantages for companies using cloud technologies. Time-consuming and tedious tasks such as scheduling, billing, invoicing, file management, and the creation of legal documents are all streamlined on the cloud.

With a low barrier of entry and the ability to access their important information whenever and wherever they need it, many legal teams that were hesitant to make the switch are now migrating over to cloud-based systems, as Zoom meetings and online court hearings have become the norm.

Is the Cloud More Reliable than In-House Systems?

While it has been a long-standing belief that in-house servers are more reliable and secure than cloud systems, this is no longer the case. Cloud servers offer redundancy that is unmatched by internal servers, since the cloud is able to utilize a secondary server if the primary system should fail. This leads to less downtime and a much lower risk of losing files to equipment error, damage, or a data breach.

It is also common to forget to create local server backups, leaving law firms vulnerable to data loss. Cloud systems are able to continually sync and update, so companies don’t have to worry about being able to access files or documents.

Cloud Technology Saves Money

While efficiency is important, at the end of the day, companies are trying to improve their bottom line. Cloud technology saves law firms money by allowing them to increase efficiency while eliminating the high cost of local data storage and maintenance. Not only that, but they are able to budget better by avoiding unexpected costs, which are inevitable when dealing with aging hardware.

Another significant cost-saving feature of cloud-based law practice management software is the ability to scale. When data is kept on site, scalability is considerably more expensive (and difficult). Law firms using cloud technology are able to grow without updating or adding equipment, software, IT staff, or other expenses associated with keeping data management in-house. Being able to focus on the growth of the business and having predictable, consistent data management costs is a notable advantage when scaling.

Despite the obvious benefits, many law firms are still reluctant to take the plunge into the cloud. Some of the common reasons why include:

Unpleasant Past Experiences

Whether a law firm was an early adopter of cloud technology, or recently had a poor experience with a particular cloud service, unpleasant transitions can sour an entire legal team against the idea of cloud technology altogether. Since there have been remarkable advancements in cloud computing recently, past exposure to cloud services shouldn’t be considered representative of how most cloud servers operate.

Difficult Migrations

One of the most common complaints law firms have when attempting to switch over to cloud-based technology is a difficult migration process. It’s important for companies to check reviews and find out more about what’s required to import their data to the cloud before committing to a cloud computing service.

Security Concerns

Due to the added scrutiny and obligations regarding confidentiality that legal teams are required to abide by, security concerns persist as an important reason why some law firms remain dubious about using cloud technology. However, modern cloud computing services typically offer considerably more secure data storage options than what law firms can provide in-house.

Control and Possession of Data

Some legal professionals feel as though migrating to the cloud means giving up control over their data and important documents because it gives them peace of mind to have their servers physically nearby. This kind of thought pattern inhibits growth by limiting their ability to scale. In reality, they are not giving up control or possession of their data; they are simply moving it to a safer location that is easily accessible.

© Copyright 2021 PracticePanther


ARTICLE BY PracticePanther