Last Week in Tech Law and Policy, Vol. 18: Struggles to Protect Data

(by Chris Ivy, Colorado Law 2L)

While last week’s blog post focused on how companies have used data collected from users to do research, this week’s will focus on how large organizations succeed or fail at protecting data, both from hackers and from government intrusion.

Protecting Data

One of the revelations of the Ashley Madison hack is that methods to secure passwords, no matter how strong, can be undermined by human error.  A strong password hash such as bcrypt is easily bypassed when a weaker MD5 hash derived from the same passwords is stored in the same database: attackers crack the fast MD5 values first and then need only a few bcrypt guesses to confirm the result.
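To make the point concrete, here is an added example that is not from the original post and not Ashley Madison’s code. A breached record holds both a slow, salted hash and an unsalted MD5 of the lower-cased password; the attacker runs a wordlist against the cheap MD5 first and spends effort on the slow hash only for the one word that matches. PBKDF2-HMAC from Python’s standard library stands in for bcrypt, and the wordlist and target password are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import itertools
import secrets
from typing import Iterator, List, Optional, Tuple

# Stand-in for the slow, salted hash. The post discusses bcrypt; PBKDF2-HMAC-SHA256
# from the standard library is used here instead so the script runs without
# third-party packages. The property that matters is the same: every guess
# costs ITERATIONS rounds of work.
ITERATIONS = 20_000

# Constructed wordlist and target password (not real Ashley Madison data).
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "Secret7"]


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash (the 'bcrypt' side of the story)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def legacy_token(password: str) -> str:
    """The weak side: an unsalted MD5 of the lower-cased password, of the kind
    a legacy login token might keep next to the strong hash."""
    return hashlib.md5(password.lower().encode()).hexdigest()


def make_record(password: str) -> dict:
    """What the breached database row looks like: both hashes side by side."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "slow_hash": slow_hash(password, salt),
            "legacy_md5": legacy_token(password)}


def case_variants(word: str) -> Iterator[str]:
    """Every upper/lower-case spelling of word (2**letters candidates)."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def crack(record: dict, wordlist: List[str]) -> Tuple[Optional[str], int, int]:
    """Dictionary attack that uses the MD5 token to avoid the slow hash.

    Returns (recovered password or None, MD5 guesses made, slow-hash guesses made).
    """
    fast_guesses = 0
    slow_guesses = 0
    for word in wordlist:
        fast_guesses += 1
        if not hmac.compare_digest(legacy_token(word), record["legacy_md5"]):
            continue  # cheap rejection: no slow hash computed for this word
        # MD5 matched the lower-cased password, so only the letter case is
        # unknown; recover it with a handful of expensive guesses.
        for candidate in case_variants(word):
            slow_guesses += 1
            if hmac.compare_digest(slow_hash(candidate, record["salt"]), record["slow_hash"]):
                return candidate, fast_guesses, slow_guesses
    return None, fast_guesses, slow_guesses


def slow_only_cost(wordlist: List[str]) -> int:
    """Slow-hash guesses an attacker needs to try every case variant of every
    word when no MD5 token is available to filter the list first."""
    return sum(2 ** sum(c.isalpha() for c in word) for word in wordlist)


if __name__ == "__main__":
    row = make_record("LetMeIn")
    print(crack(row, WORDLIST))          # ('LetMeIn', 4, 75)
    print(slow_only_cost(WORDLIST))      # 513
```

With a five-word list the attacker computes 75 slow hashes instead of 513; with a real wordlist of millions of entries the MD5 filter reduces the slow-hash work from millions of guesses per account to a few dozen, which is why the stronger hash stops mattering. The fix is not a better bcrypt setting but removing the fast hash of the password from the database altogether.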

Also, security firms whose business is checking the security of other companies are not immune from security errors themselves; a firm that specializes in researching iOS, Android, and Adobe vulnerabilities was found to have flaws in its own software.

Even major universities and government agencies struggle with security. For example, MIT was found to have many security vulnerabilities, and the Office of Personnel Management suffered data breaches.

Another struggle for technology companies like Apple is to provide new functionality while maintaining security that users have come to expect. Apple must balance personalization and convenience with its position on user privacy.

Struggles with Laws

Even if companies do everything “right” in protecting their data, they still struggle with government agencies seeking access to customer data.  Apple and other technology companies are fighting court orders to turn over data in criminal investigations, a battle that can extend to servers outside the U.S.

Companies must also balance giving employees access against protecting data.  Many employees expect the convenience of using their own devices, and allowing such use is cheaper for the companies.  However, that freedom creates greater overhead for securing the devices, if they are secured at all.

Federal laws also struggle to balance protecting companies against burdening users.  Laws such as the Computer Fraud and Abuse Act can be used to prosecute innocuous activities like checking sports scores at work.

Companies must balance protecting data, advancing technology, working with the government, and giving employees access in a mobile world.  How should companies balance convenience with security?  If organizations that specialize in security are found to be vulnerable and tough security measures are easily bypassed by human error, how can we ensure that companies are safe from online vulnerabilities?