Microsoft And The SEC Put Time In A Bottle

If the SEC thinks it was sending a message to investment firms to make cybersecurity prevention a priority, it needs to put bite in its rule enforcement and mete out heftier fines.

Microsoft Corp. and the Securities and Exchange Commission put time in a 2015 bottle to open this year. The Redmond-based tech giant’s content is ripe for tasting, but the SEC must add bite to its 2016 formula for a key regulatory indicator.

In December, Microsoft Corp. closed 2015 with some important blog posts for legal professionals and for IT support and service providers in the legal industry. Matter Center (MC) for Office 365 is now available on GitHub, and commercial Office 365 users can create groups, with shared content and resources, in compliant and discoverable environments.

MC is a SharePoint-based document collaboration add-in to Office 365, designed to increase productivity for legal professionals. It is used to find project documents, emails and attachments, and collaborate with internal and external (read: outside counsel) team members. Although MC was designed for legal professionals, its matter management has applicability to a broad range of professionals.

With Office 365, MC is attractive for any professional service organization with clients and matters. MC builds on SharePoint enterprise content management, integrates with Outlook and Word, and adds rich content search and discovery with Delve, data analytics with Power BI, personal document storage and collaboration with OneDrive for Business, and extensive compliance, management and security features.

The GitHub repository holds the MC source code and deployment guidance to get MC up and running in your environment or for your customers. Keep watching the repository: the Redmond giant intends to expand its community on GitHub, where it will actively drive technical and feature enhancements.

Office 365 Groups for commercial and educational customers now supports e-discovery inquiries and litigation holds, and, like MC, it will soon support users external to the organization. Groups allow teams to form around a single identity, managed in Azure Active Directory, and share Office 365 apps such as Outlook, OneDrive for Business, OneNote, Skype for Business, Power BI and Dynamics CRM. This year, Office 365 Groups will add Office Planner, Delve, and Yammer. When users join a group, they immediately gain access to all of the team’s assets, such as conversations, meetings, and documents. And those assets are now discoverable in litigation.

For administrators, the Azure Management Portal surfaces group management events, such as group creation and membership additions and removals, in the group audit report. See Figure 1.

Azure Audits Office 365 Groups

Figure 1. The Azure Management Portal exposes group management events, such as group creation, updates, membership changes, etc.

This year, Group events will also appear in the Office 365 Compliance Center with other monitored Office 365 events, giving you a complete picture of the Groups changes in your organization or tenants.

And for those of you who set up Groups only to be disappointed that they do not support external users, keep an eye on Group updates here: enter “Groups” in the search box. Microsoft claims it is high on its to-do list for early 2016.

MESSAGE IN A BOTTLE

Late last year, the Securities and Exchange Commission accepted a $75,000 settlement from investment advisory firm R.T. Jones for alleged failure to implement cybersecurity policies, resulting in a breach and compromise of personally identifiable information of approximately 100,000 individuals. The SEC intended to send a message: cybersecurity is a “Key Risk Indicator” (“KRI,” pronounced “CRY”).

R.T. Jones was a long way from implementing security measures to safeguard customer data. The firm failed to adopt written policies and procedures designed to protect customer records and personal information, in violation of the Safeguards Rule (Regulation S-P) adopted in 2000, when technology was recuperating from the dot-com bust and getting over Y2K (and millennials were in grade school).

According to the SEC, from September 2009 to July 2013, R.T. Jones stored personally identifiable information (PII) of customers on a Web server hosted by a third party, with no written policies and procedures on security, confidentiality, and protecting customer data from anticipated threats and unauthorized access.

Regulation S-P requires investment advisers to register with the SEC and adopt policies and procedures to:

  • Ensure the security and confidentiality of customer information and records;
  • Protect from anticipated threats or hazards to the security and integrity of customer data; and
  • Protect against unauthorized access to or use of customer data that could cause substantial harm or inconvenience to any customer.

For the $75K fine, the SEC must have found that R.T. Jones inconvenienced its customers to the tune of $0.75 per customer. If I were an R.T. Jones customer, I would not be too happy that my information was worth only $0.75 (unless it was the year 2000, when that amount would at least get me a Snickers bar from a vending machine with change).

R.T. Jones did not inconvenience itself with conducting periodic risk assessments, employing a firewall to protect the Web server storing PII, encrypting PII at rest, or even establishing a procedure to respond to a cybersecurity threat. In July 2013, an unauthorized user from China gained access to the server and copied its data.

Besides the $0.75 fine per customer imposed on R.T. Jones, the firm took remedial measures:

  • Adopting and implementing a written information security policy.
  • Hiring an information security professional to oversee information security and ensure the protection of PII.
  • Installing a firewall and logging system designed to detect and prevent network and server incursions.
  • Retaining a cybersecurity firm to provide periodic risk and security assessments.

The remedial measures indicate progress since 2000, but they don’t bring the SEC or the Safeguards Rule to a modish regulatory stance today, when you’re nothing unless you’ve been breached. If the SEC thinks it was sending a message to investment firms to make cybersecurity prevention a KRI, it needs to put bite in its rule enforcement and mete out heftier fines. Or perhaps allow individuals to bring private actions when they are “inconvenienced” by data theft? Customers as plaintiffs would fare better than $0.75 apiece.


Attorney Sean Doherty has been following enterprise and legal technology for more than 15 years as a former senior technology editor for UBM Tech (formerly CMP Media) and former technology editor for Law.com and ALM Media. Sean analyzes and reviews technology products and services for lawyers, law firms, and corporate legal departments. Contact him via email at sean@laroque-doherty.net and follow him on Twitter: @SeanD0herty.