Confidentiality is a key issue for businesses, families, and many individuals. Its importance has increased as digitization has made information much more accessible and created new classes of data. Not all information is national security level confidential, but many times even moderately confidential information, in the proper context, can be severely damaging if it becomes generally known.
More common instances of confidential information include personal data, finances, and business details. Data is arguably the most valuable and sought-after asset today. Companies pay, and make, millions from data analysis to target sales, outmaneuver a competitor, and predict behaviors. Confidential data is used to compete, sell and profit. We are protective of our data and confidences, but with ever-changing technology and data seeking, how do we protect our confidentiality?
The core issue is that so much of our lives is visible through copious amounts of recording, whether by digital footprint, photos, videos, or computers. We are watched in most places – video cameras at intersections, recording at airports, restaurants and malls, being tagged in photos posted on social media, even visiting a friend’s house on their Ring doorbell. We have gotten so accustomed to being recorded and tracked that it is easy to no longer notice it.
Common Steps.
In general, if we go out in public we have to tolerate recordings in many circumstances. There are some common steps people take to provide some level of privacy, but each has flaws.
In business, and some sensitive personal matters, we use non-disclosure agreements. These are legal contracts in which the person receiving the information agrees to keep it private. The theory is nice, but it is generally impractical. Most of the violations of an NDA are very hard to track. When did the information get out? Who knows? The discloser now becomes a private investigator. Even if we can locate the revealer, how can we take back knowledge and information? A lawsuit may be able to get a money claim, after enough time and legal expense, but one cannot recover reputation or timing.
Online, many use a VPN or cloaking software to make web surfing more private at home, on the phone and at the office. This is useful but not impenetrable. Many VPNs survive by ad revenue and thus share data with their advertisers. This includes web tracking to better target ads. VPNs are not immune to malware. We have kept some eyes off the data but shared it with a different set of eyes.
Limiting who gets access to confidential information is another common tool, and is subject to similar pitfalls. We have fewer suspects, but that hasn’t significantly reduced risk; it has just narrowed the field some.
Solutions.
There is no magic technique that resolves all confidentiality issues or makes anyone “ironclad”. Rather, there are different tools available that, when used in concert, can make confidential information more secure.
Know the Receiver. Simple but often underutilized. More than just discussing that only those who need to know get access, there can be tracking to confirm who has access, what they were viewing, and when they used that access.
Limits. Apply limits to the confidential information when possible. For instance, physical limits can require that the item not leave the room it is stored in and that no phones or other devices be permitted in the room. There can be access limits as well, such as may inspect but may not disassemble. Digital limits can apply too, such as dual authenticated login, and no print and no forward privileges.
NDAs. Above we discussed that NDAs are imperfect, but that doesn’t mean they do not have some utility. NDAs do help formalize that the information is confidential. Well drafted NDAs can also add faster solutions, such as arbitration, to resolve a claim and specified damages for each infraction to discourage a breach.
Dataroom. A dataroom used to be a physical room filled with documents for review by a potential buyer of a business. Datarooms are now mostly digital and hosted on convenient web platforms. More recently they have been applied to host broader ranges of confidential information for day to day use. The platforms allow one to see who had access, when, and what they viewed, for how long, along with multiple other metrics. You can control viewing, forwarding, and printing authorities. Control over data has become much easier in this context.
Passwords. We all live with many, many passwords in our lives ranging from banks, credit cards, utilities, social apps, and just about everything else in between. With so many passwords to keep track of, most develop a password style. A style is easier to remember, but it also makes it easier to access multiple accounts once the style has been discovered. Password managers have become a better solution: an encrypted software application stores and manages passwords and online credentials, and is accessed by a master password. Some use a physical key file, some biometrics, and others online.
Ongoing updates. Confidentiality is not a one-time endeavor and does require periodic updates to procedures and review for potential holes. We also need to plan for backup access if the key person/people are incapacitated, dead, or unavailable.
Quality Recordkeeping. One of the simplest, but most effective techniques, is maintaining strong records. All confidential information is labelled and cross referenced. By way of example, when developing intellectual property, we tracked who was working on the file, dates, times, where it was stored, etc. Each iteration was clearly labelled and referenced to the master tracking sheets. If there is a break in the confidentiality the records help pinpoint when and by whom.
Analog. Digital is the method to store most items but going old school hard copy is sometimes easier to protect. A physical copy is not subject to hacking and requires on site access, which is more easily understood and controlled.
Looking at specific circumstances and locales, some suggestions to keep in mind:
Home: Any confidential information is to be secured. Hard items (e.g. jewelry, collectibles, vehicles) typically have security measures, such as geo-trackers, biometric or pin pad access to the room where they are stored, keys/codes issued to a limited number of people, and alarm systems. Periodic rotation of codes/passwords is helpful.
Any digital information (e.g. computer access, home systems access, bill payment) is secured with a strong password, dual authentication, and a limited number of tracked users.
Anyone with access to the home (guests, vendors, staff, contractors) is background checked and cleared before access is granted. Crosschecks are performed by at least one other person (property manager or the like), with detailed records of who was at the property and for what person, including times and locations.
General monitoring is applied in the form of cameras with local or cloud recording for possible review later to confirm any incidents.
Employees are background checked, references verified, and given a clear written outline of job functions. Each would sign an NDA and be issued unique access codes/swipe cards. Access to anything sensitive is given only to longer tenured employees with an established track record.
Office:
Hard items (e.g. servers, physical files, some inventory) typically have security measures, such as geo-trackers, biometric or pin pad access to the storage area, keys/codes issued to a limited number of people, and an alarm system. Periodic rotation of codes/passwords is helpful.
Any digital information (e.g. computer access, systems access, payroll/bank access) is secured with a strong password, dual authentication, and a limited number of tracked users. Often there is dual signature access for most users.
Access to key areas, such as customer contracts, intellectual property, and merger and acquisition information, is limited. Not all participants receive full access to all facets. Each would sign an NDA which also contains agreement to security protocols and procedures. Crosschecks are performed by at least one other person (department manager or the like), with detailed records of who was at the office and for what person, including times and locations.
General monitoring is applied in the form of cameras, particularly in inventory storage and the server room, with local and cloud recording. Company email is monitored and reviewed.
Employees are background checked, references verified, and given a clear written outline of job functions. Each would sign an NDA and be issued unique access codes/swipe cards.
Children/Family: Children are unwittingly the cause of many security breaches, as their perception of confidentiality and consequences is skewed. They have been known to allow friends to access restricted areas, display items and inadvertently demonstrate access. Some have been plied by a potential romantic interest to show off something of value (e.g. collectible, car, jewelry, aircraft) and compromise confidentiality in the process, only to be confused later when a breach occurs. Like manners when they were small, constant reminders of expected behavior are helpful to entrench proper protocols.
Conclusion
Maintaining confidentiality is a balancing act of risk and manageability. Developing a program, reviewing the program periodically, and troubleshooting on a regular basis can go a very long way in helping a successful family feel, and be, more secure with confidential information.
About the Author:
Adam Chodos, Esq., CPA, is the managing member of Chodos & Associates, LLC, a boutique private client law firm, with offices in Boca Raton, FL and Greenwich, CT, focusing on wealth consulting, asset protection, wealth preservation, business succession, and advanced estate planning. Previously, Mr. Chodos practiced law at the New York headquarters of Sidley Austin Brown & Wood and with Ernst & Young, LLP as a certified public accountant. He holds a B.A. in economics, summa cum laude, from the University of Pennsylvania and a J.D., high honors, from Duke University. Mr. Chodos is a member of the New York, Connecticut, and Florida Bars. mail@adamchodos.com
Please note that the information contained in this article is for informational purposes only and should not be construed as legal advice on any subject matter and does not create an attorney-client relationship. No reader should act, or refrain from acting, on the basis of any content without seeking appropriate legal or other professional advice based on their particular circumstances. As laws and rules change frequently, this article contains general information and may not reflect the most current legal developments. The author expressly disclaims all liability in respect to actions taken or not taken based on any or all the contents of this article.
© 2022 Chodos & Associates, LLC, all rights reserved. This article, and any excerpts thereof, may not be reproduced in any fashion without the prior express written consent of the author. Unauthorized use prohibited.