Tuesday, May 14, 2013

Bloomberg Law Not Impacted By Bloomberg Terminal Privacy Breach. But Can We Ever Stop Worrying About a "Big Data" Hack of a Legal Research Provider?

Last week Bloomberg acknowledged that Bloomberg reporters had used the infamous "Z" and "UUID" functions on the Bloomberg terminal to access "customer data." Reporters had access to the names of users at an organization, how long the account had existed, when the account was last used and what broad categories of data they had accessed, e.g. news, bond data, etc. My reaction was "huh?" Given the shrillness of the press reports, I assumed that reporters were seeing actual search queries or trades. That kind of knowledge could be a real "market mover," but that was not the case at all. According to a story in the New York Times, reporters had used account inactivity to prompt a question to Goldman Sachs about whether a partner had been fired. A recent Washington Post story said that the Federal Reserve and Treasury Department are now examining whether their employees' activities were also tracked by Bloomberg reporters.

The Ethical Wall in the Newsroom. The real controversy is not the extensiveness or the granularity of the data, which was quite limited, but the very fact that reporters were able to cross the ethical threshold into accessing any customer data at all. In fact, the same data should be accessible to Bloomberg customer support personnel. Bloomberg has now disabled the "Z" and "UUID" functions in their newsroom only.

The Bloomberg Response. Dan Doctoroff, CEO of Bloomberg, is quoted in the Times story: “To be clear, the limited customer relationship data previously available to our reporters never included access to our trading, portfolio, monitor, blotter or other related systems or our clients’ messages.” The Times story also notes that Bloomberg recently centralized its data security efforts, including the appointment of Steve Ross, a senior executive, to the newly created role of client data compliance officer.


No Impact at Bloomberg Law. According to Greg McCaffery, CEO of Bloomberg Law, reporters have no access to the Bloomberg Law user data. Bloomberg Law resides on a separate cloud platform, not on the same platform as the Bloomberg terminal data. Bloomberg Law doesn't even have the same "command" functions which the reporters used to access customer data. He also pointed out that the Bloomberg BNA reporters who write the Bloomberg BNA newsletters have no access to the customer data. McCaffery stated that "Bloomberg Law takes the privacy of its customer data very seriously. To be clear: no journalists at Bloomberg News or BNA have ever had access to customer research activity on Bloomberg Law."

There are Bloomberg Business Terminals in Law Firms. The fact is that there are law firms which subscribe to Bloomberg business terminals under separate contracts from Bloomberg Law, so presumably reporters were also able to view the limited account activity described above. The Bloomberg business terminals are generally used by researchers and not law firm partners, but we now have assurance that reporters can no longer access any law firm Bloomberg terminal customer information or usage. However, Bloomberg does need to do some outreach and provide assurances to law firms with "the terminal."

Bloomberg Thumb Scanner

Bloomberg is No Stranger to Privacy and Confidentiality. Bloomberg is the last information provider I would have expected to be accused of violating privacy. Bloomberg is all about closed systems and being locked down and buttoned up. They are unapologetically restrictive in how their subscribers use their products. When you subscribe to the Bloomberg business terminal, they retain the right to come to your office and inspect the installation. The earliest version of Bloomberg Law used the Bloomberg terminal platform, but required a lawyer to use a biometric card which validated their thumbprint in order to log on to the terminal. I repeatedly warned them that the biometric card was a "thumbprint too far" for most lawyers, and they now use a more traditional username and password approach.

The Big Data Question. The recent Bloomberg privacy issue is really a journalistic ethics issue about the wall which has always existed between news reporting and the newspaper or news service subscriber data. I believe there is a bigger issue lurking out there for all the large legal research providers. What really scares me is the prospect of a rogue internal or external hacker who could analyse all of the search queries of a law firm and draw some conclusions about things like M&A activity, litigation research or government investigations. Law firm research queries are a treasure trove of leads: pretty innocuous standing alone, but probably an interesting "data map" of law firm client support activity if viewed in the aggregate. In 30 years I have never ever heard of a breach or misuse of this kind of data at LexisNexis, Westlaw, Wolters Kluwer or Bloomberg, but I think it is time that these companies provide more information to customers about how they protect law firms and their clients from the threats of a "big data" hack.









1 comment:

  1. The recent Bloomberg privacy issue is really a journalistic ethics issue about the wall which has always existed between news reporting and the newspaper or news service subscriber data.
