Cybersecurity: Can a law firm and/or an E-Discovery service provider protect a corporate client’s sensitive data during litigation?

April 7th, 2015 ACEDS – New York Metro Area Chapter


Agenda – April 7th, 2015

1. Introduction

2. Cyberattacks – Tips on Preventing a Threat

3. Cyberattacks – Response After a Data Breach

4. Legal Obligations – Risks Arising from a Data Breach

5. Gauging Risks When Using Third-Party E-Discovery Providers

6. Best Practices for Reducing Risks Associated with Hacking Incidents

7. Meeting Client Demands for Increased Data Security

8. Conclusion


1. Introduction

Global Advisory Panel - ACEDS:

Scott M. Cohen, CEDS

Director of E-Discovery Support Services at Winston & Strawn, he is responsible for all aspects of the firm’s litigation support technology, e-discovery operations and document review center management. Throughout his career, he has worked in a consultative capacity with law firms and corporate legal departments enabling them to effectively leverage technology in all legal practice areas. With a focus on e-discovery, records management, and litigation readiness, he advises firm lawyers and clients on a wide variety of technical issues relating to discovery in complex litigation.


1. Introduction

Moderator

Chris Costello, Esq.

Christopher Costello is a Senior eDiscovery Attorney in Winston & Strawn's E-Discovery & Information Governance Practice Group (the “E-Discovery Group"), a member of the E-Discovery Group's Leadership Team, and co-chair of the Group's committee on International Privacy and Cross-border E-Discovery. Mr. Costello is also the Executive Editor of E-Discovery Advantage, Winston & Strawn's bi-monthly newsletter summarizing domestic and international E-Discovery cases and developments.


1. Introduction

Subject Matter Expert Panelists:

Gary Kibel, Esq. Gary Kibel is a partner in the Digital Media, Technology & Privacy groups of Davis & Gilbert LLC. Mr. Kibel regularly counsels clients with respect to privacy and data security; new media/advertising law; and information technology matters. He is a Certified Information Privacy Professional (CIPP) and co-chairs the International Association of Privacy Professionals’ (IAPP) New York City “KnowledgeNet” Group.

Chase Cunningham, Ph.D. As the threat intelligence lead for FireHost, Dr. Chase Cunningham (CPO USN Ret.) proactively seeks out cyber threat tactics and technical indicators of various threat groups. He is regularly cited as an expert on cyber security and contributes to white papers and other publications. He is also the co-author of “The Cynja”, a comic designed to educate children about security threats and online best practices.

Dana Post, Esq. Dana Post serves as Special Counsel, E-Discovery and Data Management at Freshfields Bruckhaus Deringer US LLP in New York. As a member of the firm’s cybersecurity practice, she counsels clients on cybersecurity preparedness and data breach litigation strategy.


1. Introduction – Are We Losing the Cybersecurity War?

• Why have law offices become significant targets of cyber attacks?

• Law offices house some of the world’s most valuable secrets. Law Firm Secrets Include:

• Trade Secrets. Private litigators and government regulators handle commercial data and trade secrets of extraordinary value.

• Corporate Deals. Corporate lawyers and antitrust regulators work on huge mergers and acquisitions involving highly confidential data.

• Personal Data. A wide spectrum of lawyers have access to very sensitive personal data – e.g., class-action litigators, tax attorneys, and employee-benefits practitioners.

• Export-Controlled Technology. Law offices ranging from the U.S. State Department to private international law practices review data subject to strict export controls.

• Healthcare Information.

• Attorney-client privileges and attorney work product represent some of the most important and sensitive secrets in the practice of law.

• Source: Cybersecurity Standards and Risk Assessments for Law Offices: Weighing the Security Risks and Safeguarding Against Cyber Threats by David Z. Bodenheimer and Cheryl A. Falvey


1. Introduction – Are We Losing the Cybersecurity War?

• At present, lawyers operate under a standard of reasonable security for information held in law offices. However, the ABA guidance and state ethical canons do not specify detailed cybersecurity standards defining what constitutes “reasonable” security for lawyers.

• No single security checklist exists for all law offices for a simple reason – a single “one-size-fits-all” standard could hardly address the kaleidoscope of risks, data, practices, technology, and security needs of every small, medium, and large law office in the public and private sectors.

• Source: Cybersecurity Standards and Risk Assessments for Law Offices: Weighing the Security Risks and Safeguarding Against Cyber Threats by David Z. Bodenheimer and Cheryl A. Falvey


1. Introduction – 8 Major Cybersecurity Concerns

1. Most Organizations Do Not Take a Strategic Approach to Cybersecurity Spending

2. Organizations Fail to Address Security Capabilities of Third-Party Providers

3. Supply Chain Risks are Not Addressed or Adequately Understood

4. Security for Mobile Devices is Inadequate and has Elevated Risks

5. Cyber Risks are Not Sufficiently Assessed

6. Organizations Do Not Collaborate to Share Intelligence on Risks and Threats

7. Insider Threats are Not Sufficiently Addressed

8. Employee Training to Prevent Risks is Effective but is Lacking at Most Organizations

• Source: 2014 – PWC – Global Annual CEO Survey


1. Introduction – Are We Losing the Cybersecurity War?

• 79% of respondents in aggregate viewed cyber/privacy security as one of their top 10 risks in their overall risk strategy.

• 72% said their firm has not assessed and scaled the cost of a data breach based on the information it retains.

• 51% said that their law firms either have not taken measures to insure their cyber risk (41%) or do not know (10%) if their firm has taken measures.

• 62% have not calculated the effective revenue lost or extra expenses incurred following a cyber-attack.

• Source: Marsh USA Survey - 2014


1. Introduction – Are We Losing the Cybersecurity War?

• 59% of CEOs More Concerned About Cybersecurity in 2014 than Prior Year

• 77% of Corporations Reported a Security Incident in Last 12 Months

• 135 Cyber Incidents Per Corporation on Average in 2014

• 69% of Corporations that Reported an Incident Were Unable to Estimate the Cost

• Only 38% of Corporations Say They Have a Methodology to Prioritize Security Investments Based on Risk and Impact to Business Strategy

• Source: 2014 – PWC – Global Annual CEO Survey


1. Introduction – Are We Losing the Cybersecurity War?

Source: TGC Survey - 2014

Top Projected Spending Needs of GC’s in 2014


1. Introduction – Are We Losing the Cybersecurity War?

Source: Cowen Group Survey - 2014


1. Introduction – Are We Losing the Cybersecurity War?

Source: ILTA Survey – May 2014

• List of ISO 27001 Certified Law Firms:

• ISO CERTIFIED: Allen & Overy; Bond Dickinson; Clifford Chance; Cravath, Swaine & Moore; Freshfields; Hogan Lovells; Irwin Mitchell; Linklaters; Orrick, Herrington & Sutcliffe; Paul, Weiss, Rifkind, Wharton & Garrison; Simpson Thacher & Bartlett; Sullivan & Cromwell; White & Case

• ISO – WORKING TOWARD CERTIFICATION: BuckleySandler; Cleary Gottlieb Steen & Hamilton; Davis Polk & Wardwell; Debevoise & Plimpton; Fried, Frank, Harris, Shriver & Jacobson; Holland & Knight; Jones Day; Kramer Levin; Proskauer; Ropes & Gray; Shearman & Sterling; Skadden, Arps, Slate, Meagher & Flom; Taft Stettinius & Hollister; von Briesen & Roper; Wilmer Hale; Winston & Strawn


2. Cyberattacks – Tips on Preventing a Threat

• What Methods are Available to Reduce the Risk of a Breach?

• Are There Industry Standard Best Practices for Cybersecurity? If so, What are They?


2. Cyberattacks – Tips on Preventing a Threat

What Plans Are Needed?

• Information Security Policy

• Employee Manual Policies (email; technology usage)

• B.Y.O.D.

• Vendor Policies

• Security Breach Incident Response Plan

• Disaster Recovery Plan

• Business Continuity Plan


2. Cyberattacks – Tips on Preventing a Threat

Log everything and then log again….

• Know the network baseline intimately and use that measuring stick to determine changes

• A layered defense is always the best one

• Don’t rely on vendors to solve your security problems; technology alone can’t do it… people, processes and technology are needed

• Have a lens on everything occurring in the network

• Proactive threat intelligence and simulated threat operations are a must


2. Cyberattacks – Tips on Preventing a Threat

ABA Model Rules of Professional Conduct Rule 1.6(c)

• “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client”

• NY Rules of Professional Conduct, Rule 1.6(c)

• “A lawyer shall exercise reasonable care to prevent the lawyer’s employees, associates, and others whose services are utilized by the lawyer from disclosing or using confidential information of a client …”


3. Cyberattacks – Response After a Data Breach

• What Needs to Happen After a Breach has Occurred?

• Are There Different Legal Obligations for Law Firms After a Breach than for Corporations?


3. Cyberattacks – Response After a Data Breach

Incident Response Plans

• Fail to plan…Plan to fail….

• Have clearly defined swim lanes, checklists, steps and criteria for ALL areas of response

• Alert, Secure, Stop the bleeding, Start the inking….

• Prioritize over scrutinize…

• Notify the Law….


3. Cyberattacks – Response After a Data Breach

Incident Response Plans

• Activate existing plan

• Chain of command

• Remedial efforts vs. preservation

• CC: Counsel – privilege

• Forensics

• Law – Contracts – PR/Best Practices


3. Cyberattacks – Response After a Data Breach

State Security Risk Breach Notifications Laws

• California SB 1386 (2003)

• 47 states now have security breach notification laws (no law in AL, NM, SD)

• Separate laws re: medical information

• Scope of personal information

• Notification to regulators

• Timing

• Generally apply to unencrypted personal information of consumers


3. Cyberattacks – Response After a Data Breach

State Data Security Laws

• 20 states with data security laws

• NY does not have a comprehensive law

• 28 states with data destruction laws

• 32 states with social security number use laws

• 46 states with security breach notification laws


3. Cyberattacks – Response After a Data Breach

NEW YORK SECURITY BREACH NOTIFICATION LAW (GBL §899-aa)

• Covers unauthorized disclosures of unencrypted (or encrypted + encryption key) “Private information”

• “Private information” = personal information + another data element (social security, driver’s license, bank / credit card account numbers)

• Notification required in the most expedient time possible, subject to any law enforcement requirements

• In addition to consumers, must notify AG, Consumer Protection Board and State Office of Cyber Security

• AG may bring an action for damages for violations of the notice requirements ($5k per violation, up to $150k)


3. Cyberattacks – Response After a Data Breach

COMMONWEALTH OF MASSACHUSETTS (21 CMR 17.00)

• Effective March 1, 2010

• Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) – “Standards for the Protection of Personal Information of Residents of the Commonwealth”

• “Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written …”

• Risk of harm approach (“size and scope”)


3. Cyberattacks – Response After a Data Breach

COMMONWEALTH OF MASSACHUSETTS (21 CMR 17.00)

• 3 Key Aspects of Regulations

1. Develop a Written Information Security Program (WISP)

2. Contracts with third party service providers

3. Encryption


3. Cyberattacks – Response After a Data Breach

Legal Obligations for Attorneys

• Question - May private lawyers who share space also share a computer for confidential, client-related information where they have separate administrative passwords to the computer that are not known to each other?

• When a lawyer uses a particular technology to store or transmit confidential information, the degree of care that is required may depend on factors such as the security of that technology and the sensitivity of the information. If the technology, taking into account legal as well as technological safeguards, does not provide a reasonable expectation that confidentiality will be protected; if circumstances put the lawyer on notice of a heightened risk that confidentiality may be compromised; or if the information is extraordinarily sensitive, then further security measures may be required.

Source: NEW YORK STATE BAR ASSOCIATION COMMITTEE ON PROFESSIONAL ETHICS – OPINION 939 (October 16, 2012)


4. Legal Obligations – Risk Arising from a Data Breach

• What Are Some Potential Legal Liability Issues to be Concerned With After a Breach?

• Data Preservation: What Happens if Data is Lost as Result of a Breach?

• Data Privacy: What Happens if Confidential Data is Exposed?


4. Legal Obligations – Risk Arising from a Data Breach

• Notifications – complex web of requirements due to the 47 different state data breach notification laws

• Reputation – your firm’s reputation will suffer and other firms will use this against you when talking to prospective clients (including the ones you are trying to keep)


5. Gauging Risks When Using Third-Party eDiscovery Providers

• What Concerns Should Law Firms and/or Corporations Have when Outsourcing Data to an E-Discovery Provider?

• What are Some Suggested Best Practices for Dealing with Third-Party E-Discovery Providers if a Data Breach Occurs?


5. Gauging Risks When Using Third-Party eDiscovery Providers

Vendor Management

• Initial security assessment

• Questionnaires

• Contracts

• Audits

• Re-assessments


5. Gauging Risks When Using Third-Party eDiscovery Providers

Vendor Management

FTC V. GMR TRANSCRIPTION SERVICES (JANUARY 2014)

• 50th data security consent order

• Independent medical transcription contractors

• Independent contractors transmitted medical files in clear readable text

• “The lawsuit also alleges that GMR didn’t monitor what [its subcontractor] was doing to protect the highly sensitive information in its possession. Taken together, the FTC says that GMR’s course of conduct violated Section 5”

• Vendor liability


6. Best Practices for Reducing Risks Associated with Hacking Incidents

• Are There Industry Standard Best Practices for Reducing Risk of Liability Associated with a Hacking Incident?

• What Can Be Done to Limit the Scope of a Data Breach?

• What are Some Available Resources to Law Firms and Corporate Law Departments that Might Be Helpful to Reduce Damages Resulting from a Breach?


6. Best Practices for Reducing Risks Associated with Hacking Incidents

Tips for Reducing Risks

• Find your most valuable assets and remove them from your network….ASAP

• Isolation is key to security

• Evaluate the threat and remember this is an iterative process, not a one shot deal

• Use what you pay for

• Outrun the bear….


6. Best Practices for Reducing Risks Associated with Hacking Incidents

INTERNATIONAL ASSOCIATION OF PRIVACY PROFESSIONALS (IAPP)

• All industries

• privacyassociation.org

• Certification


7. Meeting Client Demands for Increased Data Security

• What Steps Can Law Firms Take to Satisfy Their Corporate Clients That the Client’s Data Will Be Handled in a Secure Fashion?

• Are There Issues of Concern that Law Firms Should Plan to Address Regarding Increased Cybersecurity Demands?


7. Meeting Client Demands for Increased Data Security

• Encrypt your client data using strong encryption combined with role based access controls

• Logical encryption allows you to take advantage of safe harbor from 45 of the 47 state data breach notification laws and the OCR for HIPAA data breaches

• Strong authentication – implement multi-factor authentication to ensure you can validate users before providing access to sensitive data

• Invest in logging and event correlation – this will enable your security operations people to better protect your environment


8. Conclusion – 12 Key Items to Address

• 1. Email Practices

• 2. File Shares and Other "Unapproved" Repositories

• 3. Encryption

• 4. Protecting Shared Information Assets

• 5. Removable Media

• 6. Password Policy

• 7. Hiring Practices and Background Checks

• 8. Ongoing Rights Management

• 9. Internal Tracking of Employee Activity

• 10. IT Asset Disposition

• 11. Mobile Device Management

• 12. Employee Awareness and Training

• Source: 12 Issues That Threaten Info Security and Data Governance Programs by Judy A. Selby and Bryn Bowen, Law Technology News – April 6, 2015


8. Conclusion

• 77% of corporate survey respondents in 2014 stated they have security requirements for third-party service providers….however….

• Only 52% of the same respondents said those requirements extend to their outside counsel law firms for the same shared data

• Mandiant Security estimated 80 of the top 100 U.S. Law Firms have already suffered a data breach

• Source: The Recorder - Clients Eye Law Firms as Security Weak Link by David Ruiz, February 13, 2015


8. Conclusion

• Additional Resources For This Topic Will Be Provided at the ACEDS Website – www.aceds.org

• Panelist Contact Information:

• Chase Cunningham, Ph.D. – [email protected]

• Gary Kibel, Esq. – [email protected]

• Dana Post, Esq. – [email protected]

• Chris Costello, Esq. – [email protected]

• ACEDS Global Advisory Board Member:

• Scott Cohen, CEDS – [email protected]

• ACEDS New York Metro Area Chapter:

• Joe Alonzo – President – [email protected]

• ACEDS New York Metro Area Chapter – Educational Committee Co-Chairs:

• Brad Schaffel, CEDS – [email protected]

• Joe Bartolo, J.D. – [email protected]


8. Conclusion – Reference Materials

Additional Reference Materials

• CALIFORNIA AMENDS DATA BREACH NOTIFICATION RULES, WHICH “MAY” INCLUDE FREE CREDIT MONITORING

• http://www.dglaw.com/press-alert-details.cfm?id=486#.VR1tqZ3D_IU

• NEW FLORIDA PRIVACY BREACH LAW TAKES EFFECT, WITH STRINGENT NOTIFICATION RULES AND OTHER NEW PROVISIONS

• http://www.dglaw.com/images_user/newsalerts/Technology_New_Florida_Privacy_Breach_Law.pdf

• PRIVACY AND DATA SECURITY

• http://www.dglaw.com/practice-area-details.cfm?pgcat=Privacy%20%26%20Data%20Security#.VR78SJ3D_IU


8. Conclusion – Reference Materials

Additional Reference Materials

• www.privacyassociation.org – International Association of Privacy Professionals

• www.edrm.net – Electronic Discovery Reference Model

• www.iltanet.org – International Legal Technology Association

• www.iginitiative.com/ - Information Governance Initiative

• www.Arma.org – Association of Records Managers and Administrators

• www.legaltechnews.com – Legal Technology News

• www.hitrustalliance.net – High Trust Alliance – HIPAA Compliance & Cybersecurity


8. Conclusion

• ACEDS Metro New York Area Chapter Thanks You For Attending

• Thanks to Winston & Strawn for Hosting This Event

• Thanks to Our Subject Matter Expert Panelists

• Thanks to Litigation Video Technology Services (litvideotech.com)

• Questions: www.aceds.org

Powerpoint by Joe Bartolo, J.D. – JURISolutions Legal – [email protected] V.P. of ACEDS Metro New York Area Member Advisory Board