
Lex Encryptus: Keeping Client Data and Your Law License Secure · hbawp-docs.s3.amazonaws.com/sections/international-law/intlsept1… · Jason Smith - Duff & Phelps, LLC · Presentation


Lex Encryptus: Keeping Client Data and Your Law License Secure

Presented By:

Ron Chichester – Ron Chichester, P.C.

Jason Smith - Duff & Phelps, LLC

Presentation produced by:


Table of Contents

• The Facts

• The “Information”

• The Ethics and the Duties

– To Protect

• The Statutes

• The Disciplinary Rules

• The Ethics Opinions

• Why Are Law Firms Targets?

– To Notify

• The Penalties

• The Protection (by Encryption)

• Summary

The Facts

In 2010...

• Almost 600 breaches were reported

• The average breach affected more than 31,000 records

• The average cost to the company was $204 per record

The average hard cost of a breach = $6.5 Million

The potential soft costs of a breach = Immeasurable

Source: http://goo.gl/zTHTD

The Facts

In 2011...

• More than 80 law firms suffered a breach

• Identity Theft (family law, probate, tax)

• Securities (Chinese hackers attempted to stop a merger)

• Corporate Espionage (intellectual property)

“Confidential information is the new currency crooks are after. We have seen a 40 percent rise in the theft of intellectual property since the 2008 recession.”

- President of a security firm that investigates major corporate breaches

…via law firms

Why are Law Firms Targets?

Corporations

• Secure data centers

• Information overload

Law Firms

• Less security

• Consolidated, High-Value Data

The “Information”

Personally Identifying Information

Covered by:

• Statutes

• Ethics Rules (TX+)

Confidential & Proprietary Information

Covered by:

• Ethics Rules (TX+)

Duty to Protect: TX Business & Commerce Code Chapter 521

• “Reasonable” procedures to avoid disclosure

• “Personal information”

• “Notification” requirement

• Law change on September 01, 2012

  – (b) A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any resident of this state whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

  – (b) A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Duty to Protect: TX Disciplinary Rule 1.05 – Confidentiality of Information

• “Confidential Info” = “Privileged” & “Unprivileged client” info

• Scienter requirement = “Knowingly”

• NOTE: No mention of “encrypt” or “encryption”

• Exceptions:

  – Inadvertent disclosure?

  – Intercepted communications? TX Pen. Code Sect. 16.02 makes interception a crime.

  – Court orders

  – ECPA

• No Exceptions for:

  – Loss of electronic device

  – Confiscation by government agency (with later sale of the device at auction)

Duty to Protect: ABA Ethics Opinion on Electronic Communication

Formal Opinion 11-459 - August 4, 2011

• Deals with the duty of an attorney in communicating electronically with a client and the threat of third-party interception.

• Does the attorney have to ensure the client’s technology infrastructure is sufficiently secure?

• When the attorney initiates the electronic communication, he/she should use a secure method

Source: http://goo.gl/N5ivg

Now… Back to the Law Firms

• On November 1, 2009, the FBI issued an advisory warning to law firms that they were specifically being targeted by hackers.

• Matt Kesner, CIO of Fenwick and West, says his firm has been breached twice.

• China is the biggest state-sponsored offender*.

• Law firms have a vested interest in keeping breaches quiet...

…or they did until 2003!

Source: http://goo.gl/LSl1r

The Duty to Notify: States with Data Breach Notification Statutes

[Maps for 2002, 2003 and 2012]

Key: Green = No Statute; Red = Statute in Place; Orange = Notify Attorney General (Oct ‘12)

Coming October 2012: Notify State Attorney General

The “Penalties”

Do we have any volunteers to:

• Notify the world of your lack of reasonable care?

• Lose your reputation… and your clients?

• Lose your law license?

• Pay statutory damages?

• Have an injunction imposed upon you by the Attorney General (most common remedy)?

• See your name in the style of the first case heard by the Supreme Court on this topic?


The Protection

• Encryption algorithm

  – Single key – password security

    • Single key is “reasonable protection” in every state with data breach notification law

    • Thumb drives can accommodate single key

  – Public/Private key – Each person has a public key and a private key

    • Not covered in this presentation

• Thumbdrive

  – TrueCrypt – Free

  – Open source – runs on multiple platforms

Overview of Portable Apps

• Create and Edit documents

• Surf the web

• Send/receive emails

• E-Discovery tools

• Many software utilities

How to Encrypt: Installing Portable Apps

• Insert thumb drive

• Double-click the “Start” icon to start PortableApps

• Click “Apps” icon to select Apps to load to drive (license acceptance issue)

• Select the apps to install by clicking the checkboxes

• Suggested:

  – Browsers: Firefox, Chrome

  – Office Suite: LibreOffice, OpenOffice

• The apps are now ready to use (double click to launch)

How to Encrypt: Creating an Encrypted “Container”

• Open TrueCrypt

  – Locate thumb drive on your computer

  – Find the TrueCrypt folder

  – Double-click the TrueCrypt.exe

• Click “Create Volume” (Container)

  – TrueCrypt Volume Creation Wizard - Select first option

  – Volume Type – Select Standard

    • Click Next

  – Volume Location – Click ‘Select File’

    • (make sure “never save file history” is checked)

    • Find thumbdrive

    • Type in any name you want

    • Click Next

    • Click Save

  – Encryption Options

    • Single, Double, Triple (triple is best but slowest)

    • Side note: 128-bit key encryption is sufficient for financial transactions

    • Hash algorithm – leave default

    • Click Next

  – Volume (Container) Size

    • On this thumb drive, 4GB is plenty, don't want to do more than 6GB

    • Caveat: If sending via email, may need to consider email size limitations (alternative is cloud storage like Dropbox)

    • Click Next

  – Volume Password

    • Enter a password

    • Click Next

  – Volume Format

    • Filesystem – leave defaults

    • Move mouse around to generate (about 10 seconds is sufficient)

    • Click Next

  – Volume Created – click Next

  – Click Cancel to exit (No, it’s not really intuitive)

How to Encrypt: Creating an Encrypted “Container” (cont’d)

• Mount Volume (Container)

  – Select Drive Letter and click “Select File”

  – Find volume (“container”) you created and click “Open”, then click “Mount”

  – Drive is now available to save to

• Create/Edit Document

  – Save file to drive created

• Dismount Volume (Container)

  – Go to TrueCrypt, click “Dismount”

  – Volume/Container gets encrypted on dismount

  – NOTE: DO NOT REMOVE THE THUMBDRIVE UNTIL DISMOUNT IS COMPLETE (removing the thumbdrive prematurely will result in a corrupted, unusable container)

• Volume (“Container”) can be distributed – it’s encrypted
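
A check to run after the dismount step above, as an added example that is not part of the original presentation: it confirms that the container file on the thumb drive has the near-random byte distribution of encrypted data (a TrueCrypt container carries no readable header) and lists documents left on the drive outside the container. The file names, the extension list and the 7.9-bit threshold are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter
from pathlib import Path

# Assumed list of document types worth flagging; adjust to the firm's own file types.
DOC_EXTENSIONS = {".doc", ".docx", ".odt", ".pdf", ".rtf", ".txt", ".xls", ".xlsx"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for plain text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 1 << 20, threshold: float = 7.9) -> bool:
    """True when the first sample_size bytes have near-maximal byte entropy.
    High entropy is necessary for encrypted data but not proof of it
    (compressed files also score high)."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample_size)) >= threshold


def audit_drive(drive_root, container_name):
    """Return (container_ok, stray_documents) for a thumb drive laid out as in the slides."""
    root = Path(drive_root)
    container = root / container_name
    container_ok = container.is_file() and looks_encrypted(container)
    stray = sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and p != container and p.suffix.lower() in DOC_EXTENSIONS
    )
    return container_ok, stray


if __name__ == "__main__":
    import tempfile
    # Constructed sample drive: random bytes stand in for a dismounted container,
    # and one memo was saved beside the container instead of inside it.
    with tempfile.TemporaryDirectory() as drive:
        Path(drive, "client.tc").write_bytes(os.urandom(256 * 1024))
        Path(drive, "Documents").mkdir()
        Path(drive, "Documents", "memo.txt").write_text("Privileged draft\n" * 200)
        ok, stray = audit_drive(drive, "client.tc")
        print("container looks encrypted:", ok)
        print("documents outside the container:", stray)
```

Application folders on the drive may contain their own text or PDF files, so review the stray list rather than treating every hit as client data.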


Summary

• Law Firms are being targeted because they house high-value data in less-secure, consolidated locations

• Lawyers have a duty (ethically and by statute) to protect certain information

• Notification statutes are forcing data breaches to become public knowledge

• Data breaches can cause serious financial and reputational harm

• Simple, cost-effective tools exist to increase protection of data and keep you from seeing your name in the style of the first case heard by the Supreme Court on this topic!

Questions?

Ron Chichester
Ron Chichester, PC
31526 Helen Lane
Tomball, TX 77375-2977
T +1 713 302 1679
M +1 281 357 4240
F +1 281 657 7044
[email protected]
www.texascomputerlaw.com
Past Chair, State Bar of Texas Computer & Technology Section

Jason Smith
DUFF & PHELPS, LLC
1111 Bagby, Suite 1900
Houston, TX 77002
T +1 713 237 5370
M +1 832 470 5178
F +1 832 589 1160
[email protected]
www.duffandphelps.com
Chair, State Bar of Texas Computer & Technology Section

Presentation produced by:

www.sbot.org