Lex Encryptus: Keeping Client Data and Your Law License Secure
Presented By:
Ron Chichester – Ron Chichester, P.C.
Jason Smith – Duff & Phelps, LLC
Presentation produced by:
Table of Contents
• The Facts
• The “Information”
• The Ethics and the Duties
– To Protect
  • The Statutes
  • The Disciplinary Rules
  • The Ethics Opinions
  • Why Are Law Firms Targets?
– To Notify
  • The Penalties
• The Protection (by Encryption)
• Summary
The Facts
In 2010...
• Almost 600 breaches were reported
• The average breach affected more than 31,000 records
• The average cost to the company was $204 per record
The average hard cost of a breach = $6.5 Million
The potential soft costs of a breach = Immeasurable
Source: http://goo.gl/zTHTD
The Facts
In 2011...
• More than 80 law firms suffered a breach
• Identity Theft (family law, probate, tax)
• Securities (Chinese hackers attempted to stop a merger)
• Corporate Espionage (intellectual property)
“Confidential information is the new currency crooks are after. We have seen a 40 percent rise in the theft of intellectual property since the 2008 recession.”
– President of a security firm that investigates major corporate breaches
…via law firms
Why are Law Firms Targets?
• Corporations: secure data centers; information overload
• Law Firms: less security; consolidated, high-value data
The “Information”
• Personally Identifying Information – covered by:
– Statutes
– Ethics Rules (TX+)
• Confidential & Proprietary Information – covered by:
– Ethics Rules (TX+)

Duty to Protect: TX Business & Commerce Code Chapter 521
• “Reasonable” procedures to avoid disclosure
• “Personal information”
• “Notification” requirement
• Law change on September 01, 2012
– Before the change, subsection (b) read: “A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any resident of this state whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
– After the change, subsection (b) reads: “A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
Duty to Protect: TX Disciplinary Rule 1.05 – Confidentiality of Information
• “Confidential Info” = “Privileged” & “Unprivileged client” info
• Scienter requirement = “Knowingly”
• NOTE: No mention of “encrypt” or “encryption”
• Exceptions:
– Inadvertent disclosure?
– Intercepted communications? TX Pen. Code Sect. 16.02 makes interception a crime.
– Court orders
– ECPA
• No exceptions for:
– Loss of electronic device
– Confiscation by government agency (with later sale of the device at auction)
Duty to Protect: ABA Ethics Opinion on Electronic Communication
Formal Opinion 11-459 – August 4, 2011
• Deals with the duty of an attorney in communicating electronically with a client and the threat of third-party interception.
• Does the attorney have to ensure the client’s technology infrastructure is sufficiently secure?
• When the attorney initiates the electronic communication, he/she should use a secure method
Source: http://goo.gl/N5ivg
• On November 1, 2009, the FBI issued an advisory warning to law firms that they were specifically being targeted by hackers.
• Matt Kesner, CIO of Fenwick and West says his firm has been breached twice.
• China is the biggest state-sponsored offender*.
• Law firms have a vested interest in keeping breaches quiet...
…or they did until 2003!
Source: http://goo.gl/LSl1r
Now… Back to the Law Firms
The Duty to Notify: States with Data Breach Notification Statutes
[Map slides; key: green = no statute, red = statute in place]
• 2002
• 2003
• 2012
• 2012, with orange = notify Attorney General (coming October 2012: notify the state Attorney General)
The “Penalties”
Do we have any volunteers to:
• Notify the world of your lack of reasonable care?
• Lose your reputation… and your clients?
• Lose your law license?
• Pay statutory damages?
• Have an injunction imposed upon you by the Attorney General (most common remedy)?
• See your name in the style of the first case heard by the Supreme Court on this topic?
The Protection
• Encryption algorithm
– Single key – password security
  • Single key is “reasonable protection” in every state with a data breach notification law
  • Thumb drives can accommodate single key
– Public/Private key – each person has a public key and a private key
  • Not covered in this presentation
• Thumbdrive – TrueCrypt – Free
– Open source – runs on multiple platforms
Overview of Portable Apps
• Create and edit documents
• Surf the web
• Send/receive emails
• E-Discovery tools
• Many software utilities

How to Encrypt: Installing Portable Apps
• Insert thumb drive
• Double-click the “Start” icon to start PortableApps
• Click the “Apps” icon to select apps to load onto the drive (license acceptance issue)
• Select the apps to install by clicking the checkboxes
• Suggested:
– Browsers: Firefox, Chrome
– Office Suite: LibreOffice, OpenOffice
• The apps are now ready to use (double-click to launch)

How to Encrypt: Creating an Encrypted “Container”
• Open TrueCrypt
– Locate the thumb drive on your computer
– Find the TrueCrypt folder
– Double-click TrueCrypt.exe
• Click “Create Volume” (Container)
– TrueCrypt Volume Creation Wizard – select the first option
– Volume Type – select Standard, click Next
– Volume Location – click “Select File”
  • (make sure “never save file history” is checked)
  • Find thumbdrive
  • Type in any name you want
  • Click Next
  • Click Save
– Encryption Options
  • Single, Double, Triple (triple is best but slowest)
  • Side note: 128-bit key encryption is sufficient for financial transactions
  • Hash algorithm – leave default
  • Click Next
– Volume (Container) Size
  • On this thumb drive, 4GB is plenty; don’t do more than 6GB
  • Caveat: if sending via email, you may need to consider email size limitations (the alternative is cloud storage such as Dropbox)
  • Click Next
– Volume Password
  • Enter a password
  • Click Next
– Volume Format
  • Filesystem – leave defaults
  • Move the mouse around to generate randomness (about 10 seconds is sufficient)
  • Click Next
– Volume Created – click Next
– Click Cancel to exit (no, it’s not really intuitive)
• Mount Volume (Container)
– Select a drive letter and click “Select File”
– Find the volume (“container”) you created and click “Open”, then click “Mount”
– The drive is now available to save to
• Create/Edit Document
– Save the file to the drive you created
• Dismount Volume (Container)
– Go to TrueCrypt, click “Dismount”
– The volume/container gets encrypted on dismount
– NOTE: DO NOT REMOVE THE THUMBDRIVE UNTIL DISMOUNT IS COMPLETE (removing the thumbdrive prematurely will result in a corrupted, unusable container)
• Volume (“Container”) can be distributed – it’s encrypted
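The wizard steps above hide what “single key – password security” actually does. The following is an added example written for this page (not TrueCrypt’s code, and not its volume format, which uses XTS mode and its own header): a password plus a random salt is stretched into a 256-bit key with PBKDF2-HMAC-SHA256, that key encrypts the container contents with AES-256-GCM, and opening the result with the wrong password, or after a write cut short (the premature-removal case in the dismount note), fails with a clear error instead of yielding garbage. The iteration count, field layout, passphrase and sample memo are all constructed for the example; the authenticated (tamper-detecting) mode is a design choice here, not a property of TrueCrypt volumes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"log"
)

// Constructed parameters for this example (not TrueCrypt's header layout,
// cipher mode or iteration counts).
const (
	saltLen    = 16      // random per-container salt
	nonceLen   = 12      // standard AES-GCM nonce size
	keyLen     = 32      // 256-bit AES key
	iterations = 100_000 // PBKDF2 work factor; each password guess costs this many HMACs
)

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA256 using only
// the standard library, so the example has no external dependencies.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (dkLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	var ctr [4]byte
	for block := 1; block <= numBlocks; block++ {
		prf.Reset() // U1 = PRF(salt || INT(block))
		prf.Write(salt)
		binary.BigEndian.PutUint32(ctr[:], uint32(block))
		prf.Write(ctr[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // T = U1 xor U2 xor ... xor Uc
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// newGCM derives the container key from password and salt and returns the AEAD.
func newGCM(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealContainer encrypts plaintext under a password.
// Result layout: salt || nonce || AES-256-GCM ciphertext+tag. The random salt
// gives two containers with the same password different keys; the GCM tag lets
// openContainer reject a wrong password or a damaged container.
func sealContainer(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	gcm, err := newGCM(password, salt)
	if err != nil {
		return nil, err
	}
	out := append(append([]byte{}, salt...), nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// openContainer reverses sealContainer. Any error means the password is wrong
// or the container bytes were altered after sealing.
func openContainer(password string, container []byte) ([]byte, error) {
	if len(container) < saltLen+nonceLen {
		return nil, errors.New("container too short")
	}
	salt, nonce, body := container[:saltLen], container[saltLen:saltLen+nonceLen], container[saltLen+nonceLen:]
	gcm, err := newGCM(password, salt)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, body, nil)
	if err != nil {
		return nil, errors.New("wrong password or corrupted container")
	}
	return pt, nil
}

func main() {
	doc := []byte("Privileged & confidential: constructed sample memo") // constructed sample
	pw := "correct-horse-battery-staple"                               // constructed passphrase
	container, err := sealContainer(pw, doc)
	if err != nil {
		log.Fatal(err)
	}
	pt, err := openContainer(pw, container)
	fmt.Printf("right password: %q err=%v\n", pt, err)
	_, err = openContainer("wrong password", container)
	fmt.Println("wrong password:", err)
	container[len(container)-1] ^= 0x01 // simulate a write cut short by pulling the drive
	_, err = openContainer(pw, container)
	fmt.Println("corrupted container:", err)
}
```

The salt and nonce travel with the container in the clear; only the password must stay secret, which is exactly why the strength of the whole scheme rests on the passphrase entered at the “Volume Password” step.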
Summary
• Law firms are being targeted because they house high-value data in less-secure, consolidated locations
• Lawyers have a duty (ethically and by statute) to protect certain information
• Notification statutes are forcing data breaches to become public knowledge
• Data breaches can cause serious financial and reputational harm
• Simple, cost-effective tools exist to increase protection of data and keep you from seeing your name in the style of the first case heard by the Supreme Court on this topic!
Questions?

Ron Chichester
Ron Chichester, PC
31526 Helen Lane, Tomball, TX 77375-2977
T +1 713 302 1679 / M +1 281 357 4240 / F +1 281 657 7044
[email protected]
www.texascomputerlaw.com
Past Chair, State Bar of Texas Computer & Technology Section

Jason Smith
DUFF & PHELPS, LLC
1111 Bagby, Suite 1900, Houston, TX 77002
T +1 713 237 5370 / M +1 832 470 5178 / F +1 832 589 1160
[email protected]
www.duffandphelps.com
Chair, State Bar of Texas Computer & Technology Section

Presentation produced by: www.sbot.org