#ClioWeb
Cybersecurity for Law Firms
Joshua Lenon – Clio
Rakesh Madhava – Nextpoint
Howard Irving – Atlantic Insurance
Instructors
Joshua Lenon
• Lawyer in Residence at Clio
• Attorney Admitted in New York
Rakesh Madhava
• Nextpoint, CEO & Founder
• Litigation Consultant since 1996
Howard Irving
• President, Atlantic Insurance Agency
Agenda
• Cybersecurity is a Necessity (20 minutes)
  – Ethical
  – Statutory
  – Federal Recommendations
• Cybersecurity Considerations (20 minutes)
  – Physical and Environmental Controls
  – “Need to Know” Access Within the Law Firm
  – Encryption and User Authentication
  – Audit trail and Access Logs
• Cybersecurity Insurance (10 minutes)
• Questions
CYBERSECURITY IS A NECESSITY
ETHICAL CYBERSECURITY
Ethical Requirements for Security
Rule 1.1 Competence
• [Comment 8]
  – “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
States Adopting Comment 8
• Arizona
• Arkansas
• Connecticut
• Delaware
• Idaho
• Kansas
• Massachusetts
• Minnesota
• New Mexico
• North Carolina
• Ohio
• Pennsylvania
• West Virginia
• Wyoming
Ethical Requirements for Security
Rule 1.6 Confidentiality
• (a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation…
• [Comment 18]
  – …inadvertent or unauthorized disclosure of information relating to the representation of a client does not constitute a violation if the lawyer has made reasonable efforts to prevent the access or disclosure.
Rule 5.3 Responsibilities Regarding Nonlawyer Assistant
• (b) a lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer…
Continuous Ethical Duties
NY Ethics Opinion 842
Lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client's information, and the lawyer should monitor the changing law of privilege to ensure that storing information in the "cloud" will not waive or jeopardize any privilege protecting the information.
CA Formal Ethics Opinion No. 2010-179
Because of the evolving nature of technology and differences in security features that are available, the attorney must ensure the steps are sufficient for each form of technology being used and must continue to monitor the efficacy of such steps.
Ethics Opinions Weakness
Opinions fail to discuss regulatory requirements.
STATUTORY CYBERSECURITY
Non-Lawyer Rules Affecting Lawyers
CFPB Bulletin 2012-03
Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities.
Non-Lawyer Rules Affecting Lawyers
HIPAA
Protected Health Information (PHI): Any information relating to past, present, or future physical or mental health or condition of an individual.
• Medical records
• Any information that identifies an individual as a patient
• Applies to “covered entities” & “business associates”
• Protect the storage and transmission of electronic PHI
• Implement administrative, technical and physical safeguards
• Criminal Penalties & State Attorneys General can bring civil actions for violation
Non-Lawyer Rules Affecting Lawyers
HIPAA
• 9 Administrative Safeguards (164.308)
  – Security Management Process
  – Assigned Responsibility
  – Workforce Security
  – Information Access Management
• 4 Physical Safeguards (164.310)
  – Facility Access
  – Workstation Use
  – Workstation Security
  – Device & Media Controls
• 5 Technical Safeguards (164.312)
  – Access Control
  – Audit Controls
  – Integrity
  – Person Authentication
  – Transmission Security
Growing Alphabet of Regulation
• Federal Trade Commission (FTC)
• Securities & Exchange Commission (SEC)
• Fair Credit Reporting Act (FCRA)
• California’s Online Privacy Protection Act of 2003
• Massachusetts’ 940 CMR 27
• Canada
  – Personal Information Protection and Electronic Documents Act (PIPEDA)
  – BC’s Freedom of Information and Privacy Act (FOIPA)
• European Union Data Protection Directive
FEDERAL CYBERSECURITY RECOMMENDATIONS
Cybersecurity Framework
• “Framework for Improving Critical Infrastructure Cybersecurity”
• Published by NIST in February 2014
• Provides Core, Tiers and Profiles
Cybersecurity Framework: Cores
Source: NIST, “Framework for Improving Critical Infrastructure Cybersecurity,” 02/14/2014
Cybersecurity Framework: Tiers
• 4 Tiers:
  – Tier 1: Partial
  – Tier 2: Risk Informed
  – Tier 3: Repeatable
  – Tier 4: Adaptive
“Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective.”
Cybersecurity Framework: Tiers
• Tier 3: Repeatable
  – Formal risk management policies with reviews
  – Organization-wide approach with training
  – Collaborates with outside partners on risk management
• Tier 4: Adaptive
  – Adapts security based on lessons & predictions
  – Security is part of corporate culture with continuous improvement
  – Actively shares information with partners
Cybersecurity Framework: Profiles
• Current: security outcomes being achieved
• Target: outcomes needed to meet goals
• Compare Current and Target Profiles to identify gaps in security processes
Cyber Security Framework
Cloud services allow easier regulatory compliance.
Cloud Economies
• Dedicated Security Team
• Greater Investment in Security Infrastructure
• Fault Tolerance and Reliability
• Greater Resiliency
• Hypervisor Protection Against Network Attacks
• Simplification of Compliance Analysis
• Data Held by Unbiased Party
• Low-Cost Disaster Recovery and Data Storage Solutions
• On-Demand Security Controls
• Real-Time Detection of System Tampering
• Rapid Re-Constitution of Services
Source: Cloud.CIO.gov
CYBERSECURITY CONSIDERATIONS
Rakesh Madhava, Founder, CEO Nextpoint
Considerations in Cybersecurity for Law Firms
4 Considerations for Law Firm Data Security
1. Physical & Environmental Controls
Microsoft Data Center outside of San Antonio
QTS Data Center outside of Atlanta
View of the World Trade Center from Hoboken, NJ after Superstorm Sandy
2. “Least Privilege”
What Does “Least Privilege” Mean?
“The principle means giving a user account only those privileges which are essential to that user's work.”
– Wikipedia, Principle of Least Privilege
Source: http://en.wikipedia.org/wiki/Principle_of_least_privilege
3. Encryption at rest and in transit
Source: https://msdn.microsoft.com/en-us/library/ff648434.aspx
4. User access controls and audit logs
User Access Controls & Audit Logs
Can I add, delete or suspend users?
Are users authenticated with multiple factors?
Can I delete, download or add data myself?
Can I see who has accessed the data?
Can I see what data users have accessed?
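The access-control and audit-log questions above, as an added example that is not part of the original deck: a small Python model (constructed user names and matter ids) of matter-level "least privilege" grants, where every access attempt is logged and the log answers who accessed which data, including the denied attempts a firm would review.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: each user is granted only the matters essential to
# their work (least privilege), with no firm-wide "read everything" default.
GRANTS = {
    "alice": {"matter-101", "matter-102"},  # partner on two matters
    "bob": {"matter-101"},                  # paralegal on one matter
}


@dataclass
class AuditEntry:
    ts: str
    user: str
    matter: str
    allowed: bool


@dataclass
class MatterStore:
    grants: dict
    log: list = field(default_factory=list)

    def access(self, user, matter):
        """Enforce the grant list and record every attempt, allowed or denied."""
        allowed = matter in self.grants.get(user, set())
        self.log.append(AuditEntry(datetime.now(timezone.utc).isoformat(), user, matter, allowed))
        return allowed

    def suspend(self, user):
        """Suspending a user drops all grants; later attempts are logged as denied."""
        self.grants[user] = set()

    def who_accessed(self, matter):
        """Answers 'who has accessed this data?' from the audit log."""
        return sorted({e.user for e in self.log if e.matter == matter and e.allowed})

    def accessed_by(self, user):
        """Answers 'what data has this user accessed?' from the audit log."""
        return sorted({e.matter for e in self.log if e.user == user and e.allowed})

    def denied_attempts(self):
        """Denied attempts are the entries worth reviewing for misuse."""
        return [(e.user, e.matter) for e in self.log if not e.allowed]


def demo():
    store = MatterStore(grants={u: set(g) for u, g in GRANTS.items()})
    store.access("alice", "matter-101")
    store.access("bob", "matter-101")
    store.access("bob", "matter-102")    # outside bob's need to know: denied
    store.suspend("alice")
    store.access("alice", "matter-102")  # after suspension: denied
    return store
```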
Cloud vs. Legacy Decision Tree
(Decision-tree diagram; its node labels, in reading order: Rigorous security provisioning; Review platform is needed; Security protocols; No preference; Supported by developer or reseller; Direct from developer; Cost: user fees and hosting cost; Unlimited users without hosting; Ability to load data directly into platform; No preference; Self-serve upload and processing; No preference; Legacy solution from vendor or on-premise; Integrated trial preparation; No preference; No preference; Lifecycle solution.)
Technology Comparison: Cloud vs. Legacy
Confidential – Nextpoint © 2015
1. Physical And Environmental Measures
Is the data center in a low-density area with environmental protections? ✅
Are there SOC3 or ISO 27001 certifications validating physical security measures? ✅
Is there geographic redundancy in the event of a natural disaster? ✅
2. Use of Encryption Technology
Is data encrypted when stored at the data center? ✅
Is the data transmitted to and from the data center in an encrypted form? ✅
3. Users and Access Control
Are users validated using factors in addition to username and password? ✅
Does the law firm have the ability to add or suspend users on its own? ✅
Does the law firm have rights to add and delete data on its own? ✅
Are the activities of users tracked with audit logs available? ✅
CYBERSECURITY INSURANCE
Cybersecurity Insurance
Why is cybersecurity insurance necessary?
Cybersecurity Insurance
What rates can firms expect?
Cybersecurity Insurance
What information will firms have to provide when acquiring coverage?
Cybersecurity Insurance
What should technology vendors provide to help firms obtain coverage?
Vendor Security
CONCLUSIONS
Conclusions
• Cybersecurity is moving from an ethical to a regulatory duty
• Law firms are vulnerable due to high volume of data and lack of preparedness.
• Firms need a repeatable, adaptive cybersecurity process
• Reasonable cybersecurity safeguards include:
  – Administrative
  – Physical
  – Technical
Action Plan
• Today
  1. Create an encrypted backup;
  2. Turn on 2-factor authentication and strong passwords;
  3. Find the access logs for your software.
• Going Forward
  1. Map your current technology & data;
  2. Read which data privacy laws apply to your practice area;
  3. Document current cybersecurity levels;
  4. Plan for the next level.
QUESTIONS?