#ClioWeb Cybersecurity for Law Firms Joshua Lenon – Clio Rakesh Madhava – Nextpoint Howard Irving – Atlantic Insurance

Cybersecurity for law firms handouts


Page 1: Cybersecurity for law firms   handouts

Cybersecurity for Law Firms

Joshua Lenon – Clio
Rakesh Madhava – Nextpoint
Howard Irving – Atlantic Insurance

Page 2: Cybersecurity for law firms   handouts

Instructors

Joshua Lenon
• Lawyer in Residence at Clio
• Attorney Admitted in New York

Rakesh Madhava
• Nextpoint, CEO & Founder
• Litigation Consultant since 1996

Howard Irving
• President, Atlantic Insurance Agency

Page 3: Cybersecurity for law firms   handouts

Agenda

• Cybersecurity is a Necessity (20 minutes)
  – Ethical
  – Statutory
  – Federal Recommendations
• Cybersecurity Considerations (20 minutes)
  – Physical and Environmental Controls
  – “Need to Know” Access Within the Law Firm
  – Encryption and User Authentication
  – Audit trail and Access Logs
• Cybersecurity Insurance (10 minutes)
• Questions

Page 4: Cybersecurity for law firms   handouts


CYBERSECURITY IS A NECESSITY

Page 5: Cybersecurity for law firms   handouts


ETHICAL CYBERSECURITY

Page 6: Cybersecurity for law firms   handouts

Ethical Requirements for Security

Rule 1.1 Competence
• [Comment 8]
  – “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”

States Adopting Comment 8
• Arizona
• Arkansas
• Connecticut
• Delaware
• Idaho
• Kansas
• Massachusetts
• Minnesota
• New Mexico
• North Carolina
• Ohio
• Pennsylvania
• West Virginia
• Wyoming

Page 7: Cybersecurity for law firms   handouts

Ethical Requirements for Security

Rule 1.6 Confidentiality
• (a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation…
• [Comment 18]
  – …inadvertent or unauthorized disclosure of information relating to the representation of a client does not constitute a violation if the lawyer has made reasonable efforts to prevent the access or disclosure.

Page 8: Cybersecurity for law firms   handouts


Rule 5.3 Responsibilities Regarding Nonlawyer Assistant

• (b) a lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer…

Page 9: Cybersecurity for law firms   handouts

Continuous Ethical Duties

NY Ethics Opinion 842
Lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client's information, and the lawyer should monitor the changing law of privilege to ensure that storing information in the "cloud" will not waive or jeopardize any privilege protecting the information.

CA Formal Ethics No. 2010-179
Because of the evolving nature of technology and differences in security features that are available, the attorney must ensure the steps are sufficient for each form of technology being used and must continue to monitor the efficacy of such steps.

Page 10: Cybersecurity for law firms   handouts


Ethics Opinions Weakness

Opinions fail to discuss regulatory requirements.

Page 11: Cybersecurity for law firms   handouts


STATUTORY CYBERSECURITY

Page 12: Cybersecurity for law firms   handouts


Non-Lawyer Rules Affecting Lawyers

Page 13: Cybersecurity for law firms   handouts

Non-Lawyer Rules Affecting Lawyers

CFPB Bulletin 2012-03
Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities.

Page 14: Cybersecurity for law firms   handouts


Non-Lawyer Rules Affecting Lawyers

Page 15: Cybersecurity for law firms   handouts

Non-Lawyer Rules Affecting Lawyers

HIPAA
Protected Health Information (PHI): Any information relating to past, present, or future physical or mental health or condition of an individual.
• Medical records
• Any information that identifies an individual as a patient
• Applies to “covered entities” & “business associates”
• Protect the storage and transmission of electronic PHI
• Implement administrative, technical and physical safeguards
• Criminal Penalties & State Attorneys General can bring civil actions for violation

Page 16: Cybersecurity for law firms   handouts

Non-Lawyer Rules Affecting Lawyers

HIPAA
• 9 Administrative Safeguards (164.308)
  – Security Management Process
  – Assigned Responsibility
  – Workforce Security
  – Information Access Management
• 4 Physical Safeguards (164.310)
  – Facility Access
  – Workstation Use
  – Workstation Security
  – Device & Media Controls
• 5 Technical Safeguards (164.312)
  – Access Control
  – Audit Controls
  – Integrity
  – Person Authentication
  – Transmission Security

Page 17: Cybersecurity for law firms   handouts


Non-Lawyer Rules Affecting Lawyers

Page 18: Cybersecurity for law firms   handouts

Growing Alphabet of Regulation

• Federal Trade Commission (FTC)
• Securities & Exchange Commission (SEC)
• Fair Credit Reporting Act (FCRA)
• California’s Online Privacy Protection Act of 2003
• Massachusetts’ 940 CMR 27
• Canada
  – Personal Information Protection and Electronic Documents Act (PIPEDA)
  – BC’s Freedom of Information and Privacy Act (FOIPA)
• European Union Data Protection Directive

Page 19: Cybersecurity for law firms   handouts


FEDERAL CYBERSECURITY RECOMMENDATIONS

Page 20: Cybersecurity for law firms   handouts

Cybersecurity Framework

• “Framework for Improving Critical Infrastructure Cybersecurity”
• Published by NIST in February 2014
• Provides Core, Tiers and Profiles

Page 21: Cybersecurity for law firms   handouts


Cybersecurity Framework: Cores

Source: NIST, “Framework for Improving Critical Infrastructure Cybersecurity,” 02/14/2014

Page 22: Cybersecurity for law firms   handouts

Cybersecurity Framework: Tiers

• 4 Tiers:
  – Tier 1: Partial
  – Tier 2: Risk Informed
  – Tier 3: Repeatable
  – Tier 4: Adaptive

“Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective.”

Page 23: Cybersecurity for law firms   handouts

Cybersecurity Framework: Tiers

• Tier 3: Repeatable
  – Formal risk management policies with reviews
  – Organization-wide approach with training
  – Collaborates with outside partners on risk management
• Tier 4: Adaptive
  – Adapts security based on lessons & predictions
  – Security is part of corporate culture with continuous improvement
  – Actively shares information with partners

Page 24: Cybersecurity for law firms   handouts

Cybersecurity Framework: Profiles

• Current: security outcomes being achieved
• Target: outcomes needed to meet goals
• Compare Current and Target Profiles to identify gaps in security processes

Page 25: Cybersecurity for law firms   handouts


Cyber Security Framework

Cloud services allow easier regulatory compliance.

Page 26: Cybersecurity for law firms   handouts

Cloud Economies

• Dedicated Security Team
• Greater Investment in Security Infrastructure
• Fault Tolerance and Reliability
• Greater Resiliency
• Hypervisor Protection Against Network Attacks
• Simplification of Compliance Analysis
• Data Held by Unbiased Party
• Low-Cost Disaster Recovery and Data Storage Solutions
• On-Demand Security Controls
• Real-Time Detection of System Tampering
• Rapid Re-Constitution of Services

Source: Cloud.CIO.gov

Page 27: Cybersecurity for law firms   handouts


CYBERSECURITY CONSIDERATIONS

Page 28: Cybersecurity for law firms   handouts

Rakesh Madhava, Founder, CEO Nextpoint

Page 29: Cybersecurity for law firms   handouts

Considerations in Cybersecurity for Law Firms

Page 30: Cybersecurity for law firms   handouts
Page 31: Cybersecurity for law firms   handouts
Page 32: Cybersecurity for law firms   handouts
Page 33: Cybersecurity for law firms   handouts

4 Considerations For Law Firm Data Security

1. Physical & Environmental Controls

Page 34: Cybersecurity for law firms   handouts

Microsoft Data Center outside of San Antonio

QTS Data Center outside of Atlanta

Page 35: Cybersecurity for law firms   handouts

View of the World Trade Center from Hoboken, NJ after Superstorm Sandy

Page 36: Cybersecurity for law firms   handouts

4 Considerations For Law Firm Data Security

1. Physical & Environmental Controls

2. “Least Privilege”

Page 37: Cybersecurity for law firms   handouts

What Does “Least Privilege” Mean?

“The principle means giving a user account only those privileges which are essential to that user's work.”

– Wikipedia, Principle of Least Privilege

Source: http://en.wikipedia.org/wiki/Principle_of_least_privilege

Page 38: Cybersecurity for law firms   handouts
Page 39: Cybersecurity for law firms   handouts

4 Considerations For Law Firm Data Security

1. Physical & Environmental Controls

2. “Least Privilege”

3. Encryption at rest and in transit

Page 40: Cybersecurity for law firms   handouts

Source: https://msdn.microsoft.com/en-us/library/ff648434.aspx

Page 41: Cybersecurity for law firms   handouts

4 Considerations For Law Firm Data Security

1. Physical & Environmental Controls

2. “Least Privilege”

3. Encryption at rest and in transit

4. User access controls and audit logs

Page 42: Cybersecurity for law firms   handouts

User Access Controls & Audit Logs

Can I add, delete or suspend users?

Are users authenticated with multiple factors?

Can I delete, download or add data myself?

Can I see who has accessed the data?

Can I see what data users have accessed?
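The questions above ask whether the firm itself (not only the vendor) can add and suspend users, and whether the audit trail can answer "who accessed this document" and "what did this user access". The Python program below is an added example, not code from the slides or from Clio or Nextpoint; it models matter-based least-privilege access over a small document store, records every allowed and denied access, and answers both audit questions from that log. All user, matter and document names in it are constructed for the example.

```python
"""Added example: least-privilege document access with an audit trail.
Not code from the Clio/Nextpoint slides; users, matters and documents are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set


@dataclass
class User:
    name: str
    # Least privilege: a user is granted individual matters, never "all documents".
    matters: Set[str] = field(default_factory=set)
    suspended: bool = False


@dataclass
class AuditEvent:
    when: datetime
    user: str
    action: str        # "read", "delete", or "denied"
    document: str
    matter: str


class DocumentStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.documents: Dict[str, str] = {}   # document id -> matter id
        self.audit: List[AuditEvent] = []

    # --- user administration: the firm holds these controls itself ---
    def add_user(self, name: str, matters: Set[str]) -> None:
        self.users[name] = User(name, set(matters))

    def suspend_user(self, name: str) -> None:
        self.users[name].suspended = True

    def add_document(self, doc_id: str, matter: str) -> None:
        self.documents[doc_id] = matter

    # --- access decision: every attempt, allowed or denied, is logged ---
    def _check(self, user_name: str, doc_id: str, action: str) -> bool:
        matter = self.documents.get(doc_id, "<unknown>")
        user = self.users.get(user_name)
        allowed = (doc_id in self.documents and user is not None
                   and not user.suspended and matter in user.matters)
        self.audit.append(AuditEvent(datetime.now(timezone.utc), user_name,
                                     action if allowed else "denied", doc_id, matter))
        return allowed

    def read(self, user_name: str, doc_id: str) -> bool:
        return self._check(user_name, doc_id, "read")

    def delete(self, user_name: str, doc_id: str) -> bool:
        if not self._check(user_name, doc_id, "delete"):
            return False
        del self.documents[doc_id]
        return True

    # --- the two audit questions from the checklist ---
    def who_accessed(self, doc_id: str) -> List[str]:
        """Users whose access to doc_id was allowed (denied attempts excluded)."""
        return sorted({e.user for e in self.audit
                       if e.document == doc_id and e.action != "denied"})

    def what_did_user_access(self, user_name: str) -> List[str]:
        return sorted({e.document for e in self.audit
                       if e.user == user_name and e.action != "denied"})

    def denied_attempts(self) -> List[AuditEvent]:
        """Denied attempts are the events worth reviewing; they stay in the log."""
        return [e for e in self.audit if e.action == "denied"]


def demo() -> DocumentStore:
    """Constructed scenario: two matters, one of them holding PHI with a narrow circle."""
    store = DocumentStore()
    store.add_document("contract-001.pdf", "matter-acme")
    store.add_document("medical-007.pdf", "matter-smith")
    store.add_user("alice", {"matter-acme", "matter-smith"})
    store.add_user("bob", {"matter-acme"})
    store.read("alice", "medical-007.pdf")      # allowed: alice is on matter-smith
    store.read("bob", "medical-007.pdf")        # denied: bob is not on that matter
    store.read("bob", "contract-001.pdf")       # allowed
    store.suspend_user("bob")
    store.read("bob", "contract-001.pdf")       # denied: account suspended
    return store


if __name__ == "__main__":
    s = demo()
    print("who accessed medical-007.pdf:", s.who_accessed("medical-007.pdf"))
    print("what bob accessed:", s.what_did_user_access("bob"))
    print("denied attempts:", len(s.denied_attempts()))
```

The design choice worth noting is that denials are logged alongside successes: a vendor log that only records successful reads cannot show a suspended or out-of-scope user repeatedly trying a document, which is exactly what a review after an incident needs to see.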

Page 43: Cybersecurity for law firms   handouts

Cloud vs. Legacy Decision Tree

Page 44: Cybersecurity for law firms   handouts

Decision tree (flowchart; only its node labels survived extraction, grouped here by branch):

• Rigorous security provisioning? → Review of platform security protocols is needed / No preference
• Supported by developer or reseller? → Direct from developer / No preference
• Cost: user fees and hosting cost → Unlimited users without hosting
• Ability to load data directly into platform? → Self-serve upload and processing / No preference
• Integrated trial preparation? → Lifecycle solution / No preference
• Legacy solution from vendor or on-premise

Technology Comparison: Cloud vs. Legacy

Confidential – Nextpoint © 2015

Page 45: Cybersecurity for law firms   handouts

1. Physical And Environmental Measures

Is the data center in a low-density area with environmental protections? ✅

Are there SOC 3 or ISO 27001 certifications validating physical security measures? ✅

Is there geographic redundancy in the event of a natural disaster? ✅

2. Use of Encryption Technology

Is data encrypted when stored at the data center? ✅

Is the data transmitted to and from the data center in an encrypted form? ✅

3. Users and Access Control

Are users validated using factors in addition to username and password? ✅

Does the law firm have the ability to add or suspend users on its own? ✅

Does the law firm have rights to add and delete data on its own? ✅

Are the activities of users tracked with audit logs available? ✅

Technology Comparison: Cloud vs. Legacy


Page 46: Cybersecurity for law firms   handouts


CYBERSECURITY INSURANCE

Page 47: Cybersecurity for law firms   handouts


Cybersecurity Insurance

Why is cybersecurity insurance necessary?

Page 48: Cybersecurity for law firms   handouts


Cybersecurity Insurance

What rates can firms expect?

Page 49: Cybersecurity for law firms   handouts


Cybersecurity Insurance

What information will firms have to provide when acquiring coverage?

Page 50: Cybersecurity for law firms   handouts


Cybersecurity Insurance

What should technology vendors provide to help firms obtain coverage?

Page 51: Cybersecurity for law firms   handouts


Vendor Security

Page 52: Cybersecurity for law firms   handouts


Vendor Security

Page 53: Cybersecurity for law firms   handouts


Vendor Security

Page 54: Cybersecurity for law firms   handouts


CONCLUSIONS

Page 55: Cybersecurity for law firms   handouts


Conclusions

• Cybersecurity is moving from an ethical to a regulatory duty
• Law Firms are vulnerable due to high volume of data and lack of preparedness.
• Firms need a repeatable, adaptive cybersecurity process
• Reasonable cybersecurity safeguards include:
  – Administrative
  – Physical
  – Technical

Page 56: Cybersecurity for law firms   handouts


Action Plan

• Today
  1. Create an encrypted backup;
  2. Turn on 2-factor authentication and strong passwords;
  3. Find the access logs for your software.

• Going Forward
  1. Map your current technology & data;
  2. Read which data privacy laws apply to your practice area;
  3. Document current cybersecurity levels;
  4. Plan for the next level.

Page 57: Cybersecurity for law firms   handouts


QUESTIONS?

Page 58: Cybersecurity for law firms   handouts


Thank You

Joshua Lenon

[email protected]

@JoshuaLenon

Linkedin.com/in/joshualenon

Page 59: Cybersecurity for law firms   handouts
Page 60: Cybersecurity for law firms   handouts
Page 61: Cybersecurity for law firms   handouts
Page 62: Cybersecurity for law firms   handouts