6/5/2018
Managing The Risk of a Data Breach: The Ethical Obligation of Cybersecurity
Goals: After we have concluded this session we should be able to answer the following questions:
1. What is a breach?
2. Why should we care?
3. What can we do to prevent a breach?
What is a Breach? “A security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual or group unauthorized to do so.”
Hacking
▪ Website
▪ Network
▪ Computer
▪ Email
▪ Password
▪ Online Banking
Those Who Hack
▪ Criminals
▪ Hacktivists
▪ Individuals with Malicious Intent
▪ Sovereign Governments

In the News
Data breaches have become common in the news.
Equifax Breach
Major Government Website Data Breaches from April 2015 to April 2016: state.co.us, amherstohio.gov, brunswickme.org, tschhsa.org, georgia.gov, state.md.us, floridahealth.gov, gsa.gov, irs.gov, whs.mil, dentoncounty.com, fws.gov, ca.gov, vermont.gov, itsmarta.com, nasa.gov, opm.gov, state.tx.us, nedhhs.gov, fbi.gov, army.mil, mn.gov, dhs.gov, nationalguard.com, colorado.gov, lacounty.gov, va.gov, illinois.gov, flgov.com, state.gov, laems.net, slco.gov, az.gov, nyc.gov, myflfamilies.com
Source: Security Scorecard report.
Office of the Texas Attorney General
Law Firms
11,500,000. Whoa! That’s a big number!
How did they do it? So easy a high school student could have done it.
• Lost access to phone
• Lost access to email
• Lost access to web portal
Why do hackers want the information you keep?
• Online banking passwords
• Credit card numbers
• Social Security numbers
• Email passwords
• Tax information
• Health or medical information
• Confidential emails
ABA Commission on Ethics 20/20
ABA Commission on Ethics 20/20: Proposed several rule changes to the ABA House of Delegates in 2012.
▪ Amendments to Model Rule 1.1
▪ Amendments to Model Rule 1.6
▪ Amendments to Model Rule 5.3
Kansas Ethics 20/20 Commission
Reviewed the ABA changes and made recommendations.
KRPC 1.1 Competence
KRPC 1.1 Competence, Comment 8
“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and comply with all continuing legal education requirements to which the lawyer is subject.”
Wait, really?
KRPC 1.6 Confidentiality
KRPC 1.6(c) Confidentiality
“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
KRPC 1.6(c) Confidentiality vs. Data Breach Definition
KRPC 1.6(c): “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Data breach: “A security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual or group unauthorized to do so.”

KRPC 1.6, Comment: “… The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”
Factors to Consider: Making reasonable efforts. Those factors include:
• the sensitivity of the information,
• the likelihood of disclosure if additional safeguards are not employed,
• the cost of employing additional safeguards,
• the difficulty of implementing the safeguards, and
• the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.
Wait a minute, say that again…
Might as well say water is wet.
What’s the bigger picture?
KRPC 5.3 Responsibilities Regarding Nonlawyer Assistance, Comment 3
“A lawyer may use nonlawyers outside the firm to assist the lawyer in rendering legal services to the client…When using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer's professional obligations…”
When Using Technology
Digital Data Security
Data in transit, at rest, and in use.
Basic Protection
Protect your computer with:
• a firewall,
• spam filters,
• anti-virus and anti-spyware software.
Lost or Stolen Devices
▪Passwords ▪Encryption ▪Wiping Apps
Email: Should I encrypt?
Dklajf&*IHFDp90p!klhd af80932!kjl;djsaf0j’a@* &nhdiaofh&^&*((787y# k90%^ojiaoiJJddkliuok m;l’a/.
Texas Opinion 648: Does a lawyer have the duty to encrypt email?
Look for other alternative ways to encrypt
https://thehackernews.com/2018/05/efail-pgp-email-encryption.html
Encryption for Free in Microsoft Word
Encryption for Free in Adobe
Phishing: Not the kind you do at the lake
Cryptolocker
You’ve Got Mail: Implement safe email practices. Be especially cautious of emails that come from unrecognized senders.
Beware of links in emails that ask for personal information, even if the email appears to come from an enterprise you do business with.
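The two warnings above (an unrecognized sender, and a link that only appears to come from an enterprise you do business with) can be turned into a mechanical check before anyone clicks. The following Python is an added example written for this page, not material from the presentation: the two messages, the bank name and every domain in them are constructed for the example, and the KNOWN_SENDERS table stands in for whatever list of expected sender domains a firm keeps.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Display name -> domain the firm expects that party to mail from
# (assumption for the example; a firm would keep its own list).
KNOWN_SENDERS = {"Example Bank Support": "example-bank.com"}

# Wording typical of messages that ask for credentials or personal data
ASK_PHRASES = ("confirm your details", "verify your account",
               "enter your password", "social security")

# Constructed lookalike message: the sender domain swaps an "l" for a "1",
# and the link text shows the real bank while the href goes elsewhere.
SUSPECT = """\
From: "Example Bank Support" <alerts@examp1e-bank-secure.com>
Subject: Action required: verify your account
Content-Type: text/html

<p>Please confirm your details at
<a href="http://login.examp1e-bank-secure.com/verify">https://www.example-bank.com/login</a></p>
"""

# Constructed benign message: expected domain, link text and href agree.
BENIGN = """\
From: "Example Bank Support" <alerts@example-bank.com>
Subject: Your monthly statement is available
Content-Type: text/html

<p>View it at <a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></p>
"""

LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (no public-suffix list; fine for .com)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def phishing_indicators(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender: does the display name match the domain it claims to mail from?
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = registered_domain(addr.rpartition("@")[2])
    expected = KNOWN_SENDERS.get(name)
    if expected and sender_domain != expected:
        findings.append(f"sender '{name}' mails from {sender_domain}, expected {expected}")

    # 2. Links: does the URL the reader sees agree with where the href really goes?
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        if LOOKS_LIKE_URL.match(text):
            shown, real = registered_domain(host_of(text)), registered_domain(host_of(href))
            if shown != real:
                findings.append(f"link text shows {shown} but href goes to {real}")

    # 3. Wording: is the message asking for credentials or personal data?
    haystack = (str(msg["Subject"]) + " " + html).lower()
    hits = [p for p in ASK_PHRASES if p in haystack]
    if hits:
        findings.append("asks for personal information: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

The link check is the one that catches the case the slide warns about: the visible text is the real bank's address, so the message "appears to come from an enterprise you do business with", but the href resolves to a different registered domain. The sender check only works against a maintained list of expected domains, and the wording check is a heuristic, so an empty result is not proof that a message is safe.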
Never email personal or financial information, even if you are close with the recipient.
Passwords are a critical part of account safety
Don’t be like Equifax!
Use a combination of letters and numbers: Wilson012779 becomes Wi7s0no1SL79
Use Password Phrases
ImGoing2KansasCity15
When I was seven, my sister threw my stuffed rabbit in the toilet = WIw7,mstmsritt
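The scheme behind the last example (first character of each word, number words written as digits, punctuation kept) can be applied and checked mechanically. The Python below is an added example written for this page, not code from the presenter: the number-word table and the 60-bit threshold are assumptions, and the entropy figure is the usual character-class estimate. That estimate alone would pass Wilson012779, so a separate pattern check flags the name-plus-date shape.

```python
import math
import re
import string

# Number words that become digits, as in "seven" -> "7" on the slide
# (assumption: only the single digits are mapped).
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}

# A word, optionally wrapped in punctuation (e.g. "seven," or "(rabbit)")
TOKEN = re.compile(r"^(\W*)([\w']+)(\W*)$")

# Capitalised name followed by 4-8 digits: the "name plus date" shape
NAME_PLUS_DATE = re.compile(r"^[A-Z][a-z]+\d{4,8}$")


def sentence_to_mnemonic(sentence: str) -> str:
    """Build a password from a memorable sentence.

    Each word contributes its first character with its case preserved,
    number words become digits, and punctuation attached to a word is kept.
    """
    out = []
    for token in sentence.split():
        m = TOKEN.match(token)
        if not m:            # pure punctuation such as a lone "-"
            out.append(token)
            continue
        lead, word, trail = m.groups()
        core = word.strip("'").lower()
        letter = NUMBER_WORDS.get(core, word[0])
        out.append(lead + letter + trail)
    return "".join(out)


def charset_size(pw: str) -> int:
    """Size of the smallest standard character pool that covers pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def estimate_bits(pw: str) -> float:
    """Brute-force entropy estimate: length * log2(pool size).

    This is an upper bound; it knows nothing about dictionary words,
    names or dates, so it must be paired with pattern checks.
    """
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw: str, min_bits: int = 60) -> dict:
    """Return the estimate plus the reasons a password is rejected."""
    bits = estimate_bits(pw)
    reasons = []
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if NAME_PLUS_DATE.match(pw):
        reasons.append("looks like a name followed by a date")
    if bits < min_bits:
        reasons.append(f"estimated {bits:.0f} bits is below {min_bits}")
    return {"password": pw, "bits": round(bits, 1), "ok": not reasons,
            "reasons": reasons}


if __name__ == "__main__":
    phrase = "When I was seven, my sister threw my stuffed rabbit in the toilet"
    print(sentence_to_mnemonic(phrase))          # WIw7,mstmsritt
    for candidate in ("Wilson012779", "Wi7s0no1SL79",
                      "ImGoing2KansasCity15", sentence_to_mnemonic(phrase)):
        print(assess(candidate))
```

Run on the slide's own examples, Wilson012779 is rejected only because of the pattern check; its class-count estimate of about 71 bits is the same as Wi7s0no1SL79, which shows why length-and-classes rules by themselves are not enough.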
Two-Factor Authentication
Password Keepers and Generators
3rd Party Vendors
KRPC 5.3 – The lawyer’s ethical obligations with respect to confidentiality apply equally when client data is handled by a third-party vendor.
ABA 2017 Technology Report: What are lawyers using?
Dropbox 58%
Google Docs 39%
iCloud 31%
Evernote 18%
Clio 12%
Which is best? Paid.
Read the Privacy Statement
“To provide you with the Services, we may store, process and transmit information in the United States and locations around the world – including outside your country.”
Read the Privacy Statement
“…we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy.”
Cloud Storage and Sharing Software
▪ Require Log-ins
▪ Keep Access Contained
▪ Notifications
▪ Expiration Date
Do your due diligence. Ask questions!
• How do you safeguard the privacy/confidentiality of stored data?
• Who has access to my firm’s data when it’s stored on your servers?
• Is my data hosted on servers owned and operated by your company, or is it stored at another facility such as Rackspace, Amazon or Google?
• Have you (or your data center) ever had a data breach?
• Will we be notified if there is a data breach?
• If you are served with a subpoena, will we be notified?
• Where does my data reside – inside or outside of the United States?
• What happens to my data if your company is sold or goes out of business?
• Is data from my firm to your service encrypted in transit and at rest?
Public WiFi
40% of respondents report using public WiFi for work-related tasks, such as checking email.
The Mobile Lawyer: You’ve got mail
California Opinion 2010-179: “The lawyer risks violating his duties of confidentiality and competence in using the wireless connection at the coffee shop to work on the client’s matter unless he takes appropriate precautions.”
Protect yourself when using public WiFi:
▪ Personal Firewall and Antivirus Software
▪ File Encryption
▪ VPN (Virtual Private Network)
What do I do if the office is breached?
• If you have an IT provider, contact them immediately.
• Disconnect any potentially affected devices.
• Determine what data has been compromised.
• Notify law enforcement.
• Notify the client. If the data is PII, make sure you are following notification laws if applicable.
• If you have cybersecurity insurance, contact your carrier.
Reasonable Efforts
Follow me on Twitter:
@Danielle_mHall