6/5/2018

Managing The Risk of a Data Breach: The Ethical Obligation of Cybersecurity

Goals
After we have concluded this session we should be able to answer the following questions:
1. What is a breach?
2. Why should we care?
3. What can we do to prevent a breach?

What is a Breach?
“A security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual or group unauthorized to do so.”

Hacking
▪ Website
▪ Network
▪ Computer
▪ Email
▪ Password
▪ Online Banking

Those Who Hack
▪ Criminals
▪ Hacktivists
▪ Individuals with Malicious Intent
▪ Sovereign Governments

In the News
Data breaches have become common in the news.

Equifax Breach

Major Government Website Data Breaches from April 2015 to April 2016
state.co.us amherstohio.gov brunswickme.org tschhsa.org georgia.gov state.md.us floridahealth.gov gsa.gov irs.gov whs.mil dentoncounty.com fws.gov ca.gov vermont.gov istmarta.com nasa.gov opm.gov state.tx.us nedhhs.gov fbi.gov army.mil mn.gov dhs.gov nationalguard.com coloroado.gov lacounty.gov va.gov illinios.gov flgov.com state.gov laems.net slco.gov az.gov nyc.gov myflflamilies.com
- Information can be found in the Security Scorecard Report

Office of the Texas Attorney General

Law Firms
11,500,000
Whoa! That’s a big number!

How did they do it?
So easy a high school student could have done it.

DLA Piper
Petya Malware
• Lost access to phone
• Lost access to email
• Lost access to web portal

Why do hackers want the information you keep?
• Online banking passwords
• Credit card number
• Social Security number
• Email passwords
• Tax information
• Health or medical information
• Confidential emails

ABA Commission on Ethics 20/20
Proposed several rule changes to the ABA House of Delegates in 2012.
▪ Amendments to Model Rule 1.1
▪ Amendments to Model Rule 1.6
▪ Amendments to Model Rule 5.3

Kansas Ethics 20/20 Commission
Reviewed the ABA changes and made recommendations.

KRPC 1.1 Competence

KRPC 1.1 Competence, Comment 8
“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and comply with all continuing legal education requirements to which the lawyer is subject.”

Wait, really?

KRPC 1.6 Confidentiality

KRPC 1.6(c) Confidentiality
“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

KRPC 1.6(c) Confidentiality
“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client”

Data Breach Definition
“A security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual or group unauthorized to do so.”

KRPC 1.6, Comment 26
“… The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”

Factors to Consider
Making reasonable efforts
Those factors include:
• the sensitivity of the information,
• the likelihood of disclosure if additional safeguards are not employed,
• the cost of employing additional safeguards,
• the difficulty of implementing the safeguards, and
• the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.

Wait a minute, say that again…
Might as well say water is wet.

What’s the bigger picture?

KRPC 5.3 Responsibilities Regarding Nonlawyer Assistance, Comment 3
“A lawyer may use nonlawyers outside the firm to assist the lawyer in rendering legal services to the client…When using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer's professional obligations…”

When Using Technology

Digital Data Security
▪ Transit
▪ Rest
▪ Use

Basic Protection
Protect your computer with:
• firewall,
• spam filters,
• anti-virus and anti-spyware software.

Lost or Stolen Devices
▪ Passwords
▪ Encryption
▪ Wiping Apps

Email
Should I encrypt?
Dklajf&*IHFDp90p!klhd af80932!kjl;djsaf0j’a@* &nhdiaofh&^&*((787y# k90%^ojiaoiJJddkliuok m;l’a/.

Texas Opinion 648
Does a lawyer have the duty to encrypt email?

Look for other alternative ways to encrypt
https://thehackernews.com/2018/05/efail-pgp-email-encryption.html

Encryption for Free in Microsoft Word

Encryption for Free in Adobe

Phishing
Not the kind you do at the lake

Cryptolocker

You’ve Got Mail
Implement safe email practices
Be especially cautious of emails that come from unrecognized senders

Beware of links in emails that ask for personal information, even if the email appears to come from an enterprise you do business with.

Never email personal or financial information, even if you are close with the recipient.

Passwords are a critical part of account safety

Don’t be like Equifax!

Use a combination of letters and numbers
Wilson012779
Wi7s0no1SL79

Use Password Phrases
ImGoing2KansasCity15

When I was seven, my sister threw my stuffed rabbit in the toilet = WIw7,mstmsritt

Two-Factor Authentication

Password Keepers and Generators

3rd Party Vendors
KRPC 5.3 – Same ethical obligations of lawyers with respect to confidentiality.

ABA 2017 Technology Report
What are lawyers using?
Dropbox 58%
Google Docs 39%
iCloud 31%
Evernote 18%
Clio 12%

Which is best?
Paid

Read the Privacy Statement
“To provide you with the Services, we may store, process and transmit information in the United States and locations around the world – including outside your country.”

Read the Privacy Statement
“…we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy.”

Cloud Storage and Sharing Software
▪ Require Log-ins
▪ Keep Access Contained
▪ Notifications
▪ Expiration Date

Do your due diligence
Ask questions!
• How do you safeguard the privacy/confidentiality of stored data?
• Who has access to my firm’s data when it’s stored on your servers?
• Is my data hosted on servers owned and operated by your company or is it stored at another facility such as RackSpace, Amazon or Google?
• Have you (or your data center) ever had a data breach?
• Will we be notified if there is a data breach?
• If you are served with a subpoena will we be notified?
• Where does my data reside – inside or outside of the United States?
• What happens to my data if your company is sold or goes out of business?
• Is data from my firm to your service encrypted in transit and at rest?

Public WiFi
40% of responses report using public WiFi to do work related items, such as checking email.

The Mobile Lawyer
You’ve got mail

California Opinion 2010-179
“The lawyer risks violating his duties of confidentiality and competence in using the wireless connection at the coffee shop to work on the client’s matter unless he takes appropriate precautions”

Protect yourself when using public WiFi
▪ Personal Firewall and Antivirus Software
▪ File Encryption
▪ VPN (Virtual Private Network)

What do I do if the office is compromised?
• If you have an IT provider, contact them immediately.
• Disconnect any potentially affected devices.
• Determine what data has been breached.
• Notify law enforcement.
• Notify the client. If the data is PII make sure you are following notification laws if applicable.
• If you have cybersecurity insurance, contact your carrier.

Reasonable Efforts

Follow me on Twitter: @Danielle_mHall