cybersecurity for your law firm: data security and data encryption

www.solidcounsel.com

Upload: shawn-tuma

Post on 11-Apr-2017



Cybersecurity: A Legal Issue?


Ethics – Specific Attorney Risks.

▪ Law firm cybersecurity – this applies to law firms and attorneys.

▪ Clients are demanding adequate security (firms are their third-party risk).

▪ Law firms are an increasingly popular target.

▪ Value and sensitivity of data.

▪ Data for multiple clients.

▪ “A lawyer should preserve the confidences and secrets of a client.”

▪ Ethics Opinion 384 (Sept. 1975)

▪ Canon No. 4, Code of Professional Responsibility

▪ Disciplinary Rule (DR) 4-101 (A) and (B)


What do you think?

Sophisticated James Bond-like attacks?

or

Simple things, people doing dumb things?


The real-world threats are not so sophisticated.

Easily preventable

• 90% in 2014

• 91% in 2015

• 63% of confirmed breaches from weak, default, or stolen passwords

• Data is lost over 100x more than stolen

• Phishing used most to install malware


Start with the basics.

“Some people try to find things in this game that don’t exist but football is only two things – blocking and tackling.”

-Vince Lombardi

* If you want to talk deep programming-type issues, see Section VII of the paper.


Our objective is to protect IP.

Which of the following aspects of the IP are we most focused on protecting?

1. Confidentiality

2. Integrity

3. Availability

4. All of the above

“CIA Triad” of cybersecurity


Cybersecurity “CIA” examples.

▪ Stuxnet – Integrity

▪ German steel mill – Integrity

▪ Sony – Availability, Confidentiality

▪ Target – Confidentiality


Who are the primary threats?

Malicious

• compete

• newco

• sabotage

• disloyal insider

Negligence

• email

• USB

• passwords

Blended

• foot out the door

• misuse of network

• stealing data

• negligence with data

• violate use policies

Methods: Hacking / Cracking, Social Engineering, Malware, Stealing, Planting, Corrupting


Threat Vectors

• Network

• Website

• Email

• BYOD

• USB

• GSM

• Internet surfing

• Business associates

• People

To protect the law firm, you must:

• Protect our companies’ data

  • Confidentiality

  • Integrity

  • Availability

• Against threats from

  • Insiders

  • Outsiders

  • Third-party partners


Cybersecurity needs for companies (and firms).

▪ Strong cybersecurity basics.

▪ Policies and procedures focused on cybersecurity.

▪ Social engineering.

▪ Password and security questions

▪ Training of all employees.

▪ Phish all employees (esp. executives).

▪ Signature-based antivirus and malware detection.

▪ Multi-factor authentication.

▪ Backups segmented from the network.

▪ Incident response plan.

▪ Encryption for sensitive and air-gap for hypersensitive data.

▪ Adequate logging and retention.

▪ Third-party security and supply chain risk management.*

▪ Intrusion detection and intrusion prevention systems.*


Encryption -- oh, this is hard, how do I encrypt?

(Appendix B)


Encryption – encrypt Adobe .pdf documents


Encryption – encrypt Word documents


Incident Response

• Appendix A

• Goal is to execute IRP

• This is a checklist, not an IRP

• How detailed?

• Tabletop exercises


Cybersecurity Risk Management Program

1. Cyber Risk Assessment

2. Strategic Planning

3. Deploy Defense Assets

4. Develop, Implement & Train on P&P

5. Tabletop Testing

6. Reassess & Refine


• Board of Directors & General Counsel, Cyber Future Foundation

• Board of Advisors, North Texas Cyber Forensics Lab

• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)

• SuperLawyers Top 100 Lawyers in Dallas (2016)

• SuperLawyers 2015-16 (IP Litigation)

• Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)

• Council, Computer & Technology Section, State Bar of Texas

• Privacy and Data Security Committee of the State Bar of Texas

• College of the State Bar of Texas

• Board of Directors, Collin County Bench Bar Foundation

• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association

• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association

• North Texas Crime Commission, Cybercrime Committee

• Infragard (FBI)

• International Association of Privacy Professionals (IAPP)

• Board of Advisors Office of CISO, Optiv Security

• Editor, Business Cybersecurity Business Law Blog

Shawn Tuma, Cybersecurity Partner, Scheef & Stone

email: [email protected]

@shawnetuma

blog: www.shawnetuma.com

web: www.solidcounsel.com