Privacy and Data Security for Law Firms...Proskauer Rose Ropes & Gray Schulte Roth & Zabel Seward &...
[email protected] | 407.409.8828
LAW FIRMS ARE A TARGET FOR HACKERS
LAW FIRMS TARGETED BY HACKERS
Akin Gump Strauss Hauer & Feld
Allen & Overy
Baker & Hostetler
Baker Botts
Cadwalader Wickersham & Taft
Cleary Gottlieb Steen & Hamilton
Covington & Burling
Cravath Swaine & Moore
Davis Polk & Wardwell
Debevoise & Plimpton
Dechert
DLA Piper
Ellenoff Grossman & Schole
Freshfields Bruckhaus Deringer
Fried Frank Harris Shriver & Jacobson
Gibson Dunn & Crutcher
Goodwin Procter
Hogan Lovells
Hughes Hubbard & Reed
Jenner & Block
Jones Day
Kaye Scholer
Kirkland & Ellis
Kramer Levin Naftalis & Frankel
Latham & Watkins
McDermott Will & Emery
Milbank Tweed Hadley & McCloy
Morgan Lewis & Bockius
Morrison & Foerster
Nixon Peabody
Paul Hastings
Paul Weiss Rifkind Wharton & Garrison
Pillsbury Winthrop Shaw Pittman
Proskauer Rose
Ropes & Gray
Schulte Roth & Zabel
Seward & Kissel
Shearman & Sterling
Sidley Austin
Simpson Thacher & Bartlett
Skadden Arps Slate Meagher & Flom
Sullivan & Cromwell
Vinson & Elkins
Wachtell Lipton Rosen & Katz
Weil Gotshal & Manges
White & Case
Willkie Farr & Gallagher
List by Flashpoint (via Crain’s Chicago Business)
Reported Law Firm Security Breaches (chart from the ABA LTRC Tech Survey)
Key Corporate Assets That May Be Of Interest And Value
https://krebsonsecurity.com/2016/07/the-value-of-a-hacked-company/
What’s Valuable at Your Law Firm?
• Financial info
– Online banking credentials
– Payroll
– Retirement / pension plan
– Credit card / bank account numbers
• Personal information
– Employee SSNs
– Health / medical info
• Client data
– Confidential case details
– Proprietary information (pricing, patents, contracts, plans)
– Email addresses
• Your computers themselves!!!
If your data is worth $ to you or your client, it’s also worth $ to somebody else.
Your Data is Worth Money
Breach Trigger
• What qualifies as a breach?
– “Breach of security” or “breach” means unauthorized access of data in electronic form containing personal information
• does not include information that is encrypted, secured, or anonymized
– Trigger: a breach compromising the personal information of 500+ Florida residents
What is PII Under FIPA?
• First name or first initial and last name, plus one of:
– Social Security number
– Driver’s license or ID card number
– Military/government ID number
– Financial account number or credit or debit card number with security code
– Passport number
– Medical history
– Mental or physical condition
– Medical treatment or diagnosis
– Health insurance policy number (or any unique identifier health insurers use to classify individuals)
• Usernames/passwords/security question for online accounts
Breach Notification
• Must notify within 30 days of the breach discovery:
– Florida Department of Legal Affairs
– Each affected or likely affected resident
• Decide not to notify?
– $1,000 per day for the first 30 days and $50,000 for each subsequent 30-day period under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA)
Florida's 30-day breach notification deadline is one of the strictest in the country.
Notice to AG Must Include
• A synopsis of the events surrounding the breach
• The number of individuals in Florida affected
• Services being offered or to be offered (without charge) and instructions
• A copy of notice sent to victims
• AG May Request
– A police report, incident report, or computer forensics report.
– A copy of the policies in place regarding breaches.
– Steps that have been taken to rectify the breach
Aren’t Law Firms Exempt?
• Any commercial or governmental entity, including a health care provider and health plan, that acquires, maintains, stores or uses personal information of individuals in the state of Florida is subject to this law
You do NOT Have to Report IF
• After proper investigation with federal, state, or local law enforcement, it’s determined that the breach will likely not result in identity theft or other financial harm to individuals whose personal information was accessed.
– But written documentation of the determination must be kept by you for at least five years after the breach.
• The personal information was encrypted, secured, or otherwise modified so that the PII is rendered unusable.
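The rules from the Breach Trigger, PII, Breach Notification and exemption slides above, written as decision logic. This is an added example, not material from the presentation or from LawTech Partners: the record field names and input format are assumed for illustration, and the 500-resident threshold is applied to the Department of Legal Affairs notice while affected residents are notified for any non-exempt breach.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Identifiers that, together with a name, make a record "personal information"
# under FIPA as listed on the PII slide. Field names are constructed for this
# example; they are not statutory terms.
FIPA_IDENTIFIERS = {
    "ssn", "drivers_license", "military_gov_id", "financial_account_with_code",
    "passport", "medical_history", "medical_condition", "medical_treatment",
    "health_insurance_id",
}

def record_is_pii(record: dict) -> bool:
    """First name/initial and last name plus one listed identifier, or an
    online-account username with a password or security question/answer."""
    has_name = bool(record.get("first_name")) and bool(record.get("last_name"))
    if has_name and any(record.get(k) for k in FIPA_IDENTIFIERS):
        return True
    return bool(record.get("username")) and bool(
        record.get("password") or record.get("security_answer"))

@dataclass
class BreachTriage:
    florida_residents_affected: int
    notify_residents: bool
    notify_department_of_legal_affairs: bool
    deadline: str   # ISO date 30 days after discovery

def triage(records: list, discovered_on: str, data_encrypted: bool,
           no_harm_finding_documented: bool = False) -> BreachTriage:
    """Slides' rules: no notice if the data was encrypted/secured or a documented
    law-enforcement determination found harm unlikely; otherwise notify affected
    residents within 30 days, plus the Department of Legal Affairs at 500+."""
    affected = sum(1 for r in records if r.get("state") == "FL" and record_is_pii(r))
    exempt = data_encrypted or no_harm_finding_documented or affected == 0
    deadline = date.fromisoformat(discovered_on) + timedelta(days=30)
    return BreachTriage(affected, not exempt,
                        (not exempt) and affected >= 500, deadline.isoformat())

def fdutpa_penalty(days_late: int) -> int:
    """FDUTPA exposure quoted on the slide: $1,000/day for the first 30 days,
    then $50,000 per subsequent 30-day period or part of one."""
    days_late = max(days_late, 0)
    first_30 = 1000 * min(days_late, 30)
    later_periods = -(-max(days_late - 30, 0) // 30)   # ceiling division
    return first_30 + 50000 * later_periods
```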
Where are the threats?
• Lost or stolen devices
• Poor passwords
• Disposal of data
• Social Engineering
• Photocopiers
• Shredding machines
• Flash drives
• Hackers
• 3rd party providers / vendors
– Cloud storage (Google Drive, DropBox, eDiscovery systems, etc.)
– Practice Management Cloud-based services
– E-discovery/ litigation
– Court Reporters -Audio/Video Tapes, Transcripts
Risk Management Misconceptions
• IT (or SOMEONE) is on top of it
• We are too small
• Data stored off-site
• Data stored with a third-party
• Mobile devices are secure because they are password protected
#1 Threat: Email
• Email spoofing/fraud attempt targeting a specific organization or person
• Access confidential data or hold documents for ransom, infect computers
• Education
– Understand the social media factor
– Ongoing awareness campaign
• Email hygiene / Filtering
Your Passwords are Weak
• Use 2-factor authentication everywhere
• Have a STRONG password of at least 12 characters or a pass phrase
• Don’t use the same password everywhere
• Change your passwords regularly
• Change the defaults
• Require screen saver passwords
THE 25 MOST POPULAR PASSWORDS OF 2017 STILL SUCK
1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. letmein
8. 1234567
9. football
10. iloveyou
11. admin
12. welcome
13. monkey
14. login
15. abc123
16. starwars
17. 123123
18. dragon
19. passw0rd
20. master
21. hello
22. freedom
23. whatever
24. qazwsx
25. trustno1
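An added example (not code from the presentation or from LawTech Partners) that applies the 12-character rule above and screens candidates against the slide's own top-25 list, also rejecting the dressed-up variants (L3tm3in, Passw0rd2017!) that a plain complexity rule would let through. The leet-substitution and trailing-suffix normalisation are my own assumptions about how people disguise weak passwords, not rules from the slide.

```python
import re

# The 25 most popular passwords of 2017 from the slide (lower-cased).
TOP_25_OF_2017 = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789", "letmein",
    "1234567", "football", "iloveyou", "admin", "welcome", "monkey", "login",
    "abc123", "starwars", "123123", "dragon", "passw0rd", "master", "hello",
    "freedom", "whatever", "qazwsx", "trustno1",
}

# Undoing common "leet" substitutions catches dressed-up variants of listed
# passwords (L3tm3in, P@ssword) that a naive complexity rule would accept.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})
# The "2018!" people append to satisfy a digits-and-symbols requirement.
_TRAILING_JUNK = re.compile(r"[\d\W_]+$")

def _variants(pw: str) -> set:
    """Forms of the password to compare against the list: as typed (lower-cased),
    with trailing digits/punctuation removed, and with leet substitutions undone."""
    low = pw.lower()
    leet = low.translate(_LEET)
    forms = (low, _TRAILING_JUNK.sub("", low), leet, _TRAILING_JUNK.sub("", leet))
    return {f for f in forms if f}

def check_password(pw: str) -> list:
    """Return the violations of the slide's rules that can be judged from the
    password alone (empty list means it passes). Reuse across sites and
    rotation age have to be checked elsewhere."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters (use a passphrase)")
    if _variants(pw) & TOP_25_OF_2017:
        problems.append("is one of, or a variant of, the 25 most popular passwords of 2017")
    return problems
```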
Encryption
• Whole disk encryption
• Biometric access
• Backup media should be encrypted
• Make sure the data is encrypted in transit and while being stored
• Be sure that employees of the backup or cloud vendor do not have access to decrypt keys
• Thumb drives should be encrypted
Wireless
• Wireless networks should be set up with the proper security
– WEP is weak
– the only wireless encryption standards that have not been cracked (yet) are WPA with AES or WPA2
• Use wireless hot spots with great care
– Do not enter any credit card information or login credentials without seeing https
• Use broadband or tether to your phone
Consider Client Portals
• Clients now expect
– Access to their documents 24x7
– Access to WIP before the bill arrives
– Notification of all key milestones
– Live feeds of all significant case activity
– Threaded discussions
• Secure client communications
• All matter files and communications in one place
Smartphones and Tablets
• Label devices
• Have strong passcode policies
• Set idle timeouts
• Update, update, update
• Do not "jailbreak" or "root" your devices
• Apps from trusted sources
• MDM if possible
• Find My iPhone or an equivalent
• Encrypt storage if the hardware supports it
Laptops
• Strong password, biometrics if possible
• Encrypt hard drive
• Robust firewall
• Bluetooth
• Get privacy screens
• User access controls
• Remove bloatware
Thank you.
Adriana Linares, LawTech Partners
www.lawtechpartners.com
Adriana Linares is a legal technology consultant with her company, LawTech Partners. Using her practical and personal approach to technology, she helps legal professionals use it to maximize their skills and investments through training and consulting. She served as Chair of ABA TECHSHOW 2017, works as a technology consultant to the Florida Bar Board of Governors, serves on the board of the Florida Justice Technology Center and hosts the New Solo podcast on Legal Talk Network.