Privacy and Data Security for Law Firms

Transcript of the slide deck "Privacy and Data Security for Law Firms" (30 slides)

[email protected] | 407.409.8828

Page 1: Privacy and Data Security for Law Firms

Page 2: LAW FIRMS ARE A TARGET FOR HACKERS

Page 3: LAW FIRMS TARGETED BY HACKERS

Akin Gump Strauss Hauer & Feld

Allen & Overy

Baker & Hostetler

Baker Botts

Cadwalader Wickersham & Taft

Cleary Gottlieb Steen & Hamilton

Covington & Burling

Cravath Swaine & Moore

Davis Polk & Wardwell

Debevoise & Plimpton

Dechert

DLA Piper

Ellenoff Grossman & Schole

Freshfields Bruckhaus Deringer

Fried Frank Harris Shriver & Jacobson

Gibson Dunn & Crutcher

Goodwin Procter

Hogan Lovells

Hughes Hubbard & Reed

Jenner & Block

Jones Day

Kaye Scholer

Kirkland & Ellis

Kramer Levin Naftalis & Frankel

Latham & Watkins

McDermott Will & Emery

Milbank Tweed Hadley & McCloy

Morgan Lewis & Bockius

Morrison & Foerster

Nixon Peabody

Paul Hastings

Paul Weiss Rifkind Wharton & Garrison

Pillsbury Winthrop Shaw Pittman

Proskauer Rose

Ropes & Gray

Schulte Roth & Zabel

Seward & Kissel

Shearman & Sterling

Sidley Austin

Simpson Thacher & Bartlett

Skadden Arps Slate Meagher & Flom

Sullivan & Cromwell

Vinson & Elkins

Wachtell Lipton Rosen & Katz

Weil Gotshal & Manges

White & Case

Willkie Farr & Gallagher

List by Flashpoint (via Crain’s Chicago Business)

Page 4: Reported Law Firm Security Breaches

Source: ABA LTRC TECH SURVEY

Page 5: Reported Law Firm Viruses/Spyware/Malware

Source: ABA LTRC TECH SURVEY

Page 6: Key Corporate Assets That May Be Of Interest And Value

https://krebsonsecurity.com/2016/07/the-value-of-a-hacked-company/

Page 7: What’s Valuable At Your Law Firm?

• Financial info
  – Online banking credentials
  – Payroll
  – Retirement / pension plan
  – Credit card / bank account numbers

• Personal information
  – Employee SSNs
  – Health / medical info

• Client data
  – Confidential case details
  – Proprietary information
    • Pricing, patents, contracts, plans
  – Email addresses

• Your computers themselves!!!

If your data is worth $ to you or your client, it’s also worth $ to somebody else.

Page 8: Your Data is Worth Money

Page 10: Breach Trigger

• What qualifies as a breach?
  – “Breach of security” or “breach” means unauthorized access of data in electronic form containing personal information
    • does not include information that is encrypted, secured, or anonymized
  – Trigger: the breach compromises 500+ Florida residents

Page 11: What is PII Under FIPA?

• First name or first initial and last name +
  – Social security number
  – Drivers license or ID card number
  – Military/Govt ID number
  – Financial account number or credit or debit card number with security code
  – Passport number
  – Medical history
  – Mental or physical condition
  – Medical treatment or diagnosis
  – Health insurance policy number (or any unique identifier health insurers use to classify individuals)

• Usernames/passwords/security question for online accounts

Page 12: Breach Notification

• Must notify within 30 days of the breach discovery
  – Florida Department of Legal Affairs
  – Each affected or likely affected resident

• Decide not to notify?
  – $1,000 per day for the first 30 days and $50,000 for each subsequent 30-day period under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA)

Florida's 30-day breach notification deadline is one of the strictest in the country.


Page 16: Notice to AG Must Include

• A synopsis of the events surrounding the breach

• The number of individuals in Florida affected

• Services being offered or to be offered (without charge) and instructions

• A copy of notice sent to victims

• AG May Request
  – A police report, incident report, or computer forensics report
  – A copy of the policies in place regarding breaches
  – Steps that have been taken to rectify the breach

Page 18: Aren’t Law Firms Exempt?

• Any commercial or governmental entity, including a health care provider and health plan, that acquires, maintains, stores or uses personal information of individuals in the state of Florida is subject to this law

Page 20: You do NOT Have to Report IF

• After proper investigation with federal, state, or local law enforcement, it’s determined that the breach will likely not result in identity theft or other financial harm to individuals whose personal information was accessed.
  – But written documentation of the determination must be kept by you for at least five years after the breach.

• Personal information has been encrypted, secured, or otherwise modified so that the PII is rendered unusable

Page 21: Where are the threats?

• Email

• Lost or stolen devices

• Poor passwords

• Disposal of data

• Social Engineering

• Photocopiers

• Shredding machines

• Flash drives

• Hackers

• 3rd party providers / vendors
  – Cloud storage (Google Drive, DropBox, eDiscovery systems, etc.)
  – Practice management cloud-based services
  – E-discovery / litigation
  – Court reporters: audio/video tapes, transcripts

Page 22: Risk Management Misconceptions

• IT (or SOMEONE) is on top of it

• We are too small

• Data stored off-site

• Data stored with a third-party

• Mobile devices are secure because they are password protected

Page 23: #1 Threat: Email

• Email spoofing/fraud attempt targeting a specific organization or person

• Access confidential data or hold documents for ransom, infect computers

• Education
  – Understand the social media factor
  – Ongoing awareness campaign

• Email hygiene / filtering

Page 24: Your Passwords are Weak

• Use 2-factor authentication everywhere

• Have a STRONG password of at least 12 characters or a pass phrase

• Don’t use the same password everywhere

• Change your passwords regularly

• Change the defaults

• Require screen saver passwords

THE 25 MOST POPULAR PASSWORDS OF 2017 STILL SUCK

1. 123456
2. Password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. letmein
8. 1234567
9. football
10. Iloveyou
11. admin
12. welcome
13. monkey
14. login
15. abc123
16. starwars
17. 123123
18. dragon
19. passw0rd
20. master
21. hello
22. freedom
23. whatever
24. qazwsx
25. trustno1
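The slide's password rules (12+ characters or a passphrase, nothing from the 2017 top-25 list, no vendor defaults, no reuse) can be turned into a checker that a firm could run against proposed passwords before they are set. The block below is an added example and is not part of the original deck; the top-25 list is the one printed on the slide, while the vendor-default set, the four-word passphrase threshold and the leetspeak substitution table are assumptions made for the example.

```python
"""Password-policy check modelled on the slide's advice (added example, not from
the original deck). A password is acceptable when it is at least 12 characters
long or a multi-word passphrase, is not in the 2017 top-25 list, is not a vendor
default, is not a trivial spelling variant of a listed password, and has not
been used on another account."""

# The 25 most popular passwords of 2017 as listed on the slide, lowercased.
TOP_25_2017 = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "admin", "welcome",
    "monkey", "login", "abc123", "starwars", "123123", "dragon",
    "passw0rd", "master", "hello", "freedom", "whatever", "qazwsx", "trustno1",
}

# Assumed sample of vendor defaults (routers, copiers, practice-management
# consoles); a real deployment would load the product's own documented defaults.
ASSUMED_DEFAULTS = {"admin", "password", "changeme", "default"}

MIN_LENGTH = 12            # slide: "STRONG password of at least 12 characters"
MIN_PASSPHRASE_WORDS = 4   # assumption: a "pass phrase" is four or more words

# Assumed leetspeak substitutions: "passw0rd" and "P@ssword" are still "password".
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "@": "a", "$": "s"})


def problems(password: str, previously_used=frozenset()) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    issues = []
    normalised = password.lower()
    is_passphrase = len(password.split()) >= MIN_PASSPHRASE_WORDS

    if len(password) < MIN_LENGTH and not is_passphrase:
        issues.append(f"shorter than {MIN_LENGTH} characters and not a passphrase")
    if normalised in TOP_25_2017:
        issues.append("in the 2017 top-25 list")
    if normalised in ASSUMED_DEFAULTS:
        issues.append("vendor default")

    # Undo common character substitutions and re-check against the list.
    de_leeted = normalised.translate(_LEET)
    if de_leeted != normalised and de_leeted in TOP_25_2017:
        issues.append("trivial variant of a top-25 password")

    # "Don't use the same password everywhere": compare against known prior passwords.
    if password in previously_used:
        issues.append("reused from another account")
    return issues


def is_acceptable(password: str, previously_used=frozenset()) -> bool:
    return not problems(password, previously_used)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ["123456", "P@ssw0rd", "admin", "correct horse battery staple"]:
        print(f"{candidate!r}: {problems(candidate) or 'ok'}")
```

The reuse check only works if the caller can supply hashes or plaintext of prior passwords; in practice that set would come from a password manager's vault rather than a list in source code, and a breached-password lookup (for example against a published corpus) would replace the 25-entry list.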

Page 25: Encryption

• Whole disk encryption

• Biometric access

• Backup media should be encrypted

• Make sure the data is encrypted in transit and while being stored

• Be sure that employees of the backup or cloud vendor do not have access to the decryption keys

• Thumb drives should be encrypted

Page 26: Wireless

• Wireless networks should be set up with the proper security
  – WEP is weak
  – The only wireless encryption standards that have not been cracked (yet) are WPA with AES or WPA2

• Use wireless hot spots with great care
  – Do not enter any credit card information or login credentials without seeing https

• Use broadband or tether to your phone

Page 27: Consider Client Portals

• Clients now expect

– Access to their documents 24x7

– Access to WIP before the bill arrives

– Notification of all key milestones

– Live feeds of all significant case activity

– Threaded discussions

• Secure client communications

• All matter files and communications in one place

Page 28: Smartphones and Tablets

• Label devices

• Have strong passcode policies

• Set idle timeouts

• Update, update, update

• Do not "jailbreak" or "root" your devices

• Apps from trusted sources

• MDM if possible

• Find My iPhone or an equivalent

• Encrypt storage / hardware if the device supports it

Page 29: Laptops

• Strong password, biometrics if possible

• Encrypt hard drive

• Robust firewall

• Bluetooth

• Get privacy screens

• User access controls

• Remove bloatware

Page 30: Thank you.

Adriana Linares, LawTech Partners

[email protected]

www.lawtechpartners.com

Adriana Linares is a legal technology consultant with her company, LawTech Partners. Using her practical and personal approach to technology, she helps legal professionals use it to maximize their skills and investments through training and consulting. She served as Chair of ABA TECHSHOW 2017, works as a technology consultant to the Florida Bar Board of Governors, serves on the board of the Florida Justice Technology Center, and hosts the New Solo podcast on Legal Talk Network.