
Page 1: Protecting Your Company from Cyber Risks and … › wp-content › uploads › 2015 › 10 › 2...2015/10/02  · Protecting Your Company from Cyber Risks and Potential Liabilities

Protecting Your Company from Cyber Risks and Potential Liabilities

• Moderator: Jay Downs - Downs.Stanford, P.C. (Dallas, TX)

• Client Panelist: Miriam Goddard - Hiscox Insurance, a Lloyds of London Syndicate (London, United Kingdom)

• Client Panelist: Ray Georges Chehata - Above Security (Blainville, Québec)

• Panelist: J. Paul Zimmerman - Christian & Small LLP (Birmingham, AL)

• Panelist: Gerardo Balboni, II - Krevolin & Horst, LLC (Atlanta, GA)

Page 2

Cyber


• What is a Data Breach? Theft, loss or unauthorized disclosure of:

(1) personally identifiable information;

(2) personal health information; or

(3) third-party corporate information

• Law firms particularly vulnerable – a “very target rich environment with less cybersecurity protection than clients”

• ABA Cybersecurity Legal Task Force (2012):

(1) organizational cohesion

(2) raise awareness

(3) ensure involvement

(4) craft solutions

Page 3

How do breaches occur?

• Lost unencrypted portable device (BlackBerry, laptop, thumb drive, backup tape)

• Property crimes

• Inside job (employee steals information, particularly upon separation from the firm)

• Stray faxes, emails

• Phishing scams (the “Nigerian prince” is so yesterday…) and increasingly spear-phishing (targeted social engineering)

• Malware / virus attacks (especially when working remotely on an unsecured network)

• Advanced Persistent Threats

• Failure to purge/scrub devices scheduled for destruction

• Weaknesses in "Cloud" security

• Don’t forget videoconferencing!

Page 4

What is the exposure?

• Notification and other first-party expenses

• Mandatory breach notification in 47 states

• HIPAA Regulations

• Federal banking regulatory agencies

• Regulatory Investigations

• Third party claims

• Costs

Page 5

Proof that law firms are vulnerable

2015

• California-based personal injury law firm reported to clients that it experienced the theft of a laptop computer containing identifying client information, including names, Social Security numbers and dates of birth. (January 12, 2015)

2014

• Criminal defense firm notified clients of a data breach when a backup hard drive was stolen from the locked trunk of an employee’s vehicle. Information contained on the backup hard drive may have included names, birthdates, Social Security numbers, driver’s license numbers, addresses, emails and phone numbers. (August 26, 2014)

• Law firm informed current and former employees of suspicious activity on servers belonging to a vendor. Information potentially breached included Federal Wage and Tax Statement Forms W-2, names, addresses, wages, taxes and Social Security numbers, dates of birth, ages, genders, ethnicities, and Visa, Passport or Federal Form I-9 document numbers. Firm operates 15 offices throughout the United States and one in Korea, and the data breach could have affected current and former employees in any of the 14 offices. (February 26, 2014)

Page 6

Proof that law firms are vulnerable (cont’d)

2013

• Former employee and husband sentenced to three years’ probation and banned from owning smartphones after hacking a Pittsburgh-based law firm’s systems. In apparent retaliation for being fired, the employee provided the accomplice with a firm password, which enabled him to install software on the firm’s server to capture other users’ passwords. (October 2013 – ABA Journal, eSecurity Planet)

• Four US law firms identified in a group of 141 US companies attacked, seemingly by Chinese hackers, for unknown reasons. (March 2013)

• Albuquerque-based firm disposed of hundreds of documents without shredding them because it thought they contained information already in the public domain. When the documents were found at a recycling center, it was discovered that some contained sensitive PHI and other personal information dating back to the 1990s. (January 2013)

• Toronto-area law firm lost a “large six figure” sum from its trust account when a virus on a computer in the firm’s accounts department allowed hackers to copy bank account passwords as they were typed (i.e., a keylogger). (January 2013 – Law Times News)

Page 7

Proof that law firms are vulnerable (cont’d)

2012

• Virginia-based law firm known for defending soldiers against the US government was hacked by ‘Anonymous’ in an apparent attempt to obtain documents relating to a controversial criminal case against a US Marine. Several years of emails were stolen, some attaching client documents, and the firm’s servers were wiped of all client email. The incident arose because the firm’s Google email passwords were not strong enough and were brute-forced by tools that test many password combinations in rapid succession. (February 2012 – ABA Journal)

• Former partner allegedly installed Dropbox software onto the firm’s computers that provided ongoing remote access to client files through a third-party cloud site. (2012 – ABA Journal)

Page 8

Proof that law firms are vulnerable (cont’d)

2011

• Employee of Baltimore-based firm lost an external hard drive containing medical records of clients gathered as part of a medical malpractice suit. (August 4, 2011)

• Washington DC firm was one of 20 victims breached by Chinese hackers, “Byzantine Candor”, known in security circles as the “Comment group” for their trademark of infiltrating computers using hidden webpage code known as “comments.” (July 18, 2011 – Bloomberg)

• CPA: Computers and hardware stolen from offices of Boca Raton firm. Although the stolen hardware was recovered, it had been overwritten ready for resale by the thieves, resulting in a data loss to the firm. (March 18, 2011)

• Medical information belonging to Minneapolis-based firm's clients was found in a local school after a paralegal donated 'scrap' paper to the school instead of destroying it. The incident was uncovered after a parent found medical information for an individual on the back of a drawing her daughter brought home from school. (2011)

Page 9

Proof that law firms are vulnerable (cont’d)

2010

• Three UK law firms were victims of targeted DDoS attacks by 'Anonymous' in 2010, shutting down web sites for periods of time. In addition, one firm’s website was found to contain an error when it went back online, causing an archive of internal emails and financial information to be publicly available on its home page. Hackers also attempted to access another firm’s servers in order to deface the firm's home page in the attacks. (September 2010)

• Attempted spear-phishing attack, which was traced back to China, where the firm was litigating a $2.2 billion copyright infringement suit against the government. Lawyers at the small firm received e-mails that appeared to be sent from other lawyers within the firm and included a message requesting the recipients to open an attachment which contained malware. (2010 – ABA Journal)

Page 10

Evolving Best Practices

• Changes to Model Rules of Professional Conduct

ABA Model Rule 1.1 re Maintaining Competence, Comment [6]:

“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”

New Model Rule 1.6(c):

“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

• Firm Management

• Encryption!

Page 11

Evolving Best Practices (cont’d)

• BYOD

• Cloud

• Vendors

• Security is a process and not a product…

• Expert assistance

• The future…

Page 12

Good Steps…

• Start at the top

• ATP: Administrative, Technical and Physical safeguards

Administrative:

Written Information Security Policy/Plan ("WISP")

Regular and documented training of employees regarding information security

Access to data on "need to know" basis

Privacy impact assessments for new technology

Contractual control over third-party vendors

Designated incident response teams – first responder exercise

Technical:

Risk Assessment

Encryption

Limits in storage capacity on portable devices

Data loss prevention and detection software

Physical:

Data retention plan

Proper security of facilities and physical hardware assets

Proper purging of physical hardware scheduled for destruction
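The Technical list above names "data loss prevention and detection software" without showing what such a control actually does. As an added example (not from the panel's deck), here is the core of a content-inspection rule a DLP system would run over an outbound message or file. It looks for the two data classes this deck reports leaking most often, Social Security numbers and dates of birth, applies the SSA's published structural rules so that placeholder and template values do not trip it, redacts what it stores so the alert itself does not leak, and returns a policy verdict. The sample text and the block/review thresholds are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of text leaving the firm (an e-mail body or attachment).
# No real personal data: every value below is made up for this example.
SAMPLE_OUTBOUND = """\
Re: Smith v. Acme - discovery responses
Client SSN 219-09-9999 and DOB 04/12/1971 are in the attached W-2.
Reference number 123-45-6789 is a test value from the template.
Invalid candidates: 000-12-3456, 666-12-3456, 912-34-5678, 123-00-4567, 123-45-0000
Phone 214-555-0100 should not be flagged.
"""

# 3-2-4 digit groups that are not embedded in a longer run of digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# US-style MM/DD/YYYY dates; treated as a weaker indicator than an SSN.
DOB_RE = re.compile(r"\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}\b")


@dataclass
class Finding:
    line_no: int
    kind: str      # "SSN" or "DOB"
    value: str     # SSNs are stored redacted


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area 000, 666 and 900-999
    are never issued, nor is group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def redact_ssn(ssn: str) -> str:
    return "***-**-" + ssn[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every sensitive-data match, in document order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(line_no, "SSN", redact_ssn(m.group(0))))
        for m in DOB_RE.finditer(line):
            findings.append(Finding(line_no, "DOB", m.group(0)))
    return findings


def decide(findings: list[Finding]) -> str:
    """Policy (an assumption for this example): any SSN blocks the transfer,
    a DOB alone is queued for human review, otherwise the content is allowed."""
    kinds = {f.kind for f in findings}
    if "SSN" in kinds:
        return "block"
    if "DOB" in kinds:
        return "review"
    return "allow"


if __name__ == "__main__":
    results = scan_text(SAMPLE_OUTBOUND)
    for f in results:
        print(f"line {f.line_no}: {f.kind} {f.value}")
    print("verdict:", decide(results))
```

Run against the sample, the rule flags the two structurally valid SSNs on lines 2 and 3 and the date on line 2, ignores all five malformed candidates on line 4 and the phone number on line 5, and returns "block". In a real deployment the regexes are the cheap part; the structural validation and the redaction in the alert are what keep the control from generating noise or becoming a second leak.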

Page 13

Data Breach:

• A Holistic Approach to Representing the Client with Compromised Consumer Data

Page 14

Prepare for a Data Breach

“There are only two types of companies: those that have been hacked and those that will be.”

–Robert Mueller, Former FBI Director

• Because of the significance of the impact of a data breach, a data breach is a business risk, not merely an IT risk.

Page 15

Prepare for a Data Breach

Develop the Data Security Plan

•Risk Assessment

–Sensitive Data

What

Where

How

•Technical Considerations

Penetration Testing

Intrusion Detection

File Monitoring

Page 16

Prepare for a Data Breach

Create Data Breach Response Team

•Technical

–Data Security Professionals

–Data Forensics Professionals

•Outside Legal counsel

•Risk officers

•Inside and outside PR

Review Insurance

Page 17

Prepare for a Data Breach

•Written Plan

–Day 1 Action Items

Notification

Check Lists

Contact Information

–Forensic Analysis

What

Where

How

Page 18

Anatomy of a Data Breach

•Hacker gains unauthorized access

–Spear phishing

–Public WiFi

–Download of infected file

•Often undetected for a significant period
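The spear-phishing entry point listed above is the same technique as the Page 9 anecdote: messages that appeared to come from other lawyers within the firm, carrying a malware attachment. As an added example, not from the deck, the following is a mail-gateway check run over three constructed RFC 5322 messages. It flags what an inbound "internal" message should never show: a firm From address with an external envelope sender or an SPF failure, a known staff display name on an outside domain, and an executable or double-extension attachment. The firm domain example-firm.test, the staff list, the risky-extension list and the messages themselves are assumptions made for this example.

```python
import email
from email.utils import parseaddr

FIRM_DOMAIN = "example-firm.test"             # assumed firm domain
KNOWN_STAFF = {"a. partner", "b. associate"}  # assumed display names, lower-cased
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk")

# Constructed message 1: spoofed internal sender with an executable attachment.
MSG_SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example-firm.test; spf=fail smtp.mailfrom=mail-relay.example.net
From: A. Partner <a.partner@example-firm.test>
To: b.associate@example-firm.test
Subject: Please review the attached filing before the hearing
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Can you open this before 3pm?
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Filing_2010.pdf.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed message 2: lookalike domain that passes SPF but borrows a partner's name.
MSG_LOOKALIKE = """\
Return-Path: <a.partner@example-firm-legal.test>
Authentication-Results: mx.example-firm.test; spf=pass smtp.mailfrom=example-firm-legal.test
From: "A. Partner" <a.partner@example-firm-legal.test>
To: b.associate@example-firm.test
Subject: Wire instructions changed

Please use the new account details below.
"""

# Constructed message 3: genuine internal mail.
MSG_LEGIT = """\
Return-Path: <a.partner@example-firm.test>
Authentication-Results: mx.example-firm.test; spf=pass smtp.mailfrom=example-firm.test
From: A. Partner <a.partner@example-firm.test>
To: b.associate@example-firm.test
Subject: Lunch

Noon?
"""


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def assess(raw: str) -> list[str]:
    """Return the reasons a message looks like a spear-phish; empty means clean."""
    msg = email.message_from_string(raw)
    reasons = []

    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    env_dom = domain_of(envelope)

    # Header From claims the firm, but the envelope sender is somewhere else.
    if from_dom == FIRM_DOMAIN and env_dom and env_dom != FIRM_DOMAIN:
        reasons.append("envelope/header mismatch")

    # The gateway's own SPF evaluation, recorded in Authentication-Results.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        reasons.append("spf failed")

    # A colleague's name on an address that is not ours.
    if name.strip().lower() in KNOWN_STAFF and from_dom != FIRM_DOMAIN:
        reasons.append("display-name impersonation")

    # Executable or double-extension attachments. walk() yields the message
    # itself for non-multipart mail, so plain messages are covered too.
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            low = filename.lower()
            if low.endswith(RISKY_EXT) or low.count(".") > 1:
                reasons.append(f"risky attachment: {filename}")
    return reasons


def verdict(raw: str) -> str:
    return "quarantine" if assess(raw) else "deliver"


if __name__ == "__main__":
    for label, raw in [("spoofed", MSG_SPOOFED), ("lookalike", MSG_LOOKALIKE), ("legit", MSG_LEGIT)]:
        print(label, verdict(raw), assess(raw))
```

The first message trips all three header checks plus the attachment rule; the second passes SPF (the attacker controls the lookalike domain, so it would) and is caught only by the display-name rule, which is why that rule matters; the genuine message produces no reasons. The check reads Authentication-Results rather than re-running SPF, so it assumes the gateway that wrote that header is trusted and that forged copies of the header are stripped at the boundary.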

Page 19

Anatomy of a Data Breach

According to the consulting firm Mandiant:

– 100% of data breach "victims" had up-to-date anti-virus software;

– 100% of the breaches involved stolen credentials;

– The median number of days an "advanced" attack goes undetected: 243

Page 20

Discovery of the Hack

•Routine internal audit

•Customer complaint

•Employee alert

Page 21

Implement: Data Breach has occurred

• Implement Technical Response

–DOCUMENT

–Alert response team

–Take infected machines offline; stop loss of additional data

–Don’t destroy evidence

–Compile daily reports
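The technical response above (document, take machines offline, do not destroy evidence, daily reports) has one step that is most often done badly in practice: being able to prove later that what was collected on day one was not altered afterwards. As an added example, not from the deck, this builds a SHA-256 manifest over a directory of collected artifacts, recording who collected what and when, hashes the file list itself so the manifest can be signed or notarised, and re-verifies the directory so that any modified or missing item is reported. The evidence files, case number and collector name are constructed in a temporary directory for this example.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Optional


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so disk or memory images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def utc(ts: Optional[float] = None) -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def build_manifest(evidence_dir: str, case_id: str, collector: str) -> dict:
    """Record path, size, mtime and SHA-256 of every collected file, plus a
    hash of the file list so the manifest itself can be signed or notarised."""
    root = Path(evidence_dir)
    files = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            files.append({
                "path": p.relative_to(root).as_posix(),
                "size": st.st_size,
                "mtime_utc": utc(st.st_mtime),
                "sha256": sha256_file(p),
            })
    listing = json.dumps(files, sort_keys=True).encode()
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": utc(),
        "files": files,
        "listing_sha256": hashlib.sha256(listing).hexdigest(),
    }


def verify_manifest(evidence_dir: str, manifest: dict) -> list:
    """Re-hash everything in the manifest; return (problem, path) pairs."""
    root = Path(evidence_dir)
    problems = []
    for entry in manifest["files"]:
        p = root / entry["path"]
        if not p.is_file():
            problems.append(("missing", entry["path"]))
        elif sha256_file(p) != entry["sha256"]:
            problems.append(("modified", entry["path"]))
    return problems


def demo() -> tuple:
    """Constructed evidence set: one log file and a small fake memory image.
    Returns the manifest, the verification before tampering and after."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "logs").mkdir()
        (root / "logs" / "auth.log").write_text(
            "Jan 12 03:14:07 fileserver sshd[2101]: Accepted password "
            "for svc_backup from 203.0.113.7\n")
        (root / "memory.raw").write_bytes(b"\x00" * 4096)

        manifest = build_manifest(d, case_id="IR-2015-001", collector="responder-1")
        clean = verify_manifest(d, manifest)

        # Someone "tidies up" after collection: the manifest catches both changes.
        (root / "logs" / "auth.log").write_text("tampered\n")
        (root / "memory.raw").unlink()
        tampered = verify_manifest(d, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("before:", clean)
    print("after:", tampered)
```

Write the manifest to media separate from the evidence and record its listing_sha256 in the incident log (the "DOCUMENT" step above); that single value, dated and attributed, is what lets counsel or a forensic examiner later demonstrate that the daily reports describe the same bytes that were collected.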

Page 22

Implement: Data Breach has occurred

Public Relations Response

–First communication

Deflate newsworthiness

Share bad news as well (Tough one for lawyers)

–Control the message

Don’t be afraid to make early disclosures

–When you don’t know everything

Tell what you know and what you are doing to find out and the timetable to complete that task

Page 23

Implement: Data Breach has occurred

Legal Response

•Contact law enforcement

•Document what occurred

•Conserve evidence

•Determine records compromised

•Determine what states are involved

Page 24

Implement: Data Breach has occurred

Legal Response

•Determine reporting obligations

–Statutory

AGs

Consumers

Credit Reporting Agencies

–Contractual

•Content and Timing of notice

–Marketplace Trust

– Consider giving notice even if you are not legally required to do so

Page 25

Implement: Data Breach has occurred

Legal Response

•Assess litigation risk

–Class Actions

What duty owed to plaintiff

Causation

Injury

•Private rights of action

•Future – Claims for unjust enrichment