CBA Live Online PD Safeguarding your Client’s Confidential Information – Tips and Traps, Wednesday, February 23rd, 2011. Presented by the CBA's Legal Profession Assistance Conference (LPAC) and the Canadian Lawyers Insurance Association (CLIA)

Safeguarding Client Information

Page 1: Safeguarding Client Information

CBA Live Online PD Safeguarding your Client’s Confidential Information – Tips and Traps

Wednesday, February 23rd, 2011

Presented by the CBA's Legal Profession Assistance Conference (LPAC) and the Canadian Lawyers Insurance Association (CLIA)

Page 2: Safeguarding Client Information

Speakers:

David Fraser, McInnes Cooper, Halifax – http://www.mcinnescooper.com/

Dominic Jaar, KPMG s.r.l./S.E.N.C.R.L. – http://www.kpmg.com/ca/

Page 3: Safeguarding Client Information

Outline

1) Lawyers’ Obligations to Clients

2) Privacy Legislation

3) Social Media

4) Border Searches

5) Portability

6) Network


Page 4: Safeguarding Client Information

“Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge.”

“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”

— Bruce Schneier, Security Guru par excellence

Page 5: Safeguarding Client Information

Lawyers’ Obligations to Clients

• Among other things …
- Protect privilege
- Safeguard confidentiality

Check out the CBA’s program on Solicitor-Client Privilege:

(insert link)

Page 6: Safeguarding Client Information

Back to Basics

• CBA Code of Professional Conduct: Practice Competence
1. The lawyer owes the client a duty to be competent to perform any legal services undertaken on the client’s behalf.
2. The lawyer should serve the client in a conscientious, diligent and efficient manner so as to provide a quality of service at least equal to that which lawyers generally would expect of a competent lawyer in a like situation.

• Commentary 4 to Rule II, added to the Code in 2004, specifically mentions competence with respect to technologies:
– Competence involves more than an understanding of legal principles; it involves an adequate knowledge of the practice and procedures by which those principles can be effectively applied. To accomplish this, the lawyer should keep abreast of developments in all areas in which the lawyer practices. The lawyer should also develop and maintain a facility with advances in technology in areas in which the lawyer practices to maintain a level of competence that meets the standard reasonably expected of lawyers in similar practice circumstances. [emphasis added]

Page 7: Safeguarding Client Information

Back to Basics (cont’d)

• CBA Code of Professional Conduct: Confidentiality

• The Rule in Chapter IV of the Code (Rule IV) provides that:
– Maintaining Information in Confidence
1. The lawyer has a duty to hold in strict confidence all information concerning the business and affairs of the client acquired in the course of the professional relationship, and shall not divulge any such information except as expressly or impliedly authorized by the client, required by law or otherwise required by this Code.

• Guiding Principle 1 of Rule IV reads:
– The lawyer cannot render effective professional service to the client unless there is full and unreserved communication between them. At the same time the client must feel completely secure and entitled to proceed on the basis that, without an express request or stipulation on the client’s part, matters disclosed to or discussed with the lawyer will be held secret and confidential.

Page 8: Safeguarding Client Information

Back to Basics (cont’d)

• CBA Code of Professional Conduct: Privilege

• Confidential information includes privileged information. Guiding Principle 3 to Rule IV of the Code states:
– The importance of the even broader ethical rule regarding confidential information is illustrated by the Supreme Court of Canada’s approach to solicitor-client privilege. The Court has held that solicitor-client privilege must remain as close to absolute as possible if it is to retain its relevance. Solicitor-client privilege is a rule of evidence, an important civil and legal right and a principle of fundamental justice in Canadian law. The public has a compelling interest in maintaining the integrity of the solicitor-client relationship. Confidential communications to a lawyer represent an important exercise of the right to privacy, and they are central to the administration of justice in an adversarial system.

Page 9: Safeguarding Client Information

Confidentiality

• Not just a rule against gossip and intentionally disclosing client information

• Includes an obligation to safeguard all of the information about a client against misuse and disclosure.

• Confidential Information includes the fact that the client is a client.

Page 10: Safeguarding Client Information

Privacy Legislation

• Lawyers in private practice are engaged in “commercial activity” so are subject to private sector privacy laws:
- Personal Information Protection and Electronic Documents Act (all of Canada except BC, AB, QC)
- Personal Information Protection Act (AB)
- Personal Information Protection Act (BC)
- An Act Respecting the Protection of Personal Information in the Private Sector (QC)

• But some records may be subject to other privacy laws, such as records of public sector clients (Fasken Martineau Dumoulin LLP, Re, BC IPC, Docket P05-03, 2005 CanLII 18159)

Page 11: Safeguarding Client Information

Privacy Legislation (cont’d)

• All of them generally require that all “personal information” be safeguarded.

• Some laws are vague and some are specific.

Page 12: Safeguarding Client Information

What PIPEDA Says …

4.7 Principle 7 – Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

4.7.1 The security safeguards shall protect personal information against:
- Loss or theft, as well as
- Unauthorized access,
- Disclosure,
- Copying,
- Use, or
- Modification.
Organizations shall protect personal information regardless of the format in which it is held.

Page 13: Safeguarding Client Information

What PIPEDA Says … (cont’d)

4.7.2 The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4.

Page 14: Safeguarding Client Information

What PIPEDA Says … (cont’d)

4.7.3 The methods of protection should include
(a) Physical measures, for example, locked filing cabinets and restricted access to offices;
(b) Organizational measures, for example, security clearances and limiting access on a "need-to-know" basis; and
(c) Technological measures, for example, the use of passwords and encryption.

4.7.4 Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.

4.7.5 Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information (see Clause 4.5.3).

Page 15: Safeguarding Client Information

What Does “Sensitive” Mean?

• Not defined in PIPEDA, but some examples are given:“Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.”

• Very little doubt that information subject to privilege is highly sensitive.


Page 16: Safeguarding Client Information

“Cradle-to-Grave” Protection

• Anything that can record information and has ever been exposed to client information should NEVER just be thrown out.
- Paper should be shredded – cross-cut and onsite preferably
- Have your office cleaners empty the recycling bins into a locked shredder bin
- Technology should be destroyed – disks should be deformed or wiped
- Copiers and fax machines have memories, too

• Make sure you trust your cleaning and disposal contractors, but get it in writing.

Image: © Fresh Start Recycling and Disposal – http://www.freshstartrecycling.com/

Page 17: Safeguarding Client Information

What This All Means…

• You likely have an obligation to keep up with technology if it becomes the accepted standard for your practice.

• With all technologies (from the quill and scroll to the coolest smartphone), you need to safeguard your clients’ information.

• In many cases, it’s hard enough to keep up with basic competence in using technology, let alone securing it.

• Inadvertent disclosure of client information generally doesn’t make it admissible, but it can significantly harm the client and damage your reputation.

Page 18: Safeguarding Client Information

Social Media

• Lawyers are jumping on the social media bandwagon, both for personal and professional reasons

• Need to be cautious about whether to separate “personal” from “professional” and how to do it

• Boundaries blur very easily online

• Look before you leap

• Be careful that the information disclosed about you is not information about a client

Page 19: Safeguarding Client Information

Don’t Be This Guy …


@formerlawyer: Don’t know when this contract review will ever Finnish. Ha ha.

http://twitter.com/

Page 20: Safeguarding Client Information

Or this guy …


@exjuristi: Why do I feel that this contract should be in Comic Sans font? Ha ha.

http://twitter.com/

Page 21: Safeguarding Client Information

Border Searches

New York Times, February 19, 2011: http://www.nytimes.com/2011/02/20/weekinreview/20laptop.html

Page 22: Safeguarding Client Information

Border searches by Canadian Authorities

• Governed by Customs Act
- s. 98 – Search of the person
- s. 99 – Examination of goods

• Subject always to the Charter
- 8. Everyone has the right to be secure against unreasonable search or seizure.

Page 23: Safeguarding Client Information

Customs Act, s. 99

Broad authority:

• 99. (1) An officer may

(a) at any time up to the time of release, examine any goods that have been imported and open or cause to be opened any package or container of imported goods and take samples of imported goods in reasonable amounts;

(b) at any time up to the time of release, examine any mail that has been imported and, subject to this section, open or cause to be opened any such mail that the officer suspects on reasonable grounds contains any goods referred to in the Customs Tariff, or any goods the importation of which is prohibited, controlled or regulated under any other Act of Parliament, and take samples of anything contained in such mail in reasonable amounts; …

Page 24: Safeguarding Client Information

Customs Act, s. 99 (cont’d)

Broad authority: (cont’d)

• 99. (1) An officer may

(e) where the officer suspects on reasonable grounds that this Act or the regulations or any other Act of Parliament administered or enforced by him or any regulations thereunder have been or might be contravened in respect of any goods, examine the goods and open or cause to be opened any package or container thereof; or

(f) where the officer suspects on reasonable grounds that this Act or the regulations or any other Act of Parliament administered or enforced by him or any regulations thereunder have been or might be contravened in respect of any conveyance or any goods thereon, stop, board and search the conveyance, examine any goods thereon and open or cause to be opened any package or container thereof and direct that the conveyance be moved to a customs office or other suitable place for any such search, examination or opening.

Page 25: Safeguarding Client Information

Customs Act

• While in Customs, no threshold suspicion or reasonable or probable grounds necessary

• R. v. Simmons, [1988] 2 S.C.R. 495, 1988 CanLII 12: per Dickson C.J. (case dealing with search of person)

48. … In my view, the state interests enunciated throughout the American jurisprudence that are deemed to make border searches reasonable, are no different in principle from the state interests which are at stake in a Canadian customs search for illegal narcotics. National self protection becomes a compelling component in the calculus.

49. I accept the proposition advanced by the Crown that the degree of personal privacy reasonably expected at customs is lower than in most other situations. People do not expect to be able to cross international borders free from scrutiny. It is commonly accepted that sovereign states have the right to control both who and what enters their boundaries. …

Page 26: Safeguarding Client Information

Canada Customs

• Before customs clearance, customs officers have the authority to search your goods, which would include an electronic device

• After customs clearance, customs officers have search authority where they suspect on reasonable grounds violations of Customs Act or other federal law (including Criminal Code)

• Both would likely withstand Charter challenge

Page 27: Safeguarding Client Information

U.S. Customs

• Very similar rules apply

• No probable cause necessary for routine searches at the border and within a limited radius of the border

Page 28: Safeguarding Client Information

U.S. Border Searches

• Routine – No Level of Suspicion
- Searches without a high degree of intrusion
- Examples: vehicles, luggage, outer clothing, personal effects, purses, wallets.

• Non-routine – Reasonable Suspicion
- Searches with a high degree of intrusion that invades the privacy and dignity of the individual
- Examples: strip searches, X-rays
- Reasonable Suspicion – particularized and objective basis to suspect criminal conduct

Page 29: Safeguarding Client Information

Laptops at the Border

• Laptop searches are within border search exception and therefore do not require a warrant or probable cause

• No level of suspicion is required

• Treated as “cargo”

Page 30: Safeguarding Client Information

Border Searches and Privilege

• US Customs & Border Protection Policy

• Attorney-Client Privilege
- Although legal materials are NOT necessarily exempt from a border search, they may be subject to special handling procedures
- If attorney-client privilege is asserted, Customs Officer MUST seek advice from the CBP Associate/Assistant Chief Counsel or the appropriate U.S. Attorney’s Office BEFORE conducting a search of the document

Page 31: Safeguarding Client Information

What To Do?

1. Don’t cross the border with client materials: wipe all electronic devices, and instead use a VPN or other remote access technology to obtain secure access to your files while travelling.

2. If you do take client materials with you:
A. Mark as privileged
B. Use encryption
C. Assert privilege

Page 32: Safeguarding Client Information

Polling Question

Page 33: Safeguarding Client Information

Time Archive: http://www.time.com/time/covers/0,16641,20061225,00.html

Page 34: Safeguarding Client Information

The Most Dangerous Locations

• Office
• Home
• Mobile

Page 35: Safeguarding Client Information

Portability

Images from Microsoft Clip Art

Page 36: Safeguarding Client Information

Lost/Stolen Laptops

• 86,000 lost or stolen laptops/year

• $2.1 Billion/year

• $6.4 Million/year/company

• 5-10% chance of losing a laptop over 3 years

• 46% contain sensitive or confidential data

• 30% are encrypted

• 29% are backed up

• 10% have an anti-theft device

• Study by Intel and the Ponemon Institute: http://www.ponemon.org/index.php, http://www.intel.com/

Page 37: Safeguarding Client Information

Where?

(Chart of where laptops are lost; categories: Travel, Off-Site, Office, Unknown; values shown: 33%, 43%, 12%, 12%)

Page 38: Safeguarding Client Information

Network

(Diagram of an office network connected to the Internet)

Software:
- Anti-Virus
- Anti-Malware
- Firewall

Hardware:
- Firewall
- Intrusion Detection

Software:
- VPN
- Encryption

Images from Microsoft Clip Art

Page 39: Safeguarding Client Information

Default Settings

• Change:
- Hardware Name
- Username
- Password

• For:
- Router
- Cellular phone
- Computer
- Bluetooth device

http://www.google.ca/

Page 40: Safeguarding Client Information

Password

• Complex:
- 8+ alphanumerical, mix case and symbol
- Phrase
- 1337
- Random (http://www.pctools.com/guides/password/)

• Unique: change for each platform

• Don’t share

• Change frequently

Image from Microsoft Clip Art

Page 41: Safeguarding Client Information

Password

• Understand (http://www.lockdown.co.uk/?pg=combi)

Character set: numerals 0123456789

Length  Combinations   Class A   Class B     Class C   Class D     Class E     Class F
2       100            Instant   Instant     Instant   Instant     Instant     Instant
3       1,000          Instant   Instant     Instant   Instant     Instant     Instant
4       10,000         Instant   Instant     Instant   Instant     Instant     Instant
5       100,000        10 Secs   Instant     Instant   Instant     Instant     Instant
6       1 Million      1½ Mins   10 Seconds  Instant   Instant     Instant     Instant
7       10 Million     17 Mins   1½ Mins     1½ Mins   Instant     Instant     Instant
8       100 Million    2¾ Hours  17 Mins     1½ Mins   10 Seconds  Instant     Instant
9      1000 Million    28 Hours  2¾ Hours    17 Mins   1½ Mins     10 Seconds  Instant

Source: Lockdown.co.uk – The Home Computer Security Centre

Page 42: Safeguarding Client Information

Password (cont’d)

• Understand (http://www.lockdown.co.uk/?pg=combi)

Character set: 0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz <SP>!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

Length  Combinations     Class A       Class B      Class C    Class D   Class E   Class F
2       9,216            Instant       Instant      Instant    Instant   Instant   Instant
3       884,736          88½ Secs      9 Secs       Instant    Instant   Instant   Instant
4       85 Million       2¼ Hours      14 Mins      1½ Mins    8½ Secs   Instant   Instant
5       8 Billion        9½ Days       22½ Hours    2¼ Hours   13½ Mins  1¼ Mins   8 Secs
6       782 Billion      2½ Years      90 Days      9 Days     22 Hours  2 Hours   13 Mins
7       75 Trillion      238 Years     24 Years     2½ Years   87 Days   8½ Days   20 Hours
8       7.2 Quadrillion  22,875 Years  2,287 Years  229 Years  23 Years  2¼ Years  83½ Days

Page 43: Safeguarding Client Information

Password

• Test: https://www.microsoft.com/protect/fraud/passwords/checker.aspx?WT.mc_id=Site_Link

• Software safe: Password Safe – http://passwordsafe.sourceforge.net/

Page 44: Safeguarding Client Information

Backup

• Hardware dies…

• Offsite

• Secured

• Solutions:
- Windows Backup Utility
- Apple’s Time Machine
- NAS
- Cloud
- Mozy (https://mozy.com/)

Page 45: Safeguarding Client Information

Metadata

• The Good vs. The Bad


Page 46: Safeguarding Client Information


Page 47: Safeguarding Client Information


Metadata (cont’d)

• The Good vs. The Bad (cont’d)
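The "bad" side of metadata is the identifying and historical information that travels inside a file without appearing on the page: in an Office Open XML document (.docx), the author, last editor, title and revision count live in docProps/core.xml inside the zip container, and they go with the file when it is sent to opposing counsel or a client. The Python below, added here as an illustration and not part of the CBA presentation, builds a constructed sample .docx, reads those properties, and writes a copy with them removed; the names and title in the sample are made up. It covers core.xml only: docProps/app.xml (company name, total editing time), comments, tracked changes and embedded images are separate parts and need separate attention, which is what a tool such as Word's Document Inspector exists for.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in Office Open XML (.docx/.xlsx/.pptx).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

CORE_PATH = "docProps/core.xml"

# Core properties that routinely identify people or reveal a document's history.
IDENTIFYING = ("dc:creator", "cp:lastModifiedBy", "dc:title", "dc:description", "cp:revision")


def _tag(name):
    """'dc:creator' -> '{http://purl.org/dc/elements/1.1/}creator' for ElementTree."""
    prefix, local = name.split(":")
    return "{%s}%s" % (NS[prefix], local)


def make_sample_docx():
    """Constructed, minimal .docx (a zip container) with identifying core properties."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
        "<dc:title>Draft settlement offer (hypothetical matter)</dc:title>"
        "<dc:creator>Jane Lawyer</dc:creator>"
        "<cp:lastModifiedBy>A. Client</cp:lastModifiedBy>"
        "<cp:revision>14</cp:revision>"
        "</cp:coreProperties>"
    ).format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # stand-in for the real part
        zf.writestr("word/document.xml", "<document/>")  # stand-in for the body
        zf.writestr(CORE_PATH, core)
    return buf.getvalue()


def read_core_properties(docx_bytes):
    """Return the identifying core properties present, e.g. {'dc:creator': 'Jane Lawyer'}."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read(CORE_PATH))
    found = {}
    for name in IDENTIFYING:
        el = root.find(_tag(name))
        if el is not None and (el.text or "").strip():
            found[name] = el.text.strip()
    return found


def strip_core_properties(docx_bytes):
    """Copy of the document with identifying core properties removed; other parts untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        root = ET.fromstring(src.read(CORE_PATH))
        for name in IDENTIFYING:
            el = root.find(_tag(name))
            if el is not None:
                root.remove(el)
        cleaned = ET.tostring(root, encoding="utf-8", xml_declaration=True)
        for item in src.infolist():
            data = cleaned if item.filename == CORE_PATH else src.read(item.filename)
            dst.writestr(item.filename, data)
    return out.getvalue()


def list_parts(docx_bytes):
    """Sorted part names, to confirm stripping touched nothing but the core properties."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return sorted(zf.namelist())


if __name__ == "__main__":
    original = make_sample_docx()
    print("before:", read_core_properties(original))
    print("after: ", read_core_properties(strip_core_properties(original)))
```

Run against a real file by reading its bytes instead of calling make_sample_docx(); the read function is the useful half for a pre-sending check, since a document whose creator or last editor is a client, or whose title names a different matter, is exactly the leak the slide warns about. Removing the elements rather than blanking them keeps the part valid, but the safer habit is to convert to PDF for anything leaving the firm, after inspecting that too.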

Page 48: Safeguarding Client Information

Partition

• Partition Hard Drive for Personal vs. Professional material


http://partitionlogic.org.uk/

Page 49: Safeguarding Client Information

Encrypt

• Encrypt:
- Media
- Support
- Communication channel
- Files

• Function of the risk

http://www.truecrypt.org/

https://www.ultravpn.fr/

http://www.axantum.com/axcrypt/

Page 50: Safeguarding Client Information

Questions


Page 51: Safeguarding Client Information

Upcoming CBA Online PD Programs

Parenting Plans for Infants and Toddlers – March 29th, 2011

Reducing Risk Through Effective Practice Management – April 13, 2011

The Impact of Effective Apology, With or Without Legislation – April 27, 2011

For related content on systems for managing client documents, watch "Effective Document Management for the Small Firm": (insert link)

Page 52: Safeguarding Client Information

Experience the CBA ADVANTAGE:

Visit our new Professional Development website!

www.cba.org/pd