Cybersecurity: How To Protect Your Law Firm Data

May 2015 Cybersecurity Risk Analysis Program: Law Firm Risk Management

+Agenda

• Why does cybersecurity matter in a law firm?

• What are clients asking for, and what should a firm expect?

• What are the consequences of not securing data?

• How does a law firm adhere to data security standards when there seem to be none?

• What can you do about the gaps in data security?

• Your obligations

• Where do the vulnerabilities exist?

• How will your practice improve if you champion data security?

• Sample elements of a privacy and data security program for a law firm

+What This Program Is Not (but what law firms should be doing)

• Technical manual on network security or architecture

• Priorities to validate investment

• Gap analysis of vulnerabilities

• Privacy program out of the box

• Guidelines for a CISO to initiate a risk assessment

• Incident response or preparation plan

• Crisis management or disaster recovery plan

• Business continuity plan

+Why Does Cybersecurity Matter?

• Industry and government have long considered law firms the “weak link” in data security

• Information compromises are now cited as one of the top priorities of corporate counsel and senior management among the Fortune 1000

• Penalties in the tens or hundreds of millions of dollars, class action litigation, reputational damage, residual costs of mitigation (credit monitoring and remediation), crisis management

• Law firms must better understand and help mitigate the risks of their clients

+Why Does Cybersecurity Matter?

• “Legal data” is no more protected or immune from hackers than any other corporate data, so it is just as vulnerable to breaches

• Attorney-client privilege does not segregate confidential data; privileged material sits on the same systems as everything else

• Law firm investment in technology has been de minimis, so vulnerabilities are exacerbated and firms have become targets for compromise

• A law firm’s data security protocols are increasingly a factor in the assessment of the firm’s qualifications to serve as counsel

• HIPAA requires third parties that handle protected health information (yes, law firms) to comply with its security standards as business associates when representing covered-entity clients

• Clients are increasingly aware of how weak security in law firms is, and they are beginning to ask questions…

+What to Expect

• Vendor Risk Assessments (VRAs) are now a standard compliance requirement for a service provider or vendor to be included on a company’s approved list.

• Onsite inspections, not just by insurers but at the request of corporate clients that insist on evaluating a firm’s security protocols and data protection standards.

• Security assessments and RFPs are standard requirements to evaluate data protection, and the trend toward ISO 27001 certification and alignment with NIST guidance (certification is issued against the ISO 27001 standard; NIST publishes frameworks and guidance but does not certify) is leaving several service providers without contract renewals or inclusion on “short lists,” even for professional services.

• Insurers are imposing tighter cybersecurity standards as they assess policyholders’ data security protocols and breach notification reporting controls. The policyholder in this case is the law firm!

+What to Expect

• Is this firm positioned to handle my data securely?

• What are their security, training and privacy protocols?

• Is their vendor management evaluation process rigorous?

• Is my lawyer even using encryption?

• Will my insurance policy cover data risks if my service provider or lawyer has a breach involving my data?

• Do my lawyer and her firm embrace the concept that technology is no longer solely the domain of e-discovery and IT experts?

+What do corporate counsel want?

• Information governance functions that TRANSCEND the IT department

• Executive committee level attention

• Documented processes

• Audits and reviews of the security framework

• Third-party security assessments (e.g., cloud providers, data storage and records retention vendors)

• Employee training

• Access controls

• A dedicated and accountable resource for information security and privacy: a law firm CISO

• Response to and preparation for a data incident is now a board-level responsibility

• To be comfortable sending data to their leading law firm, rather than measuring the risk of doing so

+The New Normal

• Legal technology is now considered in the domain of legal data and must be
    ◦ Managed
    ◦ Protected
    ◦ Secured
    ◦ Assigned a value in the lifecycle of information

→ BY LAWYERS…and NOT the IT Department

    ◦ Privacy, data security, information governance and e-discovery are a bundled risk; it is the lawyer’s responsibility to assist the client to
        ▪ Manage client data in accordance with a secure policy
        ▪ Manage the firm’s own data as an extension thereof

Create and convey the message to clients about your approach and it will surely resonate. Lawyers need to grasp this concept and incorporate it into their marketing and their practice.

+The New Normal

• Nearly 70 percent of corporate counsel reported in a recent survey that data security and cybersecurity play the leading role in how they manage e-discovery, so we are already seeing a significant re-prioritization of security considerations.

• Predictive coding and analytics should be the opportunity for lead litigators to differentiate themselves by becoming more strategic rather than punting to technologists.

• Data security in the course of litigation has the potential to pose massive risk, but outside counsel should be able to comprehensively reassure clients and insurers that the data is protected and managed tightly and in accordance with secure protocols.

• In 2011, the FBI met with managing partners of several Biglaw firms to highlight computer security, espionage and hacker threats from foreign countries.

• Even before 2014, the “Year of the Breach,” a security consulting firm reported in 2011 that 80 percent of the 100 largest American law firms had suffered some malicious computer breach that year.

+What are the consequences of not securing data?

• Clients are increasingly issuing RFPs and assessments of their law firms’ data security. When responses are not up to par:
    ◦ Companies will eliminate a law firm from their “short list” of providers. In other words, “You’re Fired.”

• Failure to preserve such data can create liability: malpractice suits, claims under the Computer Fraud and Abuse Act (CFAA), court sanctions
    ◦ In May 2015, California Magistrate Judge Paul Grewal sanctioned a firm over $212,000 for failing to preserve relevant documents after running “Crap Cleaner” file-wiping software

+What are the consequences of not securing data?

• Lose clients

• Reputational damage

• Financial penalties

• Court sanctions with rippling effects

+What Standards Can Firms Adopt?

• ISO 27001: Some of the larger law firms have information governance or data security C-level professionals, but few have been given a budget to support an ISO 27001 certification process
    ◦ 16 of the AmLaw 200 law firms have ISO 27001 certification, and they have it because corporate clients insisted on it.

• Financial Services Information Sharing and Analysis Center (FS-ISAC)
    ◦ Not a standard but an information-sharing forum focused on financial services institutions. Several law firms have become members. FS-ISAC has existed since 1999 but has only recently become a key asset and leader in the drive to shore up data security and mitigate cyberthreats in the corporate financial services environment.

• International Association of Privacy Professionals (IAPP): IAPP guidance and best practices are almost universally accepted as the standard source of privacy and data security information, analysis and guidance.
    ◦ Law firms can more broadly support IAPP certification of staff and practitioners as appropriate, to encourage training and best practices

+What standards can firms adopt?

• Ethics and technology:
    ◦ The first issuance of guidance on ethics and technology vis-à-vis keeping client data secure: Delaware Supreme Court Commission on Law & Technology (http://courts.delaware.gov/declt/news.stm)
    ◦ ABA Model Rules of Professional Conduct, amended in August 2012 to adopt the work of the Ethics 20/20 Commission

• National Institute of Standards and Technology (NIST)
    ◦ This federal agency (part of the U.S. Department of Commerce) has issued cybersecurity guidance, including the NIST Cybersecurity Framework (2014) and the SP 800 series, that is almost universally accepted by practitioners.

Law firms customarily do not adopt these standards because doing so would require a Chief Information Security Officer with a budget to allocate, training, and staff with the organization and authority to work across silos to accomplish the testing, remediation, monitoring and other risk mitigation tactics set forth in the guidelines.

+What standards can firms adopt?

• In the absence of standards:
    ◦ Documented processes, protocols, and incident response plans and preparation
    ◦ Encryption on devices and thumb drives (full-disk encryption on laptops and phones, encrypted removable media), so that a lost device is a lost asset rather than a disclosure of client data
    ◦ Intrusion detection and monitoring, including regular review of system logs
    ◦ Employee training
    ◦ Access controls (documented and vetted)

+Is Compliance Cost-Prohibitive?

• Small and mid-sized firms and solo practitioners should be able to compete on a more level playing field, given how few firms of any size have committed privacy and data security programs
    ◦ Use the improvement in security posture as a marketing asset

• Communications to clients about cybersecurity in the law firm can be astounding differentiators

• ISO 27001 certification is a lengthy, costly process. Only a small fraction of AmLaw 200 firms (16 at the time of this presentation) have invested in the process so far, and only at the behest of major clients

• IAPP CIPP/CIPM training and certification costs less than $1,500 per person

+What Can a Lawyer Do?

• Understand and embrace the technological aspects of the risks and how they tie to your firm’s and your client’s risk profile with respect to data.
    ◦ Technology is an integrated element of the client service relationship rather than an auxiliary one. Lawyers need to stop separating the technology aspect of this practice.

• Take a lead role in developing your firm’s data security position
    ◦ Work with your IT, litigation support, HR and records professionals on a process or compliance structure
    ◦ Take an active role in the strategy for creating RFP responses to data security assessments.

• Communicate to clients that you are involved in improving your firm’s security posture and they will trust that you will put that kind of effort into their data incident response matters. This is a highly marketable asset.

+What Can a Lawyer Do?

• Get certified as a CIPP through the International Association of Privacy Professionals

• Initiate a culture of security
    ◦ Simple tactics like smart password protection, device management, and desktop/workstation security

• Take the time to understand the information management functions in the firm and its current security posture

• Ask your clients for their privacy policies and see where you fit

• Understand your firm’s current policies and see if you can improve your own security behavior

+What Can a Lawyer Do?

• Be proactive! Reach out to clients on the subject, ask about their positions and your competitors’, and work on a program together to manage the risks associated with data and information

• Identify the business advocate at your organization and engage

• Understand the fine points of your legal and ethical obligations to clients vis-à-vis a data breach (see Your Obligations)

+Your Obligations

• ABA Model Rule 1.6, in the context of the duty to protect email communications between a lawyer and the client. The ABA opinion noted that:

“a lawyer must act competently to protect the confidentiality of clients’ information. This duty, which is implicit in the obligation of Rule 1.1 to ‘provide competent representation to a client,’ is recognized in two Comments to Rule 1.6. Comment [16] observes that a lawyer must ‘act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.’”

+Your Obligations

• ABA Model Rule 1.6(c) requires that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Most states have similar ethical provisions.

• State laws, for example:
    ◦ The Massachusetts data security regulation (201 CMR 17.00) requires encryption of personal information transmitted over public networks or wirelessly, and on laptops and other portable devices. It applies to anyone who owns or licenses personal information about Massachusetts residents, so law firms with offices in Massachusetts or otherwise doing business there must comply with this regulation or face potential civil and/or criminal penalties.
    ◦ HIPAA “business associate” rules require safeguarding of PHI (and the PII it contains)

+Where Do Vulnerabilities Exist?

• In a word, EVERYWHERE

• Senior partners who overrule strong recommendations by the IT department to use password protection

• Bring Your Own Device and remote working arrangements with loose security controls, not to mention portable devices in transit (Did someone leave a laptop in the back of the cab or drop a thumb drive in the rental car?)

• Behind-the-curve technology to detect, prevent, monitor and deter attacks on networks, servers, apps and devices

• Poor vendor security management due to a lack of standardization or centralization of such controls

• Loose access controls on data (anyone in the IT department can access most documents, servers and data; no least-privilege separation between administering a system and reading the client files on it)

• EMPLOYEE mistakes, oversights, carelessness and lack of training

+How Can Your Practice Improve If You Champion Data Security?

• A differentiator will always win the day

• Your visibility within your firm and among your clients will improve

• Enhancement of the trust relationship

• Gestures of outreach to the client to inquire about security will always generate goodwill and trust

• If a firm (or any institution) is under question or investigation for a data breach, adherence to standards and a compliant ecosystem will at least serve as a mitigating factor

+Elements of a Program

• Identifying the stakeholders and administrators responsible for any data, not just client data

• Vendors to the law firm must undergo assessment processes, including:
    ◦ Experts
    ◦ Litigation support
    ◦ Translation services
    ◦ Dictation services
    ◦ Facilities and building management
    ◦ HR and benefits vendors and software platforms
    ◦ Travel agency services
    ◦ …anyone processing payment on behalf of the firm and its members

STAKEHOLDERS

• Information Technology

• Human Resources and Legal Personnel

• Facilities and Physical Security

• Litigation Support and E-Discovery

• Vendor Management and Contracts / Procurement

• Records

• Marketing

• Executive Committee

• Finance and Accounting

Plan and Consensus

• Collaboration, and policy management and enforcement

• Compose a business plan for the Executive Committee

• Ensure all stakeholders buy in before the EC presentation

• Establish budget and investment parameters

• The EC must agree on a “Captain of the Ship” for the CISO role, in addition to reporting and task force responsibilities

• Continual review and testing of policies and procedures; adjust as necessary

• Incident Response Plan

• All stakeholders must develop and agree on enforcement

• Break down the silos

• Find a way to work together!

Stakeholder responsibility map (slide diagram; the box-to-owner layout did not survive extraction, so the items are listed in the order they appear)

• Information Technology
• Human Resources and Legal Personnel
• Facilities and Security
• Compliance and policies
• Access and usage, device policies
• Vendor management
• Data Protection and Information Security (CISO)
• Retention schedules and disposition protocols
• Categorization and tagging
• Physical/analog information
• Network and systems, device architecture
• User licenses and access
• Vendor management
• Server security
• Mobile and desktop
• Facility and vendor management
• Employee data and PII
• Account information for benefits
• HIPAA
• Records
• Litigation Support and E-Discovery
• Extranets
• Discovery and EDRM
• Client and legal data

Checklist

• Leadership
    ◦ Attorney training
    ◦ Staff training
    ◦ Committee/task force
    ◦ Budget

• Clients
    ◦ Communications to clients, clear and concise
    ◦ RFP boilerplate and a standard process, not relegated to IT
    ◦ Security standards requirements

• Litigation Support and E-Discovery
    ◦ Vendor management
    ◦ Incorporate a data security policy for all EDD outsourcing
    ◦ Adhere to the firm’s protocols, not the vendor’s

• Employees
    ◦ Encryption, handhelds and VPNs, remote office
    ◦ User profiles and access codes
    ◦ DMS protocol enforcement

• Standards and Compliance
    ◦ NIST
    ◦ ISO 27001
    ◦ SEC
    ◦ IAPP
    ◦ Self-driven controls and reporting

Summary

• There is no better time than now to implement integrated Information Governance and Data Security programs

• Investment in these areas implies compliance with federal standards and client service

• Attorneys have an ethical obligation to protect data

• Communicate cybersecurity standards to clients for a competitive advantage

Law Firm Security Business Process Model (slide diagram)

• E-Discovery
• Privacy
• Data Security
• Information Governance

Other Drivers (slide diagram)

• Insurance cybersecurity policy requirement
• Risk profile
• Leverage client demands
• Quality assurance
• Premium expense: low risk, low premium; investment to lower premium
• Standards: insurers providing the mainstay of compliance standards for cybersecurity

+Final Thoughts / Q&A

Biography

Jenn Topper advises clients on the operational and organizational elements of privacy and data security. She offers guidance to senior executives, insurers, privacy professionals and corporate board members on enterprise risk management with respect to cybersecurity best practices and the implementation of privacy and data security programs and compliance.

Jenn has been working closely with law firm clients in developing privacy and data security practices. She has spent the majority of her career in professional services helping lawyers establish and execute innovative and sustainable business planning and business development, legal project management, marketplace analysis, and communications. She is a frequent speaker and author on issues relating to the execution of privacy programs and the effect of regulatory and legislative changes on data security and privacy statutes, in such publications as Cybersecurity Law Report and Privacy Law360.

[email protected] 732 266 4973