Cyber Lawyering, Data Management and Security for Lawyers
Leslie A. Greathouse
Association of Corporate Counsel
May 8, 2013


Do You Know How to Be A Safe Cyber Lawyer?

2013 Ethics CLE, Spencer Fane Britt & Browne LLP


Where to start . . .

• Evaluate your expertise on cyber security. Do you need an expert?
• Inventory your data and where it is stored.
• Identify your current security measures.


Which rules control data protection?

• First, the Rules of Professional Conduct: A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation, or the disclosure is permitted by certain limited exceptions. Mo. S. Ct. Rule 4-1.6; see also KRPC 1.6


Which rules control data protection?

• Second, look to your contracts.
• Third, some court rules restrict the filing of personal information and require redaction of information like SSNs.
• Fourth, look to Federal laws such as HIPAA (protecting privacy of health information).
• Fifth, some State laws protect various data; examples outside our geographic area include:
  • California even protects zip codes (Pineda v. Williams-Sonoma Stores, Inc., 246 P.3d 612 (Cal. 2011))
  • Massachusetts protects the information of its residents, nationally and internationally (Mass. Gen. L. ch. 93H, 201 CMR 17.00)


Which rules control data protection?

• Missouri—§407.1500
• Kansas—§50-7a01
  • Applies to “personal information”
  • Addresses unauthorized access
  • Requires notification to the consumer
  • May require notification to officials
• “Personal information” includes:
  • Social security number;
  • Driver's license or state ID number; or
  • Financial account number or credit/debit card number
• Missouri also protects:
  • Unique IDs and passwords to financial accounts;
  • Medical information; and
  • Health insurance information


There are evolving guidelines for lawyers and cyber security

• The ABA has recommended a new model rule to address safeguarding information:

A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

Amended Model Rule 1.6(c)


More on the evolving guidelines . . .

• The ABA has recommended five factors to consider in determining whether information has been competently safeguarded by a lawyer:
  • Sensitivity
  • Likelihood of disclosure if additional safeguards are not used
  • Cost of additional safeguards
  • Difficulty of using safeguards
  • Extent to which safeguards adversely affect the ability of the lawyer to represent the client

Model Rule 1.6, Amended Comment [18]


Potential standards to assist you in preparing a plan

• FTC’s Standards for Safeguarding Customer Information, 16 C.F.R. Part 312
• FTC’s Identity Theft Red Flags Rules, 16 C.F.R. Part 681
• International Organization for Standardization (ISO) has published standards available for purchase
  • http://www.iso.org/iso/catalogue_detail?csnumber=42103
• International Legal Technical Standards Organization has published standards and technology surveys
  • See e.g., http://www.iltanet.org/techsurvey
  • Offering a variety of webinars and publications on tech security for law firms


Secure disposal does not just mean shredding paper…

You must also securely dispose of electronic data.


Just what is your risk?

• External threats:
  • Corporate espionage
  • Criminal trolling
  • Activist hacking
• Internal threats:
  • Insensitive personnel
  • Disgruntled personnel


Some simple solutions . . .

• Office computers should be password protected and automatically time-out
• All portable devices (laptops, tablets, smartphones) should be password protected and automatically time-out
• Portable devices should be able to be “wiped” remotely
• “Cloud” storage on devices such as iPads and iPhones should be disabled or secure
• Consider prohibition of highly sensitive data anywhere other than your network devices


. . . remember your basics . . .

• Firewalls
• Antivirus software
• E-mail filters
• Upgrade software on a regular basis
• Track access to files
• Use vulnerability and penetration tests to identify gaps


. . . More simple solutions . . .

• Make sure your videoconferencing equipment is secure
• Review possible interaction between “apps” and firm data
• Bluetooth devices should be set to “nondiscoverable”, have strong passwords and be paired only when in trusted locations
• Be smart on public wireless networks
• Provide a separate wireless network for visitors not on your network
• Address e-mail risks by stripping viruses and other malware


Additional resources . . .

• SANS Institute recommended 20 security controls to thwart hackers: http://www.sans.org/critical-security-controls/
• ABA article: “Preventing Law Firm Data Breaches” http://www.americanbar.org/publications/law_practice_magazine/2012/january_february/hot-buttons.html


Thank you

Leslie A. Greathouse
Spencer Fane Britt & Browne LLP
1000 Walnut Street, Suite 1400
Kansas City, MO 64106
Telephone: 816-292-8115
Fax: 816-474-3216
[email protected]
www.spencerfane.com