Cybersecurity for law firms handouts
![Page 1: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/1.jpg)
#ClioWeb
Cybersecurity for Law Firms
Joshua Lenon – Clio
Rakesh Madhava – Nextpoint
Howard Irving – Atlantic Insurance
![Page 2: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/2.jpg)
Instructors
• Joshua Lenon
– Lawyer in Residence at Clio
– Attorney Admitted in New York
• Rakesh Madhava
– Nextpoint, CEO & Founder
– Litigation Consultant since 1996
• Howard Irving
– President, Atlantic Insurance Agency
![Page 3: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/3.jpg)
Agenda
• Cybersecurity is a Necessity (20 minutes)
– Ethical
– Statutory
– Federal Recommendations
• Cybersecurity Considerations (20 minutes)
– Physical and Environmental Controls
– “Need to Know” Access Within the Law Firm
– Encryption and User Authentication
– Audit Trail and Access Logs
• Cybersecurity Insurance (10 minutes)
• Questions
![Page 4: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/4.jpg)
CYBERSECURITY IS A NECESSITY
![Page 5: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/5.jpg)
ETHICAL CYBERSECURITY
![Page 6: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/6.jpg)
Ethical Requirements for Security
Rule 1.1 Competence
• [Comment 8]
– “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
States Adopting Comment 8
• Arizona
• Arkansas
• Connecticut
• Delaware
• Idaho
• Kansas
• Massachusetts
• Minnesota
• New Mexico
• North Carolina
• Ohio
• Pennsylvania
• West Virginia
• Wyoming
![Page 7: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/7.jpg)
Ethical Requirements for Security
Rule 1.6 Confidentiality
• (a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation…
• [Comment 18]
– “…inadvertent or unauthorized disclosure of information relating to the representation of a client does not constitute a violation if the lawyer has made reasonable efforts to prevent the access or disclosure.”
![Page 8: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/8.jpg)
Rule 5.3 Responsibilities Regarding Nonlawyer Assistant
• (b) a lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer…
![Page 9: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/9.jpg)
Continuous Ethical Duties
NY Ethics Opinion 842
“Lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client's information, and the lawyer should monitor the changing law of privilege to ensure that storing information in the ‘cloud’ will not waive or jeopardize any privilege protecting the information.”
CA Formal Ethics Op. No. 2010-179
“Because of the evolving nature of technology and differences in security features that are available, the attorney must ensure the steps are sufficient for each form of technology being used and must continue to monitor the efficacy of such steps.”
![Page 10: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/10.jpg)
Ethics Opinions Weakness
Opinions fail to discuss regulatory requirements.
![Page 11: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/11.jpg)
STATUTORY CYBERSECURITY
![Page 12: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/12.jpg)
Non-Lawyer Rules Affecting Lawyers
![Page 13: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/13.jpg)
Non-Lawyer Rules Affecting Lawyers
CFPB Bulletin 2012-03
“Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities.”
![Page 14: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/14.jpg)
Non-Lawyer Rules Affecting Lawyers
![Page 15: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/15.jpg)
Non-Lawyer Rules Affecting Lawyers
HIPAA
Protected Health Information (PHI): Any information relating to past, present, or future physical or mental health or condition of an individual.
• Medical records
• Any information that identifies an individual as a patient
• Applies to “covered entities” & “business associates”
• Protect the storage and transmission of electronic PHI
• Implement administrative, technical and physical safeguards
• Criminal penalties; state Attorneys General can bring civil actions for violations
![Page 16: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/16.jpg)
Non-Lawyer Rules Affecting Lawyers
HIPAA
• 9 Administrative Safeguards (164.308)
– Security Management Process
– Assigned Responsibility
– Workforce Security
– Information Access Management
• 4 Physical Safeguards (164.310)
– Facility Access
– Workstation Use
– Workstation Security
– Device & Media Controls
• 5 Technical Safeguards (164.312)
– Access Control
– Audit Controls
– Integrity
– Person Authentication
– Transmission Security
![Page 17: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/17.jpg)
Non-Lawyer Rules Affecting Lawyers
![Page 18: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/18.jpg)
Growing Alphabet of Regulation
• Federal Trade Commission (FTC)
• Securities & Exchange Commission (SEC)
• Fair Credit Reporting Act (FCRA)
• California’s Online Privacy Protection Act of 2003
• Massachusetts’ 940 CMR 27
• Canada
– Personal Information Protection and Electronic Documents Act (PIPEDA)
– BC’s Freedom of Information and Privacy Act (FOIPA)
• European Union Data Protection Directive
![Page 19: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/19.jpg)
FEDERAL CYBERSECURITY RECOMMENDATIONS
![Page 20: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/20.jpg)
Cybersecurity Framework
• “Framework for Improving Critical Infrastructure Cybersecurity”
• Published by NIST in February 2014
• Provides Core, Tiers and Profiles
![Page 21: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/21.jpg)
Cybersecurity Framework: Core
Source: NIST, “Framework for Improving Critical Infrastructure Cybersecurity,” 02/14/2014
![Page 22: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/22.jpg)
Cybersecurity Framework: Tiers
• 4 Tiers:
– Tier 1: Partial
– Tier 2: Risk Informed
– Tier 3: Repeatable
– Tier 4: Adaptive
• “Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective.”
![Page 23: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/23.jpg)
Cybersecurity Framework: Tiers
• Tier 3: Repeatable
– Formal risk management policies with reviews
– Organization-wide approach with training
– Collaborates with outside partners on risk management
• Tier 4: Adaptive
– Adapts security based on lessons & predictions
– Security is part of corporate culture with continuous improvement
– Actively shares information with partners
![Page 24: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/24.jpg)
Cybersecurity Framework: Profiles
• Current: security outcomes being achieved
• Target: outcomes needed to meet goals
• Compare Current and Target Profiles to identify gaps in security processes
![Page 25: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/25.jpg)
Cyber Security Framework
Cloud services allow easier regulatory compliance.
![Page 26: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/26.jpg)
Cloud Economies
• Dedicated Security Team
• Greater Investment in Security Infrastructure
• Fault Tolerance and Reliability
• Greater Resiliency
• Hypervisor Protection Against Network Attacks
• Simplification of Compliance Analysis
• Data Held by Unbiased Party
• Low-Cost Disaster Recovery and Data Storage Solutions
• On-Demand Security Controls
• Real-Time Detection of System Tampering
• Rapid Re-Constitution of Services
Source: Cloud.CIO.gov
![Page 27: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/27.jpg)
CYBERSECURITY CONSIDERATIONS
![Page 28: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/28.jpg)
Rakesh Madhava, Founder, CEO Nextpoint
![Page 29: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/29.jpg)
Considerations in Cybersecurity for Law Firms
![Page 30: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/30.jpg)
![Page 31: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/31.jpg)
![Page 32: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/32.jpg)
![Page 33: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/33.jpg)
4 Considerations For Law Firm Data Security
1. Physical & Environmental Controls
![Page 34: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/34.jpg)
Microsoft Data Center outside of San Antonio
QTS Data Center outside of Atlanta
![Page 35: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/35.jpg)
View of the World Trade Center from Hoboken, NJ after Superstorm Sandy
![Page 36: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/36.jpg)
4 Considerations For Law Firm Data Security
1. Physical & Environmental Controls
2. “Least Privilege”
![Page 37: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/37.jpg)
What Does “Least Privilege” Mean?
“The principle means giving a user account only those privileges which are essential to that user's work.”
– Wikipedia, Principle of Least Privilege
Source: http://en.wikipedia.org/wiki/Principle_of_least_privilege
![Page 38: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/38.jpg)
![Page 39: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/39.jpg)
4 Considerations For Law Firm Data Security
1. Physical & Environmental Controls
2. “Least Privilege”
3. Encryption at rest and in transit
![Page 40: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/40.jpg)
Source: https://msdn.microsoft.com/en-us/library/ff648434.aspx
![Page 41: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/41.jpg)
4 Considerations For Law Firm Data Security
1. Physical & Environmental Controls
2. “Least Privilege”
3. Encryption at rest and in transit
4. User access controls and audit logs
![Page 42: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/42.jpg)
User Access Controls & Audit Logs
• Can I add, delete or suspend users?
• Are users authenticated with multiple factors?
• Can I delete, download or add data myself?
• Can I see who has accessed the data?
• Can I see what data users have accessed?
![Page 43: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/43.jpg)
Cloud vs. Legacy Decision Tree
![Page 44: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/44.jpg)
[Decision-tree figure; only its node labels are recoverable from the slide:]
• Rigorous security provisioning
• Review platform security protocols is needed
• Supported by developer or reseller
• Direct from developer
• Cost: user fees and hosting cost
• Unlimited users without hosting
• Ability to load data directly into platform
• Self-serve upload and processing
• Integrated trial preparation
• Lifecycle solution
• No preference
• Legacy solution from vendor or on-premise
Technology Comparison: Cloud vs. Legacy
Confidential - Nextpoint © 2015
![Page 45: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/45.jpg)
1. Physical and Environmental Measures
Is the data center in a low-density area with environmental protections? ✅
Are there SOC 3 or ISO 27001 certifications validating physical security measures? ✅
Is there geographic redundancy in the event of a natural disaster? ✅
2. Use of Encryption Technology
Is data encrypted when stored at the data center? ✅
Is the data transmitted to and from the data center in an encrypted form? ✅
3. Users and Access Control
Are users validated using factors in addition to username and password? ✅
Does the law firm have the ability to add or suspend users on its own? ✅
Does the law firm have rights to add and delete data on its own? ✅
Are the activities of users tracked, with audit logs available? ✅
Technology Comparison: Cloud vs. Legacy
Confidential - Nextpoint © 2015
![Page 46: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/46.jpg)
CYBERSECURITY INSURANCE
![Page 47: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/47.jpg)
Cybersecurity Insurance
Why is cybersecurity insurance necessary?
![Page 48: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/48.jpg)
Cybersecurity Insurance
What rates can firms expect?
![Page 49: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/49.jpg)
Cybersecurity Insurance
What information will firms have to provide when acquiring coverage?
![Page 50: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/50.jpg)
Cybersecurity Insurance
What should technology vendors provide to help firms obtain coverage?
![Page 51: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/51.jpg)
Vendor Security
![Page 52: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/52.jpg)
Vendor Security
![Page 53: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/53.jpg)
Vendor Security
![Page 54: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/54.jpg)
CONCLUSIONS
![Page 55: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/55.jpg)
Conclusions
• Cybersecurity is moving from an ethical to a regulatory duty
• Law firms are vulnerable due to high volume of data and lack of preparedness
• Firms need a repeatable, adaptive cybersecurity process
• Reasonable cybersecurity safeguards include:
– Administrative
– Physical
– Technical
![Page 56: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/56.jpg)
Action Plan
• Today
1. Create an encrypted backup;
2. Turn on 2-factor authentication and strong passwords;
3. Find the access logs for your software.
• Going Forward
1. Map your current technology & data;
2. Read which data privacy laws apply to your practice area;
3. Document current cybersecurity levels;
4. Plan for the next level.
![Page 57: Cybersecurity for law firms handouts](https://reader030.fdocuments.in/reader030/viewer/2022032421/55a696b41a28ab662d8b4653/html5/thumbnails/57.jpg)
QUESTIONS?