Protecting Client Data 11.09.11
Transcript of Protecting Client Data 11.09.11
Protecting Client Data for Professional Responsibility and to Prevent Identity Theft
Paula S. deWitte, J.D., Ph.D., P.E.
Attorney Liability
• Violate Professional Responsibility Rules
• Violate state/federal identity theft statutes
• Commit malpractice
• Suffer embarrassment and loss of reputation from being on the front page of the newspaper or the lead story on the 6 p.m. news.
Good business practices to protect all client data – including sensitive personal information.
Three Business Reasons to Know This Material
1. Protect you and your law firm
2. Advise your clients to safeguard information
3. Prepare for new business opportunities
Why Are Law Firms Good Targets?
• To get to the lawyers
• To get to the clients’ information
• General, undirected attack on enterprises that are easily hacked into
Are Lawyers Targets?
• http://www.wired.com/threatlevel/2010/02/apt-hacks/
• One mark of APT attacks is that they have especially hit companies with dealings in China, including more than 50 law firms.
– Advanced Persistent Threats (APT): the attacks are distinctive in the kinds of data the attackers target, and they are rarely detected by antivirus and intrusion programs. What’s more, the intrusions grab a foothold into a company’s network, sometimes for years, even after a company has discovered them and taken corrective measures.
• “If you’re a law firm and you’re doing business in places like China, it’s so probable you’re compromised and it’s very probable there’s not much you can do about it,” Mandia says.
• In 2008, Mandiant investigated a breach at a law firm that was representing a client in a lawsuit related to China. The attackers were in the firm’s network for a year before the firm learned from law enforcement that it had been hacked. By then, the intruders had harvested thousands of e-mails and attachments from mail servers. They also had access to every other server, desktop workstation and laptop on the firm’s network.
Read More http://www.wired.com/threatlevel/2010/02/apt-hacks/#ixzz0hsIFsw2n
Manage Your Risk
• Know the terms:
– Sensitive Personal Information
– Encryption
– Business duty
– Reasonable procedures
• Know what is required to comply with the law.
• You may be liable under the laws of another state!
– Massachusetts law is the strictest and requires a written information security program (WISP).
Your Biggest Hidden Security Threats
• Social engineering: Unintentional and by those you trust
OR
• Insider threat: Intentional and by those internal to your law firm
Identity Theft Is Growing
• U.S. Dept. of Veterans Affairs = 1,800,000 (11/07) – stolen laptop
• U.S. Dept. of Veterans Affairs = 76,000,000 – defective hard drive sent out for repair/recycling without proper procedures
• Countrywide Home Loan = 2,000,000 (08/08)
• Overall U.S. identities lost since Jan 2005 = 250,000,000
• Estimated $1 Trillion worth of data stolen (2008)
• Cybercrime up 53%
• Cost to repair average 2008 data breach = $6,600,000
Bolded statistics credited to USAF Lt Gen (ret) Harry Raduege, Chairman, Center for Network Innovation, Deloitte, July 2009, World Affairs Council, Houston, TX.
Sony PlayStation Network and Online Entertainment Breaches
• 100 Million Accounts … – 100,000,000
• Costs of up to $2B … – $2,000,000,000
• Sony market capitalization is $20.5B – $20,500,000,000
• Liable under different nations’ and states’ laws
• PR nightmare
What Can Trigger Your Duties
• Security or data breaches by someone who targets your law firm
• Lost, stolen, or strayed computer or laptop
• Improperly trashed or donated computers or computer parts
• Lost mobile devices, USBs, or CDs
• Weak, limited, or no data encryption
• Weak passwords
• No/poorly written policies:
– E-mailing sensitive data to personal accounts
Security Aspects
• Electronic
– Firewalls, Security Software, Intrusion Detection Systems
• Physical
• Administrative/Management
– Your biggest vulnerability is people.
The World is Changing
• The “reasonableness” standard
• Growing client awareness
• Statutory and civil liabilities
• Technology:
– Readily available
– Relatively inexpensive
– Minimizes risk of being caught
– Web resources
• The ease of being a hacker
Security Framework
• Prevention
– Did you prevent unauthorized access?
• Detection
– Can you detect if a security breach has occurred?
– Can you figure out what happened and how?
• Remediation
– How can you fix the situation?
– Do you have remediation plans in place?
Statutory/Lawsuit Trend (1/3)
• HIPAA
• Gramm-Leach-Bliley Financial Services Modernization Act
• What is the standard to determine liability?
• States continue to pass harsher legislation to deal with a growing identity theft problem.
• Federal legislation possible
Statutory/Lawsuit Trend (2/3)
• “Sensitive personal information” means … an individual’s first name or first initial and last name in combination with any one or more of the following items, if the names and the items are not encrypted:
– social security number;
– driver’s license number or government-issued identification number; or
– account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account
– Other: biometric data ignored in this presentation.
Statutory/Lawsuit Trend (3/3)
• How does Tex. Bus. & Com. Code § 521.053(b) (2009) apply to lawyers?
– Three business duties
• Use reasonable procedures to safeguard SPI…
• Destroy or arrange for destruction of SPI…
• Notify when a breach is detected or when you are notified of a breach…
– “Many entities don’t discover a breach until someone from law enforcement notifies them. By then, it’s too late.”
• Tied to the DTPA
What is Sensitive Personal Information (SPI)?
• First initial and last name OR first name and last name
• Combined with any of:
– Social security number OR
– Driver’s license number OR
– Account or credit card number in combination with any required security code, access code, or password that would permit access to that account.
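The definition on this slide and on slide 15 turned into a small data-inventory check, as an added example that is not part of the original presentation: it tags a record as SPI only when a name is combined with one of the listed items, treats an account number without its access code as not SPI, and reports the encryption exception without relying on it. The Record fields, the classify and breach_scope helpers and the sample records are my own assumptions about how a firm might tag its files, not anything the statute prescribes.

```python
from dataclasses import dataclass
# Constructed example: applies the SPI definition summarized on the slides.
# Field names are assumptions about a firm's data inventory, not statutory.
@dataclass
class Record:
    first: str = ""            # first name or first initial
    last: str = ""
    ssn: str = ""
    drivers_license: str = ""  # or other government-issued ID number
    account_number: str = ""   # bank account or credit/debit card number
    access_code: str = ""      # security/access code or password for it
    encrypted: bool = False    # name and items both stored encrypted

def has_name(r):
    # First name OR first initial, together with the last name.
    return bool(r.first.strip()) and bool(r.last.strip())

def sensitive_items(r):
    items = []
    if r.ssn.strip():
        items.append("ssn")
    if r.drivers_license.strip():
        items.append("drivers_license")
    # Account/card number counts only with a code that permits account access.
    if r.account_number.strip() and r.access_code.strip():
        items.append("account_with_access_code")
    return items

def classify(r):
    # Returns (is_spi, items, note) for one record.
    items = sensitive_items(r)
    if not has_name(r) or not items:
        return False, items, "no name/item combination"
    if r.encrypted:
        # Statute excludes encrypted data; the slides say not to rely on it.
        return True, items, "encrypted: statutory exception may apply"
    return True, items, "unencrypted SPI"

def breach_scope(records):
    # Tally a lost file set to see whether the notification duty is triggered.
    notes = [classify(r)[2] for r in records]
    unencrypted = notes.count("unencrypted SPI")
    return {"records": len(records), "unencrypted_spi": unencrypted,
            "encrypted_spi": notes.count("encrypted: statutory exception may apply"),
            "notify": unencrypted > 0}

# Constructed sample: an employee file, a client card, an encrypted ID record.
SAMPLE = [Record("J", "Doe", ssn="123-45-6789"),
          Record("Jane", "Roe", account_number="4111 1111 1111 1111", access_code="1234"),
          Record("A", "Coe", drivers_license="TX7654321", encrypted=True)]
```

Running breach_scope(SAMPLE) reports two unencrypted SPI records and one covered only by the encryption exception, so the notify flag is set.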
Business Duty 1: Use “reasonable procedures”…
• “..including appropriate corrective action to protect unlawful use or disclosure of any SPI collected or maintained by the business in the regular course of business.”
• Cannot be delegated.
• Liable for the actions of your employees, regardless.
What is the Reasonable Standard?
• The business owner?
• The SPI owner (i.e., the potential victim)?
• IT personnel?
• Information assurance (IA) experts?
• Prevailing public perception?
Is there a standard?
Reasonable Procedures
• Must be in writing.
• Protect against anticipated threats or hazards.
• Consider administrative, technical, and physical.
• Consider all aspects of the SPI: collection, storage, access, use, transmission, and protection.
• Consider the security framework of prevention, detection, and remediation.
• Institutionalize procedures.
• Train.
• Audit.
Continuous Process
• Have a written information security program (WISP).
• Have a third party test your systems.
• Document the problems.
• Fix the problems.
• Conduct periodic reviews.
Business Duty 2: Destroy or Arrange for the Destruction…
• “…of customer records by shredding, erasing, or “otherwise modifying the sensitive PI in the records to make the information unreadable or indecipherable through any means”
• What works?
• What doesn’t work?
Business Duty 3: Notify Potential Victims
• “… after discovering or receiving notification of that breach … as quickly as possible”
• How do you discover a breach?
• What constitutes “receiving notification of that breach”?
• What does “quickly as possible” mean?
• How do I notify potential victims?
The Good News
The use of reasonable procedures and proper destruction work for all types of data a law office might maintain.
What Does the Attorney General Tell an Identity Theft Victim To Do?
• http://www.texasfightsidtheft.gov/
• Create a written criminal report to protect themselves from being denied credit.
• File a report with the Federal Trade Commission.
• Collect as much evidence as possible. This evidence can be used against you!
Your Liability
• Statutory fines to Texas
• To the SPI Owner:
– Lost income
– Expenses of fixing credit
– Attorney fees
– Possible treble damages under DTPA
• Your consequences:
– Loss of revenue and reputation
What SPI Do You Routinely Maintain?
• Employee Records
– Every employee record has the employee’s name and social security number
• Client Contact Information
– Besides SPI, IP and client sensitive information
• Discovery Documents
• Statutory exceptions:
– Statute excludes publicly available information available from federal, state, or local governments
– Excludes encrypted data
• No statutory definition for “encryption”
Do Not Rely on the Encryption Exception
• Encryption is not a yes/no category.
– Encryption is a continuum from weak to strong.
• True encryption requires encryption throughout the system; one piece of your system that is not encrypted renders the entire system vulnerable.