Security by Design for Law Firms

A Clio & Nextpoint Webinar (#ClioWeb)
Joshua Lenon & Fiona Finn – Clio
Julianne Walsh – Nextpoint

Transcript of Security by Design for Law Firms

Instructors

Joshua Lenon
• Lawyer in Residence at Clio
• Attorney Admitted in New York
• @JoshuaLenon

Fiona Finn
• Legal Marketing Specialist at Clio
• Bachelor of Civil Law & Masters of Laws (LLM)
• @FionaFinn

Julianne Walsh
• Attorney in Residence at Nextpoint
• Attorney Admitted in Illinois
• [email protected]

Agenda

• Security by Design (5 minutes)
• FTC’s regulation of cybersecurity (10 minutes)
• 10 Tips for protecting client data in the cloud (35 minutes)
• Legal Technology Security Evolves (5 minutes)
• Questions (5 minutes)


SECURITY BY DESIGN


Security by Design

Formalizes account design, automates security controls, and streamlines auditing

Phase 1 – Understand your requirements.

Phase 2 – Build a “secure environment” that fits your requirements and implementation.

Phase 3 – Enforce the use of the templates.

Phase 4 – Perform validation activities.


FTC’S REGULATION OF CYBERSECURITY


FTC & Cybersecurity

Federal Trade Commission (FTC)
• Established in 1914 by the Federal Trade Commission Act
• Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, grants the FTC power to investigate and prevent unfair or deceptive trade practices (UDAP authority)
• 50 cybersecurity enforcement actions since 2002


Federal Trade Commission v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015) – the Third Circuit held that the FTC’s unfairness authority under Section 5 reaches a company’s deficient cybersecurity practices.


FTC’s Standard of Care

Take “reasonable and necessary measures” to protect consumer data


Lawyer Ethical Requirements for Security

Rule 1.6 Confidentiality
• (a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation…
• [Comment 18] …inadvertent or unauthorized disclosure of information relating to the representation of a client does not constitute a violation if the lawyer has made reasonable efforts to prevent the access or disclosure.


10 TIPS FOR PROTECTING CLIENT DATA IN THE CLOUD


1. Start with Security

2. Control Access to Data Sensibly

3. Require Secure Passwords and Authentication

4. Store Sensitive Personal Information Securely and Protect it During Transmission

5. Segment Your Network and Try to Monitor Who is Trying to Get in and Out

6. Secure Remote Access to Your Network

7. Apply Sound Security Practices When Developing New Products

8. Make Sure Your Service Providers Implement Reasonable Security Measures

9. Put Procedures in Place to Keep Your Security Current and Address Vulnerabilities That May Arise

10. Secure Paper, Physical Media, and Devices

Source: Start with Security, Federal Trade Commission


1. Start with Security

Don’t collect personal information you don’t need. No one can steal what you don’t have.
• Collect information in stages: potential client, client, ex-client

Hold on to information only as long as you have a legitimate business need. Securely dispose of personal information once there is no longer a legitimate need for it.
• Return client files at the end of engagements

Don’t use personal information when it’s not necessary.


2. Control Access to Data Sensibly

Restrict access to sensitive data. Implement proper controls to ensure that only authorized employees with a business need have access.
• Use job roles and permissions to control access
• MRPC Rule 1.10 Imputation of Conflicts of Interest (access controls are how an ethical screen is actually enforced)

Limit administrative access. Tailor administrative controls to job needs.
• Administrative access is required for changing users & permissions, so confine it to the people who do that work


3. Require Secure Passwords & Authentication

Use a strong password. Your password should contain at least three of the four following types of characters, and preferably all four: upper case, lower case, numbers and special characters (including space).

Store passwords securely. Don’t make it easy for passwords to be accessed.
• Have policies and procedures in place to store credentials securely.

Change passwords regularly. A password change is recommended every 90 days. (NIST SP 800-63B, published after this webinar, advises against forcing routine rotation and instead recommends changing a password whenever there is evidence it has been compromised.)
• Do not use the same password for multiple sites.

Prevent brute force attacks. Lock out accounts after a defined number of incorrect password attempts. A temporary lockout or an escalating delay limits how easily an attacker can lock legitimate users out.

Protect against authentication bypass. Address vulnerabilities in authentication mechanisms.
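The three rules above that can be mechanised (the character-class check, salted hashing for stored credentials, and lockout after a number of failed attempts) as an added Python example; this is not code from the webinar, Clio or Nextpoint. The 12-character minimum, the 5-attempt threshold, the 15-minute lockout, the PBKDF2 iteration counts and the account name are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

# Character classes from the slide: upper case, lower case, numbers and
# special characters (the slide counts space as a special character).
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation) | {" "},
}


def check_password_strength(password, min_length=12, min_classes=3):
    """Return (ok, reasons). The three-of-four class rule is the slide's;
    the 12-character minimum is an assumption added here."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    present = [n for n, chars in CLASSES.items() if any(c in chars for c in password)]
    if len(present) < min_classes:
        reasons.append(f"uses {len(present)} of 4 character classes; need {min_classes}")
    return (not reasons, reasons)


def hash_password(password, iterations=600_000, salt=None):
    """Store a random salt and a PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password, salt, digest, iterations=600_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class LoginThrottle:
    """Lock an account for lockout_seconds after max_attempts consecutive failures."""
    max_attempts: int = 5
    lockout_seconds: int = 900
    iterations: int = 600_000
    state: dict = field(default_factory=dict)  # account -> (failures, locked_until)

    def attempt(self, account, password, salt, digest, now):
        """Return 'locked', 'ok' or 'bad'. `now` is a timestamp in seconds,
        passed in so the logic can be exercised without sleeping."""
        failures, locked_until = self.state.get(account, (0, 0.0))
        if now < locked_until:
            return "locked"  # still inside the lockout window; no hashing done
        if locked_until:
            failures = 0  # a previous lockout has expired: start counting afresh
        if verify_password(password, salt, digest, self.iterations):
            self.state.pop(account, None)  # success clears the failure counter
            return "ok"
        failures += 1
        if failures >= self.max_attempts:
            self.state[account] = (failures, now + self.lockout_seconds)
            return "locked"
        self.state[account] = (failures, 0.0)
        return "bad"


def demo():
    """Constructed login sequence for a hypothetical account: three wrong guesses
    lock it, the right password is refused while locked, and works after expiry."""
    salt, digest = hash_password("Correct Horse 9!", iterations=50_000)
    throttle = LoginThrottle(max_attempts=3, lockout_seconds=900, iterations=50_000)
    attempts = [(0, "guess1"), (1, "guess2"), (2, "guess3"),
                (3, "Correct Horse 9!"), (1000, "Correct Horse 9!")]
    return [throttle.attempt("alice", pw, salt, digest, now=t) for t, pw in attempts]


if __name__ == "__main__":
    print(check_password_strength("password"))
    print(demo())
```

`demo()` returns `['bad', 'bad', 'locked', 'locked', 'ok']`: the lockout refuses even the correct password until the window has passed, which is the behaviour that blunts online guessing. The throttle returns "locked" before doing any hashing, so a locked account costs the server nothing per attempt; run the hash for unknown accounts too if you want to avoid leaking which usernames exist through response timing.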


4. Store & Transmit Sensitive Personal Information Securely

Keep sensitive information secure through its lifecycle. Data does not stay in one place.
• Client information should be protected from collection through transmission, use and destruction.

Use industry-tested and accepted methods. All of the certifications and reports listed are used to gain confidence and place trust in a service organization’s systems.
• SOC 2 Type 2 report (an independent auditor’s attestation that controls operated effectively over a period, rather than a certification)
• ISO 27001 certification
• ISO 27018 certification (cloud-specific controls for protecting personal data)

Ensure proper configuration. Technology is not enough.
• Make sure encryption technologies are properly configured, deployed and updated or they may be ineffective.


5. Segment & Monitor Your Network

Segment your network. Not every computer in your system needs to be able to communicate with every other one.
• Protect particularly sensitive client data by housing it in a separate secure place on your network.

Monitor access. Know who is accessing your network.
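For the segmentation and monitoring points together, an added Python example (not from the webinar or either vendor) that runs two checks over constructed authentication-log lines: repeated failed logins from one source, and successful logins into the segregated subnet that did not come from the networks allowed to reach it. The log format, the subnet addresses, the usernames and the threshold are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed log lines in a hypothetical format: timestamp, result, user, source, destination.
SAMPLE_LOG = """\
2016-03-01T09:00:01 FAIL user=alice src=203.0.113.5 dst=10.0.20.7
2016-03-01T09:00:02 FAIL user=alice src=203.0.113.5 dst=10.0.20.7
2016-03-01T09:00:03 FAIL user=alice src=203.0.113.5 dst=10.0.20.7
2016-03-01T09:00:04 FAIL user=alice src=203.0.113.5 dst=10.0.20.7
2016-03-01T09:00:05 FAIL user=alice src=203.0.113.5 dst=10.0.20.7
2016-03-01T09:00:06 ACCEPT user=alice src=203.0.113.5 dst=10.0.20.7
2016-03-01T09:05:00 FAIL user=bob src=10.0.10.4 dst=10.0.20.7
2016-03-01T09:05:10 ACCEPT user=bob src=10.0.10.4 dst=10.0.20.7
2016-03-01T09:10:00 ACCEPT user=carol src=192.0.2.9 dst=10.0.20.7
2016-03-01T09:12:00 ACCEPT user=dave src=10.0.10.8 dst=10.0.10.9
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<result>ACCEPT|FAIL) user=(?P<user>\S+) "
                  r"src=(?P<src>\S+) dst=(?P<dst>\S+)$")

# Assumed layout: sensitive client data lives on its own subnet, reachable
# only from the office LAN (10.0.10.0/24) and the VPN address pool (10.0.30.0/24).
SENSITIVE_SEGMENT = ipaddress.ip_network("10.0.20.0/24")
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.10.0/24"), ipaddress.ip_network("10.0.30.0/24")]


def parse(text):
    """Return one dict per well-formed line; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def repeated_failures(events, threshold=5):
    """Sources with at least `threshold` failed logins: a simple brute-force indicator."""
    counts = Counter(e["src"] for e in events if e["result"] == "FAIL")
    return {src: n for src, n in counts.items() if n >= threshold}


def segment_violations(events):
    """Successful logins to the sensitive segment from outside the allowed networks."""
    hits = []
    for e in events:
        if e["result"] != "ACCEPT":
            continue
        src, dst = ipaddress.ip_address(e["src"]), ipaddress.ip_address(e["dst"])
        if dst in SENSITIVE_SEGMENT and not any(src in net for net in ALLOWED_SOURCES):
            hits.append((e["user"], e["src"], e["dst"]))
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("repeated failures:", repeated_failures(evs))
    print("segment violations:", segment_violations(evs))
```

On the constructed log the two checks corroborate each other: 203.0.113.5 fails five times against the sensitive host and then succeeds, and that success also shows up as a login from outside the permitted networks. A firewall rule between the segments would have stopped both; the monitoring is what tells you the rule is missing or has been bypassed.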


6. Secure Remote Access to Your Network

Ensure endpoint security.
• Assess your own and your clients’ security setup
• Use client portals rather than e-mail attachments to minimize risks
  – ABA Formal Ethics Opinion 11-459 – Duty to Protect the Confidentiality of E-mail Communications with One’s Client

Put sensible access limits in place.
• Only share what you need to with clients and others


7. Apply Sound Security Practices When Developing New Products

Train your engineers in secure coding.

Follow platform guidelines for security.

Verify that privacy and security features work.
• Trust but verify. Don’t take security for granted.

Test for common vulnerabilities.


8. Make Sure Your Service Providers Implement Reasonable Security Measures

Put it in writing. Insist that appropriate security standards are part of your contracts.
• The service agreement should include terms to abide by attorney-client confidentiality in the privacy policy, thereby ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security.

Verify compliance. Security can’t be a “take our word for it” thing.
• The service agreement should include your right to audit performance records and access daily service quality statistics.


www.legalcloudcomputingassociation.org


9. Procedures to Keep Your Security Current

Update and patch third-party software. Outdated software undermines security.
• Software that commonly exposes lawyers to compromise: Internet Explorer
• Prioritize patches; incorporate updates into standard compliance practice.

Heed credible security warnings and move quickly to fix them. Have a process in place to address security vulnerability reports.
• Identify and assess vulnerability reports.
• Assign the responding team and assets.
• Notify clients and maintain an open flow of information via a clearly publicized and accessible channel.


Think of security as a shared responsibility between users and vendors, with a consistent approach to updating and awareness: there is no one-off solution that ensures the full security of sensitive information.


10. Secure Paper, Physical Media, and Devices

Securely store sensitive files. If it is necessary to retain important paperwork, take steps to keep it secure.
• ABA Model Rules of Professional Conduct 1.15(a) – Safekeeping Property

Protect devices that store personal information.

Keep safety standards in place when data is en route.
• Limit the instances when attorneys need to be out and about with sensitive data in their possession.

Dispose of sensitive data securely.
• Use available technology to wipe devices that are not in use.


LEGAL TECHNOLOGY SECURITY EVOLVES


www.legalcloudcomputingassociation.org


http://www.legalcloudcomputingassociation.org/standards/


QUESTIONS?


Thank You

Joshua Lenon

[email protected]

@JoshuaLenon

Linkedin.com/in/joshualenon