Security by Design for Law Firms
Transcript of Security by Design for Law Firms
#ClioWeb
Security by Design for Law Firms
A Clio & Nextpoint Webinar
Joshua Lenon & Fiona Finn – Clio
Julianne Walsh – Nextpoint
Instructors
Joshua Lenon
• Lawyer in Residence at Clio
• Attorney Admitted in New York
• @JoshuaLenon
Fiona Finn
• Legal Marketing Specialist at Clio
• Bachelor of Civil Law & Masters of Laws (LLM)
• @FionaFinn
Instructors
Julianne Walsh
• Attorney in Residence at Nextpoint
• Attorney Admitted in Illinois
• [email protected]
Agenda
• Security by Design (5 minutes)
• FTC’s regulation of cybersecurity (10 minutes)
• 10 Tips for protecting client data in the cloud (35 minutes)
• Legal Technology Security Evolves (5 minutes)
• Questions (5 minutes)
Security by Design
Formalizes account design, automates security controls, and streamlines auditing
Phase 1 – Understand your requirements.
Phase 2 – Build a “secure environment” that fits your requirements and implementation.
Phase 3 – Enforce the use of the templates.
Phase 4 – Perform validation activities.
FTC & Cybersecurity
Federal Trade Commission (FTC)
• Established in 1914 by the Federal Trade Commission Act
• Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 grants the FTC power to investigate and prevent unfair or deceptive trade practices (UDAP Authority)
• 50 cybersecurity enforcement actions since 2002
Lawyer Ethical Requirements for Security
Rule 1.6 Confidentiality
• (a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation…
• [Comment 18] – ...inadvertent or unauthorized disclosure of information relating to the representation of a client does not constitute a violation if the lawyer has made reasonable efforts to prevent the access or disclosure.
1. Start with Security
2. Control Access to Data Sensibly
3. Require Secure Passwords and Authentication
4. Store Sensitive Personal Information Securely and Protect it During Transmission
5. Segment Your Network and Try to Monitor Who is Trying to Get in and Out
6. Secure Remote Access to Your Network
7. Apply Sound Security Practices When Developing New Products
8. Make Sure Your Service Providers Implement Reasonable Security Measures
9. Put Procedures in Place to Keep Your Security Current and Address Vulnerabilities That May Arise
10. Secure Paper, Physical Media, and Devices
Source: Start with Security, Federal Trade Commission
1. Start with Security
Don’t collect personal information you don’t need. No one can steal what you don’t have.
• Collect information in stages: potential client, client, ex-client
Hold on to information only as long as you have a legitimate business need. Securely dispose of personal information once there is no longer a legitimate need for it.
• Return client files at the end of engagements
Don’t use personal information when it’s not necessary.
2. Control Access to Data Sensibly
Restrict access to sensitive data. Implement proper controls to ensure that only authorized employees with a business need have access.
• Use job roles and permissions to control access
• MRPC Rule 1.10 Imputation Of Conflicts Of Interest
Limit administrative access. Tailor administrative controls to job needs.
• Administrative access is required for changing users & permissions
3. Require Secure Passwords & Authentication
Use a strong password. Your password should contain at least three of the four following types of characters, and preferably all four: upper case, lower case, numbers and special characters (including space).
Store passwords securely. Don’t make it easy for passwords to be accessed.
• Have policies and procedures in place to store credentials securely.
Change passwords regularly. A password change is recommended every 90 days.
• Do not use the same password for multiple sites.
Prevent brute force attacks. Lock out accounts after a defined number of incorrect password attempts.
Protect against authentication bypass. Address vulnerabilities in authentication mechanisms.
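The password rules on this slide, as an added Python example that is not part of the webinar or of Clio’s or Nextpoint’s software: the three-of-four character-class check, salted hashing so stored credentials are never the password itself, and an account lockout after a defined number of failed attempts. The lockout threshold of 5 and the PBKDF2 work factor are assumptions, since the slide leaves those numbers to the firm.

```python
import hashlib
import hmac
import os
import string

MIN_CLASSES = 3           # slide: at least three of the four character classes
MAX_FAILED_ATTEMPTS = 5   # assumption: the slide only says "a defined number"

def password_classes(pw):
    """Count the classes used: upper, lower, digits, special (space counts)."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c == " " or c in string.punctuation for c in pw),
    ])

def hash_password(pw, salt=None):
    """Return (salt, digest); only these are stored, never the password itself."""
    salt = salt or os.urandom(16)
    # 200,000 PBKDF2 rounds is an assumed work factor, not a figure from the slide
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 200_000)
    return salt, digest

class AccountStore:
    def __init__(self):
        self.users = {}   # username -> salt, digest, failed-attempt counter, lock flag

    def register(self, user, pw):
        if password_classes(pw) < MIN_CLASSES:
            raise ValueError("password must use at least three character classes")
        salt, digest = hash_password(pw)
        self.users[user] = {"salt": salt, "digest": digest, "failed": 0, "locked": False}

    def login(self, user, pw):
        rec = self.users.get(user)
        if rec is None:
            return "unknown"
        if rec["locked"]:
            return "locked"
        _, digest = hash_password(pw, rec["salt"])
        if hmac.compare_digest(digest, rec["digest"]):
            rec["failed"] = 0       # a successful login resets the counter
            return "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["locked"] = True    # the slide's brute-force lockout
            return "locked"
        return "denied"
```

Once an account is locked, even the correct password is refused until an administrator clears the flag, which is the behaviour the slide asks for.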
4. Store & Transmit Sensitive Personal Information Securely
Keep sensitive information secure through its lifecycle. Data does not stay in one place.
• Client information should be protected from collection through transmission, use and destruction.
Use industry-tested and accepted methods. All of the certifications listed are used to gain confidence and place trust in a service organization’s systems.
• Type 2 SOC 2 certification
• ISO 27001 certification
• ISO 27018 certification
Ensure proper configuration. Technology is not enough.
• Make sure encryption technologies are properly configured, deployed and updated or they may be ineffective.
5. Segment & Monitor Your Network
Segment your network. Not every computer in your system needs to be able to communicate with every other one.
• Protect particularly sensitive client data by housing it in a separate secure place on your network.
Monitor access. Know who is accessing your network.
6. Secure Remote Access to Your Network
Ensure endpoint security.
• Assess your & your clients’ security setup
• Use Client Portals to minimize risks
– ABA Formal Ethics Opinion 11-459 – Duty to Protect the Confidentiality of Email Communications with One’s Client
Put sensible access limits in place.
• Only share what you need to with clients and others
7. Apply Sound Security Practices When Developing New Products
Train your engineers in secure coding.
Follow platform guidelines for security.
Verify that privacy and security features work.
• Trust but verify. Don’t take security for granted
Test for common vulnerabilities.
8. Make Sure Your Service Providers Implement Reasonable Security Measures
Put it in writing. Insist that appropriate security standards are part of your contracts.
• The Service Agreement should include terms to abide by attorney-client confidentiality in the Privacy Policy, thereby ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security.
Verify compliance. Security can’t be a “take our word for it” thing.
• The Service Agreement should include your right to audit performance records and access daily service quality statistics.
9. Procedures to Keep Your Security Current
Update and patch third-party software. Outdated software undermines security.
• Compromising software for lawyers: Internet Explorer
• Prioritize patches, incorporate updates into standard compliance practice.
Heed credible security warnings and move quickly to fix them. Have a process in place to address security vulnerability reports.
• Identify and assess vulnerability reports.
• Align combatting team and assets
• Notify clients and maintain open flow of information via a clearly publicized and accessible channel.
9. Procedures to Keep Your Security Current
Think of security as a shared responsibility between users and vendors, and take a consistent approach to updating and awareness. There is no one-off solution that ensures full security of sensitive information.
10. Secure Paper, Physical Media, and Devices
Securely store sensitive files. If it is necessary to retain important paperwork, take steps to keep it secure.
• ABA Model Rules of Professional Conduct 1.15(a) – Safekeeping Property
Protect devices that store personal information.
Keep safety standards in place when data is en route.
• Limit the instances when attorneys need to be out and about with sensitive data in their possession.
Dispose of sensitive data securely.
• Use available technology to wipe devices that are not in use.