Preventing the Next Panama PapersTips for Protecting Client Data in the Age of Cybercrime

September 22, 2016

Presenters

Brian Focht | Attorney | Stiles Byrum & Horne

Author of The Cyber Advocate: Tools and Tech for Legal Professionals

Eli Wald | Professor, Legal Ethics and Profession |University of Denver Sturm College of Law

Author of Legal Ethics’ Next Frontier: Lawyers and Cybersecurity

Joe Marquette | CEO | Accellis

Cybersecurity consultant and former CTO of publicly traded company

● Overview of recent law firm data breach ● Reasons for increased focus on law firms ● Ethical and professional ramifications of breach ● Considerations for reducing risk of breach

Agenda

2016: The Year of Law Firm Data Breach

Panama Papers: Hack leads to leak of 11.5 million docsbelonging to clients of Mossack Fonseca law firm

April

Major Firms Breached: Two high-profile US firms admitto data breach by hackers seeking M&A material

March

‘Oleras’ Alert: Russian cybercriminal reported to have targeted nearly 50 top U.S. law firms

Feb.

2016: The Year of Law Firm Data Breach

Dropbox Hack Reported: Credentials of more than68 million users stolen in 2012.

Aug.

DNC Emails Leaked: Confidential communications b/tpresidential candidates and law firms exposed

July

Firms Sued Over Breach: Top plaintiff’s firm brings class action suit against unnamed law firms

May

Why are law firms increasingly targeted by hackers?

Law firms are a ‘one-stop shop’ Clearinghouses for client data: Law firms handle

sensitive client data — and only sensitive client dataClients have ‘first-mover advantage’: Entity clients

generally have better underlying cybersecurity infrastructureIncreased competition in legal services: Lawyers are

offering 24/7 services

Law firms are ‘soft underbelly’ of cybersecurity’Downstream Victims’: Companies’ outside lawyers and

vendors are targeted for IP 1 in 4 firms with 100+ attorneys have suffered breaches: According to recent ABA Legal Technology Survey *16% of firms with 2-9 attorneys

What are the ethical and professional consequences of

data breach?

Professional rules related to data breachABA Model Rule 1.6(c): Must make “reasonable efforts”

to prevent unauthorized disclosuresState rules: e.g. CAL. BUS. & PROF. CODE § 6068(e)(1) -

must preserve client secrets at ‘every peril to himself or herself’

Professional rules (continued)ABA Model Rule 1.1: Duty of competence, which includes

keeping abreast of ‘benefits and risks associated with relevant technology’

Duty of Supervision: (e.g. ABA Model Rule 5.3) - Attorneys are responsible for conduct of non-lawyer assistance

ABA Model Rule 1.0(e): Lawyer must get ‘informed consent’

The consequences of breach are severeDamage to reputation

Ancillary costs: crisis management, breach notification, fulfillment of compliance obligations, credit monitoringThreat of malpractice: e.g. Edelson lawsuit against major

firms

Where are law firms most vulnerable to breach?

Too many lawyers don’t appreciate risk… and they don’t have planLack of awareness: “I’m too small to be a target,”

“I don’t open bad websites”

Even firms that don’t handle huge amounts of PII are vulnerable : Because they have money.

IT systems and practices are weak Lots of data in lots of places: Can you answer the

question, “Where is your client’s data right now?”

Encryption is lacking: About 20 percent of attorneys use encryption to protect client files according to 2015 ABA Tech Survey

Law firms are as weak as their weakest link: People Training is infrequent: 2015 ILTA survey conducted with

Digital Defense found ‘employee negligence’ to be top security concern; less than 20% conduct regular training

Phishing/Ransomware attacks on the rise: - In February, Jacksonville firm paid $2,500 to get ransomed client data back - Phishing emails have 23% open rate (via LegalTech News)

- Estimates suggest more than 90% of viruses come from Phishing

The eDiscovery process… Insecure Data Transfer: Via unencrypted channels such

as email and Dropbox, and due to reliance on physical media

Lack of expertise*: Lack of technical skills exacerbated by complexity of tools and process

* See California Ethics Opinion No. 2015-193

What can you do to limitthe risk of breach?

Have a plan!

Bolstering IT systems and policiesIdentify your IT manager

Encrypt your data and limit duplication of it

Implement BYOD policy

Require strong passwords

Train your peoplePeople are first and last line of defense

Conduct regularly scheduled audits and random tests

Make sure leadership takes training seriously

Audit third parties Who has access to your data?

How can you retrieve data from vendor?

Does agreement require vendor to notify you of breach?

How does vendor secure data?

Questions?

The Downright Terrifying Cost of Data Breach

Email matthew.dodge@logikcull.com to request

The costs of data breach

The aftermath of the Panama Papers

Steps to prevent breach