Cyber Lawyering, Data Management and Security for Lawyers
Leslie A. Greathouse
Association of Corporate Counsel, May 8, 2013

Do You Know How to Be A Safe Cyber Lawyer?
2013 Ethics CLE, Spencer Fane Britt & Browne LLP

Where to start . . .
• Evaluate your expertise on cyber security. Do you need an expert?
• Inventory your data and where it is stored.
• Identify your current security measures.

Which rules control data protection?
• First, the Rules of Professional Conduct:
  A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation, or the disclosure is permitted by certain limited exceptions.
  Mo. S. Ct. Rule 4-1.6; see also KRPC 1.6

Which rules control data protection?
• Second, look to your contracts.
• Third, some court rules restrict the filing of personal information and require redaction of information like SSNs.
• Fourth, look to Federal laws such as HIPAA (protecting privacy of health information).
• Fifth, some State laws protect various data; examples outside our geographic area include:
  • California even protects zip codes (Pineda v. Williams-Sonoma Stores, Inc., 246 P.3d 612 (Cal. 2011))
  • Massachusetts protects the information of its residents, nationally and internationally (Mass. Gen. L. ch. 93H, 201 CMR 17.00)

Which rules control data protection?
• Missouri—§407.1500
• Kansas—§50-7a01
• Applies to “personal information”
• Addresses unauthorized access
• Requires notification to the consumer
• May require notification to officials
• “Personal information” includes:
  • Social security number;
  • Driver's license or state ID number; or
  • Financial account number or credit/debit card number
• Missouri also protects:
  • Unique IDs and passwords to financial accounts;
  • Medical information; and
  • Health insurance information

There are evolving guidelines for lawyers and cyber security
• The ABA has recommended a new model rule to address safeguarding information:
  A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
  Amended Model Rule 1.6(c)

More on the evolving guidelines . . .
• The ABA has recommended five factors to consider in determining whether information has been competently safeguarded by a lawyer:
  • Sensitivity
  • Likelihood of disclosure if additional safeguards are not used
  • Cost of additional safeguards
  • Difficulty of using safeguards
  • Extent to which safeguards adversely affect the ability of the lawyer to represent the client
  Model Rule 1.6, Amended Comment [18]

Potential standards to assist you in preparing a plan
• FTC’s Standards for Safeguarding Customer Information, 16 C.F.R. Part 312
• FTC’s Identity Theft Red Flags Rules, 16 C.F.R. Part 681
• International Organization for Standardization (ISO) has published standards available for purchase
  • http://www.iso.org/iso/catalogue_detail?csnumber=42103
• International Legal Technical Standards Organization has published standards and technology surveys
  • See e.g., http://www.iltanet.org/techsurvey
  • Offering a variety of webinars and publications on tech security for law firms

Secure disposal does not just mean shredding paper…
You must also securely dispose of electronic data.

Just what is your risk?
• External threats:
  • Corporate espionage
  • Criminal trolling
  • Activist hacking
• Internal threats:
  • Insensitive personnel
  • Disgruntled personnel

Some simple solutions . . .
• Office computers should be password protected and automatically time-out
• All portable devices (laptops, tablets, smartphones) should be password protected and automatically time-out
• Portable devices should be able to be “wiped” remotely
• “Cloud” storage on devices such as iPads and iPhones should be disabled or secure
• Consider prohibition of highly sensitive data anywhere other than your network devices

. . . remember your basics . . .
• Firewalls
• Antivirus software
• E-mail filters
• Upgrade software on a regular basis
• Track access to files
• Use vulnerability and penetration tests to identify gaps

. . . More simple solutions . . .
• Make sure your videoconferencing equipment is secure
• Review possible interaction between “apps” and firm data
• Bluetooth devices should be set to “nondiscoverable”, have strong passwords and be paired only when in trusted locations
• Be smart on public wireless networks
• Provide a separate wireless network for visitors not on your network
• Address e-mail risks by stripping viruses and other malware

Additional resources . . .
• SANS Institute recommended 20 security controls to thwart hackers: http://www.sans.org/critical-security-controls/
• ABA article: “Preventing Law Firm Data Breaches” http://www.americanbar.org/publications/law_practice_magazine/2012/january_february/hot-buttons.html

Thank you
Leslie A. Greathouse
Spencer Fane Britt & Browne LLP
1000 Walnut Street, Suite 1400
Kansas City, MO 64106
Telephone: 816-292-8115
Fax: 816-474-3216
[email protected]
www.spencerfane.com