attorney obligations for safekeeping client information · cyber security . threats . 8 . the...

Attorney Obligations for Safekeeping Client Information ATG LEGAL EDUCATION

Audio problems? Listen by phone: 877.691.9300 Access Code: 7521231#

You are now logged in to ATG Legal Ed Connect.

Attorney Obligations for Safekeeping Client Information May 24, 2017

Program Time Today’s presentation will begin at 12:00 noon.

Sound Quality To improve sound quality, please close all other applications.

Download Education Materials Documents for today’s seminar may be downloaded and printed at any time by visiting your ATG Legal Education homepage. Locate today’s seminar under My Registrations and click More Details. Near the end of the seminar description, click Program Notes.

Problems? If you experience any problems during this presentation, please call 800.252.0402, then press “0” for the operator.

http://atglegaled.elogiclearning.com/UI/LandingPage.aspx



Attorney Obligations for Safekeeping Client Information May 24, 2017

Presented by: Scott Renfroe Chief of Supreme Court Practice Attorney Registration and Disciplinary Commission of the Supreme Court of Illinois

Cyber Security Basics

3 www.SchumannLaw.com

• Minimize Your “Digital Footprint”

• Make that Smaller Footprint Harder to Hack

Cyber Security Threats


The American Lawyer:

“Chicago's Johnson &

Bell First US Firm Publicly

Named in Data Security Class Action”

December 9, 2016



The American Lawyer: Class action attorney Jay Edelson claims, in first public data

security class action complaint against a

U.S. Law Firm: • Time entry system “10 years old”,

susceptible to hacking, had not been updated with security patches





U.S. Law Firm:

• Troves of confidential information available to hackers





U.S. Law Firm:

• Firm’s Virtual Private Network (VPN) susceptible to

attack





U.S. Law Firm:

• Firm’s e-mail system susceptible to same type of hack believed used against Panama’s Mossack Fonseca



Mac Users: Think It Can’t

Happen To You?



Snake Malware Attacks Macs

Professional Responsibility


Illinois Supreme Court Rules: • Rule 1.1: Maintaining Competence –

Comment [8] recently amended -- refers to keeping abreast of changes in the law and its practice, “including the benefits and risks associated with relevant technology”


Illinois Supreme Court Rules: • Rule 1.6(e): Confidentiality -- “A

lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”



Illinois Supreme Court Rules: • Rule 1.6(e): COMMENT [18]: . . .

The unauthorized access to, or the unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (e) if the lawyer has made



Illinois Supreme Court Rules: • Rule 1.6(e): COMMENT [18]: . . . . (Continued) “reasonable efforts to prevent

the access or disclosure . . . “



Illinois Supreme Court Rules: • Rule 1.6(e): COMMENT [18]: . . . . Factors regarding what constitute

“reasonable efforts” include: • How sensitive is the

information



Illinois Supreme Court Rules: • Rule 1.6(e): COMMENT [18]: . . . . • Likelihood of disclosure if

additional safeguards not employed

• Cost of employing additional safeguards



Illinois Supreme Court Rules: • Rule 1.6(e): COMMENT [18]: . . . . • Difficulty of implementing

the safeguards and adverse effect on lawyer’s practice

• Client’s instructions; waiver • State or federal requirements



Illinois Supreme Court Rules: • Rule 4.4 (b): Inadvertent Disclosure • (b) A lawyer who receives a

document or electronically stored information relating to the representation of the lawyer’s client and knows that the



Illinois Supreme Court Rules: • Rule 4.4 (b): Inadvertent Disclosure • . . . document or electronically

stored information was inadvertently sent shall promptly notify the sender.



Illinois Supreme Court Rules: • “Inadvertently sent”? • COMMENT [2]: “A document

or electronically stored information is accidentally transmitted, such as when an email or letter is



Illinois Supreme Court Rules: • “Inadvertently sent”? • COMMENT [2]: . . .

“misaddressed or a document or electronically stored information is accidentally included with information



Illinois Supreme Court Rules: • “Inadvertently sent”? • COMMENT [2]: . . .

that was intentionally transmitted.”

• Includes embedded data

(metadata)



ISBA Professional Conduct Advisory Opinion 16-06: Use of Cloud-Based Services •Reasonable Measures •Confidentiality •Protect from Breaches



ISBA Professional Conduct Advisory Opinion 16-06: •Selecting a Provider •Duty to Assess Risks •Review Existing Practices


Background: “When, not if” …


Homeland Security and NSA Position – 2016: Top threats worldwide:

1. Cyber Attacks 2. Terrorism 3. WMDs


Wells Fargo – March, 2013: Online banking jammed; logins blocked

Target – January 2014: Hackers stole credit card data - 40 million customers; personal information - 70 million customers

Home Depot – September 2014: Cyber attack - 56 million credit card numbers exposed; $62 million



JP Morgan Chase – October 2014: Breach affects about 76 million households and 7 million small businesses

Yahoo: 2014 Cyber attack hacks more than a billion accounts



DNC Cyber attack exposes weaknesses of DNC systems. Forensic Evidence of Russian involvement: 1. Timing of attacks on DNC correspond to Russian time zone, holidays. 2. One obvious digital fingerprint 3. Another batch of hacked Democratic emails released later pointed to known Russian actors. 4. U. S. formally accused Russia of hacking to try to affect outcome of U.S. Election.



DNC Cyber attack



Other Political Hacks • French 2017 Presidential Election -- ”Massive Hack”



Targets of Business Email Compromise


Targets of Business Email Compromise – 2017 Update

Verizon 2017 Data Breach Investigations Report (DBIR): •Malware grew by 50% in 2016 •Will Continue to Increase Rapidly – not going away



Verizon 2017 DBIR: •Malware now being used to

infect and control devices on the Internet of Things



Verizon 2017 DBIR: •Ransomware has Jumped from the

22nd Most Common Malware Method

in 2014 to the 5th most common specific malware variety -- a 50% increase over 2016



Verizon 2017 DBIR: Including Traffic controls,

And Other Devices



Verizon 2017 DBIR: Last year, Verizon labeled ransomware as a high-frequency, low-impact annoyance.



Verizon 2017 DBIR:

Ransomware has upped its game.



Verizon 2017 DBIR: Now a $1 billion industry

http://www.csoonline.com/article/3154714/security/ransomware-took-in-1-billion-in-2016-improved-defenses-may-not-be-enough-to-stem-the-tide.html



Verizon 2017 DBIR: •More than 100,000 infections per day

•An as-a-service model to rival its legitimate counterparts.

http://www.darkreading.com/vulnerabilities---threats/advanced-threats/here-comes-locky-a-brand-new-ransomware-threat/d/d-id/1324371

http://www.darkreading.com/vulnerabilities---threats/advanced-threats/here-comes-locky-a-brand-new-ransomware-threat/d/d-id/1324371

http://searchsecurity.techtarget.com/news/450417110/Cheap-ransomware-as-a-service-arrives-for-malicious-actors



Verizon 2017 DBIR: •Ransomware is now a board-room discussion, causing major productivity outages and data loss.



Verizon 2017 DBIR: •81% of hacking-related breaches involved weak or stolen credentials -- an 18% increase from last year.



Verizon 2017 DBIR: •nomoreransom.org •Has some tools to help prevent ransomware •No foolproof inoculation



Verizon 2017 DBIR Recommendations: •Use Two-Factor Authentication •Stay Vigilant •Other steps . . .



Verizon 2017 DBIR:



ALTA TitleNews Warning:


Fraudulent Wire Transfers


Business Email Compromise


Keylogging Malware - Business Email Compromise


FBI, TRID and Best Practices

File a Complaint


IC3 Complaint


FTC – Help for Small Business

https://www.ftc.gov/SmallBusiness

Internet of Things (IoT)




Devices: • Webcams • DVRs • Connected Alarm Systems • Connected Refrigerators • Connected Toasters



Devices: •Sprinkler systems •Doorbell/cameras to talk to

person at the door • Connected Virtual Assistants

• Apple Home app – IOS 10 • Pretty much any connected device with an IP

address


DDoS Attacks:

•History •Dyn Managed DNS


IoHT - Internet of Hackable Things




Cars: Some new vehicles, now connected to the internet, have become as hackable as laptops.



Homeland Security: •One major cyberattack — the NSA chief has said it’s a matter of “when, not if” — could cost $50 billion and cause 2,500 fatalities.

Ransomware




Amazon Echo device: •“Wakes up” with a word . . . •Sort of a ”Siri” for the home

Best Practices


• ALTA Best Practices: • Compliance Required?

• Written Policies • Handling Non-Public Personal

Information • Computer and Network Security

Best Practices


• Best Practices issues: • Compromising Client

Confidential information • Careless transmission of

Wire Instructions – Significant Losses

Best Practices


• Best Practices issue: • Inadequate monitoring of

paralegals and other law firm staff

Best Practices


• Best Practices issues: • Lack of attention to

preventing infection of computer systems with malware, key-stroke analysis software, or ransomware

Best Practices


• Best Practices: • Written Policies – Templates are

available: • Disaster Management Plan • Confidentiality Agreements • Background Checks • Oversight of Service Providers

Cyber Security


•Beware Unexpected Funds from Unusual Sources

• Cashier’s Checks from outside U.S.

Cyber Security


Cyber Security Basics


• Minimize Your “Digital Footprint”

• Use Separate systems • Keep critical business

and client data separate and secure

Cybersecurity


•BEFORE an attack: • Mission critical data • Risk management practices • Action Plan • Scheduled Exercises

Cybersecurity


•BEFORE an attack: • Update Plan to reflect

changes in personnel and structure

• Implement appropriate technology and services

Cybersecurity: Test Scenarios


•BEFORE an attack: • Run “WarGames” tests

and evaluate results


•BEFORE an attack: • Evaluate and modify firm

policies in light of Incident Response plan

• Establish relationships with Law Enforcement

Cyber Security


Illinois Data Breach Notification Requirements:

• (815 ILCS 530/10)

Sec. 10. Notice of breach.


Cybersecurity


•AFTER an attack: • Assess scope and nature of

the attack • Comply with Data Breach

Notification Requirements • Malicious vs. Tech glitch?

Cybersecurity


•AFTER an attack: • Implement measures to

minimize damages • Collect information • Continue to monitor

network

Cybersecurity


•AFTER an attack: • Do Post-Incident review • Make appropriate

corrections

Cybersecurity


•ALSO: • Avoid using the

compromised system until certified ok

• Check status of other systems

Cybersecurity


•ALSO: • Fraud, Cybercrime or a

Breach can target data, contracts, Loan documents, Loan Applications, any form of money, and NPI

Cybersecurity UPDATE


•May, 2017: • Google Docs

phishing attack • Google Docs

service • “The Future of

Phishing”?


TODAY: What's ONE Thing

You Can Do?

Cybersecurity


Tips: FBI Cybersecurity Month Suggestions 1.Use complex, changing passwords 2.Consider using a Password manager, (e.g., 1Password or LastPass or Dashlane) 3.Protect Yourself with Two-Factor Authentication -- many e-mail service providers, social media platforms, cloud based storage solutions, and even banking and finance sites provide this service [But not Constant Contact]


2FA/MFA

Cyber Security


A More Basic Option: Secure Key •Meets Highest Security Standards of U.S. Government

•Unlocked using its own keypad and not the PC keyboard •Not vulnerable to software/hardware based key-loggers or

brute force attacks. •Data further protected with a “Brute Force Hack Defense

Mechanism”, which deletes the encryption key if the incorrect PIN is entered a total of 10 consecutive times.


Apricorn Aegis Secure Key 120 GB FIPS 140-2

Level 3 Validated 256-bit Encryption USB 3.0 Flash

Drive (ASK3-120GB)

Cybersecurity


Tips: 4. FBI Cybersecurity Suggestion: “Defense in Depth for the Everyday User” Implement multiple layers of security 5. Protect mobile devices from cyber intruders in public places. (Avoid “sniffers”.) Use a Virtual Private Network (VPN) (E.g, “HideMyA**”)

Cybersecurity


Tips: 6.Use Out-of-Band Backup: 7.Back up your data to a cloud environment 8. Or store hard copies of data at a different physical location Avoid using just a single External Hard Drive connected to your computer. -Cyber criminals can encrypt attached EHD

Cybersecurity


Tips:

9. Encrypt email communications. 10. Use electronic banking and safeguard your account numbers and bank routing numbers. Monitor all bank accounts carefully.

Cybersecurity


Tips: 11. Ban social media from your computers 12. Update Operating System regularly 13. Install and keep up to date appropriate anti-virus and anti-malware software. Update and use daily. 14. Security Questions – think differently

Cybersecurity


Tips: 15. Set Folder Options View settings so you can see file extensions on all files

Cybersecurity



Speaker1 Company1

City1


Speaker2 Company2

City2

Speaker3 Company3

City3

Speaker4 Company4

City4

Please complete the Survey/Certification for CLE credit. – When you close this meeting, a new page will open on the ATG Legal Education login screen in about 5-10

seconds. Sign in and select Survey” as shown below. It takes three days to post the certificate.

If you are not redirected, access ATG Legal Education from your seminar email. Complete the Certification/Survey.

Select “Attendance Records” at left to view and print your certificate.

Thank you for attending today’s seminar.