CHAPTER 4

DATA SECURITY/DATA

BREACH: WHAT EVERY LAWYER

NEEDS TO KNOW TO PROTECT

CLIENT INFORMATION

Sheila M. Blackford

Professional Liability Fund Practice Management Advisor

Hong Dao Professional Liability Fund Practice Management Advisor

Name: Bar Number:

Sponsor of CLE Activity:

Title of CLE Activity: Program Number:

Date: Location:

❑ Activity has been accredited bythe Oregon State Bar for thefollowing credit:

____ General

____ Prof Resp-Ethics

____ Access to Justice

____ Child Abuse Rep.

____ Elder Abuse Rep.

____ Practical Skills

____ Pers. Mgmt/Bus. Dev.*

❑ Full Credit.I attended the entire program andthe total of authorized credits are:

❑ Partial Credit.I attended _________ hours of theprogram and am entitled to thefollowing credits*:

MCLE FORM 1: Recordkeeping Form (Do Not Return This Form to the Bar)

Instructions:Pursuant to MCLE Rule 7.2, every active member shall maintain records of participation in accredited CLE activities. You may wish to use this form to record your CLE activities, attaching it to a copy of the program brochure or other information regarding the CLE activity.

Do not return this form to the Oregon State Bar. This is to be retained in your own MCLE file.

*Credit Calculation:One (1) MCLE credit may be claimed for each sixty (60) minutes of actual participation. Do not include registration, introductions, business meetings and programs less than 30 minutes. MCLE credits may not be claimed for any activity that has not been accredited by the MCLE Administrator. If the program has not been accredited by the MCLE Administrator, you must submit a Group CLE Activity Accreditation application (See MCLE Form 2.)

Caveat: If the actual program length is less than the credit hours approved, Bar members are responsible for making the appropriate adjustments in their compliance reports. Adjustments must also be made for late arrival, early departure or other periods of absence or non-participation.

*Personal Management Assistance/Business Development. See MCLE Rule 5.11 and Regulation 5.300 for additional information regarding Category III activities. Maximum credit that may be claimed for Category III activities is 6.0 in a three-year reporting period and 3.0 in a short reporting period.

8/16:MCLE1

____ General

____ Prof Resp-Ethics

____ Access to Justice

____ Child Abuse Rep.

____ Elder Abuse Rep.

____ Practical Skills

____ Pers. Mgmt/Bus. Dev.*

____ General

____ Prof Resp-Ethics

____ Access to Justice

____ Child Abuse Rep.

____ Elder Abuse Rep.

____ Practical Skills

____ Pers. Mgmt/Bus. Dev.*

C h a p t e r 4

D A T A S E C UR I T Y / D AT A B R E A C H: W HA T E V E R Y L A W Y E R N EE D S T O KN OW T O P R OT E C T

C L I E NT I N FOR M A T I ON

T A B LE OF C ON T E N T S

Page # PowerPoint Slides .................................................................................................................................................................................. 4-1 Protecting Yourself and Law Firm from Data Breach Checklist ....................................................................... 4-12 To view these chapter materials and the additional resources below on or before November 1, go to www.osbplf.org , select Upcoming CLE, select Learning The Ropes, and click on program materials, under Quick Links. After November 1, select Past CLE, Learning The Ropes, and click on program materials, under Quick Links.

Additional Resources

What to Do After a Data Breach, In Brief article, available at: https://www.osbplf.org/assets/in_briefs_issues/What%20to%20Do%20After%20a%20Data%20Breach%20April%202016%20In%20Brief.pdf

What’s Backing Up Your Data, In Brief article, available at: https://www.osbplf.org/assets/in_briefs_issues/Whats%20Backing%20Up%20Your%20Data.pdf

How to Back up Your Computer, PLF practice aid, https://www.osbplf.org/assets/forms/pdfs//How%20to%20Back%20Up%20Your%20Computer.pdf

Beware Ransomware, In Brief article, available at: https://www.osbplf.org/assets/in_briefs_issues/Beware%20Ransomware%20Data%20Encrypting%20Software%20Continues%20to%20Extort%20Money.pdf

Data Security/Data Breach:What Every Lawyer Needs to Know to Protect Client Information

Sheila Blackford & Hong DaoPLF Practice Management Advisors | Attorneys

What is Data Breach

How to Protect Client Data

What to Do When a Breach Occurs

Lawyer’s Other Ethical Obligations

Data

4-1

ORPC 1.1:Provide 

competent representation to 

a client

OSB Ethics Opinion 211‐187 & ABA Rule 1.1 (Comment 8)Understand 

technology and its risk

OCPC 1.15‐1:Client property shall be identified as such and appropriately 

safeguarded

• Safeguard client physical property & electronic property

• Understand how to use technology safely

• Have a response plan

Viewed, stolen or used 

without authority or knowledge

What is a 

data breach? 

4-2

Lost or 

Stolen Device

Social Engineering 

4-3

Common Methods SE Attack 

Dumpster Diving

PretextingPhysical Entry

Phishing

Enticement

Malware Infection 

Adware

Spyware

Trojan Horse

Virus

Worm

Ransomware

4-4

Phishing

Anatomy of a Phishing email

Sender’s email doesn’t look right

You weren’t expecting that email

Misspelled words & poor grammar

Ask you to open attachment or click on link

High sense of urgency

References to threat/reward

Request personal information

Ransomware

4-5

Warning!

Phish  Infection  Ransom Note  Pay or restore

ORPC 1.6(c):Confidentiality: Make reasonable Efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. 

4-6

PasswordInternet Browser

Computer Files Other

Email

Password

• Use strong password• Change frequently• 2 factor authentication• Consider password manager

Email

• Don’t clink on suspicious attachments and links

• Avoid getting spam emails

4-7

Internet Browser

• Update web browser• Enable automatic 

updates• Disable pop‐ups

Computer

• Install OS, program & app updates• Install/update anti‐virus & malware 

protection• Use firewall • Don’t use free public WiFi• Encrypt hard drive

Files

• Back up | Use 3‐2‐1• Use secured file sharing• Encrypt before upload

4-8

More

• Educate and train • Be vigilant• Ensure files are properly destroyed• Limit facility entry • Question unknown people in 

secured areas 

Contact Professional Liability Fund

Contact Oregon State Bar  Call IT expert Change usernames and 

passwords

4-9

Consider placing bank/credit/security freeze

File police report  Notify clients  Implement “How to protect client 

data” tips

Contain the attack Notify the FBI Restore computer

Lawyer’s Other Duties

4-10

ORPC 5.1Responsible for another lawyer’s conduct that 

violates the RPCs

ORPC 5.2Responsibilities of 

subordinate lawyer

ORPC 5.3Have a duty to supervise staff

Thank you!

Sheila Blackfordsheilab@osbplf.org

503‐684‐7421

Hong Daohongd@osbplf.org503‐726‐1467

www.osbplf.org

4-11

Data Breach Checklist Page 1

Protecting Yourself and Law Firm from Data Breach Checklist

Data breach is the unintended exposure of your data to unauthorized viewers. As lawyers, we are entrusted with confidential data about our clients. This checklist is intended to help you to become more secure. Think of it as a cyber security checklist that is helpful for identifying areas of concern for you to discuss with your IT support person. As cyber security is an area of ongoing change due to the increasing sophistication of cyber criminals, you should continue to seek out information about data security. Passwords

1. Use passwords to protect all devices connected to the internet. Create strong passwords that are at least 14 characters or more using upper and lower case letters, numbers and special characters. Use a passphrase such as a sentence to help you to remember it.

2. Use a password manager program to store your passwords security in an encrypted vault on

your computer or in the cloud. Don’t store passwords in files on your computer such as in a Word document or Excel spreadsheet. If you must write down your passwords, secure it in a locked location.

3. Use two-factor authentication which allows you to verify your identity using two methods of the following: something you know (for example a password), something you have (for example a key or hardware authentication device something you are (for example a fingerprint or retina scan). There are authentication devices that provide strong two-factor authentication for example a YubiKey www.yubico.com itself is a two-factor authentication device incorporating a physical key with your fingerprint that plugs into your USB drive and supports one-passwords, public key encryption and authentication. Their YubiKey 4C Nano is the world’s smallest USB-C authentication device for use with USB-C ports.

4. Keep your password confidential. Don’t share it with anyone.

5. Keep your password unique. Don’t re-use important passwords for multiple websites, devices or services.

6. Change your password frequently, such as every 30 or 45 days. Don’t recycle passwords! Hardware and Software

7. Keep your hardware and software as current as possible with upgrades from the vendor.

Those upgrades will typically include improved security features.

8. Secure your server in a locked room. Some cyber criminals have walked through law firms with clipboards posing as IT service personnel. Verify identities before granting access to your server.

9. Use intrusion detection systems. These systems will alert you to attempts to invade your computer system.

4-12

Data Breach Checklist Page 2

10. Use security software suites that include virus and malware protection and keep it up-to-

date.

11. Have your IT support person set up your wireless network to include enabling strong encryption. Disable the WEP and WPA encryption and require WPA2 encyption.

12. Be sure to change the default passwords on all wireless routers and servers. Consult your IT support person for any help.

13. Be sure that any device holding client data is password protected and encrypted, especially if these devices are taken off site. Thumb drives, smart phones, tablets and laptops continue to be most frequently stolen or lost devices.

Protocols

14. Backup all data and do regular periodic test restores of the backup. Store your backup

securely. Backups taken off site or stored on the internet should be encrypted. If you are storing your backup or any data on the internet, be sure that the vendor does not have access to the decryption key.

15. Be sure that your IT support person sets up your backup system so that it cannot be corrupted in the event your computer is attacked by ransomware. Otherwise, ransomware can travel onto your backup.

16. Develop a protocol for internet usage at work. Employees should not be allowed to download and install programs and apps on devices that connect to your server without prior authorization from your IT support person. Freeware frequently is infected with malware. Train your staff to avoid downloading any attachments sent by email especially if the extension ends in .exe which means it is an executable file.

17. Insure that all remote access to the office network occur through the use of a VPN, MiFi, smartphone hotspot or some other type of encrypted connection. Prohibit connecting to the office network using a public computer (such as at a hotel or library) and unsecured open public Wi-Fi network (such as at an airport, hotel, coffee shop, or library). Obtain guidance from your IT support person for setting up a VPN, MiFi, or smartphone hotspot.

18. Do not allow non-employees to have access to your network. This especially includes terminated employees.

19. Conduct an annual internal network security audit to ensure your network is secure. This is most helpful when it includes a vulnerability assessment.

Education

20. Provide mandatory social engineering awareness training to your staff annually.

4-13

Data Breach Checklist Page 3

21. Provide training to staff for how to respond to a cyber breach incident, including disconnecting the device from the internet and office network immediately if staff suspects the device has been breached and contact IT support immediately.

22. Instruct staff on how to properly dispose of any device or digital media that contains client or law firm data.

23. Instruct staff on proper safeguards if they are allowed to use their own device on your network.

24. Instruct staff on how to scrub documents for metadata.

25. Teach staff how to recognize phishing scams.

26. Teach staff to exercise caution on using social media as cyber criminals could use the same information to assist them in personal identity theft or hacking online accounts.

RESOURCES FOR FURTHER STUDY

27. “Back to Basics: 10 Security Best Practices,” DARKReading, Nimmy Reichenberg, September 4, 2015. https://www.darkreading.com/operations/back-to-basics-10-security-best-practices/a/d-id/1322053

4-14

Data Breach Checklist Page 4

28. “Best Practices for a Data Security Plan,” Forbes Technology Council, Chalmers Brown, September 5, 2017. https://www.forbes.com/sites/forbestechcouncil/2017/09/05/best-practices-for-a-data-security-plan/#66d82b675c0e

29. “Data Security,” Federal Trade Commission. https://www.ftc.gov/tips-advice/business-center/privacy-and-security/data-security

30. Lawyers Mutual Liability Insurance Company of North Carolina Data Breach Incident

Response Plan Toolkit http://files.www.lawyersmutualnc.com/risk-management-resources/risk-management-handouts/Data_Breach_Toolkit.pdf

31. “Protecting yourself from cybercrime dangers: The steps you need to take,” by Tim

Lemieux, December 1, 2013, Practice PRO. http://www.practicepro.ca/2013/12/protecting-yourself-from-cybercrime-dangers-the-steps-you-need-to-take/

32. Schneier on Security: Books by Bruce Schneier https://www.schneier.com/books/

4-15