Cybersecurity for Lawyers and Law Firm Data Breaches March 7 & 8, 2018 Roman Hruska Law Center, Lincoln, NE UNO Thompson Center, Omaha, NE

Cybersecurity for Lawyers and

Law Firm Data Breaches

March 7 & 8, 2018

Roman Hruska Law Center, Lincoln, NE

UNO Thompson Center, Omaha, NE

Faculty Bios

Kevin Ribble is the president of the Employment Practices Risk Management Association (www.eprma.org), a nonprofit organization dedicated to assisting employers with data management and human resources risk management services. Mr. Ribble is also president and founder of Comply America, an online management training facility. His clients include American Express, Hitachi, Practicing Law Institute, and thousands of small businesses. Mr. Ribble is a consultant on cyber forms and a frequent speaker on cyber liability and HR-related topics; he most recently conducted a cyber workshop at the Target Market Association’s annual convention. He has been a speaker at the NY CLM 2016 Cyber Liability Summit, the LA restaurant association and the CO restaurant association, and is a frequent contributor to “National Underwriter” and Target Market “Rough Notes” magazine. He is a certified instructor in continuing education for licensed insurance professionals. Kevin has held senior executive insurance positions: Vice President of TIG, Vice President of CIGNA, and Principal and Executive Vice President of Edgewater Holdings LLC (an MGU specializing in underwriting cyber liability & EPLI affinity group programs). Edgewater’s cyber program’s clients include McDonald’s Owner Operators, Mercer professional lines, ICC restaurants and hotels, the Florida Restaurant Association and many other programs. For more information please see www.eprma.org.

Scott Sweeney is a member of the Cybersecurity & Data Privacy practice team of Wilson Elser, LLP. Scott dedicates a great deal of time and effort to addressing the latest issues in this quickly expanding field, and continues to share that knowledge with clients on a personal level and on a larger scale through speaking engagements geared to national and international professionals. In addition to handling data breaches and helping to craft effective responses, Scott has advised a variety of businesses and claims personnel on issues involving the use and protection of social media, cyber issues of special concern for institutions of higher education, and the ethical obligations and concerns of corporate general counsel and in-house staff counsel. As the incidence of cybercrime has exploded, Scott has endeavored to remain at the forefront, equipped to advise clients on the identification and management of risk and cost-effective means for prevention and resolution, providing a full level of service aimed at containing potential damages. Scott received his Juris Doctor from the University of Colorado Law School. Scott can be contacted at (303) 572-5324 or at [email protected].

Cybersecurity for Lawyers and Law Firm Data Breaches

A Presentation for the Nebraska Bar Association

Kevin Ribble and Scott Sweeney

November 10, 2017

© 2017 Wilson Elser. All rights reserved.

Learning Objectives

• Understand cyber liability risk and its impact on

professional services firms, including law firms

• Understand how data breaches typically occur at

professional services firms

• Understand the professional and legal responsibilities

of a firm in the event of a data breach

• Understand the typical data breach response process

and learn strategies to help ensure an appropriate

breach response


The Landscape



What is Cyber Liability?

• Privacy – data and location tracking privacy

expectations

• E-Publishing in the social media context

• Technology errors and omissions

– Shared applications and data

– Project management disconnects

• And......data breaches


Aggressive Regulatory Environment

• Who is regulating?

– Federal Trade Commission

– Securities and Exchange Commission

– Department of Health and Human Services/Office for Civil Rights

– State regulators

– Foreign and international regulatory activity – Investigations of U.S. incidents

• Why?

-Public attention

-Media attention

-Revenue generation


State Regulations

• Forty-Eight (48) states, the District of Columbia, Guam, Puerto Rico

and the Virgin Islands have enacted legislation requiring private or

governmental entities to notify individuals of security breaches of

information involving personally identifiable information

• The holdouts – South Dakota, Alabama

• Typical provisions include:

– Who must comply with the law

– Definitions of “personal information”

– What constitutes a breach

– Requirements for notice exemptions

• See http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx for more specific statutes by state.


Nebraska’s Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006

Nebraska Revised Statute 87-803.

Breach of security; investigation; notice to resident; notice to Attorney General.

(1) …a commercial entity that conducts business in Nebraska and that owns or licenses computerized data that includes personal information about a resident of Nebraska shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be used for an unauthorized purpose. If the investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, the individual or commercial entity shall give notice to the affected Nebraska resident. Notice shall be made as soon as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.


“Personal Information”


(5) Personal information means either of the following:

(a) A Nebraska resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident if either the name or the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:

(i) Social security number;

(ii) Motor vehicle operator's license number or state identification card number;

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account;

(iv) Unique electronic identification number or routing code, in combination with any required security code, access code, or password; or

(v) Unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation; or

(b) A user name or email address, in combination with a password or security question and answer, that would permit access to an online account.

“Notice”

(4) Notice means:

(a) Written notice;

(b) Telephonic notice;

(c) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001, as such section existed on January 1, 2006;

(d) Substitute notice, if the individual or commercial entity required to provide notice demonstrates that the cost of providing notice will exceed seventy-five thousand dollars, that the affected class of Nebraska residents to be notified exceeds one hundred thousand residents, or that the individual or commercial entity does not have sufficient contact information to provide notice. Substitute notice under this subdivision requires all of the following:


State Attorneys General

• Trained by federal regulators in cybersecurity

enforcement

• Use the same “play book” as federal regulators

• Maintain close communications with federal regulators and other Attorneys General

• Seek and use publicity effectively (e.g. California AG)

• Coordinate investigations


Not “Just” Federal and State Regulations

• The allegations:

– Violation of privacy laws and common law rights

– Breach of contract

– Negligence

– Fraud

– Unfair trade practices

• Alleged damages:

– Compensatory damages, treble damages, attorneys

fees, punitive damages, civil monetary fines

• Plaintiffs use regulatory fines as evidence of wrongdoing


Law Firms Seen as Easy Targets for Hackers

• Law firms of all sizes are vulnerable.

• 2011 FBI met with the largest 200 law firms “to warn them that they represent major targets to hackers.”

• FBI and cybersecurity experts continue to maintain that law firms are the “weakest link.”


Cybersecurity: Not Just Ethical Sense But Also Business Sense

• Clients Are Beginning to Demand More Stringent Cybersecurity

• Over half of mid-sized and large law firms have indicated that a client has performed a risk audit of their security practices.

• Strong cybersecurity practices are becoming a competitive advantage for firms.

– Attractive to clients

– Avoidance of business interruption

– Avoid firm embarrassment and client distrust


Notification of a Breach? Easier Said than Done

• A 2011 study estimated that 80 of the 100 largest firms had experienced an unauthorized data breach.

• The majority either failed to notice the breach on their own or noticed it many months after it occurred.

• Furthermore, even when one is able to determine that a breach has occurred, determining exactly what information was compromised is not always possible.


Duty of Technological Competence

Neb. Ct. R. of Prof. Cond. §3-501.1 Competence:

– “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, preparation and judgment reasonably necessary for the representation."

Comment 6:

– "To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject."


Robust Cybersecurity Measures Within Reach for Even Small Firms and Solo Practitioners

• The overwhelming majority of cyberattacks used unsophisticated techniques to gain access to sensitive information

• 97% of attacks can be blocked by common security practices that are reasonably affordable, even for smaller firms and solo practitioners.


Duty of Technological Competence – Neb. Ct. R. of Prof. Cond. §3-501.6

Confidentiality of Information

(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized…

Comments:

[15] A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision. See Rules 1.1, 5.1 and 5.3.

[16] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.


ABA Ethics Formal Opinion 477

• In May, the ABA released Formal Opinion 477 stating that lawyers need to undertake “reasonable efforts” to ensure that client communications are secure and to avoid inadvertent or unauthorized data breaches.

• Opinion updates Formal Opinion 99-413 issued in 1999

• Key points from Formal Opinion 477

– Implicates duties of confidentiality, communication, and competency

– Model Rules do not impose heightened standard of confidentiality based upon the medium of client communication, but compliance with the core duty of confidentiality in the rapidly developing digital world requires further thought.

– “Reasonable efforts” is fact-specific. Relevant considerations include:

• sensitivity of the information,

• risk of disclosure without additional precautions,

• cost of extra measures,

• difficulty of adding safeguards,

• whether more safeguards adversely affect the lawyer’s ability to represent the client.


ABA Ethics Formal Opinion 477 (cont.)

• “Each device and each storage location offer an opportunity for the inadvertent or unauthorized disclosure of information relating to the representation and thus implicate a lawyer’s ethical duties.”

• Opinion suggests that Model Rule 1.4 on communications may require a lawyer to discuss security safeguards with a client in certain instances. However, opinion offers little guidance on when such circumstances may arise.


Worry About “Insider Hacks” Too

• Disgruntled/rogue employees

– E.g. William Balaban of Stevens & Lee accused of taking 78,000 files following his departure from the firm

• Incorporate cybersecurity measures in your termination procedures

– Block computer access

– Terminate remote access

– Terminate email account or forward to another account

– Assurances that employee has not retained any data

– Update alarm codes and the like which are shared by all or some employees


Duty of Technological Competence

• E-Discovery

• Electronic filing of court documents

• Communicating with clients and third-parties

• Use of social media

• Knowledge of client's technology

• Use of courtroom technology


Duty of Technological Competence (cont.)

• Competence does not require perfection

• Encryption generally not required, but may help

• If you lack competence, talk to others in the firm

• If they do not have competence, hire third-party vendors

• Make sure to advise client and obtain consent for hiring third parties to protect their interests


More About Data Breaches



Who is at Risk? Everybody!

• In 2016, the number of U.S. data breaches tracked hit a record high of 1,093, a 40% increase over 2015, with more than 36 million estimated records exposed.

• Industries affected in 2016:

– Business services – 45.2%

– Medical/healthcare – 34.5%

– Educational – 9.0%

– Government/military – 6.6%

– Banking/credit/financial – 4.8%

Source: 2016 End of Year Report, Identity Theft Resource Center Data Breach Report at http://www.idtheftcenter.org/images/breach/2016/DataBreachReport_2016.pdf


What is a Breach?

Definition

– Access v. Acquired – what does this really mean?

– Confidentiality, integrity, and security of the personal information

– "Risk of harm"

– Encryption "safe harbor" – or is it?

And don’t call it a “breach”

– Legal impact of a "breach"

– So what do you call it?


What Type of Law Firm Information Is at Risk?

• Sensitive business data: projections, forecasts, M&A

• Social Security and driver's license numbers

• Medical records

• Financial information: bank/credit card accounts

• Personal information: email addresses, phone

numbers and home addresses (if coupled with

other information)


Ethics Opinion No. 17-01

• Question Presented: “When a client file is closed, is it permissible to make an electronic copy of the file and then destroy the physical file immediately?

• Answer: The NRPC do not prohibit an attorney from keeping a closed client file in electronic form and immediately destroying the physical copy, but several considerations should be made before destroying a file.

– Best interest of the client

– Client Expectations

– Potential need for a physical copy at a future date

– Ease of access

– Availability and cost of digital and physical storage

– Preserving confidentiality


Ransomware – How does it work?

• Malware delivered through a malicious advertisement on the internet or an email attachment

• “Brute force” attack – attackers try password combinations against an exposed service such as Remote Desktop until one works, or deploy the malware through email or a compromised website

• The malware encrypts your files so they are inaccessible and demands a ransom for the decryption key

• Sometimes the attack results only in the files being encrypted…

• …Other times, the attackers also access the information on your network

– That access is what would trigger notification obligations under state data breach notification laws
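What the encryption stage looks like from the defender's side, as an added illustration that is not part of the original slides: a ransomware run leaves two measurable traces, file contents that turn into high-entropy ciphertext and a burst of renames across many folders in a short time. The file-share events, the expected-extension list and the thresholds below are constructed assumptions for the example, not data from any real incident.

```python
import math
import random
from collections import Counter
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Extensions the firm expects on its document shares (assumption for the example).
EXPECTED_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".pptx", ".txt", ".msg", ".tmp"}


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: 0.0 for a constant stream, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Plain text and most office documents score well below 7.5 bits/byte; ciphertext
    scores close to 8.0. Caveat: already-compressed formats (zip-based .docx, .jpg)
    also score high, so pair this with the rename-burst check rather than using it alone."""
    return shannon_entropy(data) >= threshold


def rename_bursts(events, max_gap=timedelta(seconds=60), min_files=20, min_dirs=3):
    """events: iterable of (datetime, path) for files written or renamed on a share.

    Groups writes that land on an unexpected extension into bursts (consecutive events
    no more than max_gap apart) and flags a burst that touches many files across
    several directories: the signature of a ransomware run, not of one user saving work.
    """
    suspicious = sorted(
        (ts, PurePosixPath(p)) for ts, p in events
        if PurePosixPath(p).suffix.lower() not in EXPECTED_EXTS
    )
    bursts, current = [], []
    for ts, path in suspicious:
        if current and ts - current[-1][0] > max_gap:
            bursts.append(current)
            current = []
        current.append((ts, path))
    if current:
        bursts.append(current)

    alerts = []
    for burst in bursts:
        dirs = {path.parent for _, path in burst}
        if len(burst) >= min_files and len(dirs) >= min_dirs:
            alerts.append({
                "start": burst[0][0],
                "files": len(burst),
                "dirs": len(dirs),
                "extensions": {path.suffix.lower() for _, path in burst},
            })
    return alerts


def sample_ciphertext(n: int = 4096, seed: int = 1) -> bytes:
    """Stand-in for an encrypted file: seeded pseudo-random bytes (constructed, not real ransomware output)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def sample_events():
    """Constructed file-share audit trail: five ordinary saves, then 25 files in three
    client folders renamed to .locked within half a minute."""
    t0 = datetime(2017, 11, 10, 9, 0, 0)
    folders = ["Acme", "Beta", "Gamma"]
    normal = [(t0 + timedelta(minutes=i), f"/shares/clients/Acme/brief{i}.docx") for i in range(5)]
    burst = [
        (t0 + timedelta(minutes=30, seconds=i),
         f"/shares/clients/{folders[i % 3]}/file{i}.docx.locked")
        for i in range(25)
    ]
    return normal + burst


if __name__ == "__main__":
    letter = b"Dear client, please find the engagement letter attached. " * 40
    print("engagement letter:", round(shannon_entropy(letter), 2), "bits/byte, encrypted?", looks_encrypted(letter))
    print("ciphertext:", round(shannon_entropy(sample_ciphertext()), 2), "bits/byte, encrypted?", looks_encrypted(sample_ciphertext()))
    for alert in rename_bursts(sample_events()):
        print("ALERT", alert)
```

The entropy test alone is not a verdict, since compressed formats score almost as high as ciphertext; it is the combination of high entropy and a rename burst that separates an attack from a partner saving forty drafts.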


Facts about Ransomware (Computerworld)

• Average ransom increased in 2016 to $1,077 from $294

• 36% increase in attacks in 2016

• Ransom kits cost between $10 and $1800

• Consumers were 69% of targets; business were the rest

• 34% of victims pay the ransom, but only 47% of those who pay get access to their data back

• 77% of attacks are through email

• 33% involved voluntary divulging of personal information (as opposed to malicious link or attachment)


Preventing Ransomware Attacks

• To minimize the risk of a ransomware attack:

– Use strong passwords and always replace manufacturer defaults (rotate a password when compromise is suspected; see the password guidance later in this deck)

– Use a VPN for remote RDP access to servers; never expose RDP directly to the internet

– Review internal and third-party security procedures frequently

– Keep anti-virus software up to date – it detects malware installed on a network or computer

– Encrypt data at rest

– Keep tested backups that the ransomware cannot reach (offline, or otherwise isolated from the network)

– Train employees to be aware of security threats


Fraud Without an Incident?

• You have identified instances of client information being fraudulently used, but don’t have an explicit attack vector

• Where is the fraud coming from?

– Insider wrongdoing or outside hacker?

– Could be from you, or a third party with the same information

• What to do?

– Forensic investigation to “find the leak”: identify unusual access to the network, foreign IP addresses, compromise of employee credentials

– Determine if PII in your system has been compromised; if so, comply with notification laws
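The forensic steps listed above (unusual network access, foreign IP addresses, compromised credentials) and the brute-force RDP attacks mentioned under ransomware prevention both come down to reading authentication logs. This is an added example, not from the original slides: it runs three checks over a constructed login log, a burst of failures from one source, a success that follows a run of failures from the same source, and a success from outside the firm's known office and VPN ranges. The log format, the address ranges and the thresholds are assumptions; a real deployment would read Windows Security events 4624/4625 or the VPN gateway's logs.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Networks a login is expected to come from: office LAN and the VPN address pool
# (assumed values for the example; RFC 1918 / RFC 5737 ranges).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("198.51.100.0/24")]

# Assumed log format: "<ISO timestamp> <user> <source ip> <FAIL|OK>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(FAIL|OK)$")


def parse_log(text):
    """Return (timestamp, user, source_ip, ok) tuples, time-ordered; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, src, result == "OK"))
    return sorted(events)


def brute_force_sources(events, window=timedelta(minutes=5), threshold=10):
    """Source addresses with at least `threshold` failed logins inside any `window`."""
    failures = defaultdict(list)
    for ts, _user, src, ok in events:
        if not ok:
            failures[src].append(ts)
    flagged = set()
    for src, stamps in failures.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def successes_after_failures(events, window=timedelta(minutes=10), prior_failures=5):
    """(user, src) pairs where a successful login follows `prior_failures` or more failures
    from the same source within `window`: the classic trace of a guessed password."""
    recent = defaultdict(list)   # src -> failure timestamps seen so far
    hits = []
    for ts, user, src, ok in events:
        if not ok:
            recent[src].append(ts)
            continue
        fails = [t for t in recent[src] if ts - t <= window]
        if len(fails) >= prior_failures:
            hits.append((user, src))
    return hits


def untrusted_successes(events):
    """Successful logins from addresses outside TRUSTED_NETS, for analyst review."""
    out = []
    for _ts, user, src, ok in events:
        addr = ipaddress.ip_address(src)
        if ok and not any(addr in net for net in TRUSTED_NETS):
            out.append((user, src))
    return out


def sample_log():
    """Constructed log: an attacker at 203.0.113.45 guesses jsmith's password over three
    minutes and gets in; mlopez works from the office and once from an unknown address."""
    t0 = datetime(2017, 11, 10, 2, 14, 0)
    lines = [f"{(t0 + timedelta(seconds=15 * i)).isoformat()} jsmith 203.0.113.45 FAIL" for i in range(12)]
    lines.append(f"{(t0 + timedelta(minutes=3, seconds=5)).isoformat()} jsmith 203.0.113.45 OK")
    lines.append("2017-11-10T08:02:11 mlopez 10.20.1.7 OK")
    lines.append("2017-11-10T08:30:44 mlopez 10.20.1.7 OK")
    lines.append("2017-11-10T23:41:09 mlopez 192.0.2.88 OK")
    lines.append("garbage line that does not parse")
    return "\n".join(lines)


if __name__ == "__main__":
    ev = parse_log(sample_log())
    print("brute force sources:", brute_force_sources(ev))
    print("success after failures:", successes_after_failures(ev))
    print("logins from untrusted networks:", untrusted_successes(ev))
```

The third check is deliberately noisy (a partner on hotel Wi-Fi will trip it); its value is that it produces a short list for a human to confirm, which is exactly what "find the leak" means in practice.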


Social Engineering Fraud

• What is Social Engineering?

– Manipulating someone into doing something by clandestine means

• Types of Social Engineering

– Quid Pro Quo

– Phishing

– Baiting

– Pretexting

– Diversion Theft


Statistics on Social Engineering Fraud

• Reported Losses of social engineering fraud in 2016 were nearly $1.2 billion.

• FBI has noted that since 2013, losses from phishing have been over $2.3 billion. The financial impact to an organization can be significant.

• 29% of all data breaches in 2013 involved social engineering. In 2016, 95% of those breaches used phishing.

• Certain industries are targeted more than others for fraud


Phishing

• Fraudulently obtaining private information

– The attacker sends an email that looks like it came from a legitimate business, or a pop-up message

– It requests verification of information and warns of some consequence if it is not provided

– It usually contains a link to a fraudulent web page that looks legitimate

– The user gives the information to the social engineer

– Ex: Banking Scam


Phishing (Cont.)


• Spear phishing (targeted phishing) – Ex: an email that makes claims using your name

• Vishing - where criminals persuade victims to hand over personal details or transfer money, over the telephone. They have a number of techniques at their disposal.

• “Whale phishing” or “whaling” is spear phishing but for bigger fish — in other words, CEOs, CFOs and other senior executives with the power to authorize major money transfers or release sensitive data.


Protecting Against Phishing

1. Hover over “From” Column to better identify the sender

2. Are the URLs legitimate?

3. Incorrect grammar/spelling

4. Plain text/Absence of logos

5. Message body is an image

6. Reputation of country of origin as to scams

7. Request for personal information

8. Suspicious attachments

9. Urgent/Too good to be true.

10. Is my email address listed as the "From" address?


Avoiding Email Wire Transfer Scams

• Never change wiring process from email

• Always call person who changes funding

• Carefully compare the email address on the funding change email and prior known real one


Don’t Be Fooled!

• Obtain verbal confirmation from the person requesting the information before transmitting sensitive material via email.

• Beware of fraudulent email addresses (misspelled names or unusual domains).

• Look out for malicious links, e.g. a fake link to your bank or Dropbox account in an attempt to obtain personal information or infect the user’s computer with malware.

• Practice makes perfect – use training programs (such as simulated phishing emails) to test employees' ability to recognize and report these threats
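Several of the phishing checks above (who the message is really from, whether the URLs are legitimate, urgency) and the character-by-character address comparison for wire changes can be automated before a human ever reads the message. This added example, not part of the original slides, parses two constructed messages with Python's standard email and HTML parsers and reports: a familiar display name on an unfamiliar address, a Reply-To pointing elsewhere, SPF/DKIM failures recorded by the receiving mail server, link text naming a different site than the link target, a sender domain one or two characters away from a known one, and urgent wording in the subject. The known-contact list, the reserved example domains and the finding codes are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Contacts whose wiring instructions the firm already has on file (assumed values).
KNOWN_CONTACTS = {"Scott Sweeney": "ssweeney@acmelaw.example"}
URGENT_WORDS = ("urgent", "immediately", "asap", "today")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a sender domain one or two edits from a known one is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw: bytes, known_contacts=KNOWN_CONTACTS) -> set:
    """Return the set of finding codes for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = set()
    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rpartition("@")[2].lower()

    if name in known_contacts and addr.lower() != known_contacts[name].lower():
        findings.add("display-name-mismatch")
    known_domains = {a.rpartition("@")[2].lower() for a in known_contacts.values()}
    if from_domain not in known_domains and any(levenshtein(from_domain, d) <= 2 for d in known_domains):
        findings.add("lookalike-domain")

    _, reply_to = parseaddr(str(msg["Reply-To"] or ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.add("reply-to-mismatch")

    # Authentication-Results is written by the receiving server, not the sender, so it is trustworthy.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result in ("fail", "softfail", "permerror"):
            findings.add(f"{mech}-fail")

    if any(w in str(msg["Subject"] or "").lower() for w in URGENT_WORDS):
        findings.add("urgent-language")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown = urlparse(text).hostname if "://" in text else None
            if shown and shown.lower() != (urlparse(href).hostname or "").lower():
                findings.add("link-text-mismatch")
    return findings


# Constructed messages; all domains are reserved example names (RFC 2606 / RFC 6761).
SAMPLE_PHISH = b"""From: "Scott Sweeney" <ssweeney@acme1aw.example>
Reply-To: payments@mail-drop.invalid
To: partner@firm.example
Subject: URGENT: updated wiring instructions for tomorrow's closing
Authentication-Results: mx.firm.example; spf=fail smtp.mailfrom=acme1aw.example; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Please use the new account before 5pm.</p>
<a href="http://login.collector.invalid/verify">https://portal.firm-bank.example/wire</a>
</body></html>
"""

SAMPLE_LEGIT = b"""From: "Scott Sweeney" <ssweeney@acmelaw.example>
To: partner@firm.example
Subject: Engagement letter for review
Authentication-Results: mx.firm.example; spf=pass smtp.mailfrom=acmelaw.example; dkim=pass
Content-Type: text/plain; charset="utf-8"

Attached is the draft engagement letter we discussed on the call.
"""

if __name__ == "__main__":
    print("phish:", sorted(analyze(SAMPLE_PHISH)))
    print("legit:", sorted(analyze(SAMPLE_LEGIT)))
```

None of these findings proves fraud on its own; a message with two or more of them is the one to verify by phone before any funds move.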


Password Protection

• Experts now maintain that users should only change their passwords if they suspect there has been a breach (NIST SP 800-63B, 2017, dropped periodic forced rotation for this reason).

• Experts argue that periodically changing passwords may actually increase instances of successful cyberattacks, because users respond with predictable variations of the old password.

• Passwords should be 12+ characters long

– Georgia Institute of Technology:

• An 8-character password can be cracked in less than 2 hours

• A 12-character password would take roughly 17,000 years to crack (both figures depend on the assumed guessing rate)

– Strong passwords use an alphanumeric passphrase

• e.g. Alpha7#beta3

– Prohibit use of the most commonly used passwords

• e.g. 123456
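How the two Georgia Tech figures arise, as an added worked example rather than material from the slides: against the 95 printable ASCII characters, an attacker who can test 10^12 guesses per second (an assumed rate, typical of a GPU rig against a fast hash) exhausts every 8-character password in about 1.8 hours but needs roughly 17,000 years for 12 characters, because each extra character multiplies the work by 95. The script computes those figures and applies the slide's policy (12+ characters, not a common password). The denylist is a short excerpt, not a complete list.

```python
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95                      # letters, digits, punctuation and space
ASSUMED_GUESS_RATE = 1e12                 # guesses per second; an assumption for the example

# Excerpt of the most common leaked passwords (assumed; real checks use full breach lists).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "12345", "1234",
    "111111", "1234567", "dragon", "letmein", "welcome", "abc123", "monkey", "football",
}


def crack_time_seconds(length: int, charset: int = PRINTABLE_ASCII,
                       guesses_per_second: float = ASSUMED_GUESS_RATE) -> float:
    """Worst-case time to try every password of `length` drawn from `charset` symbols."""
    return charset ** length / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit, e.g. '1.8 hours' or '17123 years'."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.0f} years"


def charset_size(password: str) -> int:
    """Size of the smallest standard character set an attacker must search to cover every
    class present in the password (lower 26, upper 26, digits 10, punctuation 32)."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    return sum(size for chars, size in classes if any(c in chars for c in password))


def check_policy(password: str, min_length: int = 12) -> list:
    """Problems with a candidate password under the slide's rules; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"too-short: {len(password)} < {min_length}")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common-password")
    if charset_size(password) <= 26:
        problems.append("single-character-class")
    return problems


if __name__ == "__main__":
    for n in (8, 12):
        print(f"{n} printable characters: {human_duration(crack_time_seconds(n))}")
    for pw in ("123456", "Alpha7#", "Alpha7#beta3"):
        print(pw, "->", check_policy(pw) or "accepted")
```

The arithmetic also shows why length beats complexity: adding four characters multiplies the attacker's work by 95^4, about 81 million, while swapping one letter for a symbol changes nothing about the keyspace the attacker must search.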


Know Your Client

• Meet the client face to face! (foreign clients too)

• Get ID (passport, driver's license)

• Google/Facebook search

• Ask your firm colleagues

• Check court dockets

• Know source of deal funds & deal purpose


Mobile/Home Devices

• Install anti-virus and anti-malware on phones/tablets

• Password protect all devices and wifi

• Enable the "Find My iPhone" feature (or the equivalent remote locate/lock/wipe feature on other platforms)

• Firm must require immediate notice of a lost device and the right to wipe the lost device (this will include personal data)

• Keep separate devices for work and personal use

• Keep all operating systems and apps updated


Lawyers’ Misuse of Technology

• Public Wifi – easy interception

• Including personal information in public filings

• Password deficiencies (weak and security issues)

• Sloppy or rogue employee

• "Reply to all" mistakes

• Disclosing and reviewing Metadata – ethical issues

• Misuse of mobile devices and home computers


Lawyers’ Mishandling of Hardware

• Lost devices – work data compromised

• Stolen devices –mobile or home devices

• Improper disposal – home/mobile/work devices

• USBs/external hard drives –portable and not secure

• Cloud computing

• Obsolete hardware & software – subject to easy attack

• Lawyers slow to report

• Physical security in the office


What About Metadata?

• “Information about information”

– Dates of creation or access

– Authors

– Editing history

– Management and retrieval information

– Track changes

• Applies to documents, emails, spreadsheets, PowerPoint presentations and databases
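To make the metadata point concrete, here is an added example (not from the original slides) that reads the properties a Word document carries and that any recipient can see without special tools: author, last editor, revision count, dates, and any tracked changes still in the body along with their authors. It builds a reduced stand-in for a .docx in memory (a real file also contains a content-types part and more, which these functions do not need) and shows both the inspection and a scrub of the document properties. Tracked changes are reported, not stripped, because removing them blindly alters the text; accept or reject them in Word first.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

CORE_FIELDS = {   # property name -> element path inside docProps/core.xml
    "creator": "dc:creator",
    "lastModifiedBy": "cp:lastModifiedBy",
    "revision": "cp:revision",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}


def inspect_docx(data: bytes) -> dict:
    """Document properties plus a count of tracked insertions/deletions and their authors."""
    info = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        core = ET.fromstring(zf.read("docProps/core.xml"))
        for name, path in CORE_FIELDS.items():
            el = core.find(path, NS)
            info[name] = (el.text or "") if el is not None else ""
        doc = ET.fromstring(zf.read("word/document.xml"))
        changes = doc.findall(".//w:ins", NS) + doc.findall(".//w:del", NS)
        info["tracked_changes"] = len(changes)
        info["change_authors"] = sorted({c.get(f"{{{NS['w']}}}author", "") for c in changes})
    return info


def scrub_core_properties(data: bytes) -> bytes:
    """Return a copy with author/editor/revision/date properties blanked; the body is untouched."""
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                core = ET.fromstring(payload)
                for path in CORE_FIELDS.values():
                    el = core.find(path, NS)
                    if el is not None:
                        el.text = ""
                payload = ET.tostring(core, xml_declaration=True, encoding="UTF-8")
            out.writestr(item.filename, payload)
    return out_buf.getvalue()


def build_sample_docx() -> bytes:
    """Constructed, reduced .docx: one paragraph with a tracked change by a second author."""
    core_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}">
  <dc:creator>Associate One</dc:creator>
  <cp:lastModifiedBy>Partner Two</cp:lastModifiedBy>
  <cp:revision>14</cp:revision>
  <dcterms:created>2017-10-02T14:05:00Z</dcterms:created>
  <dcterms:modified>2017-11-09T22:41:00Z</dcterms:modified>
</cp:coreProperties>"""
    document_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{NS['w']}"><w:body><w:p>
  <w:r><w:t>Settlement authority is </w:t></w:r>
  <w:ins w:id="1" w:author="Partner Two" w:date="2017-11-09T22:40:00Z"><w:r><w:t>up to $250,000</w:t></w:r></w:ins>
  <w:del w:id="2" w:author="Partner Two" w:date="2017-11-09T22:40:00Z"><w:r><w:delText>$400,000</w:delText></w:r></w:del>
</w:p></w:body></w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core_xml)
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", inspect_docx(sample))
    print("after: ", inspect_docx(scrub_core_properties(sample)))
```

Run against the sample, the inspection shows exactly the problem the slide warns about: a deleted settlement figure is still recoverable from the file even though it no longer appears on the page.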


Consequences of a Data Breach

• Cost of issuance of breach notice

• Business interruption

• Media failure - damaged data, damaged hardware & cost of repair

• Additional business overhead

• Injury to business associates

• Reputational injury

• Ransom

• Civil penalties

• Audit of the firm's data security

What Law Firms Should Do: Practical Take Aways for Cyber Risk

• The first line of defense is the best and latest software to filter out as much suspicious activity as possible.

• Risk management awareness and training

• Strict protocols around wire transfers and information

• User Awareness

– User knows that giving out certain information is bad

– Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about internal information

– Do not provide personal information, nor information about the company (such as the internal network), unless the authority of the person is verified


More Practical Take Aways

• Encourage caution & double-checking

– Before transmitting personal information over the internet, check that the connection is secure and the URL is correct

– If unsure whether an email message is legitimate, contact the person or company by another means to verify

• Employ technology-based solutions to filter emails.

• Be paranoid and aware when interacting with others about anything that needs protecting


So What Happens Next?

Life Cycle of a Data Breach

• Identification

– Identify that an event has occurred and determine who should be involved

– Trigger the Incident Response Team

• Containment

– Stop the bleeding – but don’t damage the wound!

• Remediation

– Take steps to prevent a similar event from occurring in the future

• Notification

– Who do you tell?

– How?

– When?


Who You Gonna Call?

• Data breach coach

• Forensic support

• Public relations

• Insurance company

• IT Support

– Don’t wipe the system clean

– Preserve all evidence for further investigation

– If data must be overwritten or a system rebuilt, make a forensic copy first
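“Preserve all evidence” has a concrete first step: record a cryptographic hash of every file or image collected, with the time and the collector, before anyone touches the system, so that what the forensic examiner later receives can be shown to be what was collected. This added example (not part of the original slides) builds such a manifest over a constructed evidence folder using only Python's standard library, then verifies it and reports any file that was changed, added or removed after collection. The field names are assumptions.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so disk images of any size hash without being loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, collected_by: str) -> dict:
    """Hash every file under root; the manifest is the chain-of-custody record."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collected_by,
        "root": str(root),
        "files": {str(p.relative_to(root)): {"sha256": sha256_of(p), "size": p.stat().st_size}
                  for p in files},
    }


def verify_manifest(root, manifest: dict) -> dict:
    """Compare the tree against the manifest: relative path -> 'ok', 'modified', 'missing' or 'unexpected'."""
    root = Path(root)
    status = {}
    for rel, rec in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            status[rel] = "missing"
        else:
            status[rel] = "ok" if sha256_of(p) == rec["sha256"] else "modified"
    for p in root.rglob("*"):
        if p.is_file():
            status.setdefault(str(p.relative_to(root)), "unexpected")
    return status


def demo() -> tuple:
    """Constructed evidence folder (a mailbox export and a server log); the log is then
    'tidied up' after collection and a note is added, both of which the manifest catches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mail").mkdir()
        (root / "mail" / "partner.pst").write_bytes(b"PST export placeholder " * 100)
        (root / "server.log").write_text("2017-11-10 02:17:05 logon jsmith 203.0.113.45\n")
        manifest = build_manifest(root, collected_by="IT on-call")
        clean = verify_manifest(root, manifest)
        (root / "server.log").write_text("")
        (root / "notes.txt").write_text("added later")
        tampered = verify_manifest(root, manifest)
        return clean, tampered, json.dumps(manifest, indent=2)


if __name__ == "__main__":
    clean, tampered, manifest_json = demo()
    print(manifest_json)
    print("right after collection:", clean)
    print("after tampering:       ", tampered)
```

Store the manifest somewhere the IT team cannot edit (with the breach coach or counsel is the usual choice), since a manifest that travels with the evidence and can be regenerated proves nothing.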


An Ounce of Prevention is Worth a Pound of Cure

Leadership and Ownership

• Protecting client data is everyone’s responsibility

• Provide education and training on best practices, and build in responsibility at the employee level.

• Put controls in place, particularly if you’re handling client money.

• But…it all starts with the tone at the top

– Allocation of resources

– Model the way


Assess Your Risk and Vulnerabilities

• Do you:

– collect, store, or transact any personal, financial or health data?

– transport sensitive or protected data on portable devices or paper files?

– outsource computer network operations, data or network management?

– share data with business partners or vendors?

– have a website hosted on a shared server?

– schedule recent and routine cyber risk assessments?

– have encrypted electronic devices?

– have current intrusion detection software/protocol?

– have a posted privacy policy which aligns with your internal data management practices?

• How long do you maintain records?


Address the Risk

• Policies and procedures

– Industry-specific requirements (HIPAA, for example)

– Information security program

– Access management

– Password policy

• Training and education

– Who?

– How often?

• Incident Response Plan

– Don’t wait until it’s too late

– Living document – take it off the shelf and practice!

• Don’t forget about vendors!


Cyber Insurance Coverage

• Financial or business interruption loss from cyber attacks

• Extortion or ransom payments

• Data Restoration and Forensic Investigation

• Breach response services – notification letters, call center, credit monitoring

• Regulatory investigations, fines or penalties

• Certain policies may cover property damage and bodily injury due to cyber attacks on critical infrastructure


Questions?


Contact

Kevin Ribble

Edgewater Holdings, Ltd

Chicago, IL

(214) 676-8662

[email protected]


Scott D. Sweeney, Esq.

Wilson Elser, LLP

Denver, CO

(303) 572-5324

[email protected]

About Wilson Elser, LLP

Wilson Elser's Data Privacy & Security and Technology teams help companies prepare, strategize and respond to risk management issues and data security events arising from cyber attacks that represent varying degrees of potential disruption, expense and reputational damage to companies. Wilson Elser excels at advising our clients so they can anticipate these threats, prepare for the potential consequences, and respond quickly and effectively if and when attacks materialize. We offer services to assist with all aspects of cyber risk management, including the oversight of data and privacy assessments; development of incident response plans and policies and procedures; and assistance with implementation, training and testing of revised and existing plans and operations. Faced with an incident, our experienced breach coaches stand beside our client to navigate the overall response, including overseeing the investigation process, providing legal counsel to assist with compliance with federal and state legal notification requirements, assisting with development of appropriate responsive and remedial measures, and representing the client in connection with regulatory investigations. Should an event result in litigation, our seasoned litigators can provide effective and collaborative defense strategies to help contain the risk and the ultimate impact of a data security event.
