Don't Diligence - Information Security for Lawyers: Cloud Security, the Law Society and what every lawyer needs to know

Darren Thurston – hardBox Solutions

Uploaded by darrentthurston, posted 05-Dec-2014 (slide deck transcript, 57 slides)

TRANSCRIPT

Page 1: Don't Diligence Information Security for Lawyers

Don't Diligence -Information Security for Lawyers

Cloud Security, the Law Society and what every lawyer needs to know

Darren Thurston – hardBox Solutions

Page 2

Information technology solutions for high and medium security office environments

Secure data storage, sharing & retrieval

Page 3

Our Clients Include

● Edelmann & Company Law Office
● Helps Law Corporation
● Wilson, Buck, Butcher and Sears
● Browning, Ray, Soga, Dunne, Mirsky & Ng
● Phillip A. Riddell
● Don Morrison

Page 4

Who Are You?

Page 5

What size is your firm?

- Solo
- 2 to 5
- 6 to 20
- 21 to 75
- Over 75
- Crown Counsel

Page 6

Security breaches are happening every day.

Reputation is the first thing to be affected when a breach occurs.

Page 7

Page 8

What is the cloud?

Page 9

Page 10

Cloud Services

● DropBox
● Google
● iCloud
● Amazon Cloud Drive
● Windows Live

Page 11

Law Specific Cloud Services

● PCLaw / Time Matters - LexisNexis
● EsiLaw.com
● Clio
● AmicusAttorney.com
● Rocketmatter.com

Page 12

Report Of The Cloud Computing Working Group

Law Society of B.C.

Gavin Hume, QC (Chair)
Bruce LeRose, QC
Peter Lloyd, FCA
Stacy Kuiack

http://www.lawsociety.bc.ca/docs/publications/reports/CloudComputing_2012.pdf

Page 13

Cloud Issues

● Location of data and jurisdictional issues
● Security and data privacy issues
● Legal compliance issues
● Ownership issues
● Access and retention issues
● Force majeure issues
● Liability issues
● Termination issues

Page 14

Where is my data?

Page 15

Jurisdictional Issues

There are several problems with lawyers having their business records stored or processed outside British Columbia. Lawyers have a professional obligation to safeguard clients’ information to protect confidentiality and privilege. When a lawyer entrusts client information to a cloud provider the lawyer will often be subjecting clients’ information to a foreign legal system. The foreign laws may have lower thresholds of protection than Canadian law with respect to accessing information. A lawyer must understand the risks (legal, political, etc.) of having client data stored and processed in foreign jurisdictions.

Page 16

Jurisdictional Issues

● US PATRIOT Act
● Alberta, Canada: “Bill 54” and Personal Information Protection Act (PIPA)
● UK Regulation of Investigatory Powers Act of 2000
● EU Data Protection Directive
● India Information Technology (Amendment) Act, 2008 (the IT Act)

Page 17

Security and Data Privacy

● Confidentiality provisions
● SAS 70
● Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
● ISO 27002
● Annual independent audits or assessments
● Incident Response Plan

Page 18

Legal compliance issues

● The Personal Information Protection and Electronic Documents Act
● Personal Information Protection Act, B.C. of 2003
● Sarbanes-Oxley Act of 2002 (SOX)
● Health Insurance Portability and Accountability Act of 1996 (HIPAA)
● Health Information Technology for Economic and Clinical Health (HITECH) Act
● Gramm-Leach-Bliley Act (GLB)
● Payment Card Industry Data Security Standard (PCI DSS)

Page 19

Potential impact on Rule 4-43

...the Law Society revised Rule 4-43 (in 2008) to create a process to protect personal information. The balance that was sought recognized that the Law Society has the authority to copy computer records and investigate lawyers, but the process of making a forensic copy of computer records can capture irrelevant personal information. In light of this, the Law Society created a process to allow irrelevant personal information to be identified and segregated, so it was not accessed by the Law Society. Cloud computing creates a situation where that process might not be able to be followed.

Page 20

Ownership issues: My data, right?

● Google has recently been sued for mining data
● Can your data be exported - PCLaw?!?@#

Page 21

Page 22

Access and Retention Issues

● Litigation Hold
● Audit Trail

Page 23

How is my data stored?

- Virtualization
- Multi-tenancy
- Other

Page 24

Other issues

● Force Majeure Issues: natural disaster, act of war, etc.
● Liability Issues: services are not responsible for their downtime
● Termination Issues: exit strategy

Page 25

Security Incidents

Page 26

DropBox

The problem child of cloud services

Page 27

Page 28

Not just cloud services

Page 29

The dangers... and your obligations

● Unprotected computers infected/hacked within minutes of connecting to the Internet
● Lost / stolen cell phones or laptops
● Theft of client, firm or personal data
● Rules of professional conduct oblige you to protect client data

Page 30

Page 31

Information Security Best Practices

● How much time, effort and money do you invest?
● Absolute security is impossible
● Safety vs. convenience
● Find a balance between:
  - Allowable risk
  - Acceptable cost/effort

Page 32

Keep your electronic data secure and private

Steps you must ensure:

● Install all latest software updates
● Use strong passwords
● Antivirus software is essential
● Install a firewall on your Internet connection
● Avoid the dangers of e-mail
● Beware the dangers of metadata

Page 33

Keep your electronic data secure and private (cont.)

● Lockdown and encrypt your data
● Harden your wireless connections
● Learn how to safely surf the Web
● Change key default settings
● Implement a technology use policy
● A backup solution can save your practice

Page 34

Install updates...

● Microsoft products particularly prone
● Update all software regularly!
● Microsoft / Apple Macs
● Don’t forget non-OS software! Java / Flash / Adobe PDF
● Check on a regular schedule

Page 35

Further update issues

● Turn on Automatic Updates
● Automatic vs. ask to install
● Periodically check Microsoft website
● Critical updates ASAP
● Watch for “optional” software
● Backup before you install updates
● Create Restore point (Windows)

Page 36

A few thoughts on passwords

How many of you re-use passwords?

Use your child's or pet's name or birthdate?

Page 37

Top used passwords

1) password
2) 123456
3) 12345678
4) 1234
5) qwerty
6) 12345
7) dragon
8) pussy
9) baseball
10) football
11) letmein
12) monkey
13) 696969
14) abc123

Page 38

Use strong passwords

Frankiepoo1 = BAD
m%")FZTm"d*A = DECENT
a{3xQXbDZ`k=/T8z\>Mx = GOOD
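Why the slide grades the three passwords the way it does is clearer with numbers attached. The following is an added example, not code from the deck or from hardBox Solutions: it estimates how many bits a brute-force attacker would have to search for each password and then applies two checks that raw entropy misses, namely whether the password is on a common-password list (a few entries from the "Top used passwords" slide) and whether it has the "name plus a few digits" shape of Frankiepoo1. The BAD/DECENT/GOOD thresholds, the character-class sizes and the word-plus-digits heuristic are assumptions made for this example.

```python
import math
import re
import string

# A few entries from the deck's "Top used passwords" slide: anything on such
# a list is tried first by an attacker, whatever its length.
COMMON_PASSWORDS = {"password", "123456", "12345678", "1234", "qwerty",
                    "12345", "letmein", "monkey", "abc123", "baseball", "football"}

# Assumed alphabet sizes: when a class is present, the attacker must search
# the whole class, so the pool grows by its size.
CLASS_SIZES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 printable symbols
)

# Hypothetical heuristic for this example: one word or name followed by at
# most four digits (Frankiepoo1, Fluffy2008, ...). Attackers try dictionaries
# of names and words with digit suffixes, not every string of that length.
WORD_PLUS_DIGITS = re.compile(r"[A-Za-z]+\d{0,4}")


def brute_force_bits(password):
    """Bits a uniformly random password with these character classes would have."""
    pool = sum(size for alphabet, size in CLASS_SIZES
               if any(ch in alphabet for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def assess_password(password):
    """Return (estimated_bits, verdict) on the slide's BAD/DECENT/GOOD scale.

    Assumed thresholds: >= 100 bits GOOD, >= 64 bits DECENT, otherwise BAD,
    after the two shortcut checks below.
    """
    bits = brute_force_bits(password)
    if password.lower() in COMMON_PASSWORDS:
        return 0.0, "BAD"            # on every attacker's first wordlist
    if WORD_PLUS_DIGITS.fullmatch(password):
        return bits, "BAD"           # raw entropy overstates a guessable shape
    if bits >= 100:
        return bits, "GOOD"
    if bits >= 64:
        return bits, "DECENT"
    return bits, "BAD"


if __name__ == "__main__":
    for pw in ("Frankiepoo1", 'm%")FZTm"d*A', r'a{3xQXbDZ`k=/T8z\>Mx', "password"):
        bits, verdict = assess_password(pw)
        print(f"{pw:24} {bits:6.1f} bits  {verdict}")
```

Note that Frankiepoo1 scores about 65 bits by the raw count, which would place it in the DECENT band; it is the word-plus-digits check, not the length, that sends it to BAD. A randomly generated 12-character password with symbols lands in DECENT and the 20-character one in GOOD, which is the point the slide makes: length and randomness, not cleverness, decide the grade.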

Page 39

Proper use

● Passwords are the keys to “unlock” your computer
● Essential for securing your electronic data and entire corporate network
● You need to be conscientious about how to set them up and use them

Page 40

Proper use

● Don’t use the same password for everything
● Don’t tell anyone your passwords, EVER!!
● Be wary of saving passwords in your browser

Page 41

Proper use

● Never write them down
● If you must, store them securely (safe)
● Be careful about storing passwords on your computer – use an encrypted password safe
● A security breach can compromise your entire network
● Rotate important passwords every 60 to 90 days

Page 42

Anti-virus software: Essential

● Protect your computer and data from malware
  - Viruses
  - Worms
  - Trojan Horses
  - Key Stroke Recorders
  - Backdoors
  - Rootkits

Page 43

Anti-Virus Use

● Decent free anti-virus is available: Microsoft Security Essentials
● Needs to be set up correctly
● Daily scans of all data
● Regular updates of your virus definition or signature files

Page 44

False Security

● The anti-virus game is one of catch-up
● 20% of viruses will get past most anti-virus products

Page 45

Use a Firewall

● A gatekeeper that ensures incoming and outgoing communications are legitimate
● All computers on the Internet can see one another
● Lines of communication are established through ports
● Open ports can allow unwanted access to a computer

Page 46

E-mail dangers

● Protect access with passwords
● Use privacy statements:

  Please note that this email correspondence is *not* encrypted or secured in any way. If you are sending sensitive information or attachments you may wish to send them in another format. If you choose to communicate with us by email, you agree to accept the possible risk of loss of privacy.

  The information in this internet email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this internet email by anyone else is unauthorized.

Page 47

Smart email use

● Read email in text format, not HTML
● Be wary of phishing emails
● Be wary of links & attachments in emails
● Implement a spam filter

Page 48

Metadata

● Data About Data
● MS Office Products
● Adobe PDFs
● Photos
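The "data about data" in an MS Office file is easy to see once you know that a .docx, .xlsx or .pptx is a zip package whose docProps/core.xml part records the author, the last person to edit it and the edit dates. The following is an added example, not code from the deck or from hardBox Solutions: it lists those fields and produces a copy with the people-identifying ones blanked before the file leaves the office. The namespace URIs are the ones Office uses for core.xml; the sample package, the names and dates in it, and the choice of which fields to blank are constructed assumptions for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml inside an Office Open XML package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep the original prefixes when re-serialising

# Assumed scrub policy for this example: blank the fields that name people
PEOPLE_FIELDS = ("dc:creator", "cp:lastModifiedBy")


def read_core_properties(docx_bytes):
    """Return core.xml as {'dc:creator': ..., 'cp:lastModifiedBy': ..., ...}."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        root = ET.fromstring(pkg.read("docProps/core.xml"))
    uri_to_prefix = {uri: prefix for prefix, uri in NS.items()}
    props = {}
    for el in root:
        # ElementTree tags look like '{uri}local'; map the uri back to its prefix
        uri, local = el.tag[1:].split("}") if el.tag.startswith("{") else ("", el.tag)
        props[f"{uri_to_prefix.get(uri, uri)}:{local}"] = el.text or ""
    return props


def scrub_core_properties(docx_bytes, fields=PEOPLE_FIELDS):
    """Copy the package part by part, blanking the chosen core.xml fields."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for field in fields:
                    for el in root.findall(field, NS):
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(info.filename, data)  # every other part is copied untouched
    return out.getvalue()


def build_sample_docx():
    """Constructed stand-in for a real .docx: only the two parts this example reads."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="{NS["xsi"]}">'
        "<dc:title>Settlement offer - draft</dc:title>"
        "<dc:creator>A. Associate (constructed)</dc:creator>"
        "<cp:lastModifiedBy>B. Partner (constructed)</cp:lastModifiedBy>"
        "<cp:revision>14</cp:revision>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2014-11-20T09:12:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2014-12-01T16:40:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/docProps/core.xml" '
        'ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", content_types)
        pkg.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", read_core_properties(original))
    print("after: ", read_core_properties(scrub_core_properties(original)))
```

Run against a real file, `read_core_properties(open("draft.docx", "rb").read())` shows what the recipient would see in File > Properties; the revision count and the created/modified dates are left in place here because they are part of the document record, and whether to clear them too is a policy decision for the firm. Tracked changes and comments live in other parts of the package and are not touched by this check.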

Page 49

Lockdown and encrypt your data

● Startup & user passwords
● Put a password on your screensaver
● Data stored on computers and on external drives should ALWAYS be encrypted
● USB Drives!

Page 50

Harden your wireless connections

● Disable SSID Broadcast
● MAC Filtration
● Change Defaults
● Enable Logging
● Use Encryption: WEP is not secure
● WPA2 with AES Algorithm
● WPS can be hacked w/ Reaver

Page 51

Learn how to safely surf the Web

● Safe browser choices = No IE
● Disabling some browser features
● Controlling which cookies can be stored on your computer
● Preventing pop-ups
● Plug-ins turned off by default

Page 52

Change key default settings

● File Sharing
● Administrator account
● Normal user account for everyday use
● Domain name
● Workgroup name

Page 53

Technology use policy

● Does your office have one?
● Law Society has templates
● Internet and Email Use Policy

Page 54

Backup solutions

● Secure
● Encrypted
● Onsite
● Offsite

Page 55

Backup details

● Who’s Responsible
● Full Backup
● Daily Backups
● Establish Alerts
● Files
● E-mail
● Logs

Page 56

Further information

● The Law Society of BC – practice docs/tips
● CBA - Guidelines for Practicing Ethically with New Information Technologies
● Give us a call

Page 57

Questions? Contact Information

Darren Thurston

[email protected]

www.hardbox.ca