Don't Diligence - Information Security for Lawyers
Cloud Security, the Law Society and what every lawyer needs to know
Darren Thurston – hardBox Solutions
Information technology solutions for high and medium security office environments
Secure data storage, sharing & retrieval
Our Clients Include
● Edelmann & Company Law Office
● Helps Law Corporation
● Wilson, Buck, Butcher and Sears
● Browning, Ray, Soga, Dunne, Mirsky & Ng
● Phillip A. Riddell
● Don Morrison
Who Are You?
What size is your firm?
- Solo
- 2 to 5
- 6 to 20
- 21 to 75
- Over 75
- Crown Counsel
Security breaches are happening every day.
Reputation is the first thing to be affected when a breach occurs.
What is the cloud?
Cloud Services
● Dropbox
● Google
● iCloud
● Amazon Cloud Drive
● Windows Live
Law Specific Cloud Services
● PCLaw / Time Matters - LexisNexis
● EsiLaw.com
● Clio
● AmicusAttorney.com
● Rocketmatter.com
Report Of The Cloud Computing Working Group
Law Society of B.C.
Gavin Hume, QC (Chair)
Bruce LeRose, QC
Peter Lloyd, FCA
Stacy Kuiack
http://www.lawsociety.bc.ca/docs/publications/reports/CloudComputing_2012.pdf
Cloud Issues
● Location of data and jurisdictional issues
● Security and data privacy issues
● Legal compliance issues
● Ownership issues
● Access and retention issues
● Force majeure issues
● Liability issues
● Termination issues
Where is my data?
There are several problems with lawyers having their business records stored or processed outside British Columbia. Lawyers have a professional obligation to safeguard clients’ information to protect confidentiality and privilege. When a lawyer entrusts client information to a cloud provider the lawyer will often be subjecting clients’ information to a foreign legal system. The foreign laws may have lower thresholds of protection than Canadian law with respect to accessing information. A lawyer must understand the risks (legal, political, etc.) of having client data stored and processed in foreign jurisdictions.
Jurisdictional Issues
● US PATRIOT Act
● Alberta, Canada: “Bill 54” and Personal Information Protection Act (PIPA)
● UK Regulation of Investigatory Powers Act of 2000
● EU Data Protection Directive
● India Information Technology (Amendment) Act, 2008 (the IT Act)
Security and Data Privacy
● Confidentiality provisions
● SAS 70
● Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
● ISO 27002
● Annual independent audits or assessments
● Incident Response Plan
Legal compliance issues
● The Personal Information Protection and Electronic Documents Act (PIPEDA)
● Personal Information Protection Act, B.C. of 2003
● Sarbanes-Oxley Act of 2002 (SOX)
● Health Insurance Portability and Accountability Act of 1996 (HIPAA)
● Health Information Technology for Economic and Clinical Health (HITECH) Act
● Gramm-Leach-Bliley Act (GLB)
● Payment Card Industry Data Security Standard (PCI DSS)
Potential impact on Rule 4-43
...the Law Society revised Rule 4-43 (in 2008) to create a process to protect personal information. The balance that was sought recognized that the Law Society has the authority to copy computer records and investigate lawyers, but the process of making a forensic copy of computer records can capture irrelevant personal information. In light of this, the Law Society created a process to allow irrelevant personal information to be identified and segregated, so it was not accessed by the Law Society. Cloud computing creates a situation where that process might not be able to be followed.
Ownership issues
My data, right?
● Google has recently been sued for mining data
● Can your data be exported - PCLaw?!?@#
Access and Retention Issues
● Litigation Hold
● Audit Trail
How is my data stored?
- Virtualization
- Multi-tenancy
- Other
Other issues
● Force Majeure Issues: natural disaster, act of war, etc.
● Liability Issues: services are not responsible for their downtime
● Termination Issues: exit strategy
Security Incidents
Dropbox
The problem child of cloud services
Not just cloud services
The dangers... and your obligations
● Unprotected computers infected/hacked within minutes of connecting to the Internet
● Lost / stolen cell phones or laptops
● Theft of client, firm or personal data
● Rules of professional conduct oblige you to protect client data
Information Security Best Practices
● How much time, effort and money do you invest?
● Absolute security is impossible
● Safety vs. convenience
● Find balance between: allowable risk and acceptable cost/effort
Keep your electronic data secure and private
Steps you must ensure:
● Install all latest software updates
● Use strong passwords
● Antivirus software is essential
● Install a firewall on your Internet connection
● Avoid the dangers of e-mail
● Beware the dangers of metadata
Keep your electronic data secure and private (cont.)
● Lock down and encrypt your data
● Harden your wireless connections
● Learn how to safely surf the Web
● Change key default settings
● Implement a technology use policy
● A backup solution can save your practice
Install updates...
● Microsoft products particularly prone
● Update all software regularly!
● Microsoft / Apple Macs
● Don’t forget non-OS software! Java / Flash / Adobe PDF
● Check on a regular schedule
Further update issues
● Turn on Automatic Updates
● Automatic vs. ask to install
● Periodically check Microsoft website
● Critical updates ASAP
● Watch for “optional” software
● Backup before you install updates
● Create Restore point (Windows)
A few thoughts on passwords
How many of you re-use passwords?
Use your child's or pet's name or birthdate?
Top used passwords
1) password
2) 123456
3) 12345678
4) 1234
5) qwerty
6) 12345
7) dragon
8) pussy
9) baseball
10) football
11) letmein
12) monkey
13) 696969
14) abc123
Use strong passwords
Frankiepoo1 = BAD
m%")FZTm"d*A = DECENT
a{3xQXbDZ`k=/T8z\>Mx = GOOD
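An added example (not from the slides or hardBox Solutions) that rates a password on the slide's BAD / DECENT / GOOD scale: it checks the top-used list above, flags the name-plus-digits and birthdate-like shapes the slides warn about, and estimates brute-force entropy from the character classes present. The 60/100-bit cut-offs, the punctuation pool size and the shape patterns are my assumptions, not from the presentation.

```python
import math
import re

# The top-used passwords listed on the slide (constructed as a lower-cased check list).
TOP_USED = {
    "password", "123456", "12345678", "1234", "qwerty", "12345", "dragon",
    "pussy", "baseball", "football", "letmein", "monkey", "696969", "abc123",
}

# Character classes and the size each adds to a brute-force search pool
# (the 33-symbol punctuation pool, printable ASCII symbols, is an assumption).
CLASSES = (
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),
)

# Shapes the slides warn against: a name or word with a few digits appended,
# and birthdate-like fragments (a 19xx/20xx year, or a dd/mm style pair).
NAME_PLUS_DIGITS = re.compile(r"^[A-Za-z]+\d{1,4}$")
DATE_LIKE = re.compile(r"(19|20)\d{2}|\d{2}[/.-]\d{2}")

def entropy_bits(pw: str) -> float:
    """Estimate brute-force entropy as log2(pool ** length) for the classes present."""
    pool = sum(size for rx, size in CLASSES if rx.search(pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def rate_password(pw: str) -> tuple[str, list[str]]:
    """Rate a password BAD, DECENT or GOOD and say why; the 60/100-bit cut-offs are assumptions."""
    reasons = []
    if pw.lower() in TOP_USED:
        reasons.append("appears in the top-used password list")
    if NAME_PLUS_DIGITS.match(pw):
        reasons.append("looks like a name or word with digits tacked on")
    if DATE_LIKE.search(pw):
        reasons.append("contains a date-like number")
    bits = entropy_bits(pw)
    if reasons or bits < 60:
        rating = "BAD"
    elif bits < 100:
        rating = "DECENT"
    else:
        rating = "GOOD"
    reasons.append(f"about {bits:.0f} bits of brute-force entropy")
    return rating, reasons

if __name__ == "__main__":  # the slide's three examples plus two top-used entries
    for pw in ("Frankiepoo1", 'm%")FZTm"d*A', r"a{3xQXbDZ`k=/T8z\>Mx", "letmein", "696969"):
        print(pw, *rate_password(pw))
```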
Proper use
● Passwords are the keys to “unlock” your computer
● Essential for securing your electronic data and entire corporate network
● You need to be conscientious about how to set them up and use them
Proper use
● Don’t use the same password for everything
● Don’t tell anyone your passwords, EVER!!
● Be wary of saving passwords in your browser
Proper use
● Never write them down
● If you must, store them securely (in a safe)
● Be careful about storing passwords on your computer – use an encrypted password safe
● A security breach can compromise your entire network
● Rotate important passwords every 60 to 90 days
Anti-virus software: Essential
● Protect your computer and data from malware
- Viruses
- Worms
- Trojan Horses
- Keystroke recorders
- Backdoors
- Rootkits
Anti-Virus Use
● Decent free anti-virus is available: Microsoft Security Essentials
● Needs to be set up correctly
● Daily scans of all data
● Regular updates of your virus definition or signature files
False Security
● The anti-virus game is one of catch-up
● 20% of viruses will get past most anti-virus products
Use a Firewall
● A gatekeeper that ensures incoming and outgoing communications are legitimate
● All computers on the Internet can see one another
● Lines of communication are established through ports
● Open ports can allow unwanted access to a computer
E-mail dangers
● Protect access with passwords
● Use privacy statements, e.g.:
“Please note that this email correspondence is *not* encrypted or secured in any way. If you are sending sensitive information or attachments you may wish to send them in another format. If you choose to communicate with us by email, you agree to accept the possible risk of loss of privacy.”
“The information in this internet email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this internet email by anyone else is unauthorized.”
Smart email use
● Read email in text format, not HTML
● Be wary of phishing emails
● Be wary of links & attachments in emails
● Implement a spam filter
Metadata
● Data about data
● MS Office products
● Adobe PDFs
● Photos
Lock down and encrypt your data
● Startup & user passwords
● Put a password on your screensaver
● Data stored on computers and on external drives should ALWAYS be encrypted
● USB drives!
Harden your wireless connections
● Disable SSID Broadcast
● MAC Filtering
● Change Defaults
● Enable Logging
● Use Encryption – WEP is not secure
● WPA2 with AES Algorithm
● WPS can be hacked w/ Reaver
Learn how to safely surf the Web
● Safe browser choices = No IE
● Disabling some browser features
● Controlling which cookies can be stored on your computer
● Preventing pop-ups
● Plug-ins turned off by default
Change key default settings
● File Sharing
● Administrator account
● Normal user account for everyday use
● Domain name
● Workgroup name
Technology use policy
● Does your office have one?
● Law Society has templates
● Internet and Email Use Policy
Backup solutions
● Secure
● Encrypted
● Onsite
● Offsite
Backup details
● Who’s Responsible
● Full Backup
● Daily Backups
● Establish Alerts
● Files
● E-mail
● Logs
Further information
● The Law Society of BC – practice docs/tips
● CBA - Guidelines for Practicing Ethically with New Information Technologies
● Give us a call
Questions?
Contact Information
Darren Thurston
www.hardbox.ca