protecting client data 11.09.11

Protecting Client Data for Professional Responsibility and to

Prevent Identity Theft

Paula S. deWitte, J.D., Ph.D., P.E.

Attorney Liability

• Violate Professional Responsibility Rules• Violate state/federal identity theft statutes• Commit malpractice• Suffer embarrassment and loss of reputation from

being on the front page of the newspaper or the lead story on the 6 p.m. news.

Good business practices to protect all client data – including sensitive personal information.

Three Business Reasons to Know This Material

• 1. Protect you and your law firm

• 2. Advise your clients to safeguard information

• 3. Prepare for new business opportunities

Why Are Law Firms Good Targets?

• To get to the lawyers

• To get to the clients’ information

• General, undirected attack on enterprises that are easily hacked into

Are Lawyers Targets?• http://www.wired.com/threatlevel/2010/02/apt-hacks/

• One mark of APT attacks is that they have especially hit companies with dealings in China, including more than 50 law firms.– Advanced Persistent Threats (APT) -- the attacks are distinctive in the kinds of data the attackers

target, and they are rarely detected by antivirus and intrusion programs. What’s more, the intrusions grab a foothold into a company’s network, sometimes for years, even after a company has discovered them and taken corrective measures.

• “If you’re a law firm and you’re doing business in places like China, it’s so probable you’re compromised and it’s very probable there’s not much you can do about it,” Mandia says.

• In 2008, Mandiant investigated a breach at a law firm that was representing a client in a lawsuit related to China. The attackers were in the firm’s network for a year before the firm learned from law enforcement that it been hacked. By then, the intruders harvested thousands of e-mails and attachments from mail servers. They also had access to every other server, desktop workstation and laptop on the firm’s network.

•

Read More http://www.wired.com/threatlevel/2010/02/apt-hacks/#ixzz0hsIFsw2n

Manage Your Risk

• Know the terms:– Sensitive Personal Information– Encryption – Business duty – Reasonable procedures

• Know what is required to comply with the law.• You may be liable under the laws of another state! – Massachusetts law is the strictest and requires a

written information security program (WISP).

Your Biggest Hidden Security Threats

• Social engineering: Unintentional and by those you trust

OR

• Insider threat: Intentional and by those internal to your law firm

Identity Theft Is Growing• U.S. Dept. of Veterans Affairs = 1,800,000 (11/07) – stolen laptop

• U.S. Dept. of Veterans Affairs == 76,000,000 – defective hard drive sent out for repair/recycling without proper procedures

• Countrywide Home Loan == 2,000,000 (08/08)

• Overall U.S. identities lost since Jan 2005 => 250,000,000

• Estimated $1 Trillion worth of data stolen (2008)

• Cybercrime up 53%

• Cost to repair average 2008 data = $6,600,000

Bolded statistics credited to USAF Lt Gen (ret) Harry Raduege, Chairman, Center for Network Innovation, Deloitte, July 2009, World Affairs Council, Houston, TX.

Sony PlayStation Network and Online Entertainment Breaches

• 100 Million Accounts … – 100,000,000

• Costs of up to $2B … – $2,000,000,000

• Sony market capitalization is $20.5B – $20,500,000,000

• Liable under different nations’ and states’ laws• PR nightmare

What Can Trigger Your Duties

• Security or data breaches by someone who targets your law firm

• Lost, stolen, or strayed computer or laptop• Improperly trashed or donated computers or computer

parts• Lost mobile devices, USBs, or CDs • Weak, limited, or no data encryption• Weak passwords• No/poorly written policies:• E-mailing sensitive data to personal accounts

Security Aspects

• Electronic– Firewalls, Security Software, Intrusion Detection

Systems, • Physical• Administrative/Management – Your biggest vulnerability are people.

The World is Changing

• The “reasonableness” standard• Growing client awareness • Statutory and civil liabilities• Technology:– Readily available– Relatively inexpensive– Minimizes risk of being caught – Web resources

• The ease of being a hacker

Security Framework

• Prevention– Did you prevent unauthorized access?

• Detection– Can you detect if a security breach has occurred?– Can you figure out what and how it happened?

• Remediation– How can you fix the situation?– Do you have remediation plans in place

Statutory/Lawsuit Trend (1/3)

• HIPAA• Gramm-Leach-Bliley Financial Services Modernization

Act • What is the standard to determine liability? • States continue to pass harsher legislation to deal

with a growing identity theft problem.• Federal legislation possible

Statutory/Lawsuit Trend (2/3)• “Sensitive personal information” means … an individual’s first

name or first initial and last name in combination with any one or more of the following items, if the names and the items are not encrypted:

– social security number;– driver’s license number or government-issued identification number;

or– account number or credit or debit card number in combination with

any required security code, access code, or password that would permit access to an individual’s financial account

– Other: biometric data ignored in this presentation.

Statutory/Lawsuit Trend (3/3)

• How does Tex. Bus. & Com. Code § 521.053(b) (2009) apply to lawyers?– Three business duties

• Use reasonable procedures to safeguard SPI…• Destroy or arrange for destruction of SPI…• Notify when a breach is detected or when you are notified of a

breach…– “Many entities don’t discover a breach until someone from law

enforcement notifies them. By then, it’s too late.”

• Tied to the DTPA

What is Sensitive Personal Information (SPI)?

• First initial and last name OR First name and last name

• Combined with any of:– Social security number OR – Drivers license number OR – Account or credit card number in combination

with any required security code, access code, or password that would permit access to that account.

Business Duty 1: Use “reasonable procedures”…

• “..including appropriate corrective action to protect unlawful use or disclosure of any SPI collected or maintained by the business in the regular course of business.”

• Cannot be delegated.

• Liable for the actions of your employees, regardless.

What is the Reasonable Standard?

• The business owner?• The SPI owner (i.e., the potential victim)• IT personnel?• Information assurance (IA) experts?• Prevailing public perception?

Is there a standard?

Reasonable Procedures

• Must be in writing.• Protect against anticipated threats or hazards.• Consider administrative, technical, and physical. • Consider all aspects of the SPI -- collection, storage,

access, use, transmission, and protection.• Consider the security framework of prevention,

detection, and remediation.• Institutionalize procedures. • Train.• Audit.

Continuous Process

• Have a written information security program (WISP).

• Have a third party test your systems.• Document the problems. • Fix the problems.• Conduct periodic reviews.

Business Duty 2: Destroy or Arrange for the Destruction…

• “…of customer records by shredding, erasing, or “otherwise modifying the sensitive PI in the records to make the information unreadable or indecipherable through any means”

• What works?• What doesn’t work?

Business Duty 3: Notify Potential Victims

• “… after discovering or receiving notification of that breach … as quickly as possible”

• How do you discover a breach?• What constitutes “receiving notification of

that breach”? • What does “quickly as possible” mean?• How do I notify potential victims

The Good News

The use of reasonable procedures and proper destruction work for all types of data a law

office might maintain.

What Does the Attorney General Tell an Identity Theft Victim To Do

• http://www.texasfightsidtheft.gov/• Create a written criminal report to protect

themselves from being denied credit.• File report with the Federal Trade

Commission.• Collect as much evidence as possible. This

evidence can be used against you!

Your Liability

• Statutory fines to Texas

• To the SPI Owner:– Lost income – Expenses of fixing credit– Attorney fees– Possible treble damages under DPTA

• Your consequences: – Loss of revenue and reputation

What SPI Do You Routinely Maintain?

• Employee Records– Every employee record has the employee’s name and

social security number• Client Contact Information – Besides SPI, IP and client sensitive information

• Discovery Documents • Statutory exceptions:– Statue excludes publicly available information

available from federal, state, or local governments – Excludes encrypted data

• No statutory definition for “encryption”

Do Not Rely on the Encryption Exception

• Encryption is not a yes/no category.– Encryption is a continuum from weak to strong.

• True encryption requires encryption throughout system; one piece of your system that is not encrypted renders the entire system vulnerable.

Contact

• Paula deWitte, P.L.L.C.• Paula.deWitte@PauladeWitte.com• Cell: 512.633.3791