Ethics: Technology Security Issues for Attorneys

3:30 p.m. - 4:30 p.m.

Presented by Brian McCormac

Brown Winick PLC, 666 Grand Ave, Suite 200, Des Moines, IA 50309

Environmental Law Seminar, Friday, February 17, 2017



Page 2: Environmental Law Seminar

Ethical Issues and Data Security

Prepared by James Pray

Presented by Brian McCormac

BrownWinick Law Firm

666 Grand Avenue, Suite 2000, Des Moines, IA 50309-2510

www.brownwinick.com

What You Will Learn

Why it matters

Ethical Rules requiring the safeguarding of confidential data

Rule 1.6, requiring the prevention of unauthorized disclosure of client information.

Duty to maintain client confidences

Page 3: Environmental Law Seminar

What You Will Learn

What Rules Govern the Use of Personal Information and Data

What information is protected, beyond client information alone.

What Happens if There is a Breach

How to start protecting yourself and your firm.

Why This Matters?

Major penetrations of large law firms by Government-sponsored hackers

High Profile Breaches (Cravath, Swaine & Moore; Weil, Gotshal & Manges; Cleary Gottlieb; Mayer Brown; Latham & Watkins; Covington & Burling; and Davis Polk & Wardwell).

http://dailycaller.com/2016/12/07/china-allegedly-behind-major-security-breach-at-big-time-us-law-firms/#ixzz4XTpq3LWD

Page 4: Environmental Law Seminar

Why This Matters?

Some estimate that 1 in 4 law firms have already been breached.

Up to 3 in 4 of major law firms have been breached by some estimates.

Bottom Line Impacts (fines, reputation, PR costs)

Why This Matters?

On December 27, 2016 the Manhattan U.S. Attorney announced the arrest of one foreign national and charges against three others for hacking seven law firms to make more than $4 million from insider trading.

Page 5: Environmental Law Seminar

Why This Matters?

Litigation threatened against penetrated law firms.

Corporate Clients are asking for proof that law firms are taking steps to protect communications and data.

Page 6: Environmental Law Seminar

What Rules Apply to Lawyers?

Iowa Ethics Rules

State Privacy Laws (Iowa Code Chapter 715C – Personal Information Security Breach Protection)

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• Business Associate Agreements

Engagement Agreements

Iowa Rules of Professional Conduct

Rule 32:1.6 Confidentiality of Information

• (a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation, or the disclosure is permitted by paragraph (b) or required by paragraph (c).

Page 7: Environmental Law Seminar

Iowa Rules of Professional Conduct

Rule 32:1.6 Confidentiality of Information

• Guess what? Paragraphs (b) through (c) won’t help (preventing death, crimes, etc.)

Comments 16 and 17 provide guidance.

Iowa Rules of Professional Conduct

Rule 32:1.6 Comment 16:

• A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See rules 32:1.1, 32:5.1, and 32:5.3.

Page 8: Environmental Law Seminar

Iowa Rules of Professional Conduct

Rule 32:1.1 (mentioned at 32:1.6, comment 16):

• Rule 32:1.1: COMPETENCE. A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.

Iowa Rules of Professional Conduct

Rule 32:5.1(a) (mentioned at 32:1.6, comment 16):

• A partner in a law firm, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that all lawyers in the firm conform to the Iowa Rules of Professional Conduct.

Page 9: Environmental Law Seminar

Iowa Rules of Professional Conduct

Rule 32:5.1(a) Comment 2:

• Paragraph (a) requires lawyers with managerial authority within a firm to make reasonable efforts to establish internal policies and procedures designed to provide reasonable assurance that all lawyers in the firm will conform to the Iowa Rules of Professional Conduct. . . .

Iowa Ethics Opinion 11-01

The question was whether lawyers could ethically use “software as a service” (SaaS).

We commonly refer to SaaS now as “cloud services.”

The Committee turned to Rule 32:1.6 and comment 17.

Page 10: Environmental Law Seminar

• The Opinion begins with Rule 32:1.6 Comment 17:

• When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.

Rule 32:1.6 Comment 17:

• This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions.

Page 11: Environmental Law Seminar

Rule 32:1.6 Comment 17:

• Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.

Rule 32:1.6 Comment 17:

• A client may require the lawyer to implement special security measures not required by this rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this rule.

Page 12: Environmental Law Seminar

Iowa Ethics Opinion 11-01

The Committee suggested:

• Preserve access to data if access to SaaS (Cloud) is lost.

• Due diligence regarding the vendor.

• Know the cost and how to terminate (and erase) after termination of service.

• Password protection, and whether there is potential public access to the data.

• Consider data encryption to protect data.

Iowa Ethics Rules

The Opinion and rules, though not updated for current data use, are surprisingly applicable to today’s environment.

• Know the risks.

• Avoid loss of data to third parties.

• Install adequate management systems to protect data.

Page 13: Environmental Law Seminar

Ethics vs. State Law

Lawyers’ obligations to protect client data are also covered by state laws governing the obligation to inform not just clients but third parties whose data may be on your firm server.

Ethics vs. State Law

As an example, social security numbers of both buyers and sellers may be in your real estate and business closing files.

If a hacker has access to your server due to a breach, your firm may have to contact the other side of the deal under applicable state law.

Page 14: Environmental Law Seminar

State Data Breach Notification Laws

Each state has slightly different laws.

If you or your firm suffer a breach, you will need to comply with the laws of EVERY state in which your clients or affected third parties reside.

Firm Objectives

Minimize risk to the Clients and Firm.

Decide on reporting to State and Federal agencies.

Coordinate reporting breaches to customers and agencies.

Page 15: Environmental Law Seminar

Get the facts:

What do we know?

How was it discovered?

• Customers

• FBI

• Secret Service

• IT Vendor

• IT Department

Get the facts:

Have specialists been brought in?

What sort of information may have been exposed?

Is the breach over?

Can we trust the firm’s IT department?

Page 16: Environmental Law Seminar

Confidences

An attorney can conduct a confidential investigation.

IT specialists, investigators, and law enforcement are not subject to the attorney-client privilege.

Steps need to be taken to make sure that the attorney-client privilege is maintained.

The Breach:

Internal breach?

• Internal: HR issues are triggered.

• Access lockdown protocols.

• Logging: Your firm has installed logging of activity, right?

Page 17: Environmental Law Seminar

The Breach:

Loss of a smartphone?

Loss of a tablet or laptop?

Loss of CDs, backup tapes?

Forget to wipe hard drives on printers after the lease is up?

The Breach:

External breach?

• Random?

• Targeted? What were they looking for?

• Is it some Ukrainian kid or a foreign state?

• What did they get access to?

Page 18: Environmental Law Seminar

Right team?

Do we have the right IT people?

• Can IT be trusted?

• Are they competent?

• Who needs to be hired if not?

After the breach, lock it down

Restrict Access.

Change passwords.

Copy log files.

Prevent overwriting of backups.

Stop deletion of backups.

Keep track of all steps during lock down.

Preserve all data.
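The lock-down list above (copy the logs, stop backups being overwritten, keep track of every step, preserve everything) is a forensic preservation procedure. As an added example, not code from the slides or from the firm, the following Python script carries it out for a directory of log files: each file is copied into an evidence directory, made read-only, hashed with SHA-256, and recorded in a manifest together with a timestamped record of every step taken. A verify function re-hashes the copies so that later tampering, or an accidental overwrite, is detectable. The log lines, paths and operator name are constructed placeholders.

```python
"""Preserve log files for a breach investigation with a hash manifest.

Added example (not from the seminar slides): copies every file under a
source directory into a read-only evidence directory, records a SHA-256
digest and timestamps for each copy, and logs each step taken so that
the lock-down itself is documented. All paths and names are hypothetical.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(source: Path, evidence: Path, operator: str) -> dict:
    """Copy the source tree under evidence/files, hash each copy, and write
    evidence/manifest.json. Returns the manifest for inspection."""
    source, evidence = Path(source), Path(evidence)
    evidence.mkdir(parents=True, exist_ok=True)
    steps = []

    def log(msg: str) -> None:
        steps.append({"time": datetime.now(timezone.utc).isoformat(), "step": msg})

    log(f"preservation started by {operator} from {source}")
    files = []
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        dst = evidence / "files" / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)      # copy2 keeps the source modification time
        os.chmod(dst, 0o444)        # read-only copy: guards against overwriting
        files.append({
            "path": str(rel),
            "size": dst.stat().st_size,
            "sha256": sha256_of(dst),
            "source_mtime": datetime.fromtimestamp(
                src.stat().st_mtime, timezone.utc).isoformat(),
        })
        log(f"copied and hashed {rel}")
    log("preservation complete")
    manifest = {"operator": operator, "source": str(source),
                "files": files, "steps": steps}
    (evidence / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence: Path) -> list:
    """Re-hash every preserved file; return the paths whose digest changed
    or which are missing. An empty list means the evidence is intact."""
    evidence = Path(evidence)
    manifest = json.loads((evidence / "manifest.json").read_text())
    changed = []
    for entry in manifest["files"]:
        copy = evidence / "files" / entry["path"]
        if not copy.exists() or sha256_of(copy) != entry["sha256"]:
            changed.append(entry["path"])
    return changed


def build_sample_logs(root: Path) -> Path:
    """Constructed sample: two small files standing in for real server logs."""
    src = Path(root) / "var_log"
    src.mkdir(parents=True, exist_ok=True)
    (src / "auth.log").write_text(
        "Feb 17 03:12:05 fileserver sshd[812]: Accepted password for jdoe from 203.0.113.7\n"
        "Feb 17 03:12:40 fileserver sshd[812]: session opened for user jdoe\n")
    (src / "access.log").write_text(
        '203.0.113.7 - - [17/Feb/2017:03:13:01 -0600] "GET /closings/2016/ HTTP/1.1" 200 5120\n')
    return src


def run_demo() -> dict:
    """Stand-alone run: preserve constructed logs, verify, then show that an
    edit to a preserved copy is caught on re-verification."""
    work = Path(tempfile.mkdtemp(prefix="breach-evidence-"))
    src = build_sample_logs(work)
    evidence = work / "evidence"
    manifest = preserve_logs(src, evidence, operator="investigator-placeholder")
    diffs_before = verify_evidence(evidence)
    target = evidence / "files" / "auth.log"      # simulate a later edit
    os.chmod(target, 0o644)
    target.write_text("edited after preservation\n")
    return {"files": [f["path"] for f in manifest["files"]],
            "steps": len(manifest["steps"]),
            "diffs_before": diffs_before,
            "diffs_after": verify_evidence(evidence)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest doubles as the "keep track of all steps" record: it names who ran the preservation, when each file was copied, and the digest that any later reviewer can recompute. Keep the manifest itself on separate, write-protected media so a compromised server cannot alter it.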

Page 19: Environmental Law Seminar

Determine what was accessed or attacked

What was accessed?

• Private customer files?

• Client assets? (patents, R&D)

• Was it encrypted?

What was attacked?

• DOS?

• Defacement?

• Ransomware?

Get the dates:

Dates breaches took place?

Date the breach was first suspected?

• Note that this is an important date.

• May trigger notice deadlines.

Date breach confirmed?

Date private information was confirmed to have been stolen/accessed?

Page 20: Environmental Law Seminar

Determine if it is private information under state law

A client confidence is not necessarily private information.

A client confidence could be typed-up notes from the client interview or e-mails from the client: “I may have poured 2,000 gallons of TCE on the back forty”

Private Information could be the client’s SS#.

Page 21: Environmental Law Seminar

What is private information?

• Government Issued Identifier (SSN, Driver’s License, Pilot License, Inmate Number, etc.);

• Financial Account Number (credit card / debit card) in combination with any information to grant access to the account (expiration date, security code);

• Username and Password to a Financial Account; or

• Biometric Data Representation (fingerprint, retina, or iris);

• Health Information.

Next: Notifications.

Is there a crime?

Duty to report?

Will the breach be reported to agencies?

• Local Police (good luck)

• FBI (cross-jurisdictional, federal laws)

• Secret Service (banking)

• Regulatory (Defense Department, Treasury, FDIC, State/Federal banking, SEC, and FTC)

Page 22: Environmental Law Seminar

Notification of Law Enforcement

• Criminal Notification.

• Law enforcement must determine if notification to consumers/users of data will reveal sensitive sources and methods or impede the ability of the agency to conduct its investigation.

• Make sure you are prepared.

• Backup copies.

• Logs.

Next: Notifications.

Page 23: Environmental Law Seminar

This is a real law firm notification.

Notification Requirements

Contract Notifications

• IT Vendor contracts may require notification of any breach, regardless of whether information can be identified.

• Client agreements may require notification of breaches.

• Poorly drafted contracts may inadvertently trigger unnecessary notifications.

Page 24: Environmental Law Seminar

Notification Requirements

Insurance Notifications

• Must be timely under the terms of the policy.

• Read the policy.

• Should not be subject to a Criminal Investigation hold. Report.

• Do not assume that you will get this handled on your own, or that an unnecessary report will drive up premiums.

• Report it to the carrier.

Iowa Code Chapter 715C

Keep in mind that if you have 50 clients in 50 different states, then you will have to follow all of the laws of all 50 states.

Page 25: Environmental Law Seminar

Iowa Code Chapter 715C

715C.1(11) defines a “breach of security” in relevant part as follows:

• “Unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information.”

• Iowa is an “acquisition” state. You or your investigatory consultant would need to determine if the breach resulted in an “acquisition.”

• Some states (very few) are “access” states.

Iowa Code Chapter 715C

It is possible for a rogue program to “access” a system without actually acquiring any data.

• Difficult but not impossible to prove with sufficient security logs and monitoring software.

• One example could be a malicious e-mail that launches ransomware. The ransomware will potentially destroy data without transmitting the data to third parties.

Page 26: Environmental Law Seminar

Iowa Code Chapter 715C

715C.1 defines “personal information” as:

• SS#

• Government ID (driver’s license)

• Financial Account numbers

• Unique ID that in combination with passwords or codes allows access to a financial account

• Biometric data.

Iowa Code Chapter 715C

Requires notification to consumers if “Personal Information” is accessed.

If more than 500 Iowans are affected, then also notify the Attorney General’s office.

Page 27: Environmental Law Seminar

Iowa Code Chapter 715C

Data that law firms can have that would constitute 715C personal information:

• Tax Returns (account data, SS#s)

• Payment Systems (credit card numbers)

• Bank Payment information

Note that the firm may have lost very valuable information that constitutes a “client confidence” that does not constitute 715C personal information.

Iowa Code Chapter 715C

If personal information is lost, then Iowa law triggers consumer notifications.

Notice must be given in the most expeditious manner possible and without unreasonable delay.

Law Enforcement may request a delay.

Page 28: Environmental Law Seminar

Iowa Code Chapter 715C

Iowa is one of the states that has a safe harbor exception:

• Notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach.

Other States are very different.

There are excellent “large firm” databases that provide reasonably up-to-date charts of the laws of each state: https://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf

https://www.bakerlaw.com/files/uploads/documents/data%20breach%20documents/data_breach_charts.pdf

You need to do your own due diligence, however.

Page 29: Environmental Law Seminar

Other States are very different.

Massachusetts:

• Do not include description of the breach in the letter.

• Do not specify the number of individuals affected.

Most other states:

• DO include a description of the breach.

Other States are very different.

Texas, Arkansas, Minnesota (as an example):

• If an account number or debit card number is stolen, notification is required only if a security code, access code, or password was also stolen.

Massachusetts, North Carolina, Maryland (as an example):

• Have different notification of consumer rights.

Page 30: Environmental Law Seminar

State Data Breach Notification

Generally requires notice to people if there is a breach of personal information that is not encrypted.

• Indiana, Wyoming: no.

• New York City, D.C.: no.

The encryption exception may not last much longer.

• Was the key also stolen? Then the data is not encrypted.

State Data Breach Notification for Consumers

Many states have different triggers for notifying state offices. Some 2015 examples (number of affected residents):

Alaska: 1,000

California, Florida and Iowa: 500

Georgia: 10,000

Maryland: First must notify A.G.

Montana, Indiana: 1

Page 31: Environmental Law Seminar

State Data Breach Deadlines for Notification to Consumers

States have many different triggers. Some examples:

Connecticut: 90 days after discovery.

Florida: no more than 30 days.

Ohio: 45 days after discovery.
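The slides from "What is private information?" through the deadlines above amount to a triage decision: for each exposed record, was it effectively encrypted, does it contain personal information in the sense the slides describe, and, per state of residence, is the agency threshold met and when does the consumer notice fall due? As an added example, not the presenters' or the firm's code and not legal advice on current law, the following Python encodes exactly what the slides state: the personal-information elements, the "was the key also stolen" caveat, the Texas/Arkansas/Minnesota account-number-plus-code rule, the Iowa 715C bullets, and the 2015 thresholds and deadlines quoted above. The element names, state abbreviations, and sample records are constructed; where the slides are silent the helper returns "lookup" rather than guessing, and the "at or above" reading of the bare Alaska/California/Florida/Georgia numbers is an assumption noted in the code.

```python
"""Breach-notification triage: is the lost data "personal information", and
which states' agency thresholds and consumer deadlines are in play?

Added example for this seminar outline, not the presenters' or the firm's
code. It encodes only what the slides state; element names and the sample
records are constructed; where the slides give no rule the answer is
"lookup", not a guess.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Elements the slides list as personal information on their own.
IDENTIFIERS = {"ssn", "drivers_license", "government_id", "biometric", "health_info"}
FINANCIAL = {"account_number", "credit_card", "debit_card"}
ACCESS_CODES = {"security_code", "access_code", "password", "expiration"}

# Account number with NO access code: the slides say TX/AR/MN do not require
# notice, while the Iowa 715C slide lists account numbers as personal information.
ACCOUNT_NUMBER_ALONE = {"TX": "no", "AR": "no", "MN": "no", "IA": "yes"}

# Minimum affected-resident count that triggers notice to the state agency,
# from the slides' 2015 examples. Iowa is "more than 500" on the slide; for
# AK/CA/FL/GA the slide gives a bare number, and "at or above" is an assumption.
AGENCY_MIN_COUNT = {"AK": 1000, "CA": 500, "FL": 500, "IA": 501, "GA": 10000,
                    "MT": 1, "IN": 1, "MD": 1}   # MD: must notify the A.G. first
# Consumer-notice deadlines quoted on the slides, in days after discovery.
DEADLINE_DAYS = {"CT": 90, "FL": 30, "OH": 45}


@dataclass
class ExposedRecord:
    state: str              # residence of the data subject
    elements: set           # constructed element names; see the sets above
    encrypted: bool = False
    key_compromised: bool = False

    def effectively_encrypted(self) -> bool:
        """Slides' caveat: if the key was also stolen, treat as not encrypted."""
        return self.encrypted and not self.key_compromised


def is_personal_information(rec: ExposedRecord) -> str:
    """Return "yes", "no", or "lookup" (the slides give no rule for that state)."""
    e = rec.elements
    if e & IDENTIFIERS:
        return "yes"
    if {"username", "password"} <= e:       # assumed: credentials to a financial account
        return "yes"
    if e & FINANCIAL:
        if e & ACCESS_CODES:
            return "yes"                    # number plus information granting access
        return ACCOUNT_NUMBER_ALONE.get(rec.state, "lookup")
    return "no"


def triage(records, discovered_iso: str) -> dict:
    """Per state: residents needing consumer notice, whether the quoted agency
    threshold is met, and the consumer deadline where the slides quote one."""
    discovered = date.fromisoformat(discovered_iso)
    counts, lookups = {}, set()
    for rec in records:
        if rec.effectively_encrypted():
            continue                        # encryption exception
        verdict = is_personal_information(rec)
        if verdict == "lookup":
            lookups.add(rec.state)
        elif verdict == "yes":
            counts[rec.state] = counts.get(rec.state, 0) + 1
    states = {}
    for st, n in sorted(counts.items()):
        minimum = AGENCY_MIN_COUNT.get(st)
        days = DEADLINE_DAYS.get(st)
        states[st] = {
            "consumers": n,
            "agency_notice": "lookup" if minimum is None else ("yes" if n >= minimum else "no"),
            "consumer_deadline": None if days is None
                                 else (discovered + timedelta(days=days)).isoformat(),
        }
    return {"states": states, "needs_lookup": sorted(lookups)}


def build_sample_records() -> list:
    """Constructed sample exposure: parties from a few closing files."""
    return [
        ExposedRecord("IA", {"ssn", "name"}),
        ExposedRecord("IA", {"ssn", "name"}),
        ExposedRecord("IA", {"ssn", "name"}),
        ExposedRecord("FL", {"credit_card", "security_code"}),
        ExposedRecord("TX", {"credit_card"}),                        # no code: no notice
        ExposedRecord("CT", {"ssn"}, encrypted=True, key_compromised=True),
        ExposedRecord("OH", {"ssn"}, encrypted=True),                # key safe: exception
        ExposedRecord("MT", {"drivers_license"}),
        ExposedRecord("CA", {"account_number"}),                     # slides silent: lookup
    ]


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_records(), "2017-02-17"), indent=2))
```

Run against the constructed records with a discovery date of 2017-02-17, the helper reports Iowa with three consumers but no Attorney General notice (below "more than 500"), Florida due by 2017-03-19, Connecticut due by 2017-05-18 with its agency rule marked for lookup, Montana's agency notice triggered by a single resident, and California flagged for lookup because the slides do not say whether an account number alone qualifies. The point of the "lookup" result is the one the slides make: the state charts change, so anything not confirmed must be checked against current law rather than assumed.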

State Data Breach Agencies for Notification of Consumers

States designate different agencies that must be notified:

New Jersey: State Police

Puerto Rico: Dept. of Consumer Affairs.

Maine: Dept. of Professional & Fin. Reg.

Mass: Office of Consumer Affairs & Reg.

Page 32: Environmental Law Seminar

“Regular email is not a secure method for sending sensitive data. The better practice is to encrypt any transmission that contains information that could be used by fraudsters or identity thieves.”

Federal Trade Commission’s November 2011 Guide to Business.

Page 33: Environmental Law Seminar

First Steps

Develop & Review Policies and Procedures

Train Employees

Long, Unique Passwords

Multiple Usernames and Passwords (2-Step)

Secure Connections

Encryption

Indemnification of Third-Party Agreements

Add/Review Insurance Coverage

Second Steps

Train all staff and attorneys on how to spot bad e-mails and how to avoid clicking on potentially bad links.

Conduct phishing tests of your attorneys and employees.

Install mobile device management on all tablets, laptops, and smart phones that have access to your system.

Page 34: Environmental Law Seminar

BrownWinick tests its attorneys and staff every month.

Different e-mails are sent to everyone in the firm to train them not to click on links from unknown or suspicious sources.

Second Steps

Install advanced (new generation) firewalls that can actively monitor information on your system for malicious behavior and not just examine data when it arrives at the firewall.

Install logging software for forensic use.

Consider hiring a security firm to conduct penetration audits of your firm.

Consider hiring a security firm to monitor your server and firewall logs.

Page 35: Environmental Law Seminar

Website: www.brownwinick.com

Toll Free Phone Number: 1-888-282-3515

OFFICE LOCATIONS:

666 Grand Avenue, Suite 2000, Des Moines, Iowa 50309-2510

Telephone: (515) 242-2400

Facsimile: (515) 283-0231

DISCLAIMER: No oral or written statement made by BrownWinick attorneys should be interpreted by the recipient as suggesting a need to obtain legal counsel from BrownWinick or any other firm, nor as suggesting a need to take legal action. Do not attempt to solve individual problems upon the basis of general information provided by any BrownWinick attorney, as slight changes in fact situations may cause a material change in legal result.