Carlsmith Ball LLP | Cyber Issues For Lawyers | Deborah Bjes | October 22nd, 2015

Jan 20, 2016


Phyllis Horton
Transcript

Page 2: Why are lawyers targets?

Maintain valuable information

Verizon’s 2015 Data Breach Investigations Report found that the legal department is far more likely to actually open a phishing e-mail than all other departments.

Page 3: Phishing emails: Lawyers easy targets?

• 23% of lawyers opened the email

• 11% clicked on the attachment

WHY?

Page 4: Are lawyers targets?

Lawyers must work efficiently

Lawyers look for new opportunities

Lawyers want to assist

Lawyers are trusting within relationship

Technologically challenged?

Page 5: Changes in technology - Changes in lawyer’s duty:

Lawyers must:

Stay up-to-date with technology.

Secure client & company data.

Avoid mishandling electronic documents.

Page 6: Maintaining competence

ABA Model Rule 1.1

[8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

Page 7: Confidentiality of information

ABA Model Rule 1.6

(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).

* * * * * * * *

(c)  A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

Page 8: ABA Model Rule 1.6

Acting Competently to Preserve Confidentiality

Comment [18]: … The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.

Factors: 1) sensitivity of the information, 2) likelihood of disclosure, 3) the cost, and 4) the difficulty of implementing the safeguards.

Comment [19]: … This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. …


Page 10: Potential cyber causes of action

Negligence

Breach of contract

Waste and conversion

Invasion of privacy

Breach of fiduciary duty

Page 11: Direct costs

• Forensic experts to establish extent of stolen data (who/what)

• Notification costs

• Credit monitoring cost

• Business interruption cost

• Network restoration cost

• Public relations firm fees/costs – restore/mitigate reputational damage

• Fines

Page 12: Indirect costs

Management/executive time

Loss of good will.

Cost of reissuing documents or credit cards

Cost of mailings/expedited postage

Declined credit card transactions

Page 13:

Management must understand the importance of security.

Avoid “it won’t happen to me” thinking.

Allocate resources!

Obtain upper management buy-in!

Page 14: Expense of cyber breach

Decrease

Incident response team

Extensive use of encryption

Employee training

Board level involvement

Increase

Third party involvement in breach

Quick notification

Lost or stolen device

Engagement of consultants

Page 15: Breakdown of claims costs

$62.3 million in pay-outs on 85 claims

48% on crisis services

– $1.5 million in forensics

– $6.15 million in notification costs

– $2.5 million in legal guidance

– $135,000 in public relations

15% on legal defense

10% on legal settlements

10% on regulatory defense

6% on regulatory fines

11% on other fines

Page 16: State breach notification statutes: Know them (or know someone who does!)

Requires prompt notification of unauthorized access to personal information

47 states, DC, Puerto Rico and US VI

Common features relate to:

• Notification trigger

• Notification requirements

• Timing of notice

• Remedies

• Enforcement/fines

Page 17: Notification considerations

Is it required?

• If not, is there a benefit or other need?

Timing of notification

• Avoid rush to notify v. will media beat you to it?

• Law enforcement may delay notification

Who must be notified?

• Affected individuals

• Government or regulatory agencies

• Banks

• Media

Who drafts notification letter?

Credit monitoring: To offer or not?

Page 18:

• Create an educated/proactive work force!

• Focus on the weakest link!

• Create an open door for discussion.

• Avoid finger pointing.

• Do all employees know who to call?

• Are all systems security ready before roll out?

• Are outdated systems retro-fitted?

Page 19: Cyber security plan

Page 20: Cyber security plan and protocols

Well defined objectives

Agreed upon management plan

Nuts and bolts details

Insurance can assist

Page 21: What do I do? I have had a breach! (Or may have had a breach!)

Create a Response Plan (75% of the work should be done before incident)

Who is point person? Spokesperson?

Notify law enforcement. (should be aware of identify b/c incident)

Retain privacy counsel! (already lined up)

Retain forensic consultant. (already lined up)

Determine PR issues/ Retain a PR Firm. (already lined up)

Investigate timely notice requirements!

Public company disclosure requirements.

Notice your carrier/broker!

Activate “dark site”.

Page 22: Further considerations

• Whether to employ routine cyber risk safety audits?

• Should you employ cyber incident drills?

• Should vendors employ cyber risk safety standards? (weakest link)

• Should business partners employ cyber risk safety standards?

• How to decide whether to compensate clients/customer if incident?

• In addition to notice – consider credit monitoring/gift cards?

• Should you build a “dark website”?


Page 24: No standard cyber policy

• Compare pricing and policies

• Understand what is covered & what is not

• Understand notice requirements

• Determine what is really needed

• Negotiate your needs

Page 25: What is cyber insurance? There is no agreed upon definition.

Generally: policy covering one or more of the following:

• Damage to digital assets (data, software) not considered tangible property.

• Business interruption triggered either by damage to digital assets or impairment of external services.

• Liabilities arising out of privacy issues, 3rd party infringement of intellectual property, virus transmission, or any other serious trouble.

Page 26: Cyber insurance

Crisis management expenses: privacy counsel, public relations or crisis management firm.

Forensic expenses: services to determine cause and scope.

Notification expenses: mandatory notification of customers whose sensitive personal information has been breached.

Credit monitoring expenses: monitoring, credit freezing or fraud alert service expenses for breaches of true identity data.

Page 27: Cyber insurance

Cyber extortion insurance: Covers expenses to obtain legal, public relations or crisis management services to protect the company’s reputation.

Digital asset loss: Will fund costs incurred to replace or recover data which has been corrupted or destroyed as a result of a network security failure.

Regulatory action coverage: Covers loss (damages, defense costs, civil fines or penalties to the extent insurable by law) resulting from a regulator action.

Page 28: Cyber risk insurance - examples

Risks | Coverage: Traditional Policies | Cyber and Privacy Policy

Legal liability to others for privacy breaches | | Privacy liability: harm suffered by others due to the disclosure of confidential information

Legal liability to others for computer security breaches | | Network security liability: harm suffered by others from a failure of your network security

Regulatory actions | | Legal defense for regulatory actions

Identity theft | | Expenses resulting from identity theft

Privacy notification requirements | | Cost to comply with privacy breach notification statutes

Loss or damage to data / information | | Property loss: the value of data stolen, destroyed, or corrupted by a computer attack

Extra expense to recover / respond to a computer attack | | Cyber extortion: the cost of investigation and the extortion demand

Loss of revenue due to a computer attack | | Loss of revenue: business income that is interrupted by a computer attack

Loss or damage to reputation | |

Page 29: Thank you!

Page 30: Disclaimer

• ©2015 Swiss Re Corporate Solutions. All rights reserved. You are not permitted to create any modifications or derivatives of this presentation or to use it for commercial or other public purposes without the prior written permission of Swiss Re Corporate Solutions.

• Although all the information used was taken from reliable sources, Swiss Re Corporate Solutions does not accept any responsibility for the accuracy or comprehensiveness of the details given. All liability for the accuracy and completeness thereof or for any damage resulting from the use of the information contained in this presentation is expressly excluded. Under no circumstances shall Swiss Re Corporate Solutions or its Group companies be liable for any financial and/or consequential loss relating to this presentation.