CHAPTER 4

DATA SECURITY/DATA BREACH: WHAT EVERY LAWYER NEEDS TO KNOW TO PROTECT CLIENT INFORMATION

Sheila M. Blackford
Professional Liability Fund Practice Management Advisor

Hong Dao
Professional Liability Fund Practice Management Advisor
MCLE FORM 1: Recordkeeping Form (Do Not Return This Form to the Bar)
Instructions: Pursuant to MCLE Rule 7.2, every active member shall maintain records of participation in accredited CLE activities. You may wish to use this form to record your CLE activities, attaching it to a copy of the program brochure or other information regarding the CLE activity.
Do not return this form to the Oregon State Bar. This is to be retained in your own MCLE file.
*Credit Calculation: One (1) MCLE credit may be claimed for each sixty (60) minutes of actual participation. Do not include registration, introductions, business meetings and programs less than 30 minutes. MCLE credits may not be claimed for any activity that has not been accredited by the MCLE Administrator. If the program has not been accredited by the MCLE Administrator, you must submit a Group CLE Activity Accreditation application (See MCLE Form 2.)
Caveat: If the actual program length is less than the credit hours approved, Bar members are responsible for making the appropriate adjustments in their compliance reports. Adjustments must also be made for late arrival, early departure or other periods of absence or non-participation.
*Personal Management Assistance/Business Development. See MCLE Rule 5.11 and Regulation 5.300 for additional information regarding Category III activities. Maximum credit that may be claimed for Category III activities is 6.0 in a three-year reporting period and 3.0 in a short reporting period.
Chapter 4
Data Security/Data Breach: What Every Lawyer Needs to Know to Protect Client Information
Table of Contents
PowerPoint Slides .......... 4-1
Protecting Yourself and Law Firm from Data Breach Checklist .......... 4-12

To view these chapter materials and the additional resources below on or before November 1, go to www.osbplf.org, select Upcoming CLE, select Learning The Ropes, and click on program materials, under Quick Links. After November 1, select Past CLE, Learning The Ropes, and click on program materials, under Quick Links.
Additional Resources
What to Do After a Data Breach, In Brief article, available at: https://www.osbplf.org/assets/in_briefs_issues/What%20to%20Do%20After%20a%20Data%20Breach%20April%202016%20In%20Brief.pdf
What’s Backing Up Your Data, In Brief article, available at: https://www.osbplf.org/assets/in_briefs_issues/Whats%20Backing%20Up%20Your%20Data.pdf
How to Back up Your Computer, PLF practice aid, https://www.osbplf.org/assets/forms/pdfs//How%20to%20Back%20Up%20Your%20Computer.pdf
Beware Ransomware, In Brief article, available at: https://www.osbplf.org/assets/in_briefs_issues/Beware%20Ransomware%20Data%20Encrypting%20Software%20Continues%20to%20Extort%20Money.pdf
Data Security/Data Breach: What Every Lawyer Needs to Know to Protect Client Information
Sheila Blackford & Hong Dao, PLF Practice Management Advisors | Attorneys
What is Data Breach
How to Protect Client Data
What to Do When a Breach Occurs
Lawyer’s Other Ethical Obligations
Data
4-1
ORPC 1.1: Provide competent representation to a client
OSB Ethics Opinion 211‐187 & ABA Rule 1.1 (Comment 8): Understand technology and its risk
ORPC 1.15‐1: Client property shall be identified as such and appropriately safeguarded
• Safeguard client physical property & electronic property
• Understand how to use technology safely
• Have a response plan
What is a data breach?
Data viewed, stolen or used without authority or knowledge
4-2
Common Methods of Social Engineering (SE) Attack
• Dumpster Diving
• Pretexting
• Physical Entry
• Phishing
• Enticement
Malware Infection
• Adware
• Spyware
• Trojan Horse
• Virus
• Worm
• Ransomware
4-4
Phishing
Anatomy of a Phishing Email
• Sender’s email doesn’t look right
• You weren’t expecting that email
• Misspelled words & poor grammar
• Asks you to open an attachment or click on a link
• High sense of urgency
• References to threat/reward
• Requests personal information
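The indicators on this slide can be turned into a simple screening rule that runs over an incoming message before anyone clicks. The Python script below is an added example written for this chapter, not code from the slides or from the PLF. Both sample messages, the set of known sender domains (KNOWN_SENDER_DOMAINS) and the keyword lists are constructed for illustration; the "you weren't expecting that email" indicator is left to the human reader, since code cannot judge it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail), used only to exercise the checks.
PHISHING_SAMPLE = """\
From: "Oregon State Bar Support" <support@osb-secure-login.example>
To: attorney@lawfirm.example
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/plain

Dear Valued Member,

We detected unusual activty on your acount. You must verify your password and
social security number immediatly or your account will be suspended.
Click here: http://osb-secure-login.example/verify
"""

BENIGN_SAMPLE = """\
From: "Jane Client" <jane@clientco.example>
To: attorney@lawfirm.example
Subject: Question about Thursday's meeting
Content-Type: text/plain

Hi, could we move Thursday's meeting to 2 pm? Thanks, Jane
"""

# Assumption: the domains the firm actually corresponds with. A real filter
# would take these from the contact list or the mail server's allow list.
KNOWN_SENDER_DOMAINS = {"clientco.example", "lawfirm.example"}

# Keyword lists are constructed for the example; tune them against real mail.
URGENCY = ("immediately", "urgent", "within 24 hours", "right away", "act now")
THREAT_REWARD = ("suspended", "legal action", "terminated", "refund", "prize", "winner")
PERSONAL_INFO = ("password", "social security", "ssn", "bank account",
                 "credit card", "verify your")
LURE_ACTIONS = ("click here", "open the attached", "attachment")
MISSPELLINGS = ("activty", "acount", "immediatly", "recieve", "adress")
LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def _any(text: str, phrases) -> bool:
    """True if any phrase occurs as a whole word or phrase in text."""
    return any(re.search(r"\b" + re.escape(p) + r"\b", text) for p in phrases)


def phishing_indicators(raw: str) -> list[str]:
    """Return the slide's indicators that fire on one plain-text message."""
    msg = message_from_string(raw)
    hits = []
    _display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain not in KNOWN_SENDER_DOMAINS:
        hits.append("sender's address doesn't look right (unknown domain)")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    if LINK_RE.search(text) or _any(text, LURE_ACTIONS):
        hits.append("asks you to click a link or open an attachment")
    if _any(text, URGENCY):
        hits.append("high sense of urgency")
    if _any(text, THREAT_REWARD):
        hits.append("references a threat or reward")
    if _any(text, PERSONAL_INFO):
        hits.append("requests personal information")
    if _any(text, MISSPELLINGS):
        hits.append("misspelled words / poor grammar")
    return hits


def is_suspicious(raw: str, threshold: int = 3) -> bool:
    """Flag a message when at least `threshold` indicators fire together."""
    return len(phishing_indicators(raw)) >= threshold


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, phishing_indicators(sample))
```

No single indicator is decisive (a legitimate client can write "urgent"), which is why the rule counts how many fire together; the constructed lure trips all six, the benign note trips none.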
Ransomware
4-5
Phish → Infection → Ransom Note (“Warning!”) → Pay or restore
ORPC 1.6(c): Confidentiality: Make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
4-6
Password | Internet Browser | Computer | Files | Other
Password
• Use strong password
• Change frequently
• 2 factor authentication
• Consider password manager
• Don’t click on suspicious attachments and links
• Avoid getting spam emails
4-7
Internet Browser
• Update web browser
• Enable automatic updates
• Disable pop‐ups
Computer
• Install OS, program & app updates
• Install/update anti‐virus & malware protection
• Use firewall
• Don’t use free public WiFi
• Encrypt hard drive
Files
• Back up | Use 3‐2‐1
• Use secured file sharing
• Encrypt before upload
4-8
More
• Educate and train
• Be vigilant
• Ensure files are properly destroyed
• Limit facility entry
• Question unknown people in secured areas
• Contact Professional Liability Fund
• Contact Oregon State Bar
• Call IT expert
• Change usernames and passwords
4-9
• Consider placing bank/credit/security freeze
• File police report
• Notify clients
• Implement “How to protect client data” tips
• Contain the attack
• Notify the FBI
• Restore computer
Lawyer’s Other Duties
4-10
ORPC 5.1: Responsible for another lawyer’s conduct that violates the RPCs
ORPC 5.2: Responsibilities of subordinate lawyer
ORPC 5.3: Have a duty to supervise staff
Thank you!
Sheila [email protected]
503‐684‐7421
Hong [email protected]‐726‐1467
www.osbplf.org
4-11
Data Breach Checklist Page 1
Protecting Yourself and Law Firm from Data Breach Checklist
Data breach is the unintended exposure of your data to unauthorized viewers. As lawyers, we are entrusted with confidential data about our clients. This checklist is intended to help you become more secure. Think of it as a cyber security checklist that is helpful for identifying areas of concern for you to discuss with your IT support person. As cyber security is an area of ongoing change due to the increasing sophistication of cyber criminals, you should continue to seek out information about data security.

Passwords
1. Use passwords to protect all devices connected to the internet. Create strong passwords that are at least 14 characters or more using upper and lower case letters, numbers and special characters. Use a passphrase such as a sentence to help you to remember it.
2. Use a password manager program to store your passwords securely in an encrypted vault on your computer or in the cloud. Don’t store passwords in files on your computer such as in a Word document or Excel spreadsheet. If you must write down your passwords, secure them in a locked location.
3. Use two-factor authentication, which verifies your identity using two of the following methods: something you know (for example, a password), something you have (for example, a key or hardware authentication device), or something you are (for example, a fingerprint or retina scan). There are authentication devices that provide strong two-factor authentication; for example, a YubiKey (www.yubico.com) is itself a two-factor authentication device incorporating a physical key with your fingerprint that plugs into a USB port and supports one-time passwords, public key encryption and authentication. Their YubiKey 4C Nano is the world’s smallest USB-C authentication device for use with USB-C ports.
4. Keep your password confidential. Don’t share it with anyone.
5. Keep your password unique. Don’t re-use important passwords for multiple websites, devices or services.
6. Change your password frequently, such as every 30 or 45 days. Don’t recycle passwords!

Hardware and Software
7. Keep your hardware and software as current as possible with upgrades from the vendor. Those upgrades will typically include improved security features.
8. Secure your server in a locked room. Some cyber criminals have walked through law firms with clipboards posing as IT service personnel. Verify identities before granting access to your server.
9. Use intrusion detection systems. These systems will alert you to attempts to invade your computer system.
4-12
10. Use security software suites that include virus and malware protection and keep it up-to-date.
11. Have your IT support person set up your wireless network to include enabling strong encryption. Disable the WEP and WPA encryption and require WPA2 encryption.
12. Be sure to change the default passwords on all wireless routers and servers. Consult your IT support person for any help.
13. Be sure that any device holding client data is password protected and encrypted, especially if these devices are taken off site. Thumb drives, smart phones, tablets and laptops continue to be the most frequently stolen or lost devices.
Protocols
14. Back up all data and do regular periodic test restores of the backup. Store your backup securely. Backups taken off site or stored on the internet should be encrypted. If you are storing your backup or any data on the internet, be sure that the vendor does not have access to the decryption key.
15. Be sure that your IT support person sets up your backup system so that it cannot be corrupted in the event your computer is attacked by ransomware. Otherwise, ransomware can travel onto your backup.
16. Develop a protocol for internet usage at work. Employees should not be allowed to download and install programs and apps on devices that connect to your server without prior authorization from your IT support person. Freeware is frequently infected with malware. Train your staff to avoid downloading any attachments sent by email, especially if the extension ends in .exe, which means it is an executable file.
17. Ensure that all remote access to the office network occurs through the use of a VPN, MiFi, smartphone hotspot or some other type of encrypted connection. Prohibit connecting to the office network using a public computer (such as at a hotel or library) or an unsecured open public Wi-Fi network (such as at an airport, hotel, coffee shop, or library). Obtain guidance from your IT support person for setting up a VPN, MiFi, or smartphone hotspot.
18. Do not allow non-employees to have access to your network. This especially includes terminated employees.
19. Conduct an annual internal network security audit to ensure your network is secure. This is most helpful when it includes a vulnerability assessment.
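Items 14 and 15 (and the "Back up | Use 3-2-1" slide) ask for two things a script can check: that a test restore really reproduces what was backed up, and that ransomware reaching a backup copy is noticed before the copy is needed. The Python below is an added example written for this chapter, not code from the checklist's authors or the PLF. It records a SHA-256 manifest at backup time and later verifies a restored tree against it; the directory layout and file contents are constructed, and it assumes the manifest itself is kept somewhere the backup host cannot overwrite (otherwise the same attacker can rewrite both).

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def make_backup(src: Path, dest: Path) -> dict[str, str]:
    """Copy src to dest and write the manifest taken from the live data."""
    shutil.copytree(src, dest)
    manifest = build_manifest(src)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest recorded at backup time."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(k for k in manifest if k not in actual),
        "changed": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(k for k in actual if k not in manifest),
    }


def demo() -> tuple[dict, dict]:
    """Constructed scenario: a clean test restore, then a restore from a
    backup copy that ransomware reached (one file encrypted, one deleted)."""
    work = Path(tempfile.mkdtemp())
    live = work / "client-files"
    (live / "matters" / "smith").mkdir(parents=True)
    (live / "matters" / "smith" / "retainer.txt").write_text("retainer agreement (constructed)")
    (live / "matters" / "notes.txt").write_text("case notes (constructed)")
    manifest = make_backup(live, work / "backup")

    # Test restore #1: copy the backup out and check it against the manifest.
    shutil.copytree(work / "backup", work / "restore1")
    clean = verify_restore(manifest, work / "restore1")

    # Simulate ransomware that could write to the mounted backup (item 15).
    (work / "backup" / "matters" / "notes.txt").write_bytes(b"\x00garbled-ciphertext")
    (work / "backup" / "matters" / "smith" / "retainer.txt").unlink()
    shutil.copytree(work / "backup", work / "restore2")
    tampered = verify_restore(manifest, work / "restore2")

    shutil.rmtree(work)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore:", clean)
    print("tampered restore:", tampered)
```

Run on a schedule, the verify step turns "we have backups" into "we have backups that restore to what we saved"; an empty report is the test-restore evidence item 14 asks for, and a non-empty one is the early warning item 15 is about.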
Education
20. Provide mandatory social engineering awareness training to your staff annually.
4-13
21. Provide training to staff on how to respond to a cyber breach incident, including disconnecting the device from the internet and office network immediately if staff suspect the device has been breached, and contacting IT support immediately.
22. Instruct staff on how to properly dispose of any device or digital media that contains client or law firm data.
23. Instruct staff on proper safeguards if they are allowed to use their own device on your network.
24. Instruct staff on how to scrub documents for metadata.
25. Teach staff how to recognize phishing scams.
26. Teach staff to exercise caution when using social media, as cyber criminals could use the same information to assist them in personal identity theft or hacking online accounts.
RESOURCES FOR FURTHER STUDY
27. “Back to Basics: 10 Security Best Practices,” DARKReading, Nimmy Reichenberg, September 4, 2015. https://www.darkreading.com/operations/back-to-basics-10-security-best-practices/a/d-id/1322053
4-14
28. “Best Practices for a Data Security Plan,” Forbes Technology Council, Chalmers Brown, September 5, 2017. https://www.forbes.com/sites/forbestechcouncil/2017/09/05/best-practices-for-a-data-security-plan/#66d82b675c0e
29. “Data Security,” Federal Trade Commission. https://www.ftc.gov/tips-advice/business-center/privacy-and-security/data-security
30. Lawyers Mutual Liability Insurance Company of North Carolina Data Breach Incident Response Plan Toolkit. http://files.www.lawyersmutualnc.com/risk-management-resources/risk-management-handouts/Data_Breach_Toolkit.pdf
31. “Protecting yourself from cybercrime dangers: The steps you need to take,” by Tim Lemieux, December 1, 2013, Practice PRO. http://www.practicepro.ca/2013/12/protecting-yourself-from-cybercrime-dangers-the-steps-you-need-to-take/
32. Schneier on Security: Books by Bruce Schneier https://www.schneier.com/books/
4-15