DATA CONFIDENTIALITY, SECURITY & RECENT CHANGES TO THE ABA MODEL RULES Scott Aurnou, Esq.
Page 1: Data Confidentiality, Security and Recent Changes to the ABA Model Rules

DATA CONFIDENTIALITY, SECURITY & RECENT CHANGES TO THE ABA MODEL RULES

Scott Aurnou, Esq.

Introduction

• In 2009, the ABA created the Commission on Ethics 20/20 to review the Model Rules in light of the effect of technology on the legal profession.

• Changes pertaining to technology were made in August 2012:
– Rule 1.1 – Competence
– Rule 1.6 – Confidentiality of Information
– Rule 5.3 – Responsibilities Regarding Nonlawyer Assistance

Rule 1.1 – Competence

• A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

• Comment 8: To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

Rule 1.6 – Confidentiality of Information

• (a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).

• ***

• (c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

• Comment 18: Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.

Rule 1.6 – Comment 18 Safe Harbor Provision

• “The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”

• Factors to determine reasonableness of the efforts include (but aren’t limited to):
– Sensitivity of the data
– Likelihood of disclosure if additional safeguards aren’t employed
– Cost and difficulty of employing additional safeguards
– Extent to which additional safeguards adversely affect the lawyer’s ability to represent clients

• Also specifically notes that the Rules do not supersede Federal or state laws “that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information”
– Safe harbor won’t protect you from state or Federal privacy or post data breach reporting requirements

Rule 1.6 – Comment 19 Electronic Communication re: Client

• “When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.”

• Safe harbor provision: “This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy.”

• Factors to determine reasonableness of the expectation of privacy include:
– Sensitivity of the data
– Extent to which the privacy of the communication is protected by law or a confidentiality agreement

• A client may give informed consent to a method not otherwise permitted

• Also specifically notes that the Rules do not supersede Federal or state laws that require additional steps to safeguard data privacy

• Speaking of those state laws...
  • 47 states (except AL, NM & SD) require notification of a data breach of unencrypted data
  • NV, MA & WA require encryption of client data in mobile devices and whenever transmitted electronically
    – Massachusetts law also applies extraterritorially to any firm doing business with a MA resident

Rule 5.3 – Responsibilities Regarding Nonlawyer Assistance

• With respect to a nonlawyer employed or retained by or associated with a lawyer:

• (c) a lawyer shall be responsible for conduct of such a person that would be a violation of the Rules of Professional Conduct if engaged in by a lawyer if:
– (1) the lawyer orders or, with the knowledge of the specific conduct, ratifies the conduct involved; or
– (2) the lawyer is a partner or has comparable managerial authority in the law firm in which the person is employed, or has direct supervisory authority over the person, and knows of the conduct at a time when its consequences can be avoided or mitigated but fails to take reasonable remedial action.

• Comment 3 expressly references cloud storage services

Not Changed, But Also Relevant

• Rule 5.1 - Responsibilities of a Partner or Supervisory Lawyer

• Paragraph (c) A lawyer shall be responsible for another lawyer's violation of the Rules of Professional Conduct if:
– (1) the lawyer orders or, with knowledge of the specific conduct, ratifies the conduct involved; or
– (2) the lawyer is a partner or has comparable managerial authority in the law firm in which the other lawyer practices, or has direct supervisory authority over the other lawyer, and knows of the conduct at a time when its consequences can be avoided or mitigated but fails to take reasonable remedial action.

Effect of Changes to the Model Rules

• Short answer: lawyers and law firms do need to stay up-to-date with technology.

• In a practical sense, what steps should you take to secure client & firm data and avoid mishandling electronic evidence?

Agenda

• Data Security
– Computer Basics
– Security First Steps
– Laptop & Desktop Computers
– Mobile Devices
– Firm Networks
– Cloud Computing
– What to Do When Something Goes Wrong

• eDiscovery Issues
– Mishandling Electronic Evidence
– Using Third Party Vendors

• Computer Security & eDiscovery Do’s & Don’ts

How is information stored electronically?

• Magnetic, optical & flash/SSD storage
– All data is reduced to binary code, which allows the various devices to share information
– Bits & bytes

• Active, archival & latent data

What is a computer network?

• Client-Server Model

• Includes all devices intended to have access to your firm’s data

• Remember that the computer traits making it easier to find your own data also make it easier for a hacker to do so if he or she gets into your system

Security First Steps

• Upper management buy-in is critical to effective security
– Consider data breach insurance

• Vulnerability assessment
– Network and data mapping; attack and penetration testing
– Find & fix vulnerabilities – should be done twice yearly

• Create an Information Security Policy/Plan
  • For more detail, read ‘How to Write an Information Security Policy’ from CSO Online: http://www.csoonline.com/article/495017/how-to-write-an-information-security-policy?page=1

• Incident Response Plan & Team
– Identifies and lays out a step by step response to a security incident

• Business Continuity & Disaster Recovery Plan
– Intended to keep your firm up and running after a major event
– CSO Online – Business Continuity and Disaster Recovery Planning: the Basics: http://www.csoonline.com/article/204450/business-continuity-and-disaster-recovery-planning-the-basics

• Don’t hesitate to bring in a security consultant to help set these up

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Laptops & Desktop Computers

• Primary threats
– Malware and data breaches

• Different types of malware
– Virus: dormant until host file is opened
– Worm: does not need host file; often used to create an opening for other malware
– Trojan: disguised as something innocuous
– Drive-by download: latent threat on compromised website
– Rootkit: essentially burrows underneath the software you can see to gain greater control over your computer

• Spyware, keyloggers, etc.

• Botnets

• Unlike television and movie depictions, there is generally no alarm or warning of any kind when a network is breached

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Laptops & Desktop Computers II

– Physical security

• Actual office intrusion and theft, using USB drive, etc.

• Loss or theft outside of the workplace

– Who else has access to your work computer?

• Co-workers, spouse, children, etc.?

• Introduces potential new avenues of attack

– ‘The space between the chair and the keyboard’

Protecting Your Computer

• Importance of keeping software patched
– Secunia, FileHippo, AppFresh
– Turn off/reboot your computer to actually install updates
– Apple computers are not immune to malware

• Anti-virus software, firewalls and intrusion detection/prevention software

• Limit administrative account privileges
– The most senior partners are often targeted by hackers
– Also use non-admin account to browse on your personal computer

• Data Encryption
– All data on the network, backups, stick drives, tablets, smartphones, etc.

• Using Virtual Private Networks (VPNs) for remote access

• Don’t hesitate to bring in a professional if you aren’t completely comfortable addressing a security concern yourself

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Email

• How does e-mail actually work?

• Emailing with clients securely
– Emailing “as secure as mailing a postcard”
– How can you secure it?
  • 1) Encryption
  • 2) Include a link to content secured in the cloud – Cubby, etc. (not DropBox)
  • 3) Secure Web portal

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Social Engineering

• Refers to an attacker tricking a target into giving up access to info or a restricted area

• Comes in numerous forms:
– Phishing
– Spear Phishing
– Whaling
– Pretexting (in person or phone call)
– Tailgating
– Baiting

• What can you do to avoid falling for one of the scams?

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Laptops & Desktop Computers: the Human Factor

• Passwords & multifactor authentication
– Fingerprint scanners, security tokens, etc.

• Browsing the Web
– Websense, etc.
– Drive-by downloads
  • AdBlock Plus
– Unsecured wi-fi connections and rogue hotspots
– Social networks/privacy concerns

• Don’t forget to log out

• Pertinent Model Rules – 1.1 (Competence)

Laptops & Desktops: Privacy Concerns

• Password protected screensaver
– For when you step away from your computer
– Keep the time delay brief

• HTTP vs. HTTPS
– HTTPS is encrypted and more secure than HTTP
– HTTPS Everywhere

• Tracking cookies
– DoNotTrack, Ghostery, Self-Destructing Cookies
– Aviator Web Browser

• Pertinent Model Rules – 1.1 (Competence)

Proper Disposal of Laptop & Desktop Computer Data

• Why is this important?

• Include anything that can store data

• What actually happens when you delete a file?

• Even if the data is eventually overwritten, there may be other ways to get at it

• E-mails

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Data Destruction Methods

• Overwriting/“wiping”

• Physical destruction
– More than simply damage

• Degaussing/demagnetizing
– Only works on magnetic storage devices/tape

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Mobile Devices

• Smartphones, Tablets, other devices

– Connecting to an accounting firm network

– BYOD (bring your own device)

• Primary threats

– Loss and theft

– Apps and permissions

– Jailbroken/rooted phones

– Browsing

• Same dangers as a regular computer

• PLUS mobile-specific browsing risks

– Can’t see URL or hover over links

– QR codes

• Unsecured wi-fi connections and rogue hotspots

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

QR Code for: TheSecurityAdvocate.com

Protecting Your Mobile Device

• Use the most current operating system and update it whenever updates are available

• Enable your passcode lock/PIN

• Download a strong mobile security app

• Remote wiping and device tracking software

• Encryption – both for mobile devices and backups

• Be cognizant of access/permission requests when downloading apps

• Be excessively cautious when dealing with unsecured hotspots and QR codes

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Mobile Devices: the Human Factor

• E-mail risk is not diminished on a mobile device
– Phishing/spear phishing/social engineering (fake e-mails from your bank, delivery service, PayPal, etc.)
– Presume that any unsolicited e-mail from your bank, etc. is fraudulent and contact the organization directly via phone, through its official website or visit a branch

• Smishing
  • Effectively phishing via text message

• Browsing the Web
– Drive-by downloads
  • Both links and QR codes can pose a risk
  • Tainted Web search results
– Unsecured wi-fi connections and rogue hotspots
– Social networks/privacy concerns

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Smishing text message

Proper Disposal of Mobile Devices

• Includes anything with a solid state/flash drive

• Factory reset
– Removes all data and downloaded applications
– Result of remote wiping

• Overwriting

• Physical destruction

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Privacy settings on an Android smartphone

Your Firm Network

• Exactly what are you protecting your network from?

• Limit access rights – who can see what?

• Know your network access points and check for unintended access

• Check your wireless network encryption

• Network monitoring software

• Routers & switches are particularly vulnerable

• Firm-wide data encryption

• Multi-tiered, off-site encrypted backups

• Honeypots

• Information Security Policy regarding USB drives – permitted or not?

• Application whitelisting

• Does your office have a website?

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Advanced Persistent Threats

• Stealthy & slow-moving attacks that compromise computer networks & steal data over a period of time

• Basic steps:
1) The attacker finds a way into the network
2) Malware planted during the initial intrusion “phones home” to remotely-located hackers
3) Attack quietly makes its way across the network
4) Data is surreptitiously stolen from the network
5) Attackers cover their tracks

• Security awareness training can reduce likelihood of initial attack succeeding

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Your Firm Network: the Human Factor

• Endpoint Security

• Strong passwords/change default passwords immediately

– “Alpine”

• Limit network access as much as possible

– This includes senior partners

• Immediately rescind access (including remote access) for any ex-employee the moment he or she leaves

– Even later the same day can be too late

• Regular employee training

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Data Leakage

• Can be intentional or unintentional (to get more work done at home or keep copies of firm data, contacts, research, briefs, etc.)

• Common problem is simply forgetting to delete the firm data once you’re done with it

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Cloud Computing

• What is it?

• Cumulative vulnerabilities

• ‘Pockets’ of the cloud on your network

• eDiscovery data stored with outside vendors

• Privacy concerns

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information); 5.3 (Responsibilities Regarding Nonlawyer Assistance)

Unexpected Weak Spots

• Your Help Desk

• Printers

• Videoconferencing equipment

• Connected third party systems

• Company guest wi-fi access

• Firm recycling bins can hold valuable papers

• Account passwords/VPN decrypts should never be saved on your computer

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

After Something Goes Wrong...

• Successful attack
– Data breach – hacker(s) stealing data from your system
– Malware infection can damage data in your system
– Spyware, Advanced Persistent Threats, keyloggers, etc.
– Computer forensics/security experts to assess damage, patch vulnerabilities to prevent similar attacks in the future, etc.

• Data destruction
– Physical damage (fire, flood, etc.)
– Some malware will electronically destroy data
– Importance of backups

• Disaster recovery plan

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Finding a Network Security Expert

• CEH – Certified Ethical Hacker (governed by International Council of Electronic Commerce Consultants [EC-Council])

• CISSP – Certified Information Systems Security Professional (governed by not-for-profit ISC – Int’l Information Systems Security Certification Consortium)

• CISA – Certified Information Systems Auditor (governed by ISACA, short for Information Systems Audit and Control Association)

• Pertinent Model Rules – 1.1 (Competence); 5.3 (Responsibilities Regarding Nonlawyer Assistance)

eDiscovery & Data Confidentiality

• Mishandling Electronic Evidence

• Using Third Party Vendors
– Data hosting & e-discovery vendors can have sensitive client data on their servers
– Hackers know this and can use them as a back door to target client & other non-public info
– Do your due diligence re: security practices, etc. before engaging a vendor

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information); 5.3 (Responsibilities Regarding Nonlawyer Assistance)

What is Computer Forensics?

• Computer Forensics (a/k/a digital forensics or IT forensics) is the science of identifying, acquiring and preserving potential evidence stored within various forms of electronic media

• Which means what, exactly?

The Forensic Process

• Gaining access to opponents’ digital evidence

• Forensic imaging/evidence acquisition

• Forensic investigation & analysis

• Expert reports & testimony

• NEVER a do-it-yourself project

Forensic Imaging/Evidence Acquisition

• The most critical phase of a Computer Forensics investigation

• In order to preserve the digital evidence in its original state, the chain of custody is documented throughout the process

• Cost effectively captures and preserves the digital evidence with an identical, bit by bit copy of the original digital media

• The “bitstream” (identical) copy is then analyzed while the original media is carefully preserved for potential future evidentiary use
– Write blocker
– The copied data can be authenticated using hash codes/values

• The bitstream copy is then copied and authenticated in turn to produce a working copy for analysis. Additional working copies can be produced as needed

• If it is not done properly (in a secure and forensically sound manner), critical evidence can be compromised or even inadvertently destroyed

• If you are especially anxious to see electronic evidence found on the incoming digital media, have your computer forensic expert ready to go ASAP

• Pertinent Model Rules – 1.1 (Competence); 5.3 (Responsibilities Regarding Nonlawyer Assistance)
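
The authentication chain on this slide (original media, bitstream copy, working copy, each matched by hash value) can be illustrated with the following added example, which is not part of the original presentation. The file names and handler label are hypothetical, the "media" is a constructed sample file, and opening the source read-only is only a software stand-in for a hardware write blocker.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB chunks so large images never sit in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only: the source is never opened for writing
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def copy_and_authenticate(src, dst, custody_log, handler):
    """Copy src to dst byte for byte, then re-read dst from disk and compare hashes.

    Appends a chain-of-custody entry and returns the verified digest.
    Raises ValueError if the copy does not match the source.
    """
    src_hash = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            src_hash.update(chunk)
            fout.write(chunk)
    src_digest = src_hash.hexdigest()
    dst_digest = sha256_file(dst)  # independent read-back of what was written
    custody_log.append({
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "handler": handler,  # hypothetical label for whoever made the copy
        "source": os.path.basename(src),
        "copy": os.path.basename(dst),
        "sha256": src_digest,
        "verified": src_digest == dst_digest,
    })
    if src_digest != dst_digest:
        raise ValueError(f"{dst} does not match {src}")
    return src_digest


def run_demo():
    """Original media -> bitstream copy -> working copy, then detect a change."""
    log = []
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "original_media.bin")
        bitstream = os.path.join(d, "bitstream_copy.img")
        working = os.path.join(d, "working_copy.img")
        # Constructed stand-in for the original digital media (not real evidence).
        with open(original, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE SECTOR\x00" * 4096)

        h1 = copy_and_authenticate(original, bitstream, log, "examiner (hypothetical)")
        h2 = copy_and_authenticate(bitstream, working, log, "examiner (hypothetical)")

        # Flip a single bit in the working copy; its hash no longer matches the record.
        with open(working, "r+b") as f:
            f.seek(100)
            b = f.read(1)
            f.seek(100)
            f.write(bytes([b[0] ^ 0x01]))
        altered = sha256_file(working)
        return {
            "original_matches_bitstream": h1 == sha256_file(bitstream),
            "working_matched_before_change": h1 == h2,
            "alteration_detected": altered != h1,
            "custody_entries": len(log),
            "all_verified": all(e["verified"] for e in log),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

A one-bit difference anywhere in a copy produces a different digest, which is why the recorded hash value lets a later reviewer confirm that a working copy is still identical to the original.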

Forensic Investigation & Analysis

• The identical copies of the initial bitstream image are analyzed while the subject digital media is kept in its original state for potential use at trial

• Analyzing the data

• Once the electronic information has been accessed, the most useful evidence can be isolated and provided to counsel

• Pertinent Model Rules – 1.1 (Competence); 5.3 (Responsibilities Regarding Nonlawyer Assistance)

Expert Reports & Testimony

• Computer Forensics services to support litigation
– Expert reports
– Affidavits
– Expert witness testimony
– ‘Counter Forensics’

• Pertinent Model Rules – 1.1 (Competence); 5.3 (Responsibilities Regarding Nonlawyer Assistance)

Finding a Qualified Computer Forensic Expert

• Various certifications exist, but there is no single standard

• Law enforcement/military
– CFCE – Certified Forensic Computer Examiner (offered by the IACIS – Int’l Ass’n of Computer Investigative Specialists)
– CEECS – Certified Electronic Evidence Collection Specialist

• Vendor neutral
– CCE – Certified Computer Examiner (offered by the ISFCE – International Society of Forensic Computer Examiners)
– CISSP – Certified Information Systems Security Professional (governed by not-for-profit ISC – Int’l Information Systems Security Certification Consortium)
– GCFA – GIAC Certified Forensic Analyst (offered by Global Information Assurance Certification)
– Expert listings for each

• Vendor specific
– ACE: AccessData Certified Examiner (AccessData)
– EnCE: EnCase Certified Examiner (Guidance Software)

• Pertinent Model Rules – 1.1 (Competence); 5.3 (Responsibilities Regarding Nonlawyer Assistance)

Admissibility of Electronic Evidence

• FRE 901 and 902 do not differentiate between electronic and physical evidence
– Authentication (hashing, etc.)
– Chain of custody
– Proper handling of digital evidence

• Pertinent Model Rules – 1.1 (Competence)

eDiscovery Do’s & Don’ts

• Upon receipt of an opposing/third party’s electronic media
– DO bring in a computer forensic expert as soon as possible, confer with him/her and formulate proper search terms for the analysis
– DO NOT alter the computer/electronic media
– DO observe the rules of evidence (chain of custody, etc.) with the original electronic media once the bitstream copies have been made

• Pertinent Model Rules – 1.1 (Competence)

Computer Security Do’s

• DO
– Apply all patches (updates) to the software on your computer & used by your network. Use Secunia, FileHippo or AppFresh to see what needs updating
– If your firm is using software old enough that it is no longer supported (updated) by its manufacturer, replace it with newer software that is supported
– Use integrated security software (firewall, anti-virus, anti-spyware, etc.) & keep it up-to-date
– Control who has access to what and strictly limit who has administrative privileges
– Use strong passwords
– Change your passwords regularly
– Enable screensaver passwords on your computer (and set them to engage relatively quickly)
– Log out of all online services when not using them
– Change all default settings (user IDs & passwords) immediately

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Computer Security Do’s (continued)

– Enable full encryption on every hard drive (especially in laptops), mobile device, storage device (i.e., USB drives) and backup media
– Have multi-tiered, off-site, encrypted backups
– Keep your firm’s servers under lock and key, literally
– Use WPA (with the Advanced Encryption Standard) or WPA2 encryption for your firm’s wireless network
– Use an encrypted connection – such as a VPN – for remote access to your firm network
– Prepare any smartphone in your network to be stolen
– When an employee is terminated, disable their network access (user ID and password) immediately
– Securely dispose of anything potentially holding firm or client data

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Computer Security Don’ts

• DON’T
– Have a file called “Passwords” anywhere on your computer
– Use the same password over and over – if it gets cracked once, every other account with that password becomes vulnerable
– Keep a post-it note with your password somewhere obvious (under the keyboard, top right side drawer in your desk, etc.)
– E-mail any passwords – an intruder can search your e-mail and find them (party trick: search your e-mail for “password”)
– Give your password to anyone else (including co-workers). If you ever do, change it immediately afterwards
– Use WEP encryption for your wireless network – it was compromised years ago
– Use unsecured (i.e., no password needed) wireless access to send or receive any sensitive data
– Enter credit card, financial or login information without seeing ‘HTTPS’ in your browser’s address bar (i.e., make sure the site is encrypted)
– Use cloud services without first making a reasonable inquiry into the state of their security
– Assume that using Apple computers inherently means you can ignore malware (it doesn’t)

• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Scott Aurnou, Esq.

Scott Aurnou is an information security consultant, attorney and Vice President at SOHO Solutions, an IT consulting and managed services firm based in New York City.  He regularly lectures on information security, computer forensics and ethics relating to technology (particularly for legal professionals) and maintains a website called The Security Advocate. His work has also appeared in the New York Law Journal and Law360. You can connect with Scott on LinkedIn, Facebook and Twitter.