Simplifying Law Firm Information Security Compliance - An Executive Briefing Prepared by: David Cunningham, Managing Director Meg Block, Managing Director March 2010 Excerpt with a Focus on Encryption
Jan 22, 2015

DaveCunningham

Transcript
1. Simplifying Law Firm Information Security Compliance - An Executive Briefing. Prepared by: David Cunningham, Managing Director; Meg Block, Managing Director. March 2010. Excerpt with a Focus on Encryption

2. Table of Contents

  • Summary of Relevant Regulatory Information
  • Key Regulatory Issues
  • Focus on Encryption Expectations

3. Relevant Information Security Regulations

  • HI-TECH makes the Health Insurance Portability and Accountability Act (HIPAA) relevant to law firms as business associates of covered health care entities
  • International Traffic in Arms Regulations (ITAR) 2009
  • Massachusetts Standard for the Protection of Personal Information of Residents of the Commonwealth
    • 201 CMR 17.00 implements the provisions of Massachusetts General Law 93H
    • aka Massachusetts Data Privacy Law
  • US EU Safe Harbor Framework
  • Red Flags Rule
  • International Standards Organization (ISO) 27001:2005

4. Regulatory Summary

  • Massachusetts Data Privacy Law
    • Governing Body: State of Massachusetts
    • Information Addressed: Personal information about a resident of the Commonwealth of Massachusetts
    • Penalties: $5,000 per incident plus costs of investigation, litigation and legal fees, plus potential civil penalties
    • Law Firm Compliance Date: March 1, 2010
  • HIPAA / HI-TECH
    • Governing Body: Health and Human Services
    • Information Addressed: Protected Health Information (PHI)
    • Penalties: $100 - $50,000 per incident; $1.5M max per year
    • Law Firm Compliance Date: February 17, 2010
  • Safe Harbor
    • Governing Body: US Dept of Commerce / Federal Trade Commission
    • Information Addressed: Personal information transferred to or from the 27 Member States of the European Union
    • Penalties: Up to $12,000 per day for violations
    • Law Firm Compliance Date: Voluntary (replaces Data Transfer Agreements)
  • ITAR
    • Governing Body: US Department of State
    • Information Addressed: Export of technical data and classified defense articles, as defined by the US Munitions List
    • Penalties: Per violation, civil fines up to $500K; criminal penalties up to $1M and 10 years imprisonment
    • Law Firm Compliance Date: 60 days in advance of any intended sale or transfer to a foreign person of ownership or control
  • Red Flags Rule
    • Governing Body: Federal Trade Commission
    • Information Addressed: Personal identifying information (PII is PHI plus credit card, tax ID, insurance claim, background checks, etc.)
    • Penalties: None at this time
    • Law Firm Compliance Date: Currently not applicable to law firms due to ABA objections, but the FTC is appealing
  • ISO 27001
    • Governing Body: International Standards Organization (ISO)
    • Information Addressed: Determined by company and its auditor via Statements of Applicability
    • Penalties: None
    • Law Firm Compliance Date: Voluntary

5. Regulatory Compliance Actions

  • Massachusetts Data Privacy Law
    • Assessment: Identify MA personal info; identify and assess internal and external threats
    • Plans and Policies: Written Information Security Plan; security policies
    • Procedures Needed: Designation of people to maintain; disciplinary actions for violations; third party adherence; maintain security system/program; response actions
    • Registration or Audit: None
  • HIPAA / HI-TECH
    • Assessment: Identify PHI; review information system activity
    • Plans and Policies: Information Security Policy; DR plan
    • Procedures Needed: Administrative, physical and technical safeguards; Business Associate Agreements; breach notification procedures
    • Registration or Audit: None
  • Safe Harbor
    • Assessment: Identify PI
    • Plans and Policies: Privacy Policy and Privacy Statement
    • Procedures Needed: User awareness, notice, and choice (opt-in or opt-out); third party adherence; compliance verification mechanisms, including annual reaffirmations; dispute resolution service
    • Registration or Audit: Self-registration with the US Department of Commerce, plus annual reaffirmations
  • ITAR
    • Assessment: Identify data and systems relevant to the US Munitions List
    • Plans and Policies: None
    • Procedures Needed: Registration application
    • Registration or Audit: Registration with the Directorate of Defense Trade Controls
  • ISO 27001
    • Assessment: Review policies, objectives, and procedures relevant to info security
    • Plans and Policies: Information Security Management System
    • Procedures Needed: Plan (establish ISMS); Do (implement and operate the ISMS); Check (monitor and review the ISMS); Act (maintain and improve the ISMS)
    • Registration or Audit: Audit by ISO auditor every two years

6. Massachusetts Data Privacy Law

  • Indicative of an emerging legislative trend
    • Similar law in Nevada (but applicable only when doing business in Nevada)
    • New Jersey, Washington, and Michigan are working on privacy legislation
    • Assumed to be eventually trumped by a federal regulation

7. Massachusetts Data Privacy Law

  • Excerpt on access control and encryption
    • establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:
      • (2) Secure access control measures that:
        • (a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
      • (3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
      • (5) Encryption of all personal information stored on laptops or other portable devices;

8. Massachusetts Data Privacy Law

  • Clarifications
    • All of the computer security provisions apply to a business if they are technically feasible.
      • Technically feasible means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.
    • Risk-based approach
      • A risk-based approach is one that directs a business to establish a written security program that takes into account the particular business' size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security.
      • Both the statute and the regulations specify that security programs should take into account the size and scope of your business, the resources that you have available to you, the amount of data you store, and the need for confidentiality. This will be judged on a case by case basis.

9. Massachusetts Data Privacy Law - Asset Encryption Expectations*

  • Backup Tapes
    • You must encrypt backup tapes on a prospective basis. However, if you are going to transport a backup tape from current storage, and it is technically feasible to encrypt (i.e. the tape allows it) then you must do so prior to the transfer. If it is not technically feasible, then you should consider the sensitivity of the information, the amount of personal information and the distance to be traveled and take appropriate steps to secure and safeguard the personal information.
  • Portable Devices
    • Yes, but only those portable devices that contain personal information of customers or employees and only where technically feasible. The "technical feasibility" language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, blackberries, net books, iPhones and similar devices. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops.
  • Third Parties
    • You are responsible for the selection and retention of a third-party service provider who is capable of properly safeguarding personal information.
  • E-Mail with Personal Information
    • If it is not technically feasible to do so, then no. However, you should implement best practices by not sending unencrypted personal information in an email. There are alternative methods to communicate personal information other than through email, such as establishing a secure website that requires safeguards such as a username and password to conduct transactions involving personal information.

* Answers are excerpts from the Commonwealth of Massachusetts FAQ Regarding 201 CMR 17.00

10. Massachusetts Data Privacy Law

  • Further clarifications
    • Do communications with clients already covered by the attorney-client privilege immunize me from complying with 201 CMR 17.00?
      • No. If you own or license personal information, you must comply with 201 CMR 17.00 regardless of privileged or confidential communications.
    • Do I have to do an inventory of all my paper and electronic records?
      • No, you do not have to inventory your records. However, you should perform a risk assessment and identify which of your records contain personal information so that you can handle and protect that information.
    • Does 201 CMR 17.00 set a maximum period of time in which I can hold onto/retain documents containing personal information?
      • No. That is a business decision you must make. However, as a good business practice, you should limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected and limit the time such information is retained to that reasonably necessary to accomplish such purpose. You should also limit access to those persons who are reasonably required to know such information.

11. ITAR

  • Process
    • Register with the Directorate of Defense Trade Controls
    • The USPTO's patent web portal now requires certification of compliance before users may log into the system.
  • Easy to have violations
    • Disclosure or transfer to a foreign national, even if within U.S. borders.
    • Proprietary company information is not considered to be in the public domain.

12. Safe Harbor

  • The FTC and DoT have both stated in letters to the European Commission that they can take enforcement action against organizations that state they are in compliance with the Safe Harbor, but then fail to live up to their statements.
  • Of large firms, only Shearman & Sterling is currently registered

13. ISO 27001 Family of Standards

  • ISO certification is most relevant for government clients, but is a helpful overlay for all regulatory requirements
  • Published standards
    • ISO/IEC 27000 - Information security management systems: Overview and vocabulary
    • ISO/IEC 27001 - Information security management systems: Requirements
    • ISO/IEC 27002 - Code of practice for information security management (previously ISO/IEC 17799:2005)
    • ISO/IEC 27003 - Information security management system implementation guidance
    • ISO/IEC 27004 - Information security management: Measurement
    • ISO/IEC 27005 - Information security risk management
    • ISO/IEC 27006 - Requirements for bodies providing audit and certification of IS management systems
    • ISO/IEC 27007 - Guidelines for information security management systems auditing
    • ISO/IEC 27011 - Info security management guidelines for telecom organizations based on ISO/IEC 27002
  • In draft
    • ISO/IEC 27008 - a guideline for Information Security Management auditing (focus on security controls)
    • ISO/IEC 27013 - a guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
    • ISO/IEC 27014 - an information security governance framework
    • ISO/IEC 27015 - information security management guidelines for the finance and insurance sectors
    • ISO/IEC 27031 - a guideline for ICT readiness for business continuity
    • ISO/IEC 27032 - a guideline for cybersecurity (essentially, 'being a good neighbor' on the Internet)
    • ISO/IEC 27033 - IT network security, a multi-part standard based on ISO/IEC 18028:2006
    • ISO/IEC 27034 - a guideline for application security

14. Questions

  • What relevant information security experience, contacts, or interest do you have?
  • What tools and capabilities can you bring to the table to increase the efficiency of the assessments?