The New Rules of Risk: How Technology Exposes Your Firm, and What to Do About It Christopher T. Anderson, J.D. Product Manager, LexisNexis June 25, 2013 CLE CODE: 46657
Mar 26, 2015
Christopher T. Anderson
Christopher Anderson, J.D.
Product Manager for LexisNexis Firm Manager®, LexisNexis
• Christopher Anderson is the Product Manager for the LexisNexis Firm Manager® application in Cary, North Carolina.
• Firm Manager is a web-based practice management system that keeps the attorneys and staff of small law firms connected to all the details of their clients, cases, matters and firm business.
• Christopher has presented at various State Bar associations, the Law Bulletin Ethics Conference, the National CLE conference, and ABA TECHSHOW, and draws several hundred attendees to webinars where he presents on various topics, including running a law firm; effectively using technology and leveraging staff; and technology and trends.
Formerly:
• Managing partner of a full-service law firm in Georgia.
• Assistant district attorney in New York City and in Georgia.
• Associate General Counsel and Director of Client Services for RealLegal, a legal software company.
Mr. Anderson is a graduate of Cornell University and received his Juris Doctorate from the University of Georgia School of Law in 1994. Christopher Anderson is admitted to practice in the federal and state courts of New York and Georgia.
Challenges we face
1. Using the Cloud, Communicating Effectively, Yet Maintaining Privilege, and Our Obligations of Confidentiality
2. Establishing, Following and Testing Effective Policies
3. Continuing to Adapt and Manage Ever Changing Risks
4. Understanding Roles: Who Does What to Maintain Security
5. Admitting We Have a Problem
Updated Ethical Guidelines
Model Rule of Professional Conduct 1.6: Confidentiality of Information
(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent…
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Model Rule of Professional Conduct 1.1 on Competence: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
New Thinking on Old Standards
Model Rule of Professional Conduct 1.15: Safekeeping Property
A lawyer shall hold property of clients or third persons that is in a lawyer's possession in connection with a representation separate from the lawyer's own property. ... [P]roperty shall be identified as such and appropriately safeguarded. Complete records of [the] property shall be kept by the lawyer and shall be preserved for a period of [five years] after termination of the representation.
Soft Target = Law Firms
The World At Your Fingertips … and Theirs
Data At Risk
BYOD
- Client confidential data on device
- Confidential/privileged data shared on cloud
- Lost or stolen device
Social Media
- It’s an open book
- Responsibility for what others post
- Unintentional breach of confidentiality
Discarded Devices
- Computers
- Storage media, i.e. USB drives
- Photocopiers!
Actual Terms and Conditions:
• BRAND X will have no responsibility for any harm to your computer system, loss or corruption of data, or other harm that results from your access to or use of the Services or Software
• BRAND X: If you add a file to your [Brand X] that has been previously uploaded by you or another user, we may associate all or a portion of the previous file with your account rather than storing a duplicate
• BRAND Y: When you upload … content to our Services, you give Brand Y (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works … communicate, publish, publicly perform, publicly display and distribute such content.
• BRAND Y: Your domain administrator may be able to … access or retain information stored as part of your account [and] restrict your ability to delete or edit information… or privacy settings.
Cloud Storage and Sharing: Lots of Options, But Do Your Homework
Mitigation
Look for the rainbow after the storm
Firewalls
How Do You Know You’re Being Attacked?
What do you do to shut it down?
Strong Passwords
- Measuring password security: http://howsecureismypassword.net
- Good source material: http://howsecureismypassword.org
Good Hygiene
BYOD
Residual Data
Social Media
Experts say that people should be very cautious when utilizing social network applications. This is because with 6 degrees of separation reduced to two, you can easily find yourself in hot water when attempting to obtain a job (or keep one.) This particular situation applies to one woman who decided to vent angrily about her current job and boss. However she failed to realize that monitoring your posts with Facebook's privacy options is essential. Her boss was made privy to her rant and was none too pleased. Needless to say, the woman no longer had to worry about her unhappy state of affairs.
On Yahoo Voices - Five Most Scandalous Facebook Posts
"Take This Job and Shove It..."
Discarded Devices
Breach Plan
Virtual Private Networks (VPN)
No VPN
Document Security
• Secure File Sharing
• Secure File Sync
• Digital Rights Management
• Secure Web Access
• Mobile Productivity
What to look for
Watchdox: Secure File Sharing and Mobile Productivity
Secure “Dropbox”
Mobile Productivity
Secure File Sharing
Document Control
Track and Revoke
Public Cloud
Data Protection
Availability
Data Ownership
Data In the Cloud - Ownership
Questions to ask:
• What are your contract terms/conditions?
• Policies on Government requests?
• Data return procedures?
• What happens when you cancel?
• How are third parties vetted?
• Use of my data internally?
• Is any anonymized information used?
Above all, your confidential client data belongs to your client.
Data Protection
Ensuring Your Online Data is Properly Protected
Private Cloud
Encryption
Notification
Clear Notification to Clients of Practices
Five Key Takeaways
1. How to balance paranoia with reality to come up with a privacy and security policy that works
2. Having a privacy and security policy is only half of the battle: is it implemented and adhered to? Audit and test it once in a while, or hire a company to do it
3. Educate, Educate, Educate! Train your partners, staff, and the third-party vendors you depend on for services. Privacy and security is not a once-and-you're-done type of process; it’s a living
4. Set up a committee that is responsible for meeting and delivering an update to management
5. Know what your risk of attack is and do something!
Questions
Thank You!
CLE CODES: 4665777898