Logikcull Webinar: Preventing the Next Panama Papers
TRANSCRIPT
Preventing the Next Panama Papers: Tips for Protecting Client Data in the Age of Cybercrime
September 22, 2016
Presenters
Brian Focht | Attorney | Stiles Byrum & Horne
Author of The Cyber Advocate: Tools and Tech for Legal Professionals
Eli Wald | Professor, Legal Ethics and Profession | University of Denver Sturm College of Law
Author of Legal Ethics’ Next Frontier: Lawyers and Cybersecurity
Joe Marquette | CEO | Accellis
Cybersecurity consultant and former CTO of publicly traded company
Agenda
● Overview of recent law firm data breach
● Reasons for increased focus on law firms
● Ethical and professional ramifications of breach
● Considerations for reducing risk of breach
2016: The Year of Law Firm Data Breach
● Panama Papers (April): Hack leads to leak of 11.5 million docs belonging to clients of Mossack Fonseca law firm
● Major Firms Breached (March): Two high-profile US firms admit to data breach by hackers seeking M&A material
● ‘Oleras’ Alert (Feb.): Russian cybercriminal reported to have targeted nearly 50 top U.S. law firms
2016: The Year of Law Firm Data Breach (continued)
● Dropbox Hack Reported (Aug.): Credentials of more than 68 million users stolen in 2012.
● DNC Emails Leaked (July): Confidential communications between presidential candidates and law firms exposed
● Firms Sued Over Breach (May): Top plaintiff’s firm brings class action suit against unnamed law firms
Why are law firms increasingly targeted by hackers?
Law firms are a ‘one-stop shop’
● Clearinghouses for client data: Law firms handle sensitive client data — and only sensitive client data
● Clients have ‘first-mover advantage’: Entity clients generally have better underlying cybersecurity infrastructure
● Increased competition in legal services: Lawyers are offering 24/7 services
Law firms are ‘soft underbelly’ of cybersecurity
● ‘Downstream Victims’: Companies’ outside lawyers and vendors are targeted for IP
● 1 in 4 firms with 100+ attorneys have suffered breaches: According to recent ABA Legal Technology Survey*
* 16% of firms with 2-9 attorneys
What are the ethical and professional consequences of data breach?
Professional rules related to data breach
● ABA Model Rule 1.6(c): Must make “reasonable efforts” to prevent unauthorized disclosures
● State rules: e.g. CAL. BUS. & PROF. CODE § 6068(e)(1) - must preserve client secrets at ‘every peril to himself or herself’
Professional rules (continued)
● ABA Model Rule 1.1: Duty of competence, which includes keeping abreast of ‘benefits and risks associated with relevant technology’
● Duty of Supervision: (e.g. ABA Model Rule 5.3) - Attorneys are responsible for conduct of non-lawyer assistance
● ABA Model Rule 1.0(e): Lawyer must get ‘informed consent’
The consequences of breach are severe
● Damage to reputation
● Ancillary costs: crisis management, breach notification, fulfillment of compliance obligations, credit monitoring
● Threat of malpractice: e.g. Edelson lawsuit against major firms
Where are law firms most vulnerable to breach?
Too many lawyers don’t appreciate risk… and they don’t have a plan
● Lack of awareness: “I’m too small to be a target,” “I don’t open bad websites”
● Even firms that don’t handle huge amounts of PII are vulnerable: Because they have money.
IT systems and practices are weak
● Lots of data in lots of places: Can you answer the question, “Where is your client’s data right now?”
● Encryption is lacking: About 20 percent of attorneys use encryption to protect client files according to 2015 ABA Tech Survey
Law firms are as weak as their weakest link: People
● Training is infrequent: 2015 ILTA survey conducted with Digital Defense found ‘employee negligence’ to be top security concern; less than 20% conduct regular training
● Phishing/Ransomware attacks on the rise:
  - In February, Jacksonville firm paid $2,500 to get ransomed client data back
  - Phishing emails have 23% open rate (via LegalTech News)
  - Estimates suggest more than 90% of viruses come from Phishing
The eDiscovery process…
● Insecure Data Transfer: Via unencrypted channels such as email and Dropbox, and due to reliance on physical media
● Lack of expertise*: Lack of technical skills exacerbated by complexity of tools and process
* See California Ethics Opinion No. 2015-193
What can you do to limit the risk of breach?
Have a plan!
Bolstering IT systems and policies
● Identify your IT manager
● Encrypt your data and limit duplication of it
● Implement BYOD policy
● Require strong passwords
Train your people
● People are first and last line of defense
● Conduct regularly scheduled audits and random tests
● Make sure leadership takes training seriously
Audit third parties
● Who has access to your data?
● How can you retrieve data from vendor?
● Does agreement require vendor to notify you of breach?
● How does vendor secure data?
Questions?
The Downright Terrifying Cost of Data Breach
Email [email protected] to request
● The costs of data breach
● The aftermath of the Panama Papers
● Steps to prevent breach