technology 101 for the corporate lawyer
TRANSCRIPT
August 6, 2015
Technology 101 for the
Corporate Lawyer
Page 1
Scott Plichta
Chief Information Security Officer
Corporation Service Company
The Presenters
Jennifer K. Mailander
Associate General Counsel
Corporation Service Company
Page 2
“We have a long history of innovation and using
leading edge technology to provide customer
solutions.”
Caterpillar Inc.
What Company?
Page 3
Describe Yourself
How knowledgeable are you
about technology?
Not at all
Somewhat
Very knowledgeable
I am an expert
Page 4
Ethical Duty
ABA Model Rules
1.1 “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”
Comment 8 “A lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
5.3(d) “A lawyer having direct supervisory authority over the non-lawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer.”
Page 5
Ethics: Client Confidences
Model Rule 1.6(c)
“A lawyer shall make
reasonable efforts to
prevent the inadvertent
disclosure of, or
unauthorized access to,
information relating to the
representation of a client.”
Page 6
Cyber Security & Lawyers
According to the FBI, law firms and law departments are among the most vulnerable targets for cyber attacks.
Lawyers are reported to:
Have limited resources to dedicate to computer security
Lack a sophisticated appreciation of technology risks
Lack an instinct for cyber security
The ABA Cyber Security Handbook
Page 7
Part of a Larger Phenomenon
Individual IT Empowerment
Page 8
Key Terms and Definitions
Hosting (Website hosting, Web hosting, and Webhosting) – the business of housing, serving, and maintaining files for one or more websites.
The Cloud (Cloud Computing) – a type of Internet-based computing where different services such as servers, storage, and applications are delivered to an organization's computers and devices through the Internet. Examples of Cloud Computing include:
IaaS (Infrastructure as a Service) – a service model that delivers computer infrastructure on an outsourced basis to support enterprise operations. Typically, IaaS provides hardware, storage, servers and data center space or network components; it may also include software.
PaaS (Platform as a Service) – a category of cloud computing services that provides a platform allowing customers to develop, run, and manage web applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app.
SaaS (Software as a Service) – a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet.
Page 9
A Tasty Example: Pizza as a Service
https://www.linkedin.com/pulse/20140730172610-9679881-pizza-as-a-service
Page 10
Key Terms and Definitions (cont.)
Shadow IT – Where a user/department finds a Cloud provider to do work because IT is too busy.
SSO (Single Sign-On) – A session/user authentication process that permits a user to enter one name and password in order to access multiple applications.
SAML (Security Assertion Markup Language) – A data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
Federation – Refers to different computing entities adhering to certain standards of operations in a collective manner to facilitate communication.
Encryption – The conversion of electronic data into another form, ciphertext, so that it cannot be easily understood by anyone except authorized parties with the key.
PCI DSS (Payment Card Industry Data Security Standard) – Policies and procedures intended to optimize the security of credit, debit, and cash card transactions to protect cardholders against misuse of personal information.
Page 11
Data Types
Data in Use: Active data under constant change, stored physically in databases, data warehouses, spreadsheets, etc.
Data in Motion: Data that is traversing a network or temporarily residing in computer memory to be read or updated.
Data at Rest: Inactive data physically stored in databases, data warehouses, spreadsheets, archives, tapes, off-site backups, etc.
Source: Wikipedia
Page 12
Key Terms and Definitions (cont.)
Big Data – Data sets so large or complex that traditional data processing applications are inadequate. Challenges include analysis, capture, search, sharing, storage, transfer, visualization, and privacy. Also described as high-volume, high-velocity, and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making.
Phishing – Broad, scattered email fraud where the user is duped into revealing personal or confidential information for illicit use.
Spear Phishing – Phishing that targets a specific organization; messages appear to come from a trusted source.
Page 13
Information Security
Information Security: Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide:
Integrity – guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.
Confidentiality – preserving authorized restrictions on access and disclosure.
Availability – ensuring timely and reliable access to and use of information.
Information Security Program
Identify threats, vulnerabilities, and requirements
Implement security controls, monitor
Cybersecurity: The ability to protect or defend the use of cyberspace from cyber attacks.
Page 14
Information Privacy
Not a technology concept, yet inescapably tied to it
“[Privacy is] the appropriate use of personal information
under the circumstances. What is appropriate will depend
on context, law, and the individual's expectations; also,
[privacy is] the right of an individual to control the
collection, use, and disclosure of personal information.” IAPP Information Privacy Certification: Glossary of Common Privacy Terminology, 2011
Privacy Models
Comprehensive – EU
Sectoral – U.S.
Co-Regulatory – Australia
Page 15
Top 10 Tips
Top 10 Tips:
Working with Technology
Page 16
Top 10 Tips
10. Understand your
company’s technology
Page 17
Top 10 Tips
Understand your company’s business and the technology your company uses on a daily basis
Understand your company’s technology strategy
• Cloud first to Cloud never
• Bring your own technology
Understand who has responsibility for buying and maintaining technology
• What is Legal’s role in this?
What is your process for buying technology?
• Make sure it includes a process to identify when shadow IT is being bought or used
Page 18
Top 10 Tips
9. Know your vendors and
vendors’ vendors
Page 19
Top 10 Tips
Know who your vendors are and what services/products they provide
Connect and work with your security team
• You both need to know when you find new places to store data
Put a process in place to identify new technology being used
• It’s happening; you just may not know about it
Page 20
Top 10 Tips
8. Know your law firms’
security practices
Page 21
Top 10 Tips
Understand your obligations as in-house counsel when working with your law firms
Join the ACC Litigation Committee Subcommittee on Cyber Security and Law Firms
• Evan Slavitt, [email protected]
Join the ACC Working Group Data Security for Law Firms
• Amar Sarwal, [email protected]
Page 22
Top 10 Tips
7. Be a partner to the
business
Page 23
Top 10 Tips
Find a way to help your business partners understand and mitigate technology risks; help them achieve success
Host a series of lunch and learns with your business and technology counterparts
Present on areas of respective expertise
• Contract and licensing 101
• Technology 101
• Sales 101, Operations 101, etc.
Meet regularly to discuss issues, trends, etc.
Page 24
Top 10 Tips
6. Conduct a data audit
Page 25
Top 10 Tips
Form a cross-functional team to identify data practices
Understand what data you have and how it is managed
• What is the data?
• Who has (and should have) access?
• Where does it go?
• How long is it stored?
Do you have a DR/BCP?
• Conduct a DR/BCP exercise annually
Page 26
Top 10 Tips
5. Assess your individual
data practices
Page 27
Top 10 Tips
Where do you keep your personal data?
• At home?
• At work?
Use a password manager
• Don’t store a copy of your passwords online
Page 28
Top 10 Tips
4. Know your company’s
breach and incident
response plan and
practices
Page 29
Top 10 Tips
If you don’t have a plan – create one!
Know the plan and practices
Know who has what roles in the plan
Practice, practice, practice
Page 30
Top 10 Tips
3. Employee training on
technology, security, and
privacy
Page 31
Top 10 Tips
Do it!
Page 32
Top 10 Tips
2. Get comfortable with
technology
Page 33
Top 10 Tips
acc.com, ACC Committees and Chapters, LQHs, Webcasts, Docket, ACC’s Inhouse ACCess blog, eGroups, etc.
David Pogue TED Talk: http://www.ted.com/talks/david_pogue_10_top_time_saving_tech_tips?language=en
Password storage: LastPass - lastpass.com
ABA’s Law Technology Today: http://www.lawtechnologytoday.org/
The Lawyerist: https://lawyerist.com/topic/tech/
Google - iPhone & Android tips
Take a class
Page 34
Top 10 Tips
1. Network inside and
outside your organization
Page 35
Top 10 Tips
Develop a core team of company contacts to assist on technology issues.
Use your contacts in other parts of the organization (e.g., IT, Security) to help you keep up to date on technology developments affecting your business.
Talk to your peers outside the company regarding best practices and stay current on new developments.
Page 36
Questions?
Page 37
Contact Us
Scott Plichta
Jennifer K. Mailander