#ClioWeb

Security Basics for Law Firms

Joshua Lenon – Clio
Chris Wiesinger – CloudMask

Instructors

Joshua Lenon
• Lawyer in Residence at Clio
• Attorney Admitted in New York
• @JoshuaLenon

Chris Wiesinger
• Business Development at CloudMask

Agenda

• Confidentiality vs. privacy for law firms
• Privacy regulations impacting law firms
• Practical challenges
• Improve your security posture
• Questions


At least 80 of the 100 biggest firms in the country, by revenue, have been hacked since 2011.


CONFIDENTIALITY VS. PRIVACY

Confidentiality

• Attorney-Client Privilege (Evidentiary Rule)
• Work Product Doctrine (Civil Procedure Rule)
• MRPC Rule 1.6 (Ethical Duty)

Attorney-Client Privilege

“encourage[s] full and frank communication between attorneys and their clients.” Upjohn Co. v. United States, 449 U.S. 383 (1981).

Attorney-Client Privilege

• Limited to communications between the client and attorney
• Privilege rests with the client; even beyond the grave, Swidler & Berlin v. United States, 524 U.S. 399 (1998)
• Waiver possible
• Inadvertent disclosure is not necessarily waiver, if:
– the disclosure is inadvertent;
– the holder of the privilege or protection took reasonable steps to prevent disclosure; and
– the holder promptly took reasonable steps to rectify the error

Work Product Doctrine

Federal Rules of Civil Procedure Rule 26(b)(3)
• “Ordinarily, a party may not discover documents and tangible things that are prepared in anticipation of litigation...”
• Materials may be discovered if the party shows that it has substantial need for the materials to prepare its case and cannot, without undue hardship, obtain their substantial equivalent by other means.

MRPC Rule 1.6

(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).

MRPC Rule 1.6(b)

• prevent reasonably certain death or substantial bodily harm

• prevent the client from committing a crime or fraud

• prevent, mitigate or rectify substantial injury to the financial interests or property of another

• secure legal advice about the lawyer's compliance with these Rules

• establish a claim or defense on behalf of the lawyer

• comply with other law or a court order

• detect and resolve conflicts of interest


MRPC 1.6

(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

Confidentiality vs Privacy

Confidentiality             | Privacy
Prescriptive                |
Client focused              |
Derived from Common Law     |
Well-documented exceptions  |
Legal specific              |

Privacy

• Personally Identifiable Information (PII)
1. Information that can be used to distinguish or trace an individual’s identity
• Name, social security number, date and place of birth, mother’s maiden name, or biometric record
2. Other information that is linked or linkable to an individual
• Medical, educational, financial, and employment information.

Privacy Safeguards

• 3 types of safeguards must be considered and implemented
1. Administrative
2. Physical
3. Technical

Privacy

• Notification duties in the event of a breach
– Must notify all affected parties
• Reporting duties to regulators
• Right of action for impacted individuals

Confidentiality vs Privacy

Confidentiality             | Privacy
Prescriptive                | Descriptive
Client focused              | Everyone
Derived from Common Law     | Statutorily created
Well-documented exceptions  | Enforced liability
Legal practice specific     | Outside the courtroom


PRIVACY REGULATIONS IMPACTING LAW FIRMS


Law firms need to weigh privacy regulations by geography and subject matter.

Privacy Laws Affecting Law Firms

• State Privacy Laws
• Client Business Area Privacy Laws
• Federal Regulations

State Privacy Laws

Think broadly: it’s not just your location, but the location of all of your clients and contacts.

Client Business Areas

• Financial information – under the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), Fair and Accurate Credit Transactions Act (FACTA), Red Flags Rule
• Healthcare information – under the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act
• Children’s information – as required under the Children’s Online Privacy Protection Act (COPPA) and Family Educational Rights and Privacy Act (FERPA)
• Mortgage lending – under Consumer Financial Protection Bureau Bulletin 2012-03
• Criminal Justice – Criminal Justice Information Services Division (CJIS)


Federal Regulations

FTC’s Standard of Care

Take “reasonable and necessary measures” to protect consumer data

Privacy for Law Firms

• State Privacy Laws
• Client Business Area Privacy Laws
• Industry Regulation
• Federal Regulations

Privacy rules vary between jurisdictions, with new regional requirements emerging frequently.

• Europe
– EU-U.S. Safe Harbor / EU-U.S. Privacy Shield
– General Data Protection Regulation (GDPR) (2018)
• Canada
– Personal Information Protection and Electronic Documents Act (PIPEDA)
– Freedom of Information and Protection of Privacy Act (FOIPPA) (BC)
• South Africa
– Protection of Personal Information Bill


THE PRACTICAL CHALLENGES

Key Concerns

• Business
– Which cases would be compromised if opposing forces saw all your data?
– Client reaction and response to breaches affecting their cases?
– Regulatory implications of data breaches?
• Technical
– Landscape of security issues
– Tools to effect consistent application of data protection policy


Connection and Vulnerability

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Who is the Threat?

• Insiders
– Have legitimate, authorized access to premises and systems
• Outsiders
– Hackers, governments
– Legal adversaries?
– Hacktivists?
• Key Concern
– Outsiders always target insider credentials first

55% Insiders
https://securityintelligence.com/the-threat-is-coming-from-inside-the-network/

Protecting (and failing to protect) Credentials

• Most breaches begin with password compromise
• Hard to remember unique passwords so…
– Failure to change default passwords
– Easy to remember = Easy to Guess
– Same password for multiple services
• Your email password
– The magic key for “I forgot my password”

August 30, 2016

What Third Parties Can and Can’t See

• Cloud means third parties handle your data
– Consumer Gmail (example)
• Google encrypts in transit to servers
• Google scans and analyzes content
– Google for Work (example)
• Encrypts data in transit and at rest…. BUT
– Google staff have access to master keys
– Who determines “legitimate business purpose”?
– National Security Letters?
– What if Google employee compromised?
– Challenge for Lawyers: Due Diligence
• Who are you really trusting your data to?
• Remember the insider concern

“Google authorizes only trusted individuals to have legitimate access to systems and data repositories containing customer data, including the KMS. This strict authorization extends to job duties including debugging and maintenance activities that might expose decrypted customer data to a trusted employee. Access to these systems is under the umbrella of strict policies that are clearly displayed for employees to read and also in the tools they use. Access to customer data is only allowed for a legitimate business purpose.”

The Design of Encryption Solutions

• Common Encryption Implementations
– Transport Layer Security (TLS): e.g., between browser and app server
• Need to trust the people controlling the encryption keys (app server end)
– Pretty Good Privacy (PGP)
• Each end-point (Bob, Alice) has a unique public and private key
• No middlemen with keys
• The Trust Trade-off is about Convenience and Usability


HOW TO IMPROVE YOUR SECURITY POSTURE

The Upshot

• Protect your credentials with Password Managers
• Take control of encrypting your data in key applications like Clio and Google
– YOU must control the encryption key
• This is no longer rocket science
• CloudMask: define and automate data protection policy
• These constitute “reasonable steps”
– To improve client confidentiality and privacy
– To limit your exposure to financial, brand and regulatory risk

Password Managers

• Rules and remembering is what software is good for
• Fast Identity Online (FIDO) is the no-password future (fidoalliance.org) (NEAR FUTURE)
• In the meantime, select and use a password manager (TODAY)
• Still: Discipline required
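The slide's point that "rules and remembering is what software is good for", together with the credential failure modes from the earlier slide (unchanged defaults, easy-to-guess choices, one password reused across services), as an added Go example. This is not code from the webinar, from Clio or from any password manager product; the character set, the list of default passwords, the service names and the vault entries are all constructed for the illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
	"math/big"
)

// Character set for generated passwords (a constructed choice; trim it to
// match a site's password rules).
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{}:,.?"

// GeneratePassword draws n characters uniformly from alphabet using the
// operating system CSPRNG (crypto/rand); rand.Int avoids modulo bias.
func GeneratePassword(n int) (string, error) {
	out := make([]byte, n)
	size := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, size)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// EntropyBits is the guessing resistance of an n-character password drawn
// from this alphabet: log2(|alphabet|^n).
func EntropyBits(n int) float64 {
	return float64(n) * math.Log2(float64(len(alphabet)))
}

// Entry is one record of a constructed vault: a service name plus its secret.
type Entry struct {
	Service  string
	Password string
}

// Finding is one hygiene problem the audit reports.
type Finding struct {
	Service string
	Problem string
}

// Constructed list of vendor defaults and trivially guessable values.
var defaultPasswords = map[string]bool{
	"admin": true, "password": true, "123456": true, "welcome1": true,
}

// AuditVault reports default passwords and passwords reused across services.
// Entries are compared by SHA-256 fingerprint so the report never has to
// carry the cleartext secret.
func AuditVault(entries []Entry) []Finding {
	var findings []Finding
	users := map[string][]string{} // fingerprint -> services sharing it
	for _, e := range entries {
		fp := fingerprint(e.Password)
		users[fp] = append(users[fp], e.Service)
		if defaultPasswords[e.Password] {
			findings = append(findings, Finding{e.Service, "default or guessable password"})
		}
	}
	for _, e := range entries {
		if len(users[fingerprint(e.Password)]) > 1 {
			findings = append(findings, Finding{e.Service, "password reused across services"})
		}
	}
	return findings
}

func fingerprint(p string) string {
	sum := sha256.Sum256([]byte(p))
	return hex.EncodeToString(sum[:])
}

func main() {
	pw, err := GeneratePassword(20)
	if err != nil {
		panic(err)
	}
	fmt.Printf("generated: %s (%.0f bits)\n", pw, EntropyBits(20))

	// Constructed vault contents for the audit.
	vault := []Entry{
		{"email", "Spring2016!"},
		{"practice-management", "Spring2016!"}, // same secret as the e-mail account
		{"office-router", "admin"},            // default never changed
		{"bank", pw},
	}
	for _, f := range AuditVault(vault) {
		fmt.Printf("%-20s %s\n", f.Service, f.Problem)
	}
}
```

The e-mail entry sharing its secret with another service is the "magic key" case from the credentials slide: whoever recovers that one password can reset every other account that sends its reset link to the mailbox. Generated passwords come from the OS CSPRNG, and the audit compares hashes rather than cleartext so the report itself does not become a second copy of the vault.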

Privacy By Design: Zero Knowledge Applications

• Zero Knowledge
– Encryption key remains under user control (private key)
– End-to-End encryption: data encrypted from time of creation to time of viewing on an authorized device by an authorized viewer in control of their own key
– No third party facilitating the communication of encrypted data has the capacity to see that data in the clear
• E.g.: ISP, Cloud Infrastructure Provider, Software as a Service Provider, Encryption Engine Provider, etc.
• Zero Trust
– No need to trust middlemen with a view of sensitive data in the clear
– Breaches of masked data yield… meaningless information
– Encrypted and tokenized PII becomes meaningless data (no longer PII), so less likely to trigger breach notification expense and embarrassment

Making Zero Trust Easy with Clio and CloudMask

• CloudMask and Clio
– An easy-to-activate zero trust security enhancer
• The CloudMask Engine
– Selective, Intelligent Masking
• Selective: choose sensitive standard fields, and any custom field
• Intelligent: ensures that masked data is accepted by the database
• Masking: first encrypt the data, then tokenize and format
• Works beyond Clio
– Google for Work (Gmail, Drive)
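The encryption-design trade-off (keys held at the app server under TLS versus only at the endpoints, as with PGP), the zero-knowledge slide, and the engine's "selective, intelligent masking: first encrypt the data, then tokenize and format" are all one idea when written out, so here is one added Go example covering the three. It is not CloudMask's code and says nothing about how CloudMask is actually built; it assumes AES-256-GCM with the field name as associated data, a hypothetical `cm_` token prefix and `@masked.invalid` suffix as the formatting rule, and a constructed contact record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed formatting rules: a marker prefix on every token, plus a suffix
// that keeps a masked e-mail acceptable to an e-mail-validated column.
const tokenPrefix, emailSuffix = "cm_", "@masked.invalid"

// NewUserKey generates the 256-bit key that stays on the user's device; the
// provider never receives it, which is what makes its view zero-knowledge.
func NewUserKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Mask is "encrypt, then tokenize and format" for one field: AES-256-GCM under
// the user's key, with the field name as additional authenticated data so a
// token lifted from one field is rejected in another, then base64url text the
// database will store, then the per-field shape.
func Mask(key []byte, field, value string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nil, nonce, []byte(value), []byte(field))
	tok := tokenPrefix + base64.RawURLEncoding.EncodeToString(append(nonce, ct...))
	if field == "email" {
		tok += emailSuffix
	}
	return tok, nil
}

// Unmask is the authorized view: only a holder of the key recovers the value;
// a wrong key, a swapped field or a modified token fails closed.
func Unmask(key []byte, field, masked string) (string, error) {
	tok := strings.TrimPrefix(masked, tokenPrefix)
	if field == "email" {
		tok = strings.TrimSuffix(tok, emailSuffix)
	}
	raw, err := base64.RawURLEncoding.DecodeString(tok)
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(key)
	if err != nil || len(raw) < aead.NonceSize() {
		return "", errors.New("bad key or malformed token")
	}
	ns := aead.NonceSize()
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	if err != nil {
		return "", errors.New("wrong key, wrong field, or tampered token")
	}
	return string(pt), nil
}

// MaskRecord is the "selective" step: only the listed fields of a record are
// masked; the rest stay in the clear so the service can still search them.
func MaskRecord(key []byte, rec map[string]string, sensitive []string) (map[string]string, error) {
	out := map[string]string{}
	for f, v := range rec {
		out[f] = v
	}
	for _, f := range sensitive {
		m, err := Mask(key, f, rec[f])
		if err != nil {
			return nil, err
		}
		out[f] = m
	}
	return out, nil
}

func main() {
	key, _ := NewUserKey()
	rec := map[string]string{"name": "A. Client", "email": "client@example.com", "ssn": "000-00-0000"} // constructed
	stored, _ := MaskRecord(key, rec, []string{"email", "ssn"})
	fmt.Println("provider, insider or credential thief sees:", stored)
	plain, _ := Unmask(key, "email", stored["email"])
	fmt.Println("authorized device sees:", plain)
}
```

With the key generated and kept on the user's device, the stored record is all the provider, a provider insider with database access, or an outsider logging in with stolen credentials from another machine ever holds: tokens that decrypt only on a device carrying the key. Binding the field name into the authenticated data is the cheap check that stops a token copied from one column from being accepted in another, and GCM's tag rejects any edited token rather than returning garbage.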

Activating CloudMask from Within Clio

Configuring Data Protection Policies

CloudMask Capabilities Summary

✓ Mask critical standard fields
✓ Contacts, Matters, Tasks, Billing
✓ Mask any custom field
✓ Mask any attachment
✓ Search both clear and masked data
✓ Document automation
✓ Collaborate with outside counsel and clients
✓ Per-record control of masking (turn OFF if necessary)
✓ Supports Chrome and Firefox browsers
✓ Coming soon… Android and iOS mobile

Automatic Execution of Policy (Authorized View)

Automatic Execution of Policy (Unauthorized View)

Summary

1. Zero trust, end-to-end encryption solutions like CloudMask make Cloud safer than ever before.
2. With CloudMask, even “insiders” need both your credentials AND your authorized physical device to see data in the clear
• Outsiders who compromise credentials to log in from external machines see only masked data
3. Password Managers are critical to better credential governance
4. No need to compromise encryption design for ease of use
5. CloudMask: easy to use, automated data masking, with keys under your control

One More Thing: Due Diligence

• How do you know that “the security magic” in the black box works?
– Has the security vendor obtained independent validation of functionality and system integrity, according to an internationally agreed standard?
• CloudMask and Common Criteria Certification
– Common Criteria for Information Technology Security Evaluation
– www.commoncriteria.org
– International Organization for Standardization – ISO/IEC Standard 15408
– “does the software actually perform the functional claims?”
– Recognized and often required by federal government security authorities

QUESTIONS?

Thank You

Joshua Lenon

[email protected]

@JoshuaLenon

Linkedin.com/in/joshualenon

1-888-858-2546

Colin McMahon

Linkedin.com/in/colinmcmahonclio

[email protected]

Support.goclio.com

www.youtube.com/user/ClioVideo