Law Firm Data Security: What In-house Counsel Need to Know

Presentation transcript:

Session #703: Law Firm Data Security: What In-house Counsel Need to Know

Session Speakers
- Mary Blatch, Director of Government and Regulatory Affairs, ACC
- Jennifer Mailander, Director, Compliance & Privacy, Associate General Counsel, Corporation Service Company
- John Murphy, Chair, Shook, Hardy & Bacon, LLP
- Brennan Torregrossa, Vice President and Associate General Counsel, GSK

Session Agenda
- Data security threats to law firms
- Assessing law firm data security
- Data security practices for in-house legal departments

Data Security Threats to Law Firms

Polling Question #1: Has one of your law firms been the victim of a cyber attack?
- Yes, and the law firm informed our organization directly
- Yes, we learned of the attack through the media
- No, and I feel confident that I would know if one of our firms had detected an attack
- I don’t know


Data Security Threats to Law Firms: FBI Warnings
- Nov. 2009 – FBI warns of increased hacking of law and PR firms
- 2011-2012 – FBI meets with law firms to discuss cyber threat
- March 2016 – Warning that hackers are specifically targeting law firms as part of an insider trading scheme

Data Security Threats to Law Firms: Why law firms?
- Quantity and quality of documents that are easily identified
- Confidential corporate finance information
- Confidential information about corporate transactions
- IP and trade secrets
- Corporate employee information

Data Security Threats to Law Firms: Why law firms?
- Legal industry has had lower levels of investment in IT than other industries
- Potential to obtain data about multiple companies through one criminal act
- Until recently, little focus on law firm data security

Data Security Threats to Law Firms: ILTA’s 2016 Study of the Legal Industry’s Information Security Practices

Data Security Threats to Law Firms: Types of threats
- Hacking
- Malware
- Phishing
- Insider threats
- Inadvertent disclosure

Data Security Threats to Law Firms: Types of threats (ILTA’s 2016 Study of the Legal Industry’s Information Security Practices)

Polling Question #2: How robust is your data security screening process for law firms?
- We have procedures, standards and controls that we apply to every engagement
- We evaluate firms’ data security protections, but do not have a formal process for doing so
- We evaluate firms’ data security protections on an ad hoc basis
- We do not evaluate our firms’ data security protections (that’s why I’m in this session!)

Ethical obligations: Lawyers and technology must mix!!
ABA Model Rule 1.1 – Competence, Comment 8: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

Ethical obligations: Confidentiality includes data security
ABA Model Rule 1.6(c) – Confidentiality: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
- Rules don’t define “reasonable”
- No guidance regarding specific controls

Ethical obligations: Comment 18 to Rule 1.6: “Factors to be considered […] include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.”

Ethical obligations: State bar association ethics opinions on cloud computing are also a helpful source when considering vendor data security in the context of attorneys’ ethical obligations.

Polling Question #3: Which of the following precautions has been recommended by state bar associations?
- In dealing with providers of cloud computing, lawyers should adopt additional confidentiality safeguards
- A periodic review of the reasonableness of security precautions may be necessary
- Lawyers should be aware of limitations in their competence regarding online security measures
- All of the above

Assessing Law Firm Data Security

Polling Question #4: Who in your organization is responsible for evaluating the data security practices of your law firms?
- The legal department
- The procurement department
- The IT department
- Some combination of the above

Assessing Law Firm Data Security: You are about to engage a new law firm on an important, sensitive legal matter. What do you consider when evaluating the firm’s data security practices?

Assessing Law Firm Data Security: Big Picture
- Separate information security function
- Certification or adherence to a framework (ISO 27001; NIST; SOC)
- Formal policies and procedures
- Employee training
- Law firm vendors / third party risk
- Cybersecurity insurance

Data Security Threats to Law Firms: ILTA’s 2016 Study of the Legal Industry’s Information Security Practices

Assessing Law Firm Data Security: ISO 27001 and Other IT Security Standards
Several sets of standards provide requirements for information security management:
- ISO 27001 – certification available
- NIST Cybersecurity Framework
- SOC (Service Organization Control)
There are a number of standards/frameworks that firms can use to build and maintain data security. Some can be “certified” against, which gives a greater level of assurance that the organization has appropriate systems in place.

Assessing Law Firm Data Security: Specifics
- Expected technical safeguards: firewalls, anti-virus/malware protection, spam filters, intrusion detection, encryption
- Vulnerability assessments
- Written incident response program
- Mobile devices and security
- Review of employee access

Data Security Practices for In-house Legal Departments

Polling Question #5: Does your legal department have specific policies or procedures regarding data security?
- Yes, we have specific policies or procedures that address legal department data security concerns
- We have informal practices designed to enhance data security within the legal department
- Our organization as a whole has policies and procedures, and the legal department follows those
- No organizational policies address data security

Best Practices In-House
- Risk analysis of engagement data
- Protocols for safe data transfer
- Employee training
- Periodic review or monitoring of ongoing law firm relationships