Presentation is loading. Please wait.

Presentation is loading. Please wait.

Law Firm Data Security: What In-house Counsel Need to Know

Published byUrsula Douglas Modified over 6 years ago

Similar presentations

Presentation on theme: "Law Firm Data Security: What In-house Counsel Need to Know"— Presentation transcript:

1 Law Firm Data Security: What In-house Counsel Need to Know
Session #703 Law Firm Data Security: What In-house Counsel Need to Know

2 Session Speakers Mary Blatch, Director of Government and Regulatory Affairs, ACC Jennifer Mailander, Director, Compliance & Privacy, Associate General Counsel, Corporation Service Company John Murphy, Chair, Shook, Hardy & Bacon, LLP Brennan Torregrossa, Vice President and Associate General Counsel, GSK

3 Session Agenda Data security threats to law firms
Assessing law firm data security Data security practices for in-house legal departments

4 Data Security Threats to Law Firms

5 Has one of your law firms been the victim of a cyber attack?
Polling Question #1 Has one of your law firms been the victim of a cyber attack? Yes, and the law firm informed our organization directly Yes, we learned of the attack through the media No, and I feel confident that I would know if one of our firms had detected an attack I don’t know

6 Data Security Threats to Law Firms

7 Data Security Threats to Law Firms
FBI Warnings Nov – FBI warns of increased hacking of law and PR firms – FBI meets with law firms to discuss cyber threat March 2016 – Warning that hackers are specifically targeting law firms as part of insider trading scheme

8 Data Security Threats to Law Firms
Why law firms? Quantity and quality of documents that are easily identified Confidential corporate finance information Confidential information about corporate transactions IP and trade secrets Corporate employee information

9 Data Security Threats to Law Firms
Why law firms? Legal industry has had lower levels of investment in IT than other industries Potential to obtain data about multiple companies through one criminal act Until recently, little focus on law firm data security

10 Data Security Threats to Law Firms
ILTA’s 2016 Study of the Legal Industry’s Information Security Practices

11 Data Security Threats to Law Firms
Types of threats Hacking Malware Phishing Insider threats Inadvertent disclosure

12 Data Security Threats to Law Firms
Types of threats ILTA’s 2016 Study of the Legal Industry’s Information Security Practices

13 How robust is your data security screening process for law firms?
Polling Question #2 How robust is your data security screening process for law firms? We have procedures, standards and controls that we apply to every engagement We evaluate firms’ data security protections, but do not have a formal process for doing so We evaluate firms’ data security protections on an ad hoc basis We do not evaluate our firms’ data security protections (that’s why I’m in this session!)

14 Lawyers and technology must mix!!
Ethical obligations Lawyers and technology must mix!! ABA Model Rule 1.1 – Competence Comment 8: To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology,

15 Confidentiality includes data security
Ethical obligations Confidentiality includes data security ABA Model Rule 1.6(c) – Confidentiality: A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client Rules don’t define “reasonable” No guidance regarding specific controls a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client

16 Ethical obligations Comment 18 to Rule 1.6: Factors to be considered […] include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients. 

17 Ethical obligations State bar association ethics opinions on cloud computing are also a helpful source when considering vendor data security in the context of attorneys’ ethical obligations

18 Polling Question #3 Which of the following precautions has been recommended by state bar associations? In dealing with providers of cloud computing, lawyers should adopt additional confidentiality safeguards A periodic review of the reasonableness of security precautions may be necessary Lawyers should be aware of limitations in their competence regarding online security measures All of the above

19 Assessing Law Firm Data Security

20 Polling Question #4 Who in your organization is responsible for evaluating the data security practices of your law firms? The legal department The procurement department The IT department Some combination of the above

21 Assessing Law Firm Data Security
You are about to engage a new law firm on an important, sensitive legal matter. What do you consider when evaluating the firm’s data security practices?

22 Assessing Law Firm Data Security
Big Picture Separate information security function Certification or adherence to a framework (ISO 27001; NIST; SOC) Formal policies and procedures Employee training Law firm vendors / third party risk Cybersecurity insurance

23 Data Security Threats to Law Firms
ILTA’s 2016 Study of the Legal Industry’s Information Security Practices

24 Assessing Law Firm Data Security
ISO and Other IT Security Standards Several sets of standards provide requirements for information security management. ISO – certification available NIST Cybersecurity Framework SOC (Service Organization Control) Greater level of assurance that organization has appropriate systems in place Some can be “certified” against There are a number of standards/frameworks that firms can use to build and maintain data security

25 Assessing Law Firm Data Security
Specifics Expected technical safeguards: Firewalls, anti-virus/malware protection, spam filters, intrusion detection, encryption Vulnerability assessments Written incident response program Mobile devices and security Review of employee access

26 Data Security Practices for In-house Legal Departments

27 Polling Question #5 Does your legal department have specific policies or procedures regarding data security? Yes, we have specific policies or procedures that address legal department data security concerns We have informal practices designed to enhance data security within the legal department Our organization as a whole has policies and procedures, and the legal department follows those No organizational policies address data security

28 Best Practices In-House
Risk analysis of engagement data Protocols for safe data transfer Employee training Periodic review or monitoring of ongoing law firm relationships

Download ppt "Law Firm Data Security: What In-house Counsel Need to Know"

Similar presentations

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
What is Insider Threat? “Potential damage to the interests of an organization by a person(s) who is regarded, falsely, as loyally working for or on behalf.

What is Insider Threat? “Potential damage to the interests of an organization by a person(s) who is regarded, falsely, as loyally working for or on behalf.
IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
TECHNOLOGY & ETHICS Association of Corporate Counsel © 2014 1.

TECHNOLOGY & ETHICS Association of Corporate Counsel ©
Recent Trends and Insurance Considerations March 2015

Recent Trends and Insurance Considerations March 2015
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
SAFA- IFAC Regional SMP Forum

SAFA- IFAC Regional SMP Forum
Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.
Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.

Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.
Confidentiality and Security Issues in ART & MTCT Clinical Monitoring Systems Meade Morgan and Xen Santas Informatics Team Surveillance and Infrastructure.

Confidentiality and Security Issues in ART & MTCT Clinical Monitoring Systems Meade Morgan and Xen Santas Informatics Team Surveillance and Infrastructure.
MAINTAINING PRIVACY & DATA SECURITY IN THE VIRTUAL PRACTICE OF LAW.

MAINTAINING PRIVACY & DATA SECURITY IN THE VIRTUAL PRACTICE OF LAW.
Practice Management Quality Control

Practice Management Quality Control
Beyond the Fortress Fortify Your Content Before it Travels Beyond the Firm Walls.

Beyond the Fortress Fortify Your Content Before it Travels Beyond the Firm Walls.
Carlsmith Ball LLP Cyber Issues For Lawyers Deborah Bjes October 22 nd, 2015.

Carlsmith Ball LLP Cyber Issues For Lawyers Deborah Bjes October 22 nd, 2015.
Session 8 Confidentiality and disclosure. 1 Contents Part 1: Introduction Part 2: The duty of confidentiality Part 3: The duty of disclosure Part 4: Confidentiality.

Session 8 Confidentiality and disclosure. 1 Contents Part 1: Introduction Part 2: The duty of confidentiality Part 3: The duty of disclosure Part 4: Confidentiality.
International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.

International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.
Develop your Legal Practice using “Cloud” applications, but … Make sure your data is safe! Tuesday 17 November 2015 The Law Society, London Allan Carton,

Develop your Legal Practice using “Cloud” applications, but … Make sure your data is safe! Tuesday 17 November 2015 The Law Society, London Allan Carton,

Similar presentations

Ads by Google