CHAPTER 4 DATA SECURITY/DATA BREACH: WHAT EVERY LAWYER NEEDS TO KNOW TO PROTECT CLIENT INFORMATION

Transcription

1 CHAPTER 4 DATA SECURITY/DATA BREACH: WHAT EVERY LAWYER NEEDS TO KNOW TO PROTECT CLIENT INFORMATION Sheila M. Blackford Professional Liability Fund Practice Management Advisor Hong Dao Professional Liability Fund Practice Management Advisor

2 MCLE FORM 1: Recordkeeping Form (Do Not Return This Form to the Bar) Instructions: Pursuant to MCLE Rule 7.2, every active member shall maintain records of participation in accredited CLE activities. You may wish to use this form to record your CLE activities, attaching it to a copy of the program brochure or other information regarding the CLE activity. Do not return this form to the Oregon State Bar. This is to be retained in your own MCLE file. Name: Bar Number: Sponsor of CLE Activity: Title of CLE Activity: Program Number: Date: Location: Activity has been accredited by the Oregon State Bar for the following credit: Full Credit. I attended the entire program and the total of authorized credits are: Partial Credit. I attended hours of the program and am entitled to the following credits*: General Prof Resp-Ethics Access to Justice Child Abuse Rep. Elder Abuse Rep. Practical Skills Pers. Mgmt/Bus. Dev.* General Prof Resp-Ethics Access to Justice Child Abuse Rep. Elder Abuse Rep. Practical Skills Pers. Mgmt/Bus. Dev.* General Prof Resp-Ethics Access to Justice Child Abuse Rep. Elder Abuse Rep. Practical Skills Pers. Mgmt/Bus. Dev.* *Credit Calculation: One (1) MCLE credit may be claimed for each sixty (60) minutes of actual participation. Do not include registration, introductions, business meetings and programs less than 30 minutes. MCLE credits may not be claimed for any activity that has not been accredited by the MCLE Administrator. If the program has not been accredited by the MCLE Administrator, you must submit a Group CLE Activity Accreditation application (See MCLE Form 2.) Caveat: If the actual program length is less than the credit hours approved, Bar members are responsible for making the appropriate adjustments in their compliance reports. Adjustments must also be made for late arrival, early departure or other periods of absence or non-participation. *Personal Management Assistance/Business Development. See MCLE Rule 5.11 and Regulation for additional information regarding Category III activities. Maximum credit that may be claimed for Category III activities is 6.0 in a three-year reporting period and 3.0 in a short reporting period. 8/16:MCLE1

3 C h a p t e r 4 DATA SECUR ITY/DATA BREACH: WHAT EVERY LAWYER NEEDS TO KNOW TO PROTECT CLIENT INFORMATION TABLE OF CONTENTS Page # PowerPoint Slides Protecting Yourself and Law Firm from Data Breach Checklist To view these chapter materials and the additional resources below on or before November 1, go to select Upcoming CLE, select Learning The Ropes, and click on program materials, under Quick Links. After November 1, select Past CLE, Learning The Ropes, and click on program materials, under Quick Links. Additional Resources What to Do After a Data Breach, In Brief article, available at: 20Breach%20April%202016%20In%20Brief.pdf What s Backing Up Your Data, In Brief article, available at: How to Back up Your Computer, PLF practice aid, er.pdf Beware Ransomware, In Brief article, available at: ting%20software%20continues%20to%20extort%20money.pdf

4 Data Security/Data Breach: What Every Lawyer Needs to Know to Protect Client Information Sheila Blackford & Hong Dao PLF Practice Management Advisors Attorneys What is Data Breach How to Protect Client Data What to Do When a Breach Occurs Lawyer s Other Ethical Obligations Data 4-1

5 OSB Ethics Opinion & ABA Rule 1.1 (Comment 8) Understand technology and its risk ORPC 1.1: Provide competent representation to a client OCPC : Client property shall be identified as such and appropriately safeguarded Safeguard client physical property & electronic property Understand how to use technology safely Have a response plan What is a data breach? Viewed, stolen or used without authority or knowledge 4-2

6 Lost or Stolen Device Social Engineering 4-3

7 Enticement Dumpster Diving Physical Entry Common Methods SE Attack Pretexting Phishing Malware Infection Adware Spyware Trojan Horse Virus Worm Ransomware 4-4

8 Phishing Anatomy of a Phishing Sender s doesn t look right You weren t expecting that Misspelled words & poor grammar Request personal information High sense of urgency References to threat/reward Ask you to open attachment or click on link Ransomware 4-5

9 Warning! Phish Infection Ransom Note Pay or restore ORPC 1.6(c):Confidentiality: Make reasonable Efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. 4-6

10 Password Internet Browser Computer Files Other Password Use strong password Change frequently 2 factor authentication Consider password manager Don t clink on suspicious attachments and links Avoid getting spam s 4-7

11 Update web browser Enable automatic updates Disable pop ups Internet Browser Install OS, program & app updates Install/update anti virus & malware protection Use firewall Don t use free public WiFi Encrypt hard drive Computer Back up Use Use secured file sharing Encrypt before upload Files 4-8

12 Educate and train Be vigilant Ensure files are properly destroyed Limit facility entry Question unknown people in secured areas More Contact Professional Liability Fund Contact Oregon State Bar Call IT expert Change usernames and passwords 4-9

13 Consider placing bank/credit/security freeze File police report Notify clients Implement How to protect client data tips Contain the attack Notify the FBI Restore computer Lawyer s Other Duties 4-10

14 ORPC 5.1 Responsible for another lawyer s conduct that violates the RPCs ORPC 5.2 Responsibilities of subordinate lawyer ORPC 5.3 Have a duty to supervise staff Thank you! Sheila Blackford sheilab@osbplf.org Hong Dao hongd@osbplf.org

15 Protecting Yourself and Law Firm from Data Breach Checklist Data breach is the unintended exposure of your data to unauthorized viewers. As lawyers, we are entrusted with confidential data about our clients. This checklist is intended to help you to become more secure. Think of it as a cyber security checklist that is helpful for identifying areas of concern for you to discuss with your IT support person. As cyber security is an area of ongoing change due to the increasing sophistication of cyber criminals, you should continue to seek out information about data security. Passwords 1. Use passwords to protect all devices connected to the internet. Create strong passwords that are at least 14 characters or more using upper and lower case letters, numbers and special characters. Use a passphrase such as a sentence to help you to remember it. 2. Use a password manager program to store your passwords security in an encrypted vault on your computer or in the cloud. Don t store passwords in files on your computer such as in a Word document or Excel spreadsheet. If you must write down your passwords, secure it in a locked location. 3. Use two-factor authentication which allows you to verify your identity using two methods of the following: something you know (for example a password), something you have (for example a key or hardware authentication device something you are (for example a fingerprint or retina scan). There are authentication devices that provide strong two-factor authentication for example a YubiKey itself is a two-factor authentication device incorporating a physical key with your fingerprint that plugs into your USB drive and supports one-passwords, public key encryption and authentication. Their YubiKey 4C Nano is the world s smallest USB-C authentication device for use with USB-C ports. 4. Keep your password confidential. Don t share it with anyone. 5. Keep your password unique. Don t re-use important passwords for multiple websites, devices or services. 6. Change your password frequently, such as every 30 or 45 days. Don t recycle passwords! Hardware and Software 7. Keep your hardware and software as current as possible with upgrades from the vendor. Those upgrades will typically include improved security features. 8. Secure your server in a locked room. Some cyber criminals have walked through law firms with clipboards posing as IT service personnel. Verify identities before granting access to your server. 9. Use intrusion detection systems. These systems will alert you to attempts to invade your computer system. Data Breach Checklist Page

16 10. Use security software suites that include virus and malware protection and keep it up-todate. 11. Have your IT support person set up your wireless network to include enabling strong encryption. Disable the WEP and WPA encryption and require WPA2 encyption. 12. Be sure to change the default passwords on all wireless routers and servers. Consult your IT support person for any help. 13. Be sure that any device holding client data is password protected and encrypted, especially if these devices are taken off site. Thumb drives, smart phones, tablets and laptops continue to be most frequently stolen or lost devices. Protocols 14. Backup all data and do regular periodic test restores of the backup. Store your backup securely. Backups taken off site or stored on the internet should be encrypted. If you are storing your backup or any data on the internet, be sure that the vendor does not have access to the decryption key. 15. Be sure that your IT support person sets up your backup system so that it cannot be corrupted in the event your computer is attacked by ransomware. Otherwise, ransomware can travel onto your backup. 16. Develop a protocol for internet usage at work. Employees should not be allowed to download and install programs and apps on devices that connect to your server without prior authorization from your IT support person. Freeware frequently is infected with malware. Train your staff to avoid downloading any attachments sent by especially if the extension ends in.exe which means it is an executable file. 17. Insure that all remote access to the office network occur through the use of a VPN, MiFi, smartphone hotspot or some other type of encrypted connection. Prohibit connecting to the office network using a public computer (such as at a hotel or library) and unsecured open public Wi-Fi network (such as at an airport, hotel, coffee shop, or library). Obtain guidance from your IT support person for setting up a VPN, MiFi, or smartphone hotspot. 18. Do not allow non-employees to have access to your network. This especially includes terminated employees. 19. Conduct an annual internal network security audit to ensure your network is secure. This is most helpful when it includes a vulnerability assessment. Education 20. Provide mandatory social engineering awareness training to your staff annually. Data Breach Checklist Page

17 21. Provide training to staff for how to respond to a cyber breach incident, including disconnecting the device from the internet and office network immediately if staff suspects the device has been breached and contact IT support immediately. 22. Instruct staff on how to properly dispose of any device or digital media that contains client or law firm data. 23. Instruct staff on proper safeguards if they are allowed to use their own device on your network. 24. Instruct staff on how to scrub documents for metadata. 25. Teach staff how to recognize phishing scams. 26. Teach staff to exercise caution on using social media as cyber criminals could use the same information to assist them in personal identity theft or hacking online accounts. RESOURCES FOR FURTHER STUDY 27. Back to Basics: 10 Security Best Practices, DARKReading, Nimmy Reichenberg, September 4, Data Breach Checklist Page

18 28. Best Practices for a Data Security Plan, Forbes Technology Council, Chalmers Brown, September 5, Data Security, Federal Trade Commission Lawyers Mutual Liability Insurance Company of North Carolina Data Breach Incident Response Plan Toolkit Protecting yourself from cybercrime dangers: The steps you need to take, by Tim Lemieux, December 1, 2013, Practice PRO Schneier on Security: Books by Bruce Schneier Data Breach Checklist Page