Don't Diligence Information Security for Lawyers


Don't Diligence - Information Security for Lawyers: Cloud Security, the Law Society and what every lawyer needs to know - Darren Thurston - hardBox Solutions


  1. Don't Diligence - Information Security for Lawyers: Cloud Security, the Law Society and what every lawyer needs to know. Darren Thurston – hardBox Solutions

  2. Information technology solutions for high and medium security office environments. Secure data storage, sharing & retrieval.

  3. Our Clients Include
     ● Edelmann & Company Law Office
     ● Helps Law Corporation
     ● Wilson, Buck, Butcher and Sears
     ● Browning, Ray, Soga, Dunne, Mirsky & Ng
     ● Phillip A. Riddell
     ● Don Morrison

  4. Who Are You?

  5. What size is your firm?
     - Solo
     - 2 to 5
     - 6 to 20
     - 21 to 75
     - Over 75
     - Crown Counsel

  6. Security breaches are happening every day. Reputation is the first thing to be affected when a breach occurs.

  7. What is the cloud?

  8. Cloud Services
     ● DropBox
     ● Google
     ● iCloud
     ● Amazon Cloud Drive
     ● Windows Live

  9. Law Specific Cloud Services
     ● PCLaw / TimeMatters - LexisNexis
     ● Clio

  10. Report of the Cloud Computing Working Group, Law Society of B.C.: Gavin Hume, QC (Chair); Bruce LeRose, QC; Peter Lloyd, FCA; Stacy Kuiack

  11. Cloud Issues
     ● Location of data and jurisdictional issues
     ● Security and data privacy issues
     ● Legal compliance issues
     ● Ownership issues
     ● Access and retention issues
     ● Force majeure issues
     ● Liability issues
     ● Termination issues

  12. Where is my data?

  13. Jurisdictional Issues. There are several problems with lawyers having their business records stored or processed outside British Columbia. Lawyers have a professional obligation to safeguard clients’ information to protect confidentiality and privilege. When a lawyer entrusts client information to a cloud provider, the lawyer will often be subjecting clients’ information to a foreign legal system. The foreign laws may have lower thresholds of protection than Canadian law with respect to accessing information. A lawyer must understand the risks (legal, political, etc.) of having client data stored and processed in foreign jurisdictions.

  14. Jurisdictional Issues
     ● US PATRIOT Act
     ● Alberta, Canada: “Bill 54” and Personal Information Protection Act (PIPA)
     ● UK Regulation of Investigatory Powers Act of 2000
     ● EU Data Protection Directive
     ● India Information Technology (Amendment) Act, 2008 (the IT Act)

  15. Security and Data Privacy
     ● Confidentiality provisions
     ● SAS 70
     ● Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
     ● ISO 27002
     ● Annual independent audits or assessments
     ● Incident Response Plan

  16. Legal compliance issues
     ● The Personal Information Protection and Electronic Documents Act
     ● Personal Information Protection Act, B.C. of 2003
     ● Sarbanes-Oxley Act of 2002 (SOX)
     ● Health Insurance Portability and Accountability Act of 1996 (HIPAA)
     ● Health Information Technology for Economic and Clinical Health (HITECH) Act
     ● Gramm-Leach-Bliley Act (GLB)
     ● Payment Card Industry Data Security Standard (PCI DSS)

  17. Potential impact on Rule 4-43. ...the Law Society revised Rule 4-43 (in 2008) to create a process to protect personal information. The balance that was sought recognized that the Law Society has the authority to copy computer records and investigate lawyers, but the process of making a forensic copy of computer records can capture irrelevant personal information. In light of this, the Law Society created a process to allow irrelevant personal information to be identified and segregated, so it was not accessed by the Law Society. Cloud computing creates a situation where that process might not be able to be followed.

  18. Ownership issues. My data, right?
     ● Google has recently been sued for mining data
     ● Can your data be exported - PCLaw?!?@#

  19. Access and Retention Issues
     ● Litigation Hold
     ● Audit Trail

  20. How is my data stored?
     - Virtualization
     - Multi-tenancy
     - Other

  21. Other issues
     ● Force Majeure Issues: natural disaster, act of war, etc.
     ● Liability Issues: services not responsible for their downtime
     ● Termination Issues: exit strategy

  22. Security Incidents

  23. DropBox: The problem child of cloud services

  24. Not just cloud services

  25. The dangers... and your obligations
     ● Unprotected computers infected/hacked within minutes of connecting to Internet
     ● Lost / stolen cell phones or laptops
     ● Theft of client, firm or personal data
     ● Rules of professional conduct oblige you to protect client data

  26. Information Security Best Practices
     ● How much time, effort and money do you invest?
     ● Absolute security is impossible
     ● Safety vs. convenience
     ● Find balance between:
       ● Allowable risk
       ● Acceptable cost/effort

  27. Keep your electronic data secure and private. Steps you must ensure:
     ● Install all latest software updates
     ● Use strong passwords
     ● Antivirus software is essential
     ● Install a firewall on your Internet connection
     ● Avoid the dangers of e-mail
     ● Beware the dangers of metadata

  28. Keep your electronic data secure and private (cont.)
     ● Lock down and encrypt your data
     ● Harden your wireless connections
     ● Learn how to safely surf the Web
     ● Change key default settings
     ● Implement a technology use policy
     ● A backup solution can save your practice

  29. Install updates...
     ● Microsoft products particularly prone
     ● Update all software regularly!
     ● Microsoft / Apple Macs
     ● Don’t forget non-OS software! Java / Flash / Adobe PDF
     ● Check on a regular schedule

  30. Further update issues
     ● Turn on Automatic Updates
     ● Automatic vs. ask to install
     ● Periodically check Microsoft website
     ● Critical updates ASAP
     ● Watch for “optional” software
     ● Backup before you install updates
     ● Create Restore point (Windows)

  31. A few thoughts on passwords. How many of you re-use passwords? Use your child's or pet's name or birthdate?

  32. Top used passwords
     1) password
     2) 123456
     3) 12345678
     4) 1234
     5) qwerty
     6) 12345
     7) dragon
     8) pussy
     9) baseball
     10) football
     11) letmein
     12) monkey
     13) 696969
     14) abc123

  33. Use strong passwords
     ● Frankiepoo1 = BAD
     ● m%")FZTm"d*A = DECENT
     ● a{3xQXbDZ`k=/T8z>Mx = GOOD
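An added example, not part of Darren Thurston's deck, for the ratings on slides 32 and 33: a small Python checker that estimates a password's strength from the character pool it draws on, refuses anything on the slide 32 list, and treats a name or word with a short digit suffix (the Frankiepoo1 shape) as BAD regardless of that estimate. The 60-bit and 100-bit thresholds are assumed values chosen to reproduce the deck's three ratings.

```python
import math
import re
import string

# Slide 32's list of top used passwords (page data), compared case-insensitively.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "1234", "qwerty", "12345", "dragon",
    "pussy", "baseball", "football", "letmein", "monkey", "696969", "abc123",
}

# A name or dictionary word with up to four trailing digits (e.g. Frankiepoo1).
# Cracking tools try this shape first, so a pool-size estimate overstates it.
WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z]+[0-9]{0,4}$")

# Character classes a password may draw on: 26 + 26 + 10 + 32 = 94 symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Rating thresholds in bits: assumed values chosen to reproduce slide 33.
DECENT_BITS = 60
GOOD_BITS = 100


def pool_size(password: str) -> int:
    """Sum of the sizes of the classes the password actually uses."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def entropy_bits(password: str) -> float:
    """Upper bound on guessing work: length * log2(pool); 0 for an empty string."""
    pool = pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def rate(password: str) -> str:
    """Return BAD, DECENT or GOOD on the deck's three-way scale."""
    if password.lower() in COMMON_PASSWORDS or WORD_PLUS_DIGITS.match(password):
        return "BAD"
    bits = entropy_bits(password)
    if bits < DECENT_BITS:
        return "BAD"
    return "GOOD" if bits >= GOOD_BITS else "DECENT"


if __name__ == "__main__":
    for pw in ("Frankiepoo1", 'm%")FZTm"d*A', 'a{3xQXbDZ`k=/T8z>Mx', "letmein"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits -> {rate(pw)}")
```

Note that the pool estimate alone would score Frankiepoo1 at about 65 bits; the word-plus-digits rule is what pulls it down to BAD, which is the point the slide makes.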
  34. Proper use
     ● Passwords are the keys to “unlock” your computer
     ● Essential for securing your electronic data and entire corporate network
     ● You need to be conscientious about how to set them up and use them

  35. Proper use
     ● Don’t use the same password for everything
     ● Don’t tell anyone your passwords, EVER!!
     ● Be wary of saving passwords in your browser

  36. Proper use
     ● Never write them down
     ● If you must, store them securely (safe)
     ● Be careful about storing passwords on your computer – use an encrypted password safe
     ● A security breach can compromise your entire network
     ● Rotate important passwords every 60 to 90 days

  37. Anti-virus software: Essential
     ● Protect your computer and data from malware
       - Viruses
       - Worms
       - Trojan Horses
       - Key Stroke Recorders
       - Backdoors
       - Rootkits

  38. Anti-Virus Use
     ● Decent free anti-virus is available: Microsoft Security Essentials
     ● Needs to be set up correctly
     ● Daily scans of all data
     ● Regular updates of your virus definition or signature files

  39. False Security
     ● The anti-virus game is one of catch-up
     ● 20% of viruses will get past most anti-virus products

  40. Use a Firewall
     ● A gatekeeper that ensures incoming and outgoing communications are legitimate
     ● All computers on the Internet can see one another
     ● Lines of communication are established through ports
     ● Open ports can allow unwanted access to a computer

  41. E-mail dangers
     ● Protect access with passwords
     ● Use privacy statements, for example: “Please note that this email correspondence is *not* encrypted or secured in any way. If you are sending sensitive information or attachments you may wish to send them in another format. If you choose to communicate with us by email, you agree to accept the possible risk of loss of privacy. The information in this internet email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this internet email by anyone else is unauthorized.”

  42. Smart email use
     ● Read email in text format, not HTML
     ● Be wary of phishing emails
     ● Be wary of links & attachments in emails
     ● Implement a spam filter

  43. Metadata
     ● Data About Data
     ● MS Office Products
     ● Adobe PDFs
     ● Photos

  44. Lock down and encrypt your data
     ● Startup & user passwords
     ● Put a password on your screensaver
     ● Data stored on computers and on external drives should ALWAYS be encrypted
     ● USB Drives!

  45. Harden your wireless connections
     ● Disable SSID Broadcast
     ● MAC Filtering
     ● Change Defaults
     ● Enable Logging
     ● Use Encryption: WEP is not secure
     ● WPA2 with AES Algorithm
     ● WPS can be hacked w/ Reaver

  46. Learn how to safely surf the Web
     ● Safe browser choices = No IE
     ● Disabling some browser features
     ● Controlling which cookies can be stored on your computer
     ● Preventing pop-ups
     ● Plug-ins turned off by default

  47. Change key default settings
     ● File Sharing
     ● Administrator account
     ● Normal user account for everyday use
     ● Domain name
     ● Workgroup name

  48. Technology use policy
     ● Does your office have one?
     ● Law Society has templates
     ● Internet and Email Use Policy

  49. Backup solutions
     ● Secure
     ● Encrypted
     ● Onsite
     ● Offsite

  50. Backup details
     ● Who’s Responsible
     ● Full Backup
     ● Daily Backups
     ● Establish Alerts
     ● Files
     ● E-mail
     ● Logs

  51. Further information
     ● The Law Society of BC – practice docs/tips
     ● CBA - Guidelines for Practicing Ethically with New Information Technologies
     ● Give us a call

  52. Questions? Contact Information: Darren