Law firm cybersecurity in the cloud
According to the 2017 ABA Legal Technology Survey, 22% of law firms faced a cyberattack or data breach—and you don’t want your firm to be one of them.
That’s why staying up to date with the latest legal technology is key to managing your firm’s cybersecurity and keeping your clients’ data as secure as possible.
Learn how law firms can use cloud technology to strengthen their cybersecurity.
In this CLE-eligible webinar, you’ll learn:
• Top cybersecurity risks for law firms
• How to eliminate high cyber-risk vectors
• How to recover from a cyber incident
Duration: 60 minutes
https://landing.clio.com/law-firm-cybersecurity.html
3. Agenda
• Why cybersecurity? (10 minutes)
• Top cybersecurity risks for law firms (10 minutes)
• How to eliminate high cyber-risk vectors (15 minutes)
• How to recover from a cyber incident (10 minutes)
• Questions (10 minutes)
6. Model Rules of Professional Conduct
• Rule 1.1 – Competency
• [8] “lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…”
• Rule 1.6 – Confidentiality
• “lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation…”
7. MRPC 1.6
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
8. MRPC 1.6 – Comment 18
“Reasonable efforts” non-exclusive factors
• the sensitivity of the information,
• the likelihood of disclosure if additional safeguards are not employed,
• the cost of employing additional safeguards,
• the difficulty of implementing the safeguards, and
• the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
10. ABA Formal Opinion 477
1. Understand the Nature of the Threat.
2. Understand How Client Confidential Information is Transmitted and Where It Is Stored.
3. Understand and Use Reasonable Electronic Security Measures.
4. Determine How Electronic Communications About Client Matters Should Be Protected.
5. Label Client Confidential Information.
6. Train Lawyers and Nonlawyer Assistants in Technology and Information Security.
7. Conduct Due Diligence on Vendors Providing Communication Technology.
13. Lawyers’ Legal Obligations
Federal Trade Commission (FTC)
• Established in 1914 by the Federal Trade Commission Act
• Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 grants the FTC power to investigate and prevent unfair or deceptive trade practices (UDAP Authority)
• 50 cybersecurity enforcement actions since 2002
16. Client Business Areas
• Financial information – under the Gramm Leach Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), Fair and Accurate Credit Transaction Act (FACTA), Red Flags Rules
• Healthcare information – under the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act
• Children’s information – as required under the Children’s Online Privacy Protection Act (COPPA) and Family Educational Rights and Privacy Act (FERPA)
• Mortgage lending – under Consumer Finance Protection Board, Bulletin 2012-03
• Criminal Justice – Criminal Justice Information Services Division (CJIS)
23. Cybersecurity Preparedness in Law Firms
• 24% have no security awareness training
• 37% have no intrusion detection system
• 42% have no intrusion prevention system
• 72% have no data loss prevention
• 71% have no administration password management
• 96% have no 2-factor authentication for internal access
Source: ILTA 2018 Tech Survey
24. Through 2022, at least 95% of cloud security failures will be the customer’s fault.
Source: ‘Is the Cloud Secure’, Gartner.com, March 27, 2018
26. 1. Start with Security
2. Control Access to Data Sensibly
3. Require Secure Passwords and Authentication
4. Store Sensitive Personal Information Securely and Protect it During Transmission
5. Segment Your Network and Try to Monitor Who is Trying to Get in and Out
6. Secure Remote Access to Your Network
7. Apply Sound Security Practices When Developing New Products
8. Make Sure Your Service Providers Implement Reasonable Security Measures
9. Put Procedures in Place to Keep Your Security Current and Address Vulnerabilities That May Arise
10. Secure Paper, Physical Media, and Devices
Source: Start with Security, Federal Trade Commission
30. Vendor Review – ABA Formal Opinion 08-451
• Reference checks and vendor credentials;
• Vendor’s security policies and protocols;
• Vendor’s hiring practices;
• Use of confidentiality agreements;
• Vendor’s conflicts check system to screen for adversity; and
• Availability and accessibility of a legal forum for legal relief for violations of the vendor agreement.
44. ABA Formal Opinion 483
1. Duty to monitor
2. Stopping the breach and restoring systems
3. Determining what occurred
4. Notify current and former clients
46. Cybersecurity Framework
• “Framework for Improving Critical Infrastructure Cybersecurity”
• Published by NIST in February 2014
• Provides Core, Tiers and Profiles