Law Firm Security: How to
Protect Your Client Data
and Stay Compliant
Host: Joshua Lenon
Housekeeping
● Session length: 60 minutes
● Recording & slides emailed tomorrow (*CLE is only available for the live
webinar/ the recording is NOT eligible for CLE)
● Use to engage with fellow webinar attendees
and select “Everyone” in the dropdown
● Use to ask questions directly to panellists
● Please fill out the survey at the end of the session
CLE / CPD Information
To qualify for credit, you must:
1. Be logged in on your own device under the email/name you registered with
(cannot share logins).
2. Attend the entire live webinar.
3. Participate in the polls during the live session.
*If you have met the participation requirements, you will receive a personalized
CLE/CPD affidavit from mcle-clio@americanbar.org for the webinar you attended
to completion. Please check your spam or junk folders as these emails often end up
there. Please note you have to fill out an affidavit for each individual webinar. Once
you complete the affidavit, you will be able to download your certificate(s) of
attendance and they will be emailed to you as well from
mcle-clio@americanbar.org.
TODAY’S SPEAKER
Joshua Lenon
Lawyer in Residence
● Attorney admitted into New York
● Certified Privacy Professional
● @JoshuaLenon
TODAY’S PANELIST
Tom Brennan
● Executive Director for CREST International (Incident Response / Penetration Testing / Security Operations)
● CIO for Mandelbaum Barrett PC
● A Certified CLIO Solutions Consultant
● United States Marine Veteran
● @brennantom
Email: tom.brennan@crest-approved.org
Phone: 1+ (973) 298-1160
TODAY’S PANELIST
Steven Teppler
● Cybersecurity
● Privacy
● Chief Cyber/Legal Officer
Email: steppler@sterlington.net
Phone: 1+ (202) 253-5670
Agenda
● Introductions
● Why cybersecurity matters to law firms
● 100% Security
● Attorneys and Cybersecurity
● CLE / CPD Info
● Q&A
Is your law firm
prepared for a security
breach?
a. No
b. Somewhat
c. Yes
d. I don’t know
Why cybersecurity matters to law firms?
Joshua Lenon
Lawyers’ Reasons for Cybersecurity
● Ethics duties
● Legal obligations
● Operational Continuance
● Fiscal Prudence
Model Rules of Professional Conduct
● Rule 1.1 – Competency
○ [8] “lawyer should keep abreast of changes in the law and its
practice, including the benefits and risks associated with
relevant technology…”
● Rule 1.6 – Confidentiality
○ “lawyer shall not reveal information relating to the
representation of a client unless the client gives informed
consent, the disclosure is impliedly authorized in order to
carry out the representation…”
Ethics Opinions
ABA Formal Opinion 477R - Securing Communication of
Protected Client Information
ABA Formal Opinion 482 - Ethical Obligations Related to
Disasters
ABA Formal Opinion 483 - Lawyers’ Obligations After an
Electronic Data Breach or Cyberattack
ABA Formal Opinion 477
Understand the Nature of the Threat.
Understand How Client Confidential Information is Transmitted and Where It Is Stored.
Understand and Use Reasonable Electronic Security Measures.
Determine How Electronic Communications About Clients Matters Should Be Protected.
Label Client Confidential Information.
Train Lawyers and Nonlawyer Assistants in Technology and Information Security.
Conduct Due Diligence on Vendors Providing Communication Technology.
● Avoid Using Public Internet/Free Wi-Fi
● Use Virtual Private Networks (VPNs) to Enhance Security
● Use Two-Factor or Multi-Factor Authentication
● Use Strong Passwords to Protect Your Data and Devices
● Assure that Video Conferences are Secure
● Backup Any Data Stored Remotely
● Security is Essential for Remote Locations and Devices
● Users Should Verify That Websites Have Enhanced Security
● Lawyers Should Be Cognizant of Their Obligation to Act with Civility
Managing cost is the biggest issue in cloud usage
When asked about the most important initiatives
in their organizations pertaining to public cloud
adoption, 30% of all respondents said “managing
cost.” Further concerns were:
● modernizing applications (19%)
● performance optimization (13%)
● cloud migration itself (11%).
Operational Continuance
Cybersecurity is necessary to keep the lights on.
Cloud usage by category
Top Security Risks for Law Firms
● Employees
● Failure to plan
● Failure to invest
● Outside Actors
Cloud threats by category
Fiscal Prudence
Cybersecurity failures are costly.
Lawyers are not taking necessary security precautions.
100% Security
Tom Brennan
Law Firms are Targets
Hackers are intentionally targeting law firms, and are likely to continue doing so for the foreseeable future. Headlines have exposed recent breaches at some large and prominent firms, like Goodwin Procter, Seyfarth Shaw, Cadwalader, and Peabody & Arnold. But it would be a mistake to believe that hackers targeted only those types of firms. The lists maintained on the websites of the Attorneys General for New Hampshire and Massachusetts reveal that hacks of small and medium-sized firms are far more common and damaging.
● Campbell Conroy & O'Neil serves a large array of Fortune 500 companies, including Ford, Boeing, Exxon Mobil, Quest Diagnostics, Liberty Mutual, Johnson & Johnson, Walgreens, Monsanto, FedEx and Coca-Cola, among others. The hack was first detected on Feb. 27, sparking an investigation, the firm said in its disclosure.
https://www.cnn.com/2021/07/19/tech/ransomware-law-firm/index.html
● The U.S. Attorney's Office for the District of New Jersey has charged a California man with money laundering after a New Jersey law firm's email account was hacked and $560,000 was fraudulently obtained from a client of the firm.
https://www.law.com/njlawjournal/2021/03/18/law-firm-hacked-560000-stolen-from-client/
● McCarter & English Suffers Data Security Incident. An internal email confirmed that attorneys at the New Jersey firm lost access to email and remote work systems. Meanwhile, Pennsylvania's Stevens & Lee is grappling with the consequences of a 2021 breach.
https://www.law.com/americanlawyer/2022/04/19/mccarter-english-suffers-data-security-incident/
● Hackers have stolen and leaked files belonging to the Jones Day law firm, one of the largest law firms in the world. The firm famously and controversially worked on some of Donald Trump's immediate challenges to the 2020 election results.
https://www.vice.com/en/article/88a7jv/hacker-leaks-files-from-jones-day-law-firm-which-represented-trump-in-election-challenges
Are you compliant with reasonable controls?
● American Bar Association Formal Opinion 477R - In the context of electronic communications, lawyers
must establish policies and procedures, and periodically train employees, subordinates and others assisting
in the delivery of legal services, in the use of reasonably secure methods of electronic communications with
clients.
● Payment Card Industry Data Security Standards (PCI DSS) – Information security standard for
organizations that handle branded credit cards from the major card schemes.
● Health Insurance Portability and Accountability Act (HIPAA) (including Omnibus Rule) – ensures equal
access to specific health and human services and protects the privacy and security of health information
● The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the
European Parliament, the Council of the European Union, and the European Commission intend to
strengthen and unify data protection for all individuals within the European Union (EU).
● California Consumer Privacy Act (CCPA) – Privacy rights and consumer protection for residents of
California.
● DFARS 252.204-7019 requires primes and subcontractors to submit self-assessment of NIST 800-171
controls through the Supplier Performance Risk System (SPRS)
Table Top Exercise Example
What Can You Do to be Proactive?
● Partner with accredited providers and
Certified individuals
● Measure your business controls to a
commercially reasonable framework.
(Example NIST Cyber Security
Framework, Center for Internet Security
V8)
● Conduct quarterly tabletop exercises
and document outcome and corrective
actions like a fire drill.
● Establish basic organization policy, build
procedures and put in place controls.
● Budget for People, Process and
Technology
Policy - Procedures - Roles & Responsibilities
● Acceptable Use Policy - Everyone
● Anti-Malware Policy - IT
● Backup Policy - IT
● Change Management Policy - IT
● Data Retention Policy - Everyone
● Disposal Policy - Everyone
● Encryption Policy - Everyone
● Password Policy - Everyone
● Patch Management Policy - IT
● Personnel Security Policy - Everyone
● Privacy Policy - Clients/Staff
● Remote Access Policy - Everyone
● Security Policy - Everyone
● Website Privacy Policy - Everyone
● Workstation Security Policy - Everyone
You have been BREACHED now what?
PRESERVE — COORDINATE — RESPOND
Do not disconnect
Many targeted data breaches go on for months before detection. When a compromised system is hastily
disconnected, it is highly probable that the attacker will compromise additional systems to establish new forms of
persistence that may go undetected, or they may have already prepared backdoors for these situations.
Attacker behavior is likely to change, and a game of "whack-a-mole" may ensue once they know they have been
detected. This is why the natural reaction of wanting to swiftly disconnect all affected systems can be
counterproductive in the long term.
If a computer must be disconnected, ensure that a forensic image (including a memory image) of the system is
preserved prior to disconnecting from the network.
Continued…
PRESERVE — COORDINATE — RESPOND
Formulating a response to a data breach requires internal communication and coordination within your
organization. At a minimum, key players from IT, security, legal, management and public relations must be kept
informed of the status of the data breach.
Each player fulfills key functions that enable the investigation, the formulation of a response and the
communication with regulatory agencies as well as customers. In some cases, if there is reason to believe internal
network communications may be compromised, out-of-band communication and collaboration channels should
be established and utilized by the response team.
Regulation
All 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have established data breach
laws to protect consumers. These laws generally require organizations to notify individuals in the case of a data
breach involving certain personal identifying information. In addition, the following topics are also addressed in many
data breach notification laws:
● Notice to the Attorney General: Some states require a notice be sent to the state attorney general or a state
agency informing them of a breach.
● Time-Sensitive Notification: States have differing requirements on when and how notifications must be sent
out to individuals.
● Risk of Harm Analysis: Some states allow for exceptions to their notification requirements upon an assessment
of the risk of harm to the affected individuals.
● Encryption Safe Harbor: States have different laws affecting the definition of a breach and the notification
requirements based on whether the data was encrypted.
● Paper or Electronic: States also differ as to whether their laws affect only electronic materials, paper materials,
or both.
Continued..
When determining whether to pursue a data breach matter, attorneys general may consider several criteria:
● Violation of statute
● Severity and scope
● Remedies available
● Legal value of the case
● Resources
The severity and scope of a data breach is an important component attorneys general must consider when
pursuing a data breach case. Additional factors include:
● Data sensitivity
● Number and type of consumers affected
● Impact on consumers
● Is the harm ongoing?
● Can the compromised information be modified to the detriment of the consumer?
● How culpable is the entity for the breach?
● Liability for vendors or third-parties
Continued..
Following a successful action against a company in violation of data breach laws, attorneys general may pursue
different remedies:
● Injunctions: Companies may be required to take steps to protect consumer data, or update their systems and/or
corporate governance.
● Civil penalties: Most state consumer protection laws list penalties for each violation.
● Consumer restitution: This could include free credit monitoring or freezes.
● Attorneys' fees/costs.
What should I look for?
1) User reports of suspicious activity such as clicking on
a phishing link, lost/stolen media or device.
2) Web server log entries that indicate the use of a
vulnerability scanner.
3) Antivirus software alerts detecting that a host is
infected with malware.
4) A network administrator noticing unusual network
traffic flow.
5) An email administrator noticing a large number of
bounced email messages with suspicious content.
6) An application logging multiple failed login attempts from
an unfamiliar remote system.
7) A host's audit log recording a change in its configuration.
8) A threatened attack upon the firm from a hacktivist or
similar group.
9) An announcement of an exploit targeting known
vulnerabilities of the firm's mail server.
10) A network intrusion detection sensor alerting on a buffer
overflow attempt against a database server.
https://www.crest-approved.org
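Indicators 2 and 6 in the list above can be checked directly against logs. The Python below is an added example, not part of the original slides; the log lines, the application log format, the thresholds, the list of known source addresses and the scanner user-agent patterns are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data (documentation-range IPs); not real firm logs.
WEB_LOG = [
    '198.51.100.10 - - [02/Aug/2022:09:00:01 +0000] "GET /portal/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [02/Aug/2022:09:01:10 +0000] "GET /admin.php HTTP/1.1" 404 153 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
    '192.0.2.77 - - [02/Aug/2022:09:02:00 +0000] "GET /old/index.bak HTTP/1.1" 404 153 "-" "curl/7.81.0"',
    '192.0.2.77 - - [02/Aug/2022:09:02:01 +0000] "GET /test/ HTTP/1.1" 404 153 "-" "curl/7.81.0"',
    '192.0.2.77 - - [02/Aug/2022:09:02:02 +0000] "GET /manager/ HTTP/1.1" 404 153 "-" "curl/7.81.0"',
    '198.51.100.10 - - [02/Aug/2022:09:03:00 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]
AUTH_LOG = [  # hypothetical application log format
    "2022-08-02T09:10:00Z LOGIN_FAILED user=jdoe src=198.51.100.10",
    "2022-08-02T09:10:09Z LOGIN_OK user=jdoe src=198.51.100.10",
    "2022-08-02T09:14:03Z LOGIN_FAILED user=asmith src=203.0.113.45",
    "2022-08-02T09:14:04Z LOGIN_FAILED user=asmith src=203.0.113.45",
    "2022-08-02T09:14:05Z LOGIN_FAILED user=jdoe src=203.0.113.45",
    "2022-08-02T09:14:06Z LOGIN_FAILED user=admin src=203.0.113.45",
    "2022-08-02T09:20:00Z LOGIN_FAILED user=jdoe src=192.0.2.200",
]
KNOWN_SOURCES = {"198.51.100.10"}  # assumption: the firm's office egress address

# Apache/nginx "combined" access-log layout.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed, non-exhaustive list of strings that common scanners put in User-Agent.
SCANNER_UA = re.compile(r"nikto|sqlmap|nessus|openvas|nmap scripting engine", re.I)
AUTH = re.compile(r"(?P<event>LOGIN_FAILED|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)")


def scanner_sources(lines, not_found_threshold=3):
    """Indicator 2: return {ip: reason} for clients that look like a scanner."""
    reasons = {}
    missing = defaultdict(set)  # ip -> distinct paths that returned 404
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip = m["ip"]
        if SCANNER_UA.search(m["ua"]):
            reasons[ip] = "scanner user-agent"
        if m["status"] == "404":
            parts = m["req"].split()
            if len(parts) >= 2:
                missing[ip].add(parts[1])
    # A scanner with a spoofed User-Agent still probes many nonexistent paths.
    for ip, paths in missing.items():
        if ip not in reasons and len(paths) >= not_found_threshold:
            reasons[ip] = f"{len(paths)} distinct 404 paths"
    return reasons


def unfamiliar_failed_logins(lines, known_sources, threshold=3):
    """Indicator 6: return {src: count} of repeated failures from unknown sources."""
    failures = defaultdict(int)
    for line in lines:
        m = AUTH.search(line)
        if m and m["event"] == "LOGIN_FAILED" and m["src"] not in known_sources:
            failures[m["src"]] += 1
    return {src: n for src, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for ip, why in scanner_sources(WEB_LOG).items():
        print(f"possible scanner: {ip} ({why})")
    for src, n in unfamiliar_failed_logins(AUTH_LOG, KNOWN_SOURCES).items():
        print(f"failed logins from unfamiliar system: {src} ({n} attempts)")
```

The same source address appearing in both results is worth correlating, and any hit should be documented and escalated through the firm's incident response process rather than acted on in isolation.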
Attorneys and Cybersecurity – Know the Basics
Steven Teppler
THE LETTER NO LAWYER WANTS TO SEND
ABA Ethics Rules Relevant to Cybersecurity
Model Rule 1.1 - Competence
Model Rule 1.3 - Diligence
Model Rule 1.6 - Confidentiality
Model Rule 5.2 - Supervisory Responsibility (lawyers and
non-lawyer assistants)
Laws and Regulations to Which Attorneys are Subject
● 50 State (and D.C.) Breach Notification Laws
● State Privacy Law
● Cybersecurity Laws (e.g., NYCRR Part 500)
● HIPAA
● Regulatory Discipline
● Malpractice
● Civil Class Action
Risks I
•INTERNAL
•Employees, Associates, Contractors (domestic and…)
•Service Providers and MSPs
•EXTERNAL
•Former employees, associates, and contractors
•TECHNOLOGY
•Work from home
•Remote/virtualized work
Assessing and Addressing Risk
ASSESSING RISK – allows a lawyer/firm to provide a reality check on which risks are real and which are
unlikely. This process helps an organization focus on its resources as well as on the risks that are most likely
to occur.
ACTING ON THE RISK
•RISK ACCEPTANCE – Risk acceptance is the choice that you must make when the cost of
implementing any of the other responses exceeds the value of the harm (financial AND non-monetary)
that would occur if the risk came to fruition. To truly qualify as acceptance, it cannot be a risk where the
lawyer or law firm is unaware of its existence; it has to be an identified risk for which those involved
understand the potential cost or damage and agree to accept it.
•RISK MITIGATION – Implementing controls to mitigate risk. (Never total)
•RISK TRANSFERENCE – Insurance, Contract indemnification, etc. (Not perfect)
•RISK AVOIDANCE – Avoiding the activity that creates the risk (Not possible)
What Attorneys Need to Hear
● Information is your most valuable asset – protecting it is an essential business function
Even for law firms
● Information compromise – is far costlier than managing risk
● Do you have defensible security over your information?
● Failure to identify, assess and manage risks can result in many types of civil liability and
regulatory penalties
● Cyber insurance may not cover losses AND WON'T PUT YOU IN STATUS QUO ANTE
● Ransomware payments may invoke government scrutiny and enforcement
● Policy development and supervision (disaster and business recovery, backup,
cybersecurity, remote) must be done in lockstep with technology development
Additional Resources & Questions
Clio EasyStart
Track your time and get paid
Everything you need to track your time, bill your clients, and get paid—plus some extras!
Clio Essentials
Optimize firm operations
Includes critical law practice management tools that allow you to work smarter, customize
how your firm gets organized, and communicate with clients and co-counsel.
Clio Advance
Scale your impact
Introduces unlimited access to new productivity tools and more business and financial
oversight. Priority on-call support ensures you get the most out of Clio.
Clio Complete
Grow your business
Scale your business by adding Clio Grow to improve and automate your client intake with
online forms, online appointment bookings, automated email follow-ups, and more.
Lawyaw
New software for solo, small- and mid-sized legal practices that can help streamline
information gathering and document assembly, along with built-in e-sign and other features.
Visit clio.com/pricing to learn more.
Clio’s Offerings
Clio Payments
Clio Manage's new online payments platform makes it easy for
your clients to pay online using a credit card, debit card, or
eCheck—without the need for a third-party payment processor.
Clio Drive
Securely create, access, edit, store, and collaborate on
documents without ever leaving your desktop.
Clio for Clients
Clio for Clients, Clio's new secure client portal, allows you to
streamline communication with your clients.
Text Notifications and Reminders
Use text notifications and reminders to avoid the costly
no-shows and unnecessary administrative overhead that comes
with organizing client meetings.
Visit clio.com/features/whats-new to learn more.
What’s New In Clio
Polls for Non-Clio and Clio Customers
Poll 1: For Non-Clio Customers
Would you like to learn more about Clio?
a. Yes, I would like to learn more about Clio's products
b. Yes, I would like to learn about the Clio Cloud
Conference
c. No, I'm not interested
d. No, I'm already a Clio Customer
Poll 2: For Clio Customers
Would you like to learn more about:
a. Adding Clio Grow to streamline client intake
b. Adding Clio Payments
c. The Clio Cloud Conference
d. No, I'm not interested
or I already use Clio Grow/Clio Payments
Additional Resources
● Blog: 2022 Law Firm Data Security Guide: How to Keep Your Law Firm Secure
● CLE-eligible webinar: Leveraging Technology to Design Efficient Law Firm
Processes, September 7
● Meetup Series: The Legal Marketing Masterclass Series
● Clio Cloud Conference October 10-11, 2022: Get your pass
Questions
How to Grow a Law Firm: Shaking Things Up With the Consultancy ModelClio - Cloud-Based Legal Technology
 

More from Clio - Cloud-Based Legal Technology (19)

2023 Legal Trends for Solo Law Firms
2023 Legal Trends for Solo Law Firms2023 Legal Trends for Solo Law Firms
2023 Legal Trends for Solo Law Firms
 
Increase Your Profits While Reducing Burnout
Increase Your Profits While Reducing BurnoutIncrease Your Profits While Reducing Burnout
Increase Your Profits While Reducing Burnout
 
Insights from the 2022 Legal Trends Report - Slides.pdf
Insights from the 2022 Legal Trends Report - Slides.pdfInsights from the 2022 Legal Trends Report - Slides.pdf
Insights from the 2022 Legal Trends Report - Slides.pdf
 
Legal Tech Roundup: Tools and Services Your Firm Needs in 2023
Legal Tech Roundup: Tools and Services Your Firm Needs in 2023Legal Tech Roundup: Tools and Services Your Firm Needs in 2023
Legal Tech Roundup: Tools and Services Your Firm Needs in 2023
 
Slideshare - How to Grow a Law Firm - The Outsized Impact of Outsourcing
Slideshare - How to Grow a Law Firm - The Outsized Impact of OutsourcingSlideshare - How to Grow a Law Firm - The Outsized Impact of Outsourcing
Slideshare - How to Grow a Law Firm - The Outsized Impact of Outsourcing
 
2022 in Review: What's Working for Your Firm and What Isn't
2022 in Review: What's Working for Your Firm and What Isn't2022 in Review: What's Working for Your Firm and What Isn't
2022 in Review: What's Working for Your Firm and What Isn't
 
How to Grow a Law Firm_ From Startup to Success
How to Grow a Law Firm_ From Startup to SuccessHow to Grow a Law Firm_ From Startup to Success
How to Grow a Law Firm_ From Startup to Success
 
Cloud Software: The Key to Staff Success and Satisfaction
Cloud Software: The Key to Staff Success and SatisfactionCloud Software: The Key to Staff Success and Satisfaction
Cloud Software: The Key to Staff Success and Satisfaction
 
How to Generate New Business With Client Reviews
How to Generate New Business With Client ReviewsHow to Generate New Business With Client Reviews
How to Generate New Business With Client Reviews
 
Clio App Spotlight: How Clio and Klyant integrate to provide a compliant and ...
Clio App Spotlight: How Clio and Klyant integrate to provide a compliant and ...Clio App Spotlight: How Clio and Klyant integrate to provide a compliant and ...
Clio App Spotlight: How Clio and Klyant integrate to provide a compliant and ...
 
Key Insights from the 2022 Legal Trends Report
Key Insights from the 2022 Legal Trends ReportKey Insights from the 2022 Legal Trends Report
Key Insights from the 2022 Legal Trends Report
 
Streamline Your Court Interactions With Technology
Streamline Your Court Interactions With TechnologyStreamline Your Court Interactions With Technology
Streamline Your Court Interactions With Technology
 
Work Less and Make More by Standardizing Intake Processes With Clio Grow
Work Less and Make More by Standardizing Intake Processes With Clio GrowWork Less and Make More by Standardizing Intake Processes With Clio Grow
Work Less and Make More by Standardizing Intake Processes With Clio Grow
 
Personal Productivity Tips for Actual Results
Personal Productivity Tips for Actual ResultsPersonal Productivity Tips for Actual Results
Personal Productivity Tips for Actual Results
 
Utilizing Technology to Design Efficient Law Firm Processes
Utilizing Technology to Design Efficient Law Firm ProcessesUtilizing Technology to Design Efficient Law Firm Processes
Utilizing Technology to Design Efficient Law Firm Processes
 
How to Stand Out on TikTok, Facebook, and Instagram
How to Stand Out on TikTok, Facebook, and InstagramHow to Stand Out on TikTok, Facebook, and Instagram
How to Stand Out on TikTok, Facebook, and Instagram
 
How to Grow a Law Firm: Shaking Things Up With the Consultancy Model
How to Grow a Law Firm: Shaking Things Up With the Consultancy ModelHow to Grow a Law Firm: Shaking Things Up With the Consultancy Model
How to Grow a Law Firm: Shaking Things Up With the Consultancy Model
 
Growing Your Firm Through Support Groups and Staffing
Growing Your Firm Through Support Groups and StaffingGrowing Your Firm Through Support Groups and Staffing
Growing Your Firm Through Support Groups and Staffing
 
Building Out Your Law Firm Tool Box
Building Out Your Law Firm Tool BoxBuilding Out Your Law Firm Tool Box
Building Out Your Law Firm Tool Box
 

Recently uploaded

Exploring the Essential Elements Included in eSports Licensing Agreements
Exploring the Essential Elements Included in eSports Licensing AgreementsExploring the Essential Elements Included in eSports Licensing Agreements
Exploring the Essential Elements Included in eSports Licensing AgreementsFinlaw Consultancy Pvt Ltd
 
Digital Forensics and Evidence Gathering: A Lawyer's Approach to Phishing and...
Digital Forensics and Evidence Gathering: A Lawyer's Approach to Phishing and...Digital Forensics and Evidence Gathering: A Lawyer's Approach to Phishing and...
Digital Forensics and Evidence Gathering: A Lawyer's Approach to Phishing and...Finlaw Associates
 
1038220242024-03-11-527359.pdfKIpokpikfkkovk
1038220242024-03-11-527359.pdfKIpokpikfkkovk1038220242024-03-11-527359.pdfKIpokpikfkkovk
1038220242024-03-11-527359.pdfKIpokpikfkkovkbhavenpr
 
VIETNAM - LEGAL ALERT ON CIRCULAR PROVIDING REGULATIONS ON METHOD TO FORMULAT...
VIETNAM - LEGAL ALERT ON CIRCULAR PROVIDING REGULATIONS ON METHOD TO FORMULAT...VIETNAM - LEGAL ALERT ON CIRCULAR PROVIDING REGULATIONS ON METHOD TO FORMULAT...
VIETNAM - LEGAL ALERT ON CIRCULAR PROVIDING REGULATIONS ON METHOD TO FORMULAT...Dr. Oliver Massmann
 
16902_2015_Order_12-Apr-2019.pdfp;kp;kpodk
16902_2015_Order_12-Apr-2019.pdfp;kp;kpodk16902_2015_Order_12-Apr-2019.pdfp;kp;kpodk
16902_2015_Order_12-Apr-2019.pdfp;kp;kpodkbhavenpr
 
Planned Giving Presentation for Ottawa County Parks Foundation
Planned Giving Presentation for Ottawa County Parks FoundationPlanned Giving Presentation for Ottawa County Parks Foundation
Planned Giving Presentation for Ottawa County Parks FoundationP. Haans Mulder, JD, MST, CFP®
 
The Concept of Rule of law : origin, development & Indian Constitution.
The Concept of  Rule of law : origin, development & Indian Constitution.The Concept of  Rule of law : origin, development & Indian Constitution.
The Concept of Rule of law : origin, development & Indian Constitution.legalpuja22
 
Jeremey Tevebaugh Indicted for Check Forgery
Jeremey Tevebaugh Indicted for Check ForgeryJeremey Tevebaugh Indicted for Check Forgery
Jeremey Tevebaugh Indicted for Check ForgeryAbdul-Hakim Shabazz
 
Biography Presentation of Manoj sharma [IPS]
Biography Presentation of Manoj  sharma [IPS]Biography Presentation of Manoj  sharma [IPS]
Biography Presentation of Manoj sharma [IPS]theunheardstories45
 
Canada PR_ Top 10 Eligibility, Requirements, and Criteria.pdf
Canada PR_ Top 10 Eligibility, Requirements, and Criteria.pdfCanada PR_ Top 10 Eligibility, Requirements, and Criteria.pdf
Canada PR_ Top 10 Eligibility, Requirements, and Criteria.pdfvisa gurukul
 
Doctrine of Part Performance in Transfer of property.pptx
Doctrine of Part Performance in Transfer of property.pptxDoctrine of Part Performance in Transfer of property.pptx
Doctrine of Part Performance in Transfer of property.pptxjanayana1
 
UAE Labour Law - Brief Presentation PPT - 2017.pptx
UAE Labour Law - Brief Presentation PPT - 2017.pptxUAE Labour Law - Brief Presentation PPT - 2017.pptx
UAE Labour Law - Brief Presentation PPT - 2017.pptxhrlestars
 
GS Holistic Court Opinion in Trademark Dispute
GS Holistic Court Opinion in Trademark DisputeGS Holistic Court Opinion in Trademark Dispute
GS Holistic Court Opinion in Trademark DisputeMike Keyes
 
Commercialization of IPR – From Lawyerperspective Strategies and Challenges...
Commercialization of IPR – From Lawyerperspective   Strategies and Challenges...Commercialization of IPR – From Lawyerperspective   Strategies and Challenges...
Commercialization of IPR – From Lawyerperspective Strategies and Challenges...vijuchowbe
 
tort pptx by Abebayehu .pdf extra contractual
tort pptx by Abebayehu .pdf extra contractualtort pptx by Abebayehu .pdf extra contractual
tort pptx by Abebayehu .pdf extra contractualHananAmdemariam
 
Public Health and Intellectual Property Rights
Public Health and Intellectual Property RightsPublic Health and Intellectual Property Rights
Public Health and Intellectual Property RightsPratiksha Mishra
 
legal-Complaint-emery-unified-assault.pdf
legal-Complaint-emery-unified-assault.pdflegal-Complaint-emery-unified-assault.pdf
legal-Complaint-emery-unified-assault.pdfE'ville Eye
 

Recently uploaded (20)

Report Centre of Policy and Legal Reform 2022.pdf
Report Centre of Policy and Legal Reform 2022.pdfReport Centre of Policy and Legal Reform 2022.pdf
Report Centre of Policy and Legal Reform 2022.pdf
 
Aggressive Advocate for Assault Charges
Aggressive Advocate for Assault ChargesAggressive Advocate for Assault Charges
Aggressive Advocate for Assault Charges
 
Exploring the Essential Elements Included in eSports Licensing Agreements
Exploring the Essential Elements Included in eSports Licensing AgreementsExploring the Essential Elements Included in eSports Licensing Agreements
Exploring the Essential Elements Included in eSports Licensing Agreements
 
Digital Forensics and Evidence Gathering: A Lawyer's Approach to Phishing and...
Digital Forensics and Evidence Gathering: A Lawyer's Approach to Phishing and...Digital Forensics and Evidence Gathering: A Lawyer's Approach to Phishing and...
Digital Forensics and Evidence Gathering: A Lawyer's Approach to Phishing and...
 
1038220242024-03-11-527359.pdfKIpokpikfkkovk
1038220242024-03-11-527359.pdfKIpokpikfkkovk1038220242024-03-11-527359.pdfKIpokpikfkkovk
1038220242024-03-11-527359.pdfKIpokpikfkkovk
 
VIETNAM - LEGAL ALERT ON CIRCULAR PROVIDING REGULATIONS ON METHOD TO FORMULAT...
VIETNAM - LEGAL ALERT ON CIRCULAR PROVIDING REGULATIONS ON METHOD TO FORMULAT...VIETNAM - LEGAL ALERT ON CIRCULAR PROVIDING REGULATIONS ON METHOD TO FORMULAT...
VIETNAM - LEGAL ALERT ON CIRCULAR PROVIDING REGULATIONS ON METHOD TO FORMULAT...
 
16902_2015_Order_12-Apr-2019.pdfp;kp;kpodk
16902_2015_Order_12-Apr-2019.pdfp;kp;kpodk16902_2015_Order_12-Apr-2019.pdfp;kp;kpodk
16902_2015_Order_12-Apr-2019.pdfp;kp;kpodk
 
Planned Giving Presentation for Ottawa County Parks Foundation
Planned Giving Presentation for Ottawa County Parks FoundationPlanned Giving Presentation for Ottawa County Parks Foundation
Planned Giving Presentation for Ottawa County Parks Foundation
 
The Concept of Rule of law : origin, development & Indian Constitution.
The Concept of  Rule of law : origin, development & Indian Constitution.The Concept of  Rule of law : origin, development & Indian Constitution.
The Concept of Rule of law : origin, development & Indian Constitution.
 
Project Esther Qualifications for Kairos Capital
Project Esther Qualifications for Kairos CapitalProject Esther Qualifications for Kairos Capital
Project Esther Qualifications for Kairos Capital
 
Jeremey Tevebaugh Indicted for Check Forgery
Jeremey Tevebaugh Indicted for Check ForgeryJeremey Tevebaugh Indicted for Check Forgery
Jeremey Tevebaugh Indicted for Check Forgery
 
Biography Presentation of Manoj sharma [IPS]
Biography Presentation of Manoj  sharma [IPS]Biography Presentation of Manoj  sharma [IPS]
Biography Presentation of Manoj sharma [IPS]
 
Canada PR_ Top 10 Eligibility, Requirements, and Criteria.pdf
Canada PR_ Top 10 Eligibility, Requirements, and Criteria.pdfCanada PR_ Top 10 Eligibility, Requirements, and Criteria.pdf
Canada PR_ Top 10 Eligibility, Requirements, and Criteria.pdf
 
Doctrine of Part Performance in Transfer of property.pptx
Doctrine of Part Performance in Transfer of property.pptxDoctrine of Part Performance in Transfer of property.pptx
Doctrine of Part Performance in Transfer of property.pptx
 
UAE Labour Law - Brief Presentation PPT - 2017.pptx
UAE Labour Law - Brief Presentation PPT - 2017.pptxUAE Labour Law - Brief Presentation PPT - 2017.pptx
UAE Labour Law - Brief Presentation PPT - 2017.pptx
 
GS Holistic Court Opinion in Trademark Dispute
GS Holistic Court Opinion in Trademark DisputeGS Holistic Court Opinion in Trademark Dispute
GS Holistic Court Opinion in Trademark Dispute
 
Commercialization of IPR – From Lawyerperspective Strategies and Challenges...
Commercialization of IPR – From Lawyerperspective   Strategies and Challenges...Commercialization of IPR – From Lawyerperspective   Strategies and Challenges...
Commercialization of IPR – From Lawyerperspective Strategies and Challenges...
 
tort pptx by Abebayehu .pdf extra contractual
tort pptx by Abebayehu .pdf extra contractualtort pptx by Abebayehu .pdf extra contractual
tort pptx by Abebayehu .pdf extra contractual
 
Public Health and Intellectual Property Rights
Public Health and Intellectual Property RightsPublic Health and Intellectual Property Rights
Public Health and Intellectual Property Rights
 
legal-Complaint-emery-unified-assault.pdf
legal-Complaint-emery-unified-assault.pdflegal-Complaint-emery-unified-assault.pdf
legal-Complaint-emery-unified-assault.pdf
 

Law Firm Security: How to Protect Your Client Data and Stay Compliant

  • 1. Law Firm Security: How to Protect Your Client Data and Stay Compliant Host: Joshua Lenon
  • 2. Housekeeping ● Session length: 60 minutes ● Recording & slides emailed tomorrow (*CLE is only available for the live webinar/ the recording is NOT eligible for CLE) ● Use to engage with fellow webinar attendees and select “Everyone” in the dropdown ● Use to ask questions directly to panellists ● Please fill out the survey at the end of the session
  • 3. CLE / CPD Information To qualify for credit, you must: 1. Be logged in on your own device under the email/name you registered with (cannot share logins). 2. Attend the entire live webinar. 3. Participate in the polls during the live session. *If you have met the participation requirements, you will receive a personalized CLE/CPD affidavit from mcle-clio@americanbar.org for the webinar you attended to completion. Please check your spam or junk folders as these emails often end up there. Please note you have to fill out an affidavit for each individual webinar. Once you complete the affidavit, you will be able to download your certificate(s) of attendance and they will be emailed to you as well from mcle-clio@americanbar.org.
  • 4. Law Firm Security: How to Protect Your Client Data and Stay Compliant Host: Joshua Lenon
  • 5. Lawyer in Residence 5 Joshua Lenon TODAY’S SPEAKER ● Attorney admitted into New York ● Certified Privacy Professional ● @JoshuaLenon
  • 6. ● Executive Director for CREST International (Incident Response / Penetration Testing / Security Operations) ● CIO for Mandlebaum Barrett PC ● A Certified CLIO Solutions Consultant ● United States Marine Veteran ● @brennantom 6 Tom Brennan TODAY’S PANELIST Email: tom.brennan@crest-approved.org Phone: 1+ (973) 298-1160
  • 7. ● Cybersecurity ● Privacy ● Chief Cyber/Legal Officer 7 Steven Teppler TODAY’S PANELIST Email: steppler@sterlington.net Phone: 1+ (202) 253-5670
  • 8. 8 Agenda ● Introductions ● Why cybersecurity matters to law firms ● 100% Security ● Attorneys and Cybersecurity ● CLE / CPD Info ● Q&A
  • 9. 9 Is your law firm prepared for a security breach? a. No b. Somewhat c. Yes d. I don’t know
  • 11. Lawyers’ Reasons for Cybersecurity Ethics duties Legal obligations Operational Continuance Fiscal Prudence
  • 12. Model Rules of Professional Conduct ● Rule 1.1 – Competency ○ [8] “lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…” ● Rule 1.6 – Confidentiality ○ “lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation…”
  • 13. Ethics Opinions ABA Formal Opinion 477R - Securing Communication of Protected Client Information ABA Formal Opinion 482 - Ethical Obligations Related to Disasters ABA Formal Opinion 483 - Lawyers Obligations After an Electronic Data Breach or Cyberattack
  • 14. ABA Formal Opinion 477 Understand the Nature of the Threat. Understand How Client Confidential Information is Transmitted and Where It Is Stored. Understand and Use Reasonable Electronic Security Measures. Determine How Electronic Communications About Clients Matters Should Be Protected. Label Client Confidential Information. Train Lawyers and Nonlawyer Assistants in Technology and Information Security. Conduct Due Diligence on Vendors Providing Communication Technology.
  • 16. Avoid Using Public Internet/Free Wi-Fi Use Virtual Private Networks (VPNs) to Enhance Security Use Two-Factor or Multi-Factor Authentication Use Strong Passwords to Protect Your Data and Devices Assure that Video Conferences are Secure Backup Any Data Stored Remotely Security is Essential for Remote Locations and Devices Users Should Verify That Websites Have Enhanced Security Lawyers Should Be Cognizant of Their Obligation to Act with Civility
  • 20. 20 Managing cost is the biggest issue in cloud usage When asked about the most important initiatives in their organizations pertaining to public cloud adoption, 30% of all respondents said “managing cost.” Further concerns were: ● modernizing applications (19%) ● performance optimization (13%) ● cloud migration itself (11%).
  • 22. Cloud usage by category
  • 23. Top Security Risks for Law Firms Employees Failure to plan Failure to invest Outside Actors
  • 24. Cloud threats by category
  • 35. Law Firms are Targets Hackers are intentionally targeting law firms, and are likely to continue doing so for the foreseeable future. Headlines have exposed recent breaches at some large and prominent firms, like Goodwin Procter, Seyfarth Shaw, Cadwalader, and Peabody & Arnold. But it would be a mistake to believe that hackers targeted only those types of firms. The lists maintained on the websites of the Attorneys General for New Hampshire and Massachusetts reveal that hacks of small and medium-sized firms are far more common and damaging. ● Campbell Conroy & O'Neil serves a large array of Fortune 500 companies, including Ford, Boeing, Exxon Mobil, Quest Diagnostics, Liberty Mutual, Johnson & Johnson, Walgreens, Monsanto, FedEx and Coca-Cola, among others. The hack was first detected on Feb. 27, sparking an investigation, the firm said in its disclosure. https://www.cnn.com/2021/07/19/tech/ransomware-law-firm/index.html ● The U.S. Attorney’s Office for the District of New Jersey has charged a California man with money laundering after a New Jersey law firm’s email account was hacked and $560,000 was fraudulently obtained from a client of the firm. https://www.law.com/njlawjournal/2021/03/18/law-firm-hacked-560000-stolen-from-client/ ● McCarter & English Suffers Data Security Incident. An internal email confirmed that attorneys at the New Jersey firm lost access to email and remote work systems. Meanwhile, Pennsylvania’s Stevens & Lee is grappling with the consequences of a 2021 breach. https://www.law.com/americanlawyer/2022/04/19/mccarter-english-suffers-data-security-incident/ ● Hackers have stolen and leaked files belonging to the Jones Day law firm, one of the largest law firms in the world. The firm famously and controversially worked on some of Donald Trump’s immediate challenges to the 2020 election results. https://www.vice.com/en/article/88a7jv/hacker-leaks-files-from-jones-day-law-firm-which-represented-trump-in-election-challenges
  • 36. Are you compliant with reasonable controls? ● American Bar Association Formal Opinion 477R - In the context of electronic communications, lawyers must establish policies and procedures, and periodically train employees, subordinates and others assisting in the delivery of legal services, in the use of reasonably secure methods of electronic communications with clients. ● Payment Card Industry Data Security Standards (PCI DSS) – Information security standard for organizations that handle branded credit cards from the major card schemes. ● Health Insurance Portability and Accountability Act (HIPAA) (including Omnibus Rule) – ensures equal access to specific health and human services and protects the privacy and security of health information ● The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). ● California Consumer Privacy Act (CCPA) – Privacy rights and consumer protection for residents of California. ● DFARS 252.204-7019 requires primes and subcontractors to submit self-assessment of NIST 800-171 controls through the Supplier Performance Risk System (SPRS)
  • 38. What Can You Do to be Proactive? ● Partner with accredited providers and Certified individuals ● Measure your business controls to a commercially reasonable framework. (Example NIST Cyber Security Framework, Center for Internet Security V8) ● Conduct quarterly tabletop exercises and document outcome and corrective actions like a fire drill. ● Establish basic organization policy, build procedures and put in place controls. ● Budget for People, Process and Technology
  • 39. Policy - Procedures - Roles & Responsibilities ● Acceptable Use Policy - Everyone ● Anti-Malware Policy - IT ● Backup Policy - IT ● Change Management Policy - IT ● Data Retention Policy - Everyone ● Disposal Policy - Everyone ● Encryption Policy - Everyone ● Password Policy - Everyone ● Patch Management Policy - IT ● Personnel Security Policy - Everyone ● Privacy Policy - Clients/Staff ● Remote Access Policy - Everyone ● Security Policy - Everyone ● Website Privacy Policy - Everyone ● Workstation Security Policy - Everyone
  • 41. You have been BREACHED now what? PRESERVE — COORDINATE — RESPOND Do not disconnect Many targeted data breaches go on for months before detection. When a compromised system is hastily disconnected, it is highly probable that the attacker will compromise additional systems to establish new forms of persistence that may go undetected, or they may have already prepared backdoors for these situations. Attacker behavior is likely to change, and a game of "whack-a-mole" may ensue once they know they have been detected. This is why the natural reaction of wanting to swiftly disconnect all affected systems can be counterproductive in the long term. If a computer must be disconnected, ensure that a forensic image (including a memory image) of the system is preserved prior to disconnecting from the network.
  • 42. Continued… PRESERVE — COORDINATE — RESPOND Formulating a response to a data breach requires internal communication and coordination within your organization. At a minimum, key players from IT, security, legal, management and public relations must be kept informed of the status of the data breach. Each player fulfills key functions that enable the investigation, the formulation of a response and the communication with regulatory agencies as well as customers. In some cases, if there is reason to believe internal network communications may be compromised, out-of-band communication and collaboration channels should be established and utilized by the response team
  • 43. Regulation All 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have established data breach laws to protect consumers. These laws generally require organizations to notify individuals in the case of a data breach involving certain personal identifying information. In addition, the following topics are also addressed in many data breach notification laws: ● Notice to the Attorney General: Some states require a notice be sent to the state attorney general or a state agency informing them of a breach. ● Time-Sensitive Notification: States have differing requirements on when and how notifications must be sent out to individuals. ● Risk of Harm Analysis: Some states allow for exceptions to their notification requirements upon an assessment of the risk of harm to the affected individuals. ● Encryption Safe Harbor: States have different laws affecting the definition of a breach and the notification requirements based on whether the data was encrypted. ● Paper or Electronic: States also differ as to whether their laws affect only electronic materials, paper materials, or both.
  • 44. Continued.. When determining whether to pursue a data breach matter, attorneys general may consider several criteria: ● Violation of statute ● Severity and scope ● Remedies available ● Legal value of the case ● Resources The severity and scope of a data breach is an important component attorneys general must consider when pursuing a data breach case. Additional factors include: ● Data sensitivity ● Number and type of consumers affected ● Impact on consumers ● Is the harm ongoing? ● Can the compromised information be modified to the detriment of the consumer? ● How culpable is the entity for the breach? ● Liability for vendors or third-parties
  • 45. Continued.. Following a successful action against a company in violation of data breach laws, attorneys general may pursue different remedies: ● Injunctions: Companies may be required to take steps to protect consumer data, or update their systems and/or corporate governance. ● Civil penalties: Most state consumer protection laws list penalties for each violation. ● Consumer restitution: This could include free credit monitoring or freezes. ● Attorneys fees/costs.
  • 46. What should I look for? 1) User reports of suspicious activity such as clicking on a phishing link, lost/stolen media or device. 2) Web server log entries that indicate the use of a vulnerability scanner. 3) Antivirus software alerts detecting that a host is infected with malware. 4) A network administrator noticing unusual network traffic flow. 5) An email administrator noticing a large number of bounced email messages with suspicious content. 6) An application logging multiple failed login attempts from an unfamiliar remote system. 7) A hostʼs audit log recording a change in its configuration. 8) A threatened attack upon the firm from a hacktivist or similar group. 9) An announcement of an exploit targeting known vulnerabilities of the firmʼs mail server. 10) A network intrusion detecting sensor alerting of a buffer overflow attempt on a database server https://www.crest-approved.org
  • 48. Attorneys and Cybersecurity – Know the Basics Steven Teppler
  • 49. THE LETTER NO LAWYER WANTS TO SEND
  • 50. ABA Ethics Rules Relevant to Cybersecurity Model Rule 1.1 - Competence Model Rule 1.3 - Diligence Model Rule 1.6 - Confidentiality Model Rule 5.2 - Supervisory Responsibility (lawyers and non-lawyer assistants)
  • 51. Laws and Regulations to Which Attorneys are Subject ● 50 State (and D.C.) Breach Notification Laws ● State Privacy Law ● Cybersecurity Laws (e.g., NYCRR Part 500) ● HIPAA ● Regulatory Discipline ● Malpractice ● Civil Class Action
  • 52. Risks I •INTERNAL •Employees, Associates, Contractors (domestic and…) •Service Providers and MSPs •EXTERNAL •Former employees, associates, and contractors •TECHNOLOGY •Work from home •Remote/virtualized work
  • 53. Assessing and Addressing Risk ASSESSING RISK – allows a lawyer/firm to provide a reality check on which risks are real and which are unlikely. This process helps an organization focus on its resources as well as on the risks that are most likely to occur. ACTING ON THE RISK •RISK ACCEPTANCE – Risk acceptance is the choice that you must make when the cost of implementing any of the other responses exceeds the value of the harm (financial AND non-monetary) that would occur if the risk came to fruition. To truly qualify as acceptance, it cannot be a risk where the lawyer or law firm is unaware of its existence; it has to be an identified risk for which those involved understand the potential cost or damage and agree to accept it. •RISK MITIGATION – Implementing controls to mitigate risk. (Never total) •RISK TRANSFERENCE – Insurance, Contract indemnification, etc. (Not perfect) •RISK AVOIDANCE – Avoiding the activity that creates the risk (Not possible)
  • 54. What Attorneys Need to Hear ● Information is your most valuable asset – protecting it is an essential business function, even for law firms ● Information compromise – is far costlier than managing risk ● Do you have defensible security over your information? ● Failure to identify, assess and manage risks can result in many types of civil liability and regulatory penalties ● Cyber insurance may not cover losses AND WON’T PUT YOU IN STATUS QUO ANTE ● Ransomware payments may invoke government scrutiny and enforcement ● Policy development and supervision (disaster and business recovery, backup, cybersecurity, remote) must be done in lockstep with technology development
  • 56. Clio EasyStart Track your time and get paid Everything you need to track your time, bill your clients, and get paid—plus some extras! Clio Essentials Optimize firm operations Includes critical law practice management tools that allow you to work smarter, customize how your firm gets organized, and communicate with clients and co-counsel. Clio Advance Scale your impact Introduces unlimited access to new productivity tools and more business and financial oversight. Priority on-call support ensures you get the most out of Clio. Clio Complete Grow your business Scale your business by adding Clio Grow to improve and automate your client intake with online forms, online appointment bookings, automated emails follow-ups, and more. Lawyaw New software for solo, small- and mid-sized legal practices that can help streamline information gathering and document assembly, along with built-in e-sign and other features. Visit clio.com/pricing to learn more. Clio’s Offerings
  • 57. What's New In Clio
      ● Clio Payments: Clio Manage's new online payments platform makes it easy for your clients to pay online using a credit card, debit card, or eCheck, without the need for a third-party payment processor.
      ● Clio Drive: Securely create, access, edit, store, and collaborate on documents without ever leaving your desktop.
      ● Clio for Clients: Clio's new secure client portal allows you to streamline communication with your clients.
      ● Text Notifications and Reminders: Use text notifications and reminders to avoid the costly no-shows and unnecessary administrative overhead that comes with organizing client meetings.
      Visit clio.com/features/whats-new to learn more.
  • 58. Polls for Non-Clio and Clio Customers
      Poll 1: For Non-Clio Customers. Would you like to learn more about Clio?
      a. Yes, I would like to learn more about Clio's products
      b. Yes, I would like to learn about the Clio Cloud Conference
      c. No, I'm not interested
      d. No, I'm already a Clio Customer
      Poll 2: For Clio Customers. Would you like to learn more about:
      a. Adding Clio Grow to streamline client intake
      b. Adding Clio Payments
      c. The Clio Cloud Conference
      d. No, I'm not interested or I already use Clio Grow/Clio Payments
  • 59. Additional Resources
      ● Blog: 2022 Law Firm Data Security Guide: How to Keep Your Law Firm Secure
      ● CLE-eligible webinar: Leveraging Technology to Design Efficient Law Firm Processes, September 7
      ● Meetup Series: The Legal Marketing Masterclass Series
      ● Clio Cloud Conference October 10-11, 2022: Get your pass