Law Firm Security: How to Protect Your Client Data and Stay Compliant
1. Law Firm Security: How to Protect Your Client Data and Stay Compliant
Host: Joshua Lenon
2. Housekeeping
● Session length: 60 minutes
● Recording & slides emailed tomorrow (CLE credit is only available for the live
webinar; the recording is NOT eligible for CLE)
● Use to engage with fellow webinar attendees
and select “Everyone” in the dropdown
● Use to ask questions directly to panellists
● Please fill out the survey at the end of the session
3. CLE / CPD Information
To qualify for credit, you must:
1. Be logged in on your own device under the email/name you registered with
(cannot share logins).
2. Attend the entire live webinar.
3. Participate in the polls during the live session.
*If you have met the participation requirements, you will receive a personalized
CLE/CPD affidavit from mcle-clio@americanbar.org for the webinar you attended
to completion. Please check your spam or junk folders as these emails often end up
there. Please note you have to fill out an affidavit for each individual webinar. Once
you complete the affidavit, you will be able to download your certificate(s) of
attendance and they will be emailed to you as well from
mcle-clio@americanbar.org.
5. Today's Speaker: Joshua Lenon, Lawyer in Residence
● Attorney admitted into New York
● Certified Privacy Professional
● @JoshuaLenon
6. Today's Panelist: Tom Brennan
● Executive Director for CREST International
(Incident Response / Penetration Testing /
Security Operations)
● CIO for Mandelbaum Barrett PC
● A Certified Clio Solutions Consultant
● United States Marine Veteran
● @brennantom
Email: tom.brennan@crest-approved.org
Phone: +1 (973) 298-1160
12. Model Rules of Professional Conduct
● Rule 1.1 – Competency
○ [8] “lawyer should keep abreast of changes in the law and its
practice, including the benefits and risks associated with
relevant technology…”
● Rule 1.6 – Confidentiality
○ “lawyer shall not reveal information relating to the
representation of a client unless the client gives informed
consent, the disclosure is impliedly authorized in order to
carry out the representation…”
13. Ethics Opinions
ABA Formal Opinion 477R - Securing Communication of
Protected Client Information
ABA Formal Opinion 482 - Ethical Obligations Related to
Disasters
ABA Formal Opinion 483 - Lawyers Obligations After an
Electronic Data Breach or Cyberattack
14. ABA Formal Opinion 477
Understand the Nature of the Threat.
Understand How Client Confidential Information is Transmitted and Where It Is Stored.
Understand and Use Reasonable Electronic Security Measures.
Determine How Electronic Communications About Clients Matters Should Be Protected.
Label Client Confidential Information.
Train Lawyers and Nonlawyer Assistants in Technology and Information Security.
Conduct Due Diligence on Vendors Providing Communication Technology.
16. Working Remotely
● Avoid using public internet / free Wi-Fi
● Use virtual private networks (VPNs) to enhance security
● Use two-factor or multi-factor authentication
● Use strong passwords to protect your data and devices
● Assure that video conferences are secure
● Back up any data stored remotely
● Security is essential for remote locations and devices
● Users should verify that websites use an encrypted connection (HTTPS)
● Lawyers should be cognizant of their obligation to act with civility
20. Managing cost is the biggest issue in cloud usage
When asked about the most important initiatives
in their organizations pertaining to public cloud
adoption, 30% of all respondents said “managing
cost.” Further concerns were:
● modernizing applications (19%)
● performance optimization (13%)
● cloud migration itself (11%).
35. Law Firms are Targets
Hackers are intentionally targeting law firms and are likely to continue doing so for the foreseeable future. Headlines have exposed recent
breaches at some large and prominent firms, such as Goodwin Procter, Seyfarth Shaw, Cadwalader, and Peabody & Arnold. But it would be a
mistake to believe that hackers target only those types of firms. The breach lists maintained on the websites of the Attorneys General for New
Hampshire and Massachusetts reveal that hacks of small and medium-sized firms are far more common and damaging.
● Campbell Conroy & O'Neil serves a large array of Fortune 500 companies, including Ford, Boeing, Exxon Mobil,
Quest Diagnostics, Liberty Mutual, Johnson & Johnson, Walgreens, Monsanto, FedEx and Coca-Cola, among others.
The hack was first detected on Feb. 27, sparking an investigation, the firm said in its disclosure
https://www.cnn.com/2021/07/19/tech/ransomware-law-firm/index.html
● The U.S. Attorney's Office for the District of New Jersey has charged a California man with money laundering after
a New Jersey law firm's email account was hacked and $560,000 was fraudulently obtained from a client of the firm.
https://www.law.com/njlawjournal/2021/03/18/law-firm-hacked-560000-stolen-from-client/
● McCarter & English Suffers Data Security Incident. An internal email confirmed that attorneys at the New Jersey firm
lost access to email and remote work systems. Meanwhile, Pennsylvania's Stevens & Lee is grappling with the
consequences of a 2021 breach.
https://www.law.com/americanlawyer/2022/04/19/mccarter-english-suffers-data-security-incident/
● Hackers have stolen and leaked files belonging to the Jones Day law firm, one of the largest law firms in the world.
The firm famously and controversially worked on some of Donald Trump's immediate challenges to the 2020 election
results.
https://www.vice.com/en/article/88a7jv/hacker-leaks-files-from-jones-day-law-firm-which-represented-trump-in-election-challenges
36. Are you compliant with reasonable controls?
● American Bar Association Formal Opinion 477R - In the context of electronic communications, lawyers
must establish policies and procedures, and periodically train employees, subordinates and others assisting
in the delivery of legal services, in the use of reasonably secure methods of electronic communications with
clients.
● Payment Card Industry Data Security Standard (PCI DSS) – Information security standard for
organizations that handle branded payment cards from the major card schemes.
● Health Insurance Portability and Accountability Act (HIPAA) (including Omnibus Rule) – ensures equal
access to specific health and human services and protects the privacy and security of health information
● The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the
European Parliament, the Council of the European Union, and the European Commission intend to
strengthen and unify data protection for all individuals within the European Union (EU).
● California Consumer Privacy Act (CCPA) – Privacy rights and consumer protection for residents of
California.
● DFARS 252.204-7019 requires primes and subcontractors to submit self-assessment of NIST 800-171
controls through the Supplier Performance Risk System (SPRS)
38. What Can You Do to be Proactive?
● Partner with accredited providers and
Certified individuals
● Measure your business controls against a
commercially reasonable framework
(for example the NIST Cybersecurity
Framework or the CIS Critical Security
Controls v8).
● Conduct quarterly tabletop exercises
and document outcome and corrective
actions like a fire drill.
● Establish basic organization policy, build
procedures and put in place controls.
● Budget for People, Process and
Technology
41. You have been BREACHED now what?
PRESERVE — COORDINATE — RESPOND
Do not disconnect hastily
Many targeted data breaches go on for months before detection. When a compromised system is hastily
disconnected, the attacker is likely to move to additional systems and establish new forms of persistence that
go undetected, or they may already have prepared backdoors for exactly this situation.
Attacker behavior is likely to change, and a game of "whack-a-mole" may ensue once they know they have been
detected. This is why the natural reaction of wanting to swiftly disconnect all affected systems can be
counterproductive in the long term.
If a computer must be disconnected, ensure that a forensic image (including a memory image) of the system is
preserved before it is cut off from the network. Prefer isolating the host at the switch port or firewall over
powering it off: powering off destroys the memory-resident evidence (running processes, network connections,
decryption keys) that the memory image is meant to capture, and the image's hash should be recorded at the
moment of acquisition so it can later be shown to be unaltered.
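The "preserve, then isolate" order described above, as an added example that is not part of the webinar's material. It assumes the memory and disk images have already been acquired with a suitable imaging tool (the bytes below are constructed stand-ins, not real images) and shows the part lawyers will later have to defend: hashing each artifact at acquisition, keeping a chain-of-custody record, and only calling the isolation step after the evidence is recorded. The names `EvidenceManifest`, `preserve_then_isolate` and the hypothetical host `ws-07` are this example's own.

```python
"""Chain-of-custody manifest for evidence captured before a host is isolated.

Added example, not code from the webinar. The images are constructed bytes;
a real capture would come from a memory dumper / disk imager.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-ins for a memory image and a disk image of host "ws-07".
MEMORY_IMAGE = b"\x00" * 64 + b"lsass.exe ... 203.0.113.9:443 ESTABLISHED ..." + b"\xff" * 64
DISK_IMAGE = b"NTFS    " + b"\x00" * 120 + b"C:\\Users\\jsmith\\Downloads\\invoice.pdf.exe"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an artifact; this is the value written into the manifest."""
    return hashlib.sha256(data).hexdigest()


def _now_iso(when=None) -> str:
    return (when or datetime.now(timezone.utc)).isoformat()


class EvidenceManifest:
    """Records what was captured, from where, by whom, when, and its hash."""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.items = {}    # artifact name -> metadata
        self.custody = []  # ordered chain-of-custody events

    def add(self, name, data, host, collector, kind, when=None):
        """Register an artifact at acquisition time and return its hash."""
        if name in self.items:
            raise ValueError(f"duplicate evidence name: {name}")
        digest = sha256_hex(data)
        self.items[name] = {
            "host": host, "kind": kind, "collector": collector,
            "size": len(data), "sha256": digest, "acquired_utc": _now_iso(when),
        }
        self.custody.append({"item": name, "action": "acquired", "by": collector,
                             "at": self.items[name]["acquired_utc"]})
        return digest

    def transfer(self, name, from_person, to_person, when=None):
        """Record a hand-off (e.g. to outside counsel's forensic firm)."""
        if name not in self.items:
            raise KeyError(name)
        self.custody.append({"item": name, "action": "transferred", "from": from_person,
                             "to": to_person, "at": _now_iso(when)})

    def verify(self, name, data) -> bool:
        """True if the bytes still match the hash recorded at acquisition."""
        return self.items[name]["sha256"] == sha256_hex(data)

    def to_json(self) -> str:
        return json.dumps({"incident": self.incident_id, "items": self.items,
                           "custody": self.custody}, indent=2, sort_keys=True)


def preserve_then_isolate(manifest, host, memory_image, disk_image, collector, isolate):
    """Enforce the order from the slide: memory first, then disk, then cut the host off.

    `isolate` is the caller's containment action (switch-port shutdown, firewall
    block). It is deliberately called last, after both hashes are on record.
    """
    mem_hash = manifest.add(f"{host}-memory.raw", memory_image, host, collector, "memory image")
    disk_hash = manifest.add(f"{host}-disk.dd", disk_image, host, collector, "disk image")
    isolate(host)  # network isolation, not power-off: power-off would have destroyed the memory
    manifest.custody.append({"item": "*", "action": "host isolated", "host": host, "at": _now_iso()})
    return mem_hash, disk_hash


if __name__ == "__main__":
    m = EvidenceManifest("IR-2022-001")
    preserve_then_isolate(m, "ws-07", MEMORY_IMAGE, DISK_IMAGE, "examiner1",
                          lambda h: print(f"[containment] isolating {h} at the switch port"))
    m.transfer("ws-07-memory.raw", "examiner1", "outside-forensics")
    print(m.to_json())
    print("memory image intact:", m.verify("ws-07-memory.raw", MEMORY_IMAGE))
```

The manifest JSON is what goes into the incident file: if anyone later questions whether the image was altered, re-hashing the artifact and comparing it against the recorded value answers it, and the custody list shows who held it at each step.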
42. Continued…
PRESERVE — COORDINATE — RESPOND
Formulating a response to a data breach requires internal communication and coordination within your
organization. At a minimum, key players from IT, security, legal, management and public relations must be kept
informed of the status of the data breach.
Each player fulfills key functions that enable the investigation, the formulation of a response and the
communication with regulatory agencies as well as clients. If there is reason to believe internal
network communications (email, chat) may be compromised, out-of-band communication and collaboration
channels should be established and used by the response team.
43. Regulation
All 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have established data breach
laws to protect consumers. These laws generally require organizations to notify individuals in the case of a data
breach involving certain personal identifying information. In addition, the following topics are also addressed in many
data breach notification laws:
● Notice to the Attorney General: Some states require a notice be sent to the state attorney general or a state
agency informing them of a breach.
● Time-Sensitive Notification: States have differing requirements on when and how notifications must be sent
out to individuals.
● Risk of Harm Analysis: Some states allow for exceptions to their notification requirements upon an assessment
of the risk of harm to the affected individuals.
● Encryption Safe Harbor: States have different laws affecting the definition of a breach and the notification
requirements based on whether the data was encrypted.
● Paper or Electronic: States also differ as to whether their laws affect only electronic materials, paper materials,
or both.
44. Continued…
When determining whether to pursue a data breach matter, attorneys general may consider several criteria:
● Violation of statute
● Severity and scope
● Remedies available
● Legal value of the case
● Resources
The severity and scope of a data breach is an important component attorneys general must consider when
pursuing a data breach case. Additional factors include:
● Data sensitivity
● Number and type of consumers affected
● Impact on consumers
● Is the harm ongoing?
● Can the compromised information be modified to the detriment of the consumer?
● How culpable is the entity for the breach?
● Liability for vendors or third-parties
45. Continued…
Following a successful action against a company in violation of data breach laws, attorneys general may pursue
different remedies:
● Injunctions: Companies may be required to take steps to protect consumer data, or update their systems and/or
corporate governance.
● Civil penalties: Most state consumer protection laws list penalties for each violation.
● Consumer restitution: This could include free credit monitoring or freezes.
● Attorneys fees/costs.
46. What should I look for?
1) User reports of suspicious activity such as clicking on
a phishing link, lost/stolen media or device.
2) Web server log entries that indicate the use of a
vulnerability scanner.
3) Antivirus software alerts detecting that a host is
infected with malware.
4) A network administrator noticing unusual network
traffic flow.
5) An email administrator noticing a large number of
bounced email messages with suspicious content.
6) An application logging multiple failed login attempts from
an unfamiliar remote system.
7) A host's audit log recording a change in its configuration.
8) A threatened attack upon the firm from a hacktivist or
similar group.
9) An announcement of an exploit targeting known
vulnerabilities in the firm's mail server.
10) A network intrusion detection sensor alerting on a buffer
overflow attempt against a database server.
https://www.crest-approved.org
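Item 6 above ("multiple failed login attempts from an unfamiliar remote system") is the easiest of these indicators to turn into a concrete check. The following is an added example, not code from the webinar or from CREST: it parses OpenSSH-style authentication log lines (the sample lines are constructed, not real firm logs), counts failures per source address inside a sliding time window, treats addresses on a small allowlist as "familiar" (the VPN concentrator address is an assumption of the example), and escalates when a burst of failures is followed by a successful login from the same address, since that is the pattern of a password guess that worked.

```python
"""Failed-login burst detection over sshd auth.log lines (added example).

Constructed sample data; the allowlist and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH auth.log format (not real data).
SAMPLE_LOG = """\
Mar 18 09:12:01 fileserver sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar 18 09:12:03 fileserver sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar 18 09:12:04 fileserver sshd[2214]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar 18 09:12:06 fileserver sshd[2216]: Failed password for jsmith from 203.0.113.9 port 51025 ssh2
Mar 18 09:12:08 fileserver sshd[2218]: Failed password for jsmith from 203.0.113.9 port 51026 ssh2
Mar 18 09:12:10 fileserver sshd[2219]: Accepted password for jsmith from 203.0.113.9 port 51027 ssh2
Mar 18 09:30:00 fileserver sshd[2301]: Failed password for jsmith from 192.0.2.40 port 40111 ssh2
Mar 18 09:30:05 fileserver sshd[2302]: Failed password for jsmith from 192.0.2.40 port 40112 ssh2
Mar 18 09:30:09 fileserver sshd[2303]: Failed password for jsmith from 192.0.2.40 port 40113 ssh2
Mar 18 09:30:14 fileserver sshd[2304]: Failed password for jsmith from 192.0.2.40 port 40114 ssh2
Mar 18 09:30:20 fileserver sshd[2305]: Failed password for jsmith from 192.0.2.40 port 40115 ssh2
Mar 18 11:00:00 fileserver sshd[2400]: Failed password for jsmith from 198.51.100.7 port 33000 ssh2
Mar 18 14:00:00 fileserver sshd[2401]: Failed password for jsmith from 198.51.100.7 port 33001 ssh2
"""

# Assumed "familiar" remote systems, e.g. the firm's VPN concentrator.
KNOWN_REMOTE = {"192.0.2.40"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(lines: str, year: int = 2022):
    """Yield (timestamp, ip, user, failed) tuples; syslog lines carry no year, so one is supplied."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that are not password auth events are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["outcome"] == "Failed"))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5), known=KNOWN_REMOTE):
    """One alert per source IP that reaches `threshold` failures inside `window`.

    Severity: critical if a success follows the burst, high if the source is
    unfamiliar, medium if it is on the allowlist (a known box still warrants a look).
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        recent = deque()   # failure timestamps currently inside the window
        alert = None
        users = set()
        for ts, _ip, user, failed in evs:
            while recent and ts - recent[0] > window:
                recent.popleft()
            if failed:
                recent.append(ts)
                users.add(user)
                if alert is None and len(recent) >= threshold:
                    alert = {"ip": ip, "known_source": ip in known,
                             "failures_in_window": len(recent),
                             "first_failure": recent[0].isoformat(),
                             "last_failure": ts.isoformat(),
                             "success_after_burst": False}
            elif alert is not None and len(recent) >= threshold:
                # A successful login right after the burst: the guess likely worked.
                alert["success_after_burst"] = True
                alert["compromised_user"] = user
        if alert:
            alert["users_targeted"] = sorted(users)
            alert["severity"] = ("critical" if alert["success_after_burst"]
                                 else "medium" if alert["known_source"] else "high")
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse(SAMPLE_LOG)):
        print(a["severity"].upper(), a["ip"], a)
```

On the sample, the unfamiliar address that guesses five passwords in seven seconds and then logs in as jsmith is reported as critical, the allowlisted address with five failures is reported as medium, and two failures three hours apart produce nothing. The same structure works for Windows 4625/4624 events or a web application's login log once the parser is swapped.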
50. ABA Ethics Rules Relevant to Cybersecurity
Model Rule 1.1 - Competence
Model Rule 1.3 - Diligence
Model Rule 1.6 - Confidentiality
Model Rules 5.1 and 5.3 - Supervisory Responsibility (lawyers and
non-lawyer assistants)
51. Laws and Regulations to Which Attorneys are Subject
● 50 State (and D.C.) Breach Notification Laws
● State Privacy Law
● Cybersecurity Laws (e.g., 23 NYCRR Part 500)
● HIPAA
● Regulatory Discipline
● Malpractice
● Civil Class Action
52. Risks I
● INTERNAL
○ Employees, Associates, Contractors (domestic and…)
○ Service Providers and MSPs
● EXTERNAL
○ Former employees, associates, and contractors
● TECHNOLOGY
○ Work from home
○ Remote/virtualized work
53. Assessing and Addressing Risk
ASSESSING RISK – gives a lawyer/firm a reality check on which risks are real and which are
unlikely. This process helps an organization focus its resources on the risks that are most likely
to occur.
ACTING ON THE RISK
•RISK ACCEPTANCE – Risk acceptance is the choice that you must make when the cost of
implementing any of the other responses exceeds the value of the harm (financial AND non-monetary)
that would occur if the risk came to fruition. To truly qualify as acceptance, it cannot be a risk where the
lawyer or law firm is unaware of its existence; it has to be an identified risk for which those involved
understand the potential cost or damage and agree to accept it.
•RISK MITIGATION – Implementing controls to reduce the likelihood or impact of the risk. (Never total)
•RISK TRANSFERENCE – Insurance, contract indemnification, etc. (Not perfect: the reputational harm and the ethical duty stay with the firm)
•RISK AVOIDANCE – Not engaging in the activity that creates the risk. (Rarely possible for a practicing firm)
54. What Attorneys Need to Hear
● Information is your most valuable asset – protecting it is an essential business function, even for law firms
● Information compromise is far costlier than managing risk
● Do you have defensible security over your information?
● Failure to identify, assess and manage risks can result in many types of civil liability and
regulatory penalties
● Cyber insurance may not cover losses AND WON'T PUT YOU IN STATUS QUO ANTE
● Ransomware payments may invoke government scrutiny and enforcement
● Policy development and supervision (disaster and business recovery, backup,
cybersecurity, remote) must be done in lockstep with technology development
56. Clio EasyStart
Track your time and get paid
Everything you need to track your time, bill your clients, and get paid—plus some extras!
Clio Essentials
Optimize firm operations
Includes critical law practice management tools that allow you to work smarter, customize
how your firm gets organized, and communicate with clients and co-counsel.
Clio Advance
Scale your impact
Introduces unlimited access to new productivity tools and more business and financial
oversight. Priority on-call support ensures you get the most out of Clio.
Clio Complete
Grow your business
Scale your business by adding Clio Grow to improve and automate your client intake with
online forms, online appointment bookings, automated email follow-ups, and more.
Lawyaw
New software for solo, small- and mid-sized legal practices that can help streamline
information gathering and document assembly, along with built-in e-sign and other features.
Visit clio.com/pricing to learn more.
Clio’s Offerings
57. Clio Payments
Clio Manage's new online payments platform makes it easy for
your clients to pay online using a credit card, debit card, or
eCheck—without the need for a third-party payment processor.
Clio Drive
Securely create, access, edit, store, and collaborate on
documents without ever leaving your desktop.
Clio for Clients
Clio for Clients, Clio's new secure client portal, allows you to
streamline communication with your clients.
Text Notifications and Reminders
Use text notifications and reminders to avoid the costly
no-shows and unnecessary administrative overhead that comes
with organizing client meetings.
Visit clio.com/features/whats-new to learn more.
What’s New In Clio
58. Polls for Non-Clio and Clio Customers
Poll 1: For Non-Clio Customers
Would you like to learn more about Clio?
a. Yes, I would like to learn more about Clio's products
b. Yes, I would like to learn about the Clio Cloud
Conference
c. No, I'm not interested
d. No, I'm already a Clio Customer
Poll 2: For Clio Customers
Would you like to learn more about:
a. Adding Clio Grow to streamline client intake
b. Adding Clio Payments
c. The Clio Cloud Conference
d. No, I'm not interested
or I already use Clio Grow/Clio Payments
59. Additional Resources
● Blog: 2022 Law Firm Data Security Guide: How to Keep Your Law Firm Secure
● CLE-eligible webinar: Leveraging Technology to Design Efficient Law Firm
Processes, September 7
● Meetup Series: The Legal Marketing Masterclass Series
● Clio Cloud Conference October 10-11, 2022: Get your pass