Protecting Client Data for Professional Responsibility and to Prevent Identity Theft

Paula S. deWitte, J.D., Ph.D., P.E.
Attorney Liability
•   Violate Professional Responsibility Rules
•   Violate state/federal identity theft statutes
•   Commit malpractice
•   Suffer embarrassment and loss of reputation from being on the front page of the
    newspaper or the lead story on the 6 p.m. news.

Good business practices protect all client data – including sensitive personal information.
Three Business Reasons to Know This Material
1. Protect you and your law firm
2. Advise your clients to safeguard information
3. Prepare for new business opportunities
Why Are Law Firms Good Targets?
• To get to the lawyers

• To get to the clients’ information

• General, undirected attacks on enterprises that are easily hacked into
Are Lawyers Targets?
•   http://www.wired.com/threatlevel/2010/02/apt-hacks/

•   One mark of APT attacks is that they have especially hit companies with dealings in China,
    including more than 50 law firms.
     –   Advanced Persistent Threats (APT): the attacks are distinctive in the kinds of data the attackers
         target, and they are rarely detected by antivirus and intrusion programs. What’s more, the intrusions
         grab a foothold into a company’s network, sometimes for years, even after a company has
         discovered them and taken corrective measures.


•   “If you’re a law firm and you’re doing business in places like China, it’s so probable you’re
    compromised and it’s very probable there’s not much you can do about it,” Mandia says.

•   In 2008, Mandiant investigated a breach at a law firm that was representing a client in a
    lawsuit related to China. The attackers were in the firm’s network for a year before the firm
    learned from law enforcement that it had been hacked. By then, the intruders had harvested
    thousands of e-mails and attachments from mail servers. They also had access to every other
    server, desktop workstation and laptop on the firm’s network.

•   Read more: http://www.wired.com/threatlevel/2010/02/apt-hacks/#ixzz0hsIFsw2n
Manage Your Risk
• Know the terms:
  –   Sensitive Personal Information
  –   Encryption
  –   Business duty
  –   Reasonable procedures
• Know what is required to comply with the law.
• You may be liable under the laws of another state!
  – Massachusetts law is the strictest and requires a written information security
    program (WISP).
Your Biggest Hidden Security Threats
• Social engineering: unintentional, and by those you trust

  OR

• Insider threat: intentional, and by those internal to your law firm
Identity Theft Is Growing
•   U.S. Dept. of Veterans Affairs: 1,800,000 (11/07) – stolen laptop
•   U.S. Dept. of Veterans Affairs: 76,000,000 – defective hard drive sent out for
    repair/recycling without proper procedures
•   Countrywide Home Loan: 2,000,000 (08/08)
•   Overall U.S. identities lost since Jan 2005: 250,000,000
•   Estimated $1 trillion worth of data stolen (2008)
•   Cybercrime up 53%
•   Cost to repair the average 2008 data breach: $6,600,000

Bolded statistics credited to USAF Lt Gen (ret) Harry Raduege, Chairman, Center for
Network Innovation, Deloitte, July 2009, World Affairs Council, Houston, TX.
Sony PlayStation Network and Online Entertainment Breaches
• 100 Million Accounts …
  – 100,000,000
• Costs of up to $2B …
  – $2,000,000,000
• Sony market capitalization is $20.5B
  – $20,500,000,000
• Liable under different nations’ and states’ laws
• PR nightmare
What Can Trigger Your Duties
• Security or data breaches by someone who targets your law firm
• Lost, stolen, or strayed computer or laptop
• Improperly trashed or donated computers or computer parts
• Lost mobile devices, USBs, or CDs
• Weak, limited, or no data encryption
• Weak passwords
• No or poorly written policies:
  – E-mailing sensitive data to personal accounts
Security Aspects
• Electronic
  – Firewalls, security software, intrusion detection systems
• Physical
• Administrative/Management
  – Your biggest vulnerability is people.
The World is Changing
•   The “reasonableness” standard
•   Growing client awareness
•   Statutory and civil liabilities
•   Technology:
    –   Readily available
    –   Relatively inexpensive
    –   Minimizes risk of being caught
    –   Web resources
• The ease of being a hacker
Security Framework
• Prevention
  – Did you prevent unauthorized access?
• Detection
  – Can you detect if a security breach has occurred?
  – Can you figure out what and how it happened?
• Remediation
  – How can you fix the situation?
  – Do you have remediation plans in place?
Statutory/Lawsuit Trend (1/3)
• HIPAA
• Gramm-Leach-Bliley Financial Services Modernization Act
• What is the standard to determine liability?
• States continue to pass harsher legislation to deal
  with a growing identity theft problem.
• Federal legislation possible
Statutory/Lawsuit Trend (2/3)
• “Sensitive personal information” means … an individual’s first name or first initial
  and last name in combination with any one or more of the following items, if the
  names and the items are not encrypted:

   – social security number;
   – driver’s license number or government-issued identification number; or
   – account number or credit or debit card number in combination with any required
     security code, access code, or password that would permit access to an
     individual’s financial account.
   – Other: biometric data is ignored in this presentation.
Statutory/Lawsuit Trend (3/3)
• How does Tex. Bus. & Com. Code § 521.053(b) (2009) apply to lawyers?
   – Three business duties:
      • Use reasonable procedures to safeguard SPI…
      • Destroy or arrange for destruction of SPI…
      • Notify when a breach is detected or when you are notified of a breach…
          – “Many entities don’t discover a breach until someone from law
            enforcement notifies them. By then, it’s too late.”
• Tied to the DTPA
What is Sensitive Personal Information (SPI)?
• First initial and last name OR first name and last name
• Combined with any of:
  – Social security number OR
  – Driver’s license number OR
  – Account or credit card number in combination with any required security code,
    access code, or password that would permit access to that account.
Business Duty 1: Use “reasonable procedures”…
• “…including appropriate corrective action to protect from unlawful use or disclosure
  any SPI collected or maintained by the business in the regular course of business.”

• Cannot be delegated.

• Liable for the actions of your employees, regardless.
What is the Reasonable Standard?
•   The business owner?
•   The SPI owner (i.e., the potential victim)?
•   IT personnel?
•   Information assurance (IA) experts?
•   Prevailing public perception?

Is there a standard?
Reasonable Procedures
•   Must be in writing.
•   Protect against anticipated threats or hazards.
•   Consider administrative, technical, and physical.
•   Consider all aspects of the SPI: collection, storage, access, use, transmission,
    and protection.
•   Consider the security framework of prevention,
    detection, and remediation.
•   Institutionalize procedures.
•   Train.
•   Audit.
Continuous Process
• Have a written information security program (WISP).
• Have a third party test your systems.
• Document the problems.
• Fix the problems.
• Conduct periodic reviews.
Business Duty 2: Destroy or Arrange for the Destruction…
• “…of customer records by shredding, erasing, or otherwise modifying the sensitive PI
  in the records to make the information unreadable or indecipherable through any
  means”

• What works?
• What doesn’t work?
Business Duty 3: Notify Potential Victims
• “… after discovering or receiving notification of that breach … as quickly as
  possible”

• How do you discover a breach?
• What constitutes “receiving notification of that breach”?
• What does “as quickly as possible” mean?
• How do I notify potential victims?
The Good News
The use of reasonable procedures and proper destruction works for all types of data a
law office might maintain.
What Does the Attorney General Tell an Identity Theft Victim To Do?
• http://www.texasfightsidtheft.gov/
• Create a written criminal report to protect themselves from being denied credit.
• File a report with the Federal Trade Commission.
• Collect as much evidence as possible. This evidence can be used against you!
Your Liability
• Statutory fines to Texas

• To the SPI owner:
   –   Lost income
   –   Expenses of fixing credit
   –   Attorney fees
   –   Possible treble damages under the DTPA

• Your consequences:
   – Loss of revenue and reputation
What SPI Do You Routinely Maintain?
• Employee records
  – Every employee record has the employee’s name and social security number
• Client contact information
  – Besides SPI: IP and client-sensitive information
• Discovery documents
• Statutory exceptions:
  – Statute excludes publicly available information available from federal, state,
    or local governments
  – Excludes encrypted data
     • No statutory definition for “encryption”
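A small classifier that applies the SPI definition from the slides above (name plus SSN, driver's license/government ID, or account number plus an access code) and honours the encryption exception. This is an added example, not part of the presentation; the field names, the `_encrypted` marker and the sample records are constructed for illustration, and the reading that both the name and the triggering item must be unencrypted is an assumption.

```python
"""Classify records against the statutory SPI definition summarized in the deck.

Added example, not from the presentation. Field names, the ``_encrypted`` marker
and the sample records are constructed for illustration.
"""

# Hypothetical field names for a firm's records (employee files, client contacts).
NAME_FIELDS = ("first_name", "first_initial")   # either one, combined with last_name
ID_TRIGGERS = ("ssn", "drivers_license", "government_id")
ACCOUNT_FIELD = "account_number"
ACCESS_FIELDS = ("security_code", "access_code", "password")
ENCRYPTED_KEY = "_encrypted"   # names of fields stored encrypted in this record


def _in_clear(rec: dict, key: str) -> bool:
    """True when the field is present, non-empty, and not marked as encrypted."""
    return bool(rec.get(key)) and key not in rec.get(ENCRYPTED_KEY, ())


def spi_triggers(rec: dict) -> list[str]:
    """Return the data elements that make this record SPI (empty list if none).

    Assumed reading of "if the names and the items are not encrypted": the name
    and the triggering item must both be unencrypted for the combination to count.
    """
    name_in_clear = _in_clear(rec, "last_name") and any(
        _in_clear(rec, f) for f in NAME_FIELDS)
    if not name_in_clear:
        return []
    triggers = [f for f in ID_TRIGGERS if _in_clear(rec, f)]
    # An account or card number counts only with a code that would permit access.
    if _in_clear(rec, ACCOUNT_FIELD) and any(_in_clear(rec, f) for f in ACCESS_FIELDS):
        triggers.append(ACCOUNT_FIELD)
    return triggers


def is_spi(rec: dict) -> bool:
    return bool(spi_triggers(rec))


def audit(records: list[dict]) -> list[tuple[int, list[str]]]:
    """Index every record that falls under the definition, with its triggering fields."""
    return [(i, spi_triggers(r)) for i, r in enumerate(records) if is_spi(r)]


# Constructed sample records with obviously fake values.
SAMPLE_RECORDS = [
    {"first_name": "Ada", "last_name": "Example", "ssn": "000-00-0000"},
    {"first_initial": "B", "last_name": "Example", "account_number": "0000",
     "access_code": "0000"},
    {"first_name": "Cy", "last_name": "Example", "account_number": "0000"},  # no code
    {"first_name": "Di", "last_name": "Example", "ssn": "000-00-0000",
     "_encrypted": {"ssn"}},                                                 # item encrypted
    {"ssn": "000-00-0000", "drivers_license": "00000000"},                   # no name
]

if __name__ == "__main__":
    for index, triggers in audit(SAMPLE_RECORDS):
        print(f"record {index}: SPI via {', '.join(triggers)}")
```

Records 2, 3 and 4 fall outside the definition for different reasons (no access code, encrypted item, no name), which is the kind of distinction a data inventory for a WISP has to make.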
Do Not Rely on the Encryption Exception
• Encryption is not a yes/no category.
  – Encryption is a continuum from weak to strong.
• True encryption requires encryption throughout the system; one piece of your
  system that is not encrypted renders the entire system vulnerable.
Contact
• Paula deWitte, P.L.L.C.
• Paula.deWitte@PauladeWitte.com
• Cell: 512.633.3791

Protecting Client Data 11.09.11

Editor's Notes

  • #3 Car analogy: stealing takes time, a car can only be stolen once, then the thief moves on. My car is somewhat under my control. My identity is not.