Presentation for the North Carolina State Bar seminar on Real Estate Hot Topics on February 20, 2015. This presentation focuses on email security and its role in complying with the ALTA Best Practice on Privacy and Protection of Non-Public Personal Information.
Patrick Bourk, National Cyber Practice Leader at Hub International, discusses the various cyber policies available to mid-size commercial businesses. He also walks through the types of risk to consider when working with an insurer.
Law firm cybersecurity in the cloud
According to the 2017 ABA Legal Technology Survey, 22% of law firms faced a cyberattack or data breach—and you don’t want your firm to be one of them.
That’s why staying up to date with the latest legal technology is key to managing your firm’s cybersecurity and keeping your clients’ data as secure as possible.
Learn how law firms can utilize cloud technology to create greater cybersecurity than what they have now.
In this CLE-eligible webinar, you’ll learn:
Top cybersecurity risks for law firms
How to eliminate high cyber-risk vectors
How to recover from a cyber incident
Duration: 60 minutes
https://landing.clio.com/law-firm-cybersecurity.html
Get the insights you need to elevate your legal practice.
The annual Legal Trends Report sheds light on the most important issues faced within the legal profession. This year’s report features a multi-year analysis of 2,000 law firms’ revenue growth, as well as a survey of 2,000 legal consumers, and a test of 1,000 law firms’ responses to client inquiries. Informed with this research, the report examines:
What differentiates growing law firms from stagnating practices.
What potential clients want when they look for a lawyer.
How today’s law firms fare at interacting with potential clients—and where they can improve.
In this 60 minute webinar, join George Psiharis, Clio’s Chief Operating Officer, and Joshua Lenon, Clio’s Lawyer in Residence, as they explore the 2019 Legal Trends Report in detail to identify the report’s most important findings and contextualize what the data means for legal professionals and firms.
By watching this Legal Trends Report webinar, you will learn:
The biggest takeaways from Clio’s research into 2019 legal trends.
Our top recommended actions for legal professionals based on the report.
Additional insights on how to take a more data-driven approach at your firm.
https://landing.clio.com/2019-Legal-Trends-Report.html
Privacy rules matter—make sure your firm stays compliant.
While every lawyer knows the basic rules behind confidentiality and attorney-client privilege, the significance of privacy law is less well-known—and that lack of knowledge can impact your law firm. Emerging privacy rights and rights of action are impacting businesses of all types—including those in the legal profession. Local, national, and even international laws are making privacy the next frontier in data management for lawyers.
Are you prepared to adjust to the new demands of privacy for law firms, and move beyond confidentiality?
Join Joshua Lenon—an IAPP Certified Information Privacy Professional and Clio’s Lawyer in Residence and Data Protection Officer—as he explains how these privacy laws can impact law firms and what your firm should do to ensure compliance.
In this free 1-hour CLE-eligible webinar, you’ll learn:
Why law firm data must conform with emerging privacy regulations
The impact of clients’ compliance with privacy law on firm operations
Future privacy laws that may affect your law firm—no matter where you operate
https://www.clio.com/events/webinar-law-firm-privacy/
Legal Issues Associated with Third-Party Cyber Risk (Shawn Tuma)
Cybersecurity & Data Privacy Attorney Shawn Tuma delivered the presentation Legal Issues Associated with Third-Party Risk at the ISACA CSX 2017 North America conference in Washington, DC.
Personally Identifiable Information – FTC: Identity theft is the most common ... (Jan Carroza)
Retailers are liable for identity theft and can be subject to fines and criminal prosecution for breach. What consumer information is considered Personally Identifiable Information (PII)? What laws should retailers be aware of? What are the 6 General Mandates that affect every retailer? What can merchants do to secure their electronic payments systems and procedures?
Proven Practices to Protect Critical Data - DarkReading VTS Deck (NetIQ)
NetIQ was a Platinum sponsor for “Plugging the Leaks: Finding and Fixing the IT Security Holes in Your Enterprise,” a virtual trade show (VTS) produced by Information Week Magazine and Dark Reading.
This was our presentation deck: "Proven Practices to Protect Critical Data", presented live by Matt Mosley, Senior Product Manager, and Matt Ulery, Director of Product Management. They explored some of the most significant problems facing security teams tasked with protecting critical data, and presented some of the most effective approaches and technologies for quickly identifying real threats.
The trends continue to point upward for data incidents and 2013 is becoming a pace setter. The shifting regulatory landscape promises to add further complications for companies struggling to prepare for and respond to data privacy incidents.
This webinar will feature two leading data breach experts who have performed a two year trend analysis across hundreds of cases to offer a powerful and up-to-date perspective on what has happened and their predictions for the future. It will also cover how these factors are shaping regulations which are in turn influencing decision-making in the C-Suite.
Our featured speakers for this timely webinar will be:
-Bill Hardin, Director of Data Privacy Response & Investigations, Navigant
-Jennifer Coughlin, Privacy and Data Security Attorney, Nelson, Levine
-Gant Redmon, Esq. General Counsel and VP of Business Development, Co3 Systems
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian (PECB)
Short description:
In this webinar, we explore current trends, predictions and other developments relevant to GDPR enforcement. We also discuss the big fines imposed in the Facebook, Google and Experian cases, and offer guidance on how to stay out of trouble with the regulator.
Main points covered:
• A summary of ICO enforcement action in the UK over the past 12 months
• What organizations got wrong?
• The big fines – Facebook and Experian
• Trends and predictions
• How to keep out of trouble with the regulator
Presenter:
Our presenter for this webinar, James Castro-Edwards is a partner and Head of Data Protection at Wedlake Bell LLP. James advises domestic and multinational organizations on data protection issues. His experience includes managing global data protection compliance projects for multinationals and advising domestic companies on complex data protection issues. He has also developed and delivered innovative data protection training programs for multinational clients, including a data protection officers’ training course which was accredited by a European government. James leads the firm’s outsourced data protection officer service, ProDPO.
James frequently speaks on data protection and cybersecurity issues and is widely published, having written articles for a wide variety of titles including The Times and The Guardian, and wrote The Law Society textbook on the General Data Protection Regulation (GDPR).
Recorded Webinar: https://youtu.be/QAF1XXTBFyg
Does your organization take credit card information? Do you store personal information on your staff, clients or donors? Raffa can help you avoid the pitfalls and penalties that can come from storing these privacy related items in unsecured ways.
PCI DSS, the Payment Card Industry Data Security Standard is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. This applies to essentially any merchant that has a Merchant ID (MID).
HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information must ensure that all the required physical, network, and process security measures are in place and followed. This includes anyone who provides treatment, payment and operations in healthcare, and anyone with access to patient information and provides support in treatment, payment or operations.
This webinar, featuring guests from the EU Commission, the French data regulator CNIL, DLA Piper and IBM, provided an overview of the new EU data protection and privacy framework from the viewpoints of the regulation's author, a regulator, a legal advisor and a technology provider.
On-demand recording link: https://info.trustarc.com/WB-2019-06-19-GDPR-Compliance-Convince-Customers-Partners-Board.html?utm_source=slideshare
Many companies have invested significant time and resources trying to design and implement GDPR compliance programs. Internally, they may have generated hundreds or thousands of pages of project plans, policies, processes and reports – including records of processing, DPIA reports and much more. But how can you demonstrate to internal stakeholders, clients and partners that you have a comprehensive program and that your processes and products are GDPR-compliant?
This webinar will provide these key takeaways:
-The current state of an official GDPR certification and codes of conduct
-Case studies of how companies are demonstrating compliance
-The benefits of an external third party GDPR validation
Taking your open source email security to the next level (Cyren, Inc)
Presentation by Commtouch at WorldHostingDays 2010 describing how hosting providers utilizing open source solutions can save money, increase revenues and improve antispam detection.
Paper: multi-modal biometric system using fingerprint, face and speech (Aalaa Khattab)
A single biometric system is often unable to meet the desired performance requirements.
To enable a biometric system to operate effectively across different applications and environments, a multimodal biometric system is preferred.
This paper introduces a multimodal biometric system that integrates fingerprint verification, face recognition and speaker verification.
Multimodal biometric systems are those that use more than one physical or behavioural characteristic for enrolment, verification, or identification.
Discover the latest stats and facts charting the rise of spam, malware, ransomware and phishing in 2015. It makes for sobering reading for any responsible IT manager.
This presentation provides you with an overview of Email Management (EMM). The slides are from AIIM's EMM Certificate Program, which is a training program designed from global best practices among AIIM's 65,000 Associate and Professional members.
Introduction to Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Shows the basic principles of SSL/TLS and a little of their practical application.
Cryptography is the science of using mathematics to encrypt and decrypt data.
Cryptography enables you to store sensitive information or transmit it across insecure networks so that it cannot be read by anyone except the intended recipient.
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros (Nicholas Van Exan)
An overview of some contemporary topics related to privacy and data breaches, with a focus on how security professionals can help mitigate privacy risks both before and after data breaches occur.
Data Confidentiality, Security and Recent Changes to the ABA Model Rules (saurnou)
Continuing legal education (CLE) presentation regarding data confidentiality, information security, computer forensics and legal ethics in light of technology-related changes made to the American Bar Association's Model Rules of Professional Conduct.
Lawyers are required to enact 'reasonable' safeguards when storing client files. They must also deal with an ever-increasing number of new privacy regulations imposed on them and their clients. When handling sensitive client data, lawyers need to balance issues of confidentiality and privacy against building productive workflows. Failure to keep client information secure can lead to a potential waiver of privilege, malpractice claims, and even fines from various government agencies. Law firms need rigorous security, no matter their firm’s size or practice area.
A law firm’s security plan must include three components: user training and access controls, secure technology, and a recovery plan.
Join Clio’s lawyer in residence, Joshua Lenon, as he shows you how to enact a security plan for your law firm with guest Chris Wiesinger of CloudMask, an encryption service provider for cloud-based technologies.
In this free, CLE-accredited presentation, attendees will learn:
The difference between confidentiality and privacy for law firms
The regulations that apply to all law firms, as well as those for specific practice areas
The security planning tips you can use to assess and protect your law firm
The tools to improve your law firm’s security profile
Why law firms are vulnerable to cyber attack
What lawyers' ethical duties are
The value of privilege & how to obtain it
The value of the security assessment
The value of continuous security monitoring
What Not-for-Profits Can Do To Prevent "Uninspired" Theft (CBIZ, Inc.)
This presentation explains why cybersecurity matters in the not-for-profit sector. Case studies reinforce the importance of staying ahead of the curve when managing cyber risk.
New York Department of Financial Services Cybersecurity Regulations (Shawn Tuma)
Getting in Shape – NYDFS Cyber Security Regulations Webinar
Presenters: Shawn Tuma, Cybersecurity & Data Protection Attorney, Scheef & Stone LLP | Bill Belcher, VP Americas, Boldon James. In an initiative to protect New York's financial services industry, a new State regulation has been introduced to protect consumers and financial institutions from cyber-attacks. Effective March 1, 2017, this risk-driven regulation requires all financial services institutions regulated by the New York Department of Financial Services (DFS) to establish and maintain a cybersecurity program that protects both customers' private data and the technology that supports it. The impact stretches down through the supply chain, because covered entities must also address the security of the third-party service providers that handle their data and systems.
Watch this webcast to learn:
The key requirements of the NYDFS cybersecurity regulation
How compliance is about process first, then people and technology
What organizations need to be doing to ensure they comply
How data classification can help ensure compliance
NYDFS Cybersecurity Regulations (23 NYCRR 500). New York is one of the biggest financial hubs in the world; as you can imagine, where there is sensitive financial information, there are people who want to get their hands on it. For this reason, financial firms operating in New York face stiff cybersecurity obligations under the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500). The regulation applies to firms holding a banking, insurance or financial services licence to operate in New York. 23 NYCRR 500 took effect on March 1, 2017, with a 180-day transitional period for firms to bring internal systems into compliance with the new standards. This fact sheet outlines:
23 NYCRR 500 overview
Key dates for covered entities
Key tasks for compliance
How Boldon James can help
Preventing Internet Fraud By Preventing Identity Theft (Diane M. Metcalf)
This project concentrates on the area of internet fraud called “Identity Theft”. It focuses on the responsibility of the individual cardholder in preventing or reducing fraud. It is based upon a belief that educating and empowering consumers has the ability to decrease internet/e-Commerce fraud by way of reducing identity theft.
Many executives are concerned about the security of their data and network infrastructure. Join us and learn where your organization may have security gaps or be out of state or federal compliance. In this seminar, we will discover how a combination of good policies and the implementation of good, solid solutions can help you meet compliance requirements, and protect and secure your organization or business.
E. Andrew Keeney led a Cybersecurity Workshop at The Credit Union League of Connecticut's Compliance Series: Social Media Compliance Risks on February 10, 2015.
An overview of the Massachusetts 201 CMR 17 data privacy regulation, which goes into effect on March 1. Contact information for each presenter is available in the slide deck.
Please contact any of us with questions.
The Most Wonderful Time of the Year for Health-IT...NOT (Compliancy Group)
The Compliancy Group offers free HIPAA education with experts from across the industry. This month's webinar with Axis Technology focuses on health IT and the challenges that come with it. Register for upcoming webinars at www.compliancy-group.com/webinar
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson... (Don Grauel)
Steve Robinson of RPS Technology & Cyber presented "Discussing Cyber Risk Coverage With Your Commercial Clients" to the 68th Annual F. Addison Fowler Fall Seminar on October 17, 2014.
4. How email seems to work
[Diagram: two company networks, each behind its own routers, with DLP on the sending side and AS/AV filtering on the receiving side]
How email actually works
[Diagram: The Cloud]
Email is Cloud Data
5. Unencrypted Email
"Email sent in the 'default' manner over the Internet is inherently insecure."
Benefits of Secure Email:
• Integrity
• Confidentiality
• Privacy
• Authenticity
• Proof of receipt
• Nonrepudiation
"Now is the time to get serious about your email system."
8. Spying by N.S.A. Ally Entangled U.S. Law Firm
By James Risen and Laura Poitras, The New York Times, Feb. 15, 2014
The list of those caught up in the global surveillance net cast by the National Security Agency and its overseas partners, from social media users to foreign heads of state, now includes another entry: American lawyers.
A top-secret document, obtained by the former N.S.A. contractor Edward J. Snowden, shows that an American law firm was monitored while representing a foreign government in trade disputes with the United States. The disclosure offers a rare glimpse of a specific instance in which Americans were ensnared by the eavesdroppers, and is of particular interest because lawyers in the United States with clients overseas have expressed growing concern that their confidential communications could be compromised by such surveillance.
10. Man-in-the-Middle Attacks
• SSL Certificate Spoofing
• Several SSL Certificate Authorities hacked
• Courts in the Netherlands advised lawyers to stop using email
12. Targeting Real Estate Professionals
• Thieves intercept emails from title agencies providing wire transfer information for borrowers
• Thieves alter the email by replacing the title company's bank account information with their own, and then send it along to the borrowers
• The emails appear to be genuine, containing the title agency's email information and branding
• Unsuspecting borrowers transmit earnest money to the thieves
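The checks below are an added example written for this page; they are not part of the presentation and not any vendor's product. They take a constructed "updated wire instructions" message and flag the signs of the fraud described above: a Reply-To or Return-Path that leaves the title agency's domain, a look-alike domain, and an account number that differs from the one the agency put on file. The domain example-title.com, the account number on file and the message text are assumptions made for the example.

```python
"""Flag a wire-instruction e-mail whose headers and content do not line up.

Added example, not from the presentation. It inspects a constructed
message the way a title agency's mail filter, or a borrower's assistant,
might before anyone acts on "updated" bank details.
"""
import re
import email
from email import policy
from email.utils import parseaddr

# Assumptions for the example: the title agency's real domain and the
# account number it put in the borrower's original closing instructions.
TRUSTED_DOMAIN = "example-title.com"
KNOWN_ACCOUNT = "123456789"


def domain_of(header_value) -> str:
    """Lower-cased domain of an address header, or '' if it is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (rn for m, 1 for l)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_wire_email(raw: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])

    # 1. Replies and bounces should go back to the domain the mail claims to be from.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # 2. Any domain within two edits of the real one is a look-alike, not the agency.
    for dom in sorted({from_dom, domain_of(msg["Reply-To"]), domain_of(msg["Return-Path"])}):
        if dom and dom != TRUSTED_DOMAIN and edit_distance(dom, TRUSTED_DOMAIN) <= 2:
            findings.append(f"{dom} is a look-alike of {TRUSTED_DOMAIN}")

    # 3. A changed account number is the payload of the fraud; compare with what is on file.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for acct in re.findall(r"account[:#\s]*(\d{6,17})", text, re.IGNORECASE):
        if acct != KNOWN_ACCOUNT:
            findings.append(f"account number {acct} differs from the number on file")
    return findings


# Constructed sample: the display name and From address look genuine, but the
# reply path points at a domain with "rn" in place of "m", and the account changed.
SAMPLE_FRAUD = """\
Return-Path: <closing@exarnple-title.com>
From: "Example Title Closing Dept" <closing@example-title.com>
Reply-To: closing@exarnple-title.com
To: borrower@example.net
Subject: Updated wire instructions for closing on 2/20
Content-Type: text/plain; charset=us-ascii

Our bank account has changed. Please wire the earnest money to:
Routing: 123123123
Account: 987654321
"""

# Constructed sample: consistent headers and the account already on file.
SAMPLE_LEGIT = SAMPLE_FRAUD.replace("exarnple", "example").replace("987654321", KNOWN_ACCOUNT)

if __name__ == "__main__":
    for name, raw in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(name, check_wire_email(raw) or "no findings")
```

The fraud sample produces four findings and the consistent sample none. A mail filter would quarantine on any finding; a person would confirm changed bank details by phoning the title agency at a number already on file, never one taken from the email.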
15. North Carolina Data Breach Notice Law
G.S. § 75-65. Protection from security breaches
– Applies to any business that owns, licenses, maintains or possesses "personal information" of North Carolina residents
Requires notice of a "security breach"
– An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer
– Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach
Safe Harbor: encryption and a secure key
– "Encryption" means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key
16. Federal Data Breach Notice Standard?
The White House proposed in January 2015 a federal data breach reporting standard that would preempt the various state laws
The proposal would create a safe harbor, exempting companies from the notice requirements, if an assessment concludes that there is no reasonable risk of harm
Rebuttable presumption that there is no reasonable risk of harm if the data "was rendered unusable, unreadable, or indecipherable through a security technology or methodology generally accepted by experts in the field of information security"
In other words, using strong encryption would provide a safe harbor for businesses
17. GLBA Safeguards Rule
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to ensure the security and confidentiality of customers' personally identifiable financial information
Financial institution means any business that is significantly engaged in providing financial products or services
The term includes:
– Mortgage brokers
– Non-bank lenders
– Loan servicers
– Real estate settlement services
– Real estate appraisers
18. GLBA Safeguards Rule
Nonpublic financial information means:
– Personally identifiable financial information; and
– Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available
Personally identifiable financial information means:
– Information a consumer provides to obtain a financial product or service
– Information about a consumer resulting from any transaction involving a financial product or service
– Information otherwise obtained about a consumer in connection with providing a financial product or service to that consumer
19. GLBA Safeguards Rule
Protect customer information
– The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security:
Employee Management and Training
Information Systems
Detecting and Managing System Failures
Develop a written information security plan
– Flexible standard appropriate to each company's:
size and complexity
nature and scope of activities
sensitivity of customer information handled
20. Information Security Plan
Plan must cover:
• designate employees to coordinate the information security program
• identify and assess risks to customer information in each relevant area of the company's operation
• evaluate the effectiveness of the current safeguards for controlling these risks
• design and implement a safeguards program, and regularly monitor and test it
• evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring
• select service providers that can maintain appropriate safeguards
• make sure contracts require service providers to maintain safeguards
• oversee service providers' handling of customer information
21. Oversight of Service Providers
CFPB Bulletin 2012-03: the Consumer Financial Protection Bureau expects financial institutions to oversee compliance with GLBA Safeguards by any person that provides a material service in connection with a consumer financial product or service
Financial institutions should take steps to ensure that service providers do not present unwarranted risks to consumers, including:
– Due diligence to verify compliance with GLBA
– Review of the service provider's policies, procedures, internal controls and training materials about compliance with GLBA
– Contractual provisions addressing compliance with GLBA
– Internal controls and ongoing monitoring to determine compliance with GLBA
– Prompt action to address fully any problems
22. Title Industry Standards
ALTA Best Practices: Pillar #3 – Protecting NPI
Written Plan: Adopt and maintain a written privacy and information security program to protect Non-public Personal Information as required by local, state and federal law
Procedures include: Use only secure delivery methods when transmitting Non-public Personal Information.
23. GLBA Email Security Guidance
"Take steps to ensure the secure transmission of customer information"
"If you must transmit sensitive data by email over the Internet, be sure to encrypt the data"
25. Encryption Considerations
Client's instructions
Degree of sensitivity of the information
Possible client impact from disclosure
Data breach laws
Likelihood of disclosure
Inherent level of security
Reasonable steps to increase security
Cost of additional safeguards
Urgency of the situation
Legal ramifications of unauthorized interception, access or use
28. Channel Encryption
From the Experts: SSL Hacked! Enterprise can't rely on encrypted communications anymore, but corporate counsel can champion a fix
Security of HTTPS channel encryption relies on trust in SSL certificates
[Diagram: Browser and Website Server exchange an identity inquiry, the SSL certificate, a trust confirmation and an acknowledgement, then open the encrypted channel session]
30. How can users connect with so many roadblocks?
• Portals
• Passwords
• Secure attachments
• Password resets
• Extra steps
31. THE FRUSTRATION OF SEPARATE COMMUNITIES
[Diagram: separate communities, each with its own Encryption Key Management]
An elegant solution works without you even knowing it. Encrypts every email within the community.
32. THE POWER OF ONE COMMUNITY
[Diagram: Shared Key Directory]
33. BEST METHOD OF DELIVERY®
[Diagram: Sender's Email Environment → Zix Cloud → External Recipients. The sending Zix customer's mail server hands outbound mail to ZixGateway, which consults the ZixDirectory of 43 million shared public keys and DETERMINES THE MOST SECURE AND EFFICIENT DELIVERY METHOD: a Zix customer receiving through ZixGateway or ZixMail; a non-Zix customer receiving through ZixPort; or a non-Zix customer receiving through TLS or ZixDirect]
35. Automated Email Encryption
• Email composed and read in normal inbox
• Content scanned and encrypted automatically
– Attachments too
• Inbound messages decrypt automatically
– Can scan inbound messages for policy compliance
36. WHAT ABOUT MOBILE DELIVERY?
With many email encryption tools, recipients are unable to easily open encrypted email on mobile devices. The result:
• User frustration
• Interrupted workflow
• Reduced productivity
37. There is NO SECURITY inherent in email or in the Internet
Unlike an enterprise firewall or intrusion detection system, email gives no alert: you cannot tell whether a message has been intercepted.
Lawyers are increasingly focused on ensuring the security of client data stored in the cloud. What many lawyers fail to recognize is that internet-based email is data that is transmitted and stored in the cloud. Cloud-based email presents different, additional risks than do other cloud data services. With internet email, the lawyer does not control the locations of the multiple servers through which the data might be routed, whether and for how long the data is stored on those servers, the ability of third parties to access the data or the terms and conditions of all of the relevant email service participants. In other words, there is a heightened risk that data in unencrypted email could be intercepted and accessed by third parties.
After a user composes a message in an e-mail client program, a program called a mail transfer agent ("MTA") formats that message and sends it to another program that "packetizes" it and sends the packets out to the Internet. Computers on the network then pass the packets from one to another; each computer along the route stores the packets in memory, retrieves the addresses of their final destinations, and then determines where to send them next. At various points the packets are reassembled to form the original e-mail message, copied, and then repacketized for the next leg of the journey.
Sometimes messages cannot be transferred immediately and must be saved for later delivery. Even when delivery is immediate, intermediate computers often retain backup copies, which they delete later. This method of transmission is commonly called "store and forward" delivery.
Once all the packets reach the recipient's mail server, they are reassembled to form the e-mail message.
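The store-and-forward trail is visible in the delivered message itself. The following is an added example written for this page, not part of the presentation: every MTA that stores and forwards a message prepends a Received: header, so the headers of a delivered message list each server that held a copy and, from the protocol keyword, whether that hop used TLS. The message, hostnames and addresses are constructed.

```python
"""Reconstruct the store-and-forward path of a message from its Received: headers.

Added example, not from the presentation. Each MTA that handles a message
prepends a Received: header, so reading them bottom-up lists every server
that stored a copy and whether the hop into it was protected with TLS.
The message below is constructed with documentation hostnames.
"""
import re
import email
from email import policy
from email.utils import parsedate_to_datetime

SAMPLE = """\
Received: from mx2.recipient.example (mx2.recipient.example [203.0.113.20])
    by mailstore.recipient.example with ESMTPS id abc123
    for <buyer@recipient.example>; Fri, 20 Feb 2015 10:02:05 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
    by mx2.recipient.example with ESMTP id def456;
    Fri, 20 Feb 2015 10:01:58 -0500
Received: from laptop.lawfirm.example ([192.0.2.33])
    by relay.isp.example with ESMTPSA id ghi789;
    Fri, 20 Feb 2015 10:01:40 -0500
From: lawyer@lawfirm.example
To: buyer@recipient.example
Subject: Closing documents
Content-Type: text/plain; charset=us-ascii

Wire instructions attached.
"""

# "from <host> ... by <host> with <protocol>" is the conventional clause order (RFC 5321).
HOP_RE = re.compile(r"\bfrom\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)(?:.*?\bwith\s+(?P<proto>\S+))?")


def hops(raw: str) -> list:
    """Return the hops oldest-first: src, dst, protocol, whether TLS was used, timestamp."""
    msg = email.message_from_string(raw, policy=policy.default)
    result = []
    # Headers are prepended, so the last Received: header is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())          # unfold and normalise whitespace
        m = HOP_RE.search(text)
        if not m:
            continue
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        proto = (m.group("proto") or "").upper()
        result.append({
            "src": m.group("src"),
            "dst": m.group("dst"),
            "proto": proto,
            # ESMTPS / ESMTPSA mean the session was protected with STARTTLS (RFC 3848).
            "tls": proto.startswith("ESMTPS"),
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return result


def cleartext_hops(raw: str) -> list:
    """Hops where a copy of the message crossed the network unencrypted."""
    return [f"{h['src']} -> {h['dst']}" for h in hops(raw) if not h["tls"]]


if __name__ == "__main__":
    for h in hops(SAMPLE):
        print(f"{h['time']:%H:%M:%S}  {h['src']:26} -> {h['dst']:28} {h['proto']:8} tls={h['tls']}")
    print("unencrypted hops:", cleartext_hops(SAMPLE))
```

In this sample the middle hop used plain ESMTP, so the ISP relay and the recipient's MX exchanged the message in cleartext even though the first and last hops were protected. Every one of those servers also saw the sender, recipient and subject in the clear. That per-hop gap is what encrypting the content closes and encrypting the channel does not.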
There is no security inherent in the internet or in internet email
Using secure, encrypted email provides a number of benefits
Besides the obvious:
Confidentiality = secrecy
Privacy = identity protection
It also provides:
Integrity = non-alteration
Authenticity = validating sender identity
Proof of receipt = certified delivery
Nonrepudiation = non-denial of origination or receipt
In April 2010, China Telecom announced BGP routes that pulled traffic for roughly 15 percent of Internet destinations through its network for about 18 minutes. That traffic could easily have been copied and methodically searched. Any encrypted email in that flow, however, would have been unreadable to whoever held the copies.
For more information on how the China Telecom incident worked, see: http://bgpmon.net/blog
USA PATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism, USAPA), H.R. 3162
In April 2010, a huge amount of Internet traffic was diverted through China Telecom's network by BGP route announcements originating there. Diverted email messages could easily have been copied and methodically searched.
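What made the 2010 diversion possible is that routers accept whatever origin a BGP announcement claims. The example below is added for this page and is not from the presentation; it shows the check that route origin validation adds: each announcement is compared against a table of who may originate which prefix, and invalid routes are discarded before longest-prefix matching picks a path. The ROA table, the announcements, the prefixes and the ASNs are constructed (documentation prefixes and private-use ASNs), not the real 2010 routing data.

```python
"""Route-origin check for BGP announcements, in the spirit of RPKI ROAs.

Added example, not from the presentation. The ROA table, the announcements
and the ASNs are constructed (documentation prefixes, private-use ASNs);
they are not the April 2010 routing data.
"""
import ipaddress

# Assumed "who may originate what" table, shaped like ROAs:
# (prefix, maximum prefix length the origin may announce, authorised origin ASN)
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]

# Constructed announcements seen from a peer: (prefix, AS_PATH). Origin is the last ASN.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64510, 64500]),        # the legitimate origin
    ("192.0.2.0/24", [64511, 64499]),        # same prefix, wrong origin
    ("198.51.100.0/22", [64510, 64501]),     # the legitimate /22
    ("198.51.100.0/23", [64511, 64499]),     # a more-specific from the wrong origin
    ("198.51.101.0/25", [64501]),            # right origin, but longer than max length
    ("203.0.113.0/24", [64512]),             # no ROA covers it
]


def validate(prefix: str, origin_asn: int) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'unknown' against ROAS."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_len, asn in ROAS:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, asn))
    if not covering:
        return "unknown"                      # nobody has made a statement about this space
    if any(asn == origin_asn and net.prefixlen <= max_len for max_len, asn in covering):
        return "valid"
    return "invalid"                          # covered, but origin or length is wrong


def best_route(dest: str, announcements, drop_invalid: bool):
    """Longest-prefix match, optionally discarding ROA-invalid announcements first."""
    ip = ipaddress.ip_address(dest)
    best = None
    for prefix, path in announcements:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        if drop_invalid and validate(prefix, path[-1]) == "invalid":
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, path)
    return best


if __name__ == "__main__":
    for prefix, path in ANNOUNCEMENTS:
        print(f"{prefix:18} origin AS{path[-1]}: {validate(prefix, path[-1])}")
    for drop in (False, True):
        net, path = best_route("198.51.100.5", ANNOUNCEMENTS, drop_invalid=drop)
        print(f"drop_invalid={drop}: 198.51.100.5 goes via {net} path {path}")
```

Without the check, the more-specific /23 from the wrong origin wins longest-prefix matching and captures traffic for 198.51.100.5; with the check, the legitimate /22 is chosen. A leak like the 2010 one is stopped only where the networks in the path actually drop invalid routes.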
Wikipedia
E-mail is vulnerable to both passive and active attacks. Passive threats include release of message contents and traffic analysis, while active threats include modification of message contents, masquerade, replay, and denial of service (DoS). All of the threats mentioned apply to the traditional e-mail protocols [1]:
Disclosure of information: Most e-mails are currently transmitted in the clear (not encrypted). By means of readily available tools, persons other than the designated recipients can read the e-mail contents.
Traffic analysis: It is believed that some countries routinely monitor e-mail messages as part of their surveillance, not just for counter-terrorism reasons but also to combat industrial espionage and to carry out political eavesdropping. Nor is this limited to national agencies: there is a thriving business in providing commercial and criminal elements with the information within e-mails.
Modification of messages: E-mail contents can be modified during transport or storage. Here, a man-in-the-middle attack does not necessarily require control of a gateway, since an attacker on the same local area network (LAN) can use an Address Resolution Protocol (ARP) spoofing tool such as "ettercap" to intercept or modify all the e-mail packets going to and from the mail server or gateway.
Masquerade: It is possible to send a message in the name of another person or organization.
Replay of previous messages: Previous messages may be resent to other recipients. This may lead to loss, confusion, or damage to the reputation of an individual or organization, and can cause real damage if e-mail is used for applications such as funds transfer, registration, or reservation.
Spoofing: False messages may be inserted into the mail system of another user, either from within a LAN or from an external environment using Trojan horses.
Denial of service: A mail system can be put out of order by overloading it with mail shots, carried out using Trojan horses or viruses sent to users within the contents of e-mails. It is also possible to lock user accounts by repeatedly entering wrong passwords at login.
Increasing Risks of Unsecured Internet Email
Many lawyers believe they can rely on HTTPS browser sessions for secure transmission of client email over the web. That protocol relies on the validity of SSL certificates, which vouch for the identity of the webmail site. An HTTPS session creates an encrypted "pipeline" or "channel" between the user's computer and the webmail server, and nothing more: it says nothing about how the message travels from that server to the recipient's mail server and inbox, and the channel itself is only as trustworthy as the certificate behind it. A certificate authority that issues a fraudulent certificate, or a client that fails to validate one, lets an attacker sit in the middle of an HTTPS session and read what passes through it.
Courts in the Netherlands recently advised lawyers to stop using email. In July 2011, a hacker infiltrated DigiNotar, the certificate authority used by the Dutch government, and issued false SSL certificates. That allowed the hacker to imitate official government Web sites. According to the Wall Street Journal, Dutch lawyers were urged in September 2011 to use fax machines and old-fashioned paper mail instead of email. One lawyer described the situation as "an administrative nightmare."
Because e-mail connects through many routers and mail servers on its way to the recipient, it is inherently vulnerable to both physical and virtual eavesdropping. Current industry standards do not place emphasis on security; information is transferred in plain text, and mail servers regularly conduct unprotected backups of e-mail that passes through. In effect, every e-mail leaves a digital paper trail in its wake that can be easily inspected months or years later.
The e-mail can be read by any cracker who gains access to an inadequately protected router. Some security professionals argue that e-mail traffic is protected from such "casual" attack by security through obscurity, arguing that the vast numbers of e-mails make it difficult for an individual cracker to find, much less to exploit, any particular e-mail. Others argue that with the increasing power of personal computers and the increasing sophistication and availability of data-mining software, such protections are at best temporary.
Intelligence agencies, using intelligent software, can screen the contents of e-mail with relative ease. Although these methods have been decried by civil rights activists as an invasion of privacy, agencies such as the U.S. Federal Bureau of Investigation conduct screening operations regularly.
ISPs and mail service providers may also compromise e-mail privacy because of commercial pressure. Many online e-mail providers, such as Yahoo! Mail or Google's Gmail, display context-sensitive advertisements depending on what the user is reading. While the system is automated and typically protected from outside intrusion, industry leaders have expressed concern over such data mining.
Even with other security precautions in place, recipients can compromise e-mail privacy by indiscriminate forwarding of e-mail. This can reveal contact information (like e-mail addresses, full names, and phone numbers), internal use only information (like building locations, corporate structure, and extension numbers), and confidential information (trade secrets and planning).
In the United States and some other countries lacking secrecy of correspondence laws, e-mail exchanges sent over company computers are considered company property and are thus accessible by management. Employees in such jurisdictions are often explicitly advised that they may have no expectation of a right to privacy for messages sent or received over company equipment. This can become a privacy issue if employee and management expectations are mismatched.
Only applies to North Carolina residents. Does not mandate reasonable data security measures.
Personal Information: a person's first name or first initial and last name in combination with identifying information as defined in G.S. 14-113.20(b).
Identifying information includes: SSN; employer taxpayer ID number; driver's license, state ID card or passport number; checking or savings account number; credit or debit card number; PIN code; electronic ID numbers, electronic mail names or addresses, Internet account numbers or Internet identification names; digital signatures; any other numbers or information that can be used to access a person's financial resources; biometric data; fingerprints; passwords; and parent's legal surname prior to marriage.
Location, location, location. Laws in almost every state require that businesses–including law firms–take reasonable steps to protect sensitive personal information. Texas Business and Commerce Code section 521.052, for example, requires businesses to “implement and maintain reasonable procedures” to protect sensitive personal information, and it provides a safe harbor from data breach notification requirements if the information was encrypted. Even if you’re in a state that does not require the protection of personal data, you may be subject to long-arm privacy laws. Massachusetts 201 CMR 17.00 and Nevada S.B. No. 227 require that personal information of their states’ residents be encrypted when it is transmitted in email, no matter who sends or receives the email or where they’re located. Nowadays, the standards for reasonable procedures to protect sensitive information clearly include using encrypted email.
This is similar to the legislative change recently proposed in the State of Washington, which would replace the blanket encryption safe harbor with one that requires a risk of harm assessment
Here is a link to the proposed legislative wording.
Section 313.3(k) of the GLBA Privacy Rule and Financial Activities Regulations
Section 313.3(n) and (o) of the GLBA Privacy Rule and Financial Activities Regulations
Portable media
Mobile devices
WiFi
Bluetooth
Cellular
Text Messaging (SMS)
Instant Messaging (IM)
Email
The degree of care, and level of data security, should be reasonable in the circumstances. Digital security is not binary. It is not simply “on” or “off.”
There is a balance between reasonable security and reasonable convenience
But … Security is like insurance - everybody thinks they have enough until they discover they have too little
What do you mean by encryption of email in transit?
When an email is encrypted in transit, that means it’s protected against being read by someone with access to the networks through which the email is traveling, on its way from the sender to the destination. You can think of it as a temporary envelope of security that is wrapped around your email to keep it private while it is being transmitted to its intended recipient. Transport Layer Security (TLS) is the standard means of performing encryption in transit for email.
What TLS doesn’t do is encrypt data at rest—that is to say, it does not encrypt email while it is stored on a server.
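Whether transit encryption actually happens on a given hop depends on how the sending server is configured, and the page later contrasts opportunistic with mandatory TLS. The example below is added for this page; it is not from the presentation and not any vendor's code. It models the sending server's decision from a constructed EHLO reply, including the case where an on-path attacker strips the STARTTLS line, and goes beyond the page by adding an MTA-STS policy (RFC 8461), the mechanism a recipient domain publishes over HTTPS to make TLS mandatory for mail sent to it. The hostnames, the EHLO banners and the policy contents are assumptions.

```python
"""Opportunistic versus mandatory TLS, as seen from the sending mail server.

Added example, not from the presentation. It models the decision a sending
MTA makes from the receiver's EHLO response, and what an MTA-STS policy
(RFC 8461) adds. The EHLO banners and policy are constructed; hostnames
are documentation values and the policy fields are assumptions.
"""
import re

# Constructed EHLO response from a receiving server that supports STARTTLS.
EHLO_WITH_STARTTLS = """\
250-mx1.example.com Hello sender.example
250-SIZE 10240000
250-STARTTLS
250-8BITMIME
250 ENHANCEDSTATUSCODES
"""

# The same response after an on-path attacker strips the STARTTLS line.
EHLO_STRIPPED = "\n".join(
    line for line in EHLO_WITH_STARTTLS.splitlines() if "STARTTLS" not in line) + "\n"

# Constructed MTA-STS policy as the recipient domain would publish it over HTTPS.
STS_POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.backup-mx.example.com
max_age: 604800
"""


def ehlo_capabilities(response: str) -> set:
    """Keywords advertised in a 250 multi-line EHLO reply."""
    caps = set()
    for line in response.splitlines():
        m = re.match(r"250[ -](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def parse_mta_sts(text: str) -> dict:
    """Parse the key: value policy format; 'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def mx_matches(mx_host: str, pattern: str) -> bool:
    """MTA-STS mx matching: '*.' stands for exactly one leftmost label."""
    mx_host, pattern = mx_host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        head, _, tail = mx_host.partition(".")
        return bool(head) and tail == pattern[2:]
    return mx_host == pattern


def delivery_decision(mode: str, ehlo_response: str, mx_host: str,
                      cert_valid: bool, sts_policy: dict = None) -> str:
    """Return 'tls', 'plaintext' or 'refuse' for one delivery attempt.

    mode is 'opportunistic' (use TLS if offered, otherwise send in clear) or
    'mandatory' (require STARTTLS and a certificate that validates).
    """
    offered = "STARTTLS" in ehlo_capabilities(ehlo_response)
    if sts_policy and sts_policy.get("mode") == "enforce":
        # MTA-STS enforce: STARTTLS, a certificate valid for the MX, and an MX
        # named in the policy are all required; otherwise the mail must wait.
        if offered and cert_valid and any(mx_matches(mx_host, p) for p in sts_policy["mx"]):
            return "tls"
        return "refuse"
    if mode == "mandatory":
        return "tls" if offered and cert_valid else "refuse"
    # Opportunistic TLS encrypts when it can but never checks the certificate,
    # and a stripped STARTTLS line silently downgrades the hop to cleartext.
    return "tls" if offered else "plaintext"


if __name__ == "__main__":
    sts = parse_mta_sts(STS_POLICY_TEXT)
    for label, ehlo in (("normal", EHLO_WITH_STARTTLS), ("stripped", EHLO_STRIPPED)):
        print(label, "opportunistic:", delivery_decision("opportunistic", ehlo, "mx1.example.com", True))
        print(label, "mandatory:   ", delivery_decision("mandatory", ehlo, "mx1.example.com", True))
        print(label, "mta-sts:     ", delivery_decision("opportunistic", ehlo, "mx1.example.com", True, sts))
```

The stripped banner is the point: under opportunistic TLS the sender quietly falls back to plaintext and neither side notices, whereas mandatory TLS or an enforcing MTA-STS policy holds the mail in the queue instead. The trade-off the page describes is visible here too, since the mandatory modes refuse delivery to any server that is misconfigured rather than hostile.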
Improvements expected from Internet Protocol version 6 (IPv6)
From the Experts: SSL Hacked! Enterprise can't rely on encrypted communications anymore, but corporate counsel can champion a fix.
Steve Roosa, Corporate Counsel, September 28, 2011
Creates an HTTPS browser session: the channel is encrypted
Vulnerable to session hijacking and MITM attacks
EFF identified problems with Certificate Authorities improperly issuing SSL certificates
Comodo issued fraudulent digital certificates to hackers. http://nyti.ms/hNJswe
DigiNotar hack
Why an encrypted "channel" is not as good as encrypting "content": Researchers decrypt data on mobile networks http://j.mp/or33Nm
Sniffer Hijacks SSL Traffic From Unpatched iPhones http://bit.ly/nTJPJ0
The Register: Hackers break SSL encryption used by millions of sites. Beware of BEAST decrypting secret PayPal cookies.
By Dan Goodin in San Francisco, 19th September 2011. http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.
The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting.
At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL.
End-to-end encryption – most secure … but least convenient
Encryption key is stored on one device
Best Method of Delivery
Send to anyone
Content encryption versus session encryption
End-to-End versus server-to-server encryption
TLS = Transport Layer Security
Opportunistic TLS versus mandatory TLS
Guaranteed encrypted replies
Push (secure attachment) versus Pull (portal delivery)
Header information is not protected by content encryption and is readable by every relay that handles the message:
Sender email address
Recipient email addresses
Subject line