In Federal Trade Commission v. Wyndham Worldwide Corp., 799 F.3d 236, (3d Cir. 2015), the FTC alleged Wyndham’s poor cybersecurity practices let hackers steal personal and financial information from hundreds of thousands of consumers on three different occasions. Are your cybersecurity practices leaving your law firm similarly vulnerable? The FTC has presented 10 guidelines business should be following to build cybersecurity into their operations. Law firms can learn from these guidelines, developed by the FTC after 50 different cases. Learn from the errors of others in this unique presentation. Presented by Joshua Lenon, lawyer-in-residence at Clio and Julianne Walsh, attorney-in-residence at Nextpoint, learn: - How courts have recently interpreted the FTC’s power to regulate the cybersecurity practices of corporations and law firms; - 10 practical tips for protecting your clients’ data in the cloud; and - What legal technology providers are doing to build security into your law firm from the ground up.

1. #ClioWeb
Security by Design forLaw Firms
A Clio& NextpointWebinar
Joshua Lenon & Fiona Finn – Clio
Julianne Walsh - Nextpoint

2. #ClioWeb
• Legal Marketing Specialist at Clio
• Bachelor of Civil Law & Masters of
Laws (LLM)
• @FionaFinn
Instructors
Joshua Lenon
• Lawyer in Residence at Clio
• Attorney Admitted in New York
• @JoshuaLenon
Fiona Finn

3. #ClioWeb
Instructors
Julianne Walsh
• Attorney in Residence at
Nextpoint
• Attorney Admitted in Illinois
• jwalsh@nextpoint.com

4. #ClioWeb
Agenda
• Securityby Design (5 minutes)
• FTC’s regulationof cybersecurity(10 minutes)
• 10 Tips for protectingclient datain the cloud (35 minutes)
• LegalTechnology SecurityEvolves(5 minutes)
• Questions(5 minutes)

5. #ClioWeb
SECURITY BY DESIGN

6. #ClioWeb
Security by Design
Formalizesaccountdesign, automatessecurity controls, andstreamlines
auditing
Phase 1 – Understandyourrequirements.
Phase 2 – Build a “secure environment”thatfitsyourrequirementsand
implementation.
Phase 3 – Enforce the use of the templates.
Phase 4 – Performvalidationactivities.

7. #ClioWeb
FTC’S REGULATION OF CYBERSECURITY

8. #ClioWeb
FTC & Cybersecurity
FederalTradeCommission(FTC)
• Establishedin 1914 by the FederalTradeCommissionAct
• Section 5 of the FederalTradeCommissionAct, 15 U.S.C. §
45 grants the FTC powerto investigateand preventunfairor
deceptivetrade practices (UDAP Authority)
• 50 cybersecurityenforcementactions since 2002

9. #ClioWeb
Federal Trade Commission v. Wyndham
Worldwide Corp., 799 F.3d 236, (3d Cir. 2015)

10. #ClioWeb
FTC’sStandardof Care
Take “reasonableand
necessarymeasures”to
protect consumer data

11. #ClioWeb
LawyerEthical Requirementsfor Security
Rule 1.6 Confidentiality
• (a) A lawyer shallnot reveal information
relating to the representation of a client
unlessthe client gives informed consent, the
disclosureisimpliedlyauthorized inorder to
carry out the representation…
• [Comment 18]
– ...inadvertent or unauthorized
disclosure of information relating
to the representation of a client
does not constitute a violation if
the lawyer has made reasonable
efforts to prevent the access or
disclosure.

12. #ClioWeb
10 TIPS FOR PROTECTING CLIENT DATA
IN THE CLOUD

13. #ClioWeb
1. Start with Security
2. Control Access to Data Sensibly
3. Require Secure Passwords and
Authentication
4. Store Sensitive Personal Information
Securely and Protect it During
Transmission
5. Segment Your Network and Try to
Monitor Who is Trying to Get in and
Out
6. Secure Remote Accessto Your
Network
7. Apply Sound Security Practices
When Developing New Products
8. Make Sure Your Service Providers
Implement Reasonable Security
Measures
9. Put Proceduresin Place to Keep Your
Security Current and Address
Vulnerabilities That May Arise
10. Secure Paper, Physical Media, and
Devices
Source: Start with Security, Federal
Trade Commission

14. #ClioWeb
1. Start with Security
Don’tcollectpersonalinformationyoudon’tneed.
No one can stealwhatyoudon’thave.
• Collectinformationinstages: potentialclient, client, ex-client
Hold onto informationonlyas longas youhave a legitimate
businessneed.
Securely dispose personalinformationonce there’slongerhada
legitimate needforit.
• Returnclientfiles at the endof engagements
Don’tuse personalinformationwhenit’snotnecessary.

15. #ClioWeb
2. Control Access to DataSensibly
Restrictaccesstosensitivedata.
Implementpropercontrolsto ensure thatonly authorizedemployeeswith
a businessneedhave access
• Use job rolesand permissionsto controlaccess
• MRPC Rule 1.10ImputationOfConflictsOfInterest
Limit administrativeaccess.
Tailoradministrative controlsto jobneeds.
• Administrative accessis requiredforchanging users& permissions

16. #ClioWeb
2. Control Access to DataSensibly

17. #ClioWeb
2. Control Access to DataSensibly

18. #ClioWeb
3. Require Secure Passwords & Authentication
Use a strong password.
Your passwordshouldcontain atleast three of the four followingtypes of characters,and
preferably all four:
Upper case,lower case,numbers and special characters (includingspace)
Store passwordssecurely.
Don’tmake it easy for passwords tobe accessed.
•Havepolicies andprocedures in place to storecredentials securely.
Change passwordsregularly.
A passwordchangeis recommended every 90 days.
•Donot usethe same passwordfor multiple sites.
Preventbrute force attacks.
Lock outaccounts after a defined number of incorrectpasswordattempts.
Protectagainstauthenticationbypass.
Address vulnerabilities in authentication mechanisms.

19. #ClioWeb

20. #ClioWeb
4. Store & Transmit Sensitive
Personal Information Securely
Keep sensitive informationsecure through its lifecycle.
Data does not stay in oneplace.
• Client information shouldbe protected fromcollection through transmission,useanddestruction.
Use industry-tested and accepted and methods.
All of the certifications listed are usedto gain confidenceandplace trust in a service
organization’s systems.
• Type 2 SOC 2 certification
• ISO 27001 certification
• ISO 27018 certification
Ensure properconfiguration.
Technology is notenough.
• Makesureencryption technologies areproperly configured,deployed andupdated or they may be ineffective.

21. #ClioWeb

22. #ClioWeb
5. Segment & Monitor Your Network
Segmentyour network.
Notevery computerinyoursystemneedsto be able to
communicate withevery otherone.
• Protect particularly sensitive client data by housing it in a separate
secure place onyournetwork.
Monitor access.
Knowwho is accessingyournetwork.

23. #ClioWeb

24. #ClioWeb

25. #ClioWeb
6. Secure Remote Access to Your Network
Ensureendpointsecurity.
• Access your& yourclients’security setup
• Use ClientPortalsto minimize risks
– ABA Formal Ethics Opinion 11-459 – Duty to Protect the Confidentiality of Email
Communications with One’s Client
Putsensibleaccesslimitsin place.
• Only share whatyouneedto withclientsand others

26. #ClioWeb

27. #ClioWeb
7. Apply Sound Security Practices
When DevelopingNew Products
Trainyour engineersinsecurecoding.
Followplatformguidelinesfor security.
Verify thatprivacyandsecurityfeatureswork.
• Trust butverify. Don’ttake security forgranted
Testfor commonvulnerabilities.

28. #ClioWeb

29. #ClioWeb
8. Make Sure Your Service Providers
Implement Reasonable Security Measures
Put it in writing.
Insist that appropriate security standards are part of your contracts.
• The Service Agreement should include terms to abide by attorney-client
confidentiality in the Privacy Policy, thereby ensuring that the online data storage
provider has an enforceable obligation to preserve confidentiality and security.
Verify compliance.
Security can’t be a “take our word for it” thing
• The Service Agreement should include your right to audit performance records and
access daily service quality statistics.

30. #ClioWeb
www.legalcloudcomputingassociation.org

31. #ClioWeb

32. #ClioWeb
9. Proceduresto Keep Your Security Current
Update and patch third-party software.
Outdated software undermines security.
• Compromising software for lawyers: InternetExplorer
• Prioritize patches, incorporate updates into standard compliance practice.
Heed credible security warnings and move quickly to x them.
Have a process in place to address security vulnerability reports.
• Identify and assess vulnerability reports.
• Align combatting team and assets
• Notify clients and maintain open flow of information via a clearly publicized
and accessible channel.

33. #ClioWeb
9. Proceduresto Keep Your Security Current
Think sharedresponsibility
betweenusersandvendors,
and a consistentapproachof
updatingand awareness-
there’s no once off solution to
ensurefull securityof
sensitiveinformation.

34. #ClioWeb
10. SecurePaper,Physical Media, and Devices
Securely store sensitive files.
If it is necessary to retain important paperwork, take steps to keep it secure.
• ABA Model Rules ofProfessional Conduct 1.15(a) – Safekeeping Property
Protect devices that store personal information.
Keep safety standards in place when data is en route.
• Limit the instances when attorneys need to be out and about with sensitive data in their possession.
Dispose of sensitive data securely.
• Use available technology to wipe devices that are not in use.

35. #ClioWeb

36. #ClioWeb
LEGAL TECHNOLOGY SECURITY EVOLVES

37. #ClioWeb
www.legalcloudcomputingassociation.org

38. #ClioWeb
http://www.legalcloudcomputingassociation.org/standards/

39. #ClioWeb
QUESTIONS?

40. #ClioWeb
Thank You
JoshuaLenon
joshua@clio.com
@JoshuaLenon
Linkedin.com/in/joshualenon