technology 101 and the practice of law: keeping your firm safe

Technology 101 and the Practice of Law: Keeping Your Firm Safe Powered by © Corporation Service Company ® . All Rights Reserved.

Upload: james-wier

Post on 22-Jan-2017


TRANSCRIPT

Page 1: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Technology 101 and the Practice of Law: Keeping Your Firm Safe

Powered by

© Corporation Service Company®. All Rights Reserved.

Page 2: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

The Presenters

Jennifer K. Mailander
Associate General Counsel
Corporation Service Company

Scott Plichta
Chief Information Security Officer
Corporation Service Company

Page 3: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

What Company?

“We have a long history of innovation and using leading edge technology to provide customer solutions.”

Caterpillar Inc.

Page 4: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Describe Yourself

How knowledgeable are you about technology?

• Not at all
• Somewhat
• Very knowledgeable
• I am an expert

Page 5: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Ethical Duty

ABA Model Rules

1.1 “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”

Comment 8 “A lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

5.3(d) “A lawyer having direct supervisory authority over the non-lawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer.”

Page 6: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Ethics: Client Confidences

Model Rule 1.6(c) “A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.”

Page 7: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Cyber Security and Lawyers

According to the FBI, law firms and law departments are among the most vulnerable targets for cyber attacks. Lawyers are reported to:

• Have limited resources to dedicate to computer security
• Lack a sophisticated appreciation of technology risks
• Lack an instinct for cyber security

The ABA Cyber Security Handbook

Page 8: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE


Individual IT Empowerment

Part of a Larger Phenomenon

Page 9: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Key Terms and Definitions*

Hosting (Website hosting, Web hosting, and Webhosting): the business of housing, serving, and maintaining files for one or more websites.

The Cloud (Cloud Computing): a type of Internet-based computing where different services such as servers, storage, and applications are delivered to an organization's computers and devices through the Internet. Examples of Cloud Computing include:

Infrastructure as a Service (IaaS): a service model that delivers computer infrastructure on an outsourced basis to support enterprise operations. Typically, IaaS provides hardware, storage, servers and data center space or network components; it may also include software.

Platform as a Service (PaaS): a category of cloud computing services that provides a platform allowing customers to develop, run, and manage web applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an application.

Software as a Service (SaaS): a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network.

*Technology terminology sources include: Wikipedia, Techopedia, International Association of Privacy Professionals (IAPP), ABA, ACC, The Shared Assessments Program, Merriam-Webster, and Ponemon Institute.

Page 10: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

A Tasty Example: Pizza as a Service

[Figure: four columns, Traditional On-Premises (Made at Home), Infrastructure as a Service (IaaS; Take and Bake), Platform as a Service (PaaS; Pizza Delivered), and Software as a Service (SaaS; Dining Out). Each column lists the same components (Dining Table, Soda, Electric / Gas, Oven, Fire, Pizza Dough, Tomato Sauce, Toppings, Cheese), marked as either "You Manage" or "Vendor Manages".]

www.linkedin.com/pulse/20140730172610-9679881-pizza-as-a-service

Page 11: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Key Terms and Definitions (cont.)

Shadow IT: Where a user/department finds a cloud provider to do work because IT is too busy, and usually without knowledge/oversight controls of IT/IT security/legal.

Single Sign-On (SSO): A session/user authentication process that permits a user to enter one name and password in order to access multiple applications. May be used interchangeably with “federation” or “federated login.”

Security Assertion Markup Language (SAML): A data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

Federation: Refers to different computing entities adhering to certain standards of operations in a collective manner to facilitate communication.

Encryption: The conversion of electronic data into another form, ciphertext, so that it cannot be easily understood by anyone except authorized parties with the key. Types of encrypted data include: Data in Use, Data at Rest, Data in Motion.

Payment Card Industry Data Security Standard (PCI DSS): Industry created policies and procedures intended to optimize the security of credit, debit, and cash card transactions to protect cardholders against misuse of personal information and financial loss.

Page 12: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Data Types

Data in Use: Active data under constant change stored physically in databases, data warehouses, spreadsheets, etc.

Data in Motion: Data that is traversing a network or temporarily residing in computer memory to be read or updated.

Data at Rest: Inactive data physically stored in databases, data warehouses, spreadsheets, archives, tapes, off-site backups, etc.

Page 13: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Key Terms and Definitions (cont.)

Big Data: Data sets so large or complex that traditional data processing applications are inadequate. Challenges include analysis, capture, search, sharing, storage, transfer, visualization, and privacy. High-volume, high-velocity, and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making.

Internet of Things (IoT): Network of physical objects embedded with electronics, software, and sensors enabling connectivity (remote data exchange) between manufacturer, operator, and other devices. Resulting in improved efficiency, accuracy, and economic benefits.

Phishing: Broad scattered email fraud where user is duped into revealing personal or confidential information for illicit use.

Spear Phishing: Phishing that targets a specific organization; messages appear to come from trusted source.

Page 14: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Information Security

Information Security: Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide:

• Integrity – guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.
• Confidentiality – preserving authorized restrictions on access and disclosure.
• Availability – ensuring timely and reliable access to and use of information.

Information Security Program:

• Identify threats, vulnerabilities, and requirements
• Implement security controls, monitor

Cyber Security: Measures taken to protect a computer or computer system against unauthorized access or attacks.

Page 15: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Information Privacy

Not a technology concept, yet inescapably tied to it.

Privacy is not security.

“[Privacy is] the appropriate use of personal information under the circumstances. What is appropriate will depend on context, law, and the individual's expectations; also, [privacy is] the right of an individual to control the collection, use, and disclosure of personal information.”
IAPP Information Privacy Certification: Glossary of Common Privacy Terminology, 2011

Notable privacy events:

• Safe Harbor and Privacy Shield
• Establishment of Federal Privacy Council
  • Cybersecurity National Action Plan
• New FTC rules for Internet service providers
• General Data Protection Regulation

Page 16: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Top 10 Tips: Working with Technology

Page 17: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #10: Understand Your Company’s Technology

Page 18: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #10: Understand Your Company’s Technology

Understand your company’s business and the technology your company uses daily

Understand your company’s technology strategy:

• Cloud first to cloud never
• Bring your own technology

Understand who has responsibility for buying and maintaining technology:

• What is legal’s role in this?
• What is your process for buying technology?
• Make sure it includes a process to identify when shadow IT is being bought or used.

Page 19: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #9: Know Your Vendors and Vendors’ Vendors

Page 20: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #9: Know Your Vendors and Vendors’ Vendors

Know who your vendors are and what services/products they provide.

Connect and work with your security team:

• You both need to know when you find new places to store data

Put a process in place to identify new technology being used:

• It’s happening; you just may not know about it

Page 21: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #8: Know Your Law Firms’ Security Practices

Page 22: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #8: Know Your Law Firms’ Security Practices

Understand your obligations as in-house counsel when working with your law firms.

Join the ACC Litigation Committee Subcommittee on Cyber Security and Law Firms:

• Evan Slavitt, [email protected]

Join the ACC Working Group Data Security for Law Firms:

• Amar Sarwal, [email protected]

Join Legal Services Information Sharing and Analysis Organization (LS-ISAO) Services for law firms.

Page 23: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #7: Be a Partner to the Business

Page 24: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #7: Be a Partner to the Business

Find a way to help your business partners understand and mitigate technology risks; help them achieve success.

Host a series of lunch and learns with your business and technology counterparts:

• Present on areas of respective expertise
  • Contract and licensing 101
  • Technology 101
  • Sales 101, Operations 101, etc.

Meet regularly to discuss issues, trends, etc.

Page 25: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #6: Conduct a Data Audit

Page 26: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #6: Conduct a Data Audit

Form a cross-functional team to identify data practices

Understand what and how data is managed:

• What is the data?
• Who has (and should have) access?
• Where does it go?
• How long is it stored?
• Do you have a disaster recovery (DR)/business continuity plan (BCP)?

Conduct a DR/BCP exercise annually

Page 27: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #5: Assess Your Individual Data Practices

Page 28: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #5: Assess Your Individual Data Practices

Where do you keep your personal data?

• At home?
• At work?

Use a password manager:

• Don’t store a copy of your passwords online
• Use two-factor authentication everywhere

Page 29: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #4: Know Your Company’s Breach and Incident Response Plan and Practice It

Page 30: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #4: Know Your Company’s Breach and Incident Response Plan and Practice It

If you don’t have a plan – create one!

Know the plan.

Know who has what roles in the plan.

Practice, practice, practice!

Page 31: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #3: Train Employees on Technology, Security, and Privacy

Page 32: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #3: Train Employees on Technology, Security, and Privacy

Do it!

Page 33: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #2: Get Comfortable with Technology

Page 34: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #2: Get Comfortable with Technology

ACC.com, ACC committees, and chapters

• ACC Litigation Committee and Cyber Security Working Group

LegalTechNews - legaltechnews.com

ABA’s Law Technology Today - lawtechnologytoday.org

PinHawk - pinhawk.com

Pocket - getpocket.com

Two Factor Authentication - twofactorauth.org

Password storage

• LastPass - lastpass.com
• Dashlane - dashlane.com
• Roboform – roboform.com

Take a class

Read

• Future Crimes: Inside the Digital Underground and the Battle for Our Connected World, by Marc Goodman
• The Tech Contracts Handbook: Cloud Computing Agreements, Software Licenses, and Other IT Contracts for Lawyers and Business People, by David W. Tollen
• The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win, by Gene Kim, Kevin Behr, George Spafford

Page 35: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #1: Network Inside and Outside Your Organization

Page 36: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Tip #1: Network Inside and Outside Your Organization

Develop a core team of company contacts to assist on technology issues:

• Use your contacts in other parts of the organization (e.g., IT, security) to help you keep up-to-date on technology developments affecting your business.

Talk to your peers outside the company regarding best practices and stay current on new developments.

Page 37: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Question and Answer


Page 38: TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Contact Us

Jennifer K. Mailander
Associate General Counsel
Corporation Service Company
[email protected]

Scott Plichta
Chief Information Security Officer
Corporation Service Company
[email protected]