Risk Management for Law Firm Executive Management

Dave Cunningham Chief Information Officer - Winston & Strawn LLP Jeffrey Lolley Head of Global Information Security - Hogan Lovells Lindsay Philiben Counsel in Attorneys’ Liability Assurance Society - ALAS Dan Sheeran Chief Financial Officer - Duane Morris LLP Introductions

 Confidentiality o Information security o Sovereign hacking o Closed vs. open document management environment o Intrusion detection/prevention o Data on mobile devices, including laptops  Integrity / compliance o Regulatory compliance o Electronic client files (beyond records management) o Internal, global e-discovery o Copyright compliance o Jurisdictional considerations  Availability o IT continuity o High availability applications Risks

 Right to Audit  Client RFPs, Outside Counsel Guidelines, and Audits  Compliance requirements  Business Associate / Vendor Compliance  Example of Canadian firms targeted and breached  BYOD considerations  Insurance needs analysis Pressures

We All Know About the Headlines… 5 January 30, 2013 Hackers in China Attacked The Times for Last 4 Months NICOLE PERLROTH SAN FRANCISCO — For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees. After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and security experts have expelled the attackers and kept them from breaking back in. February 1, 2013 Twitter Hacked: Data for 250,000 Users May Be Stolen NICOLE PERLROTH Twitter announced late Friday that it had been breached and that data for 250,000 Twitter users was vulnerable. The company said in a blog post that it detected unusual access patterns earlier this week and found that user information — usernames, addresses and encrypted passwords — for 250,000 users may have been accessed in what it described as a “sophisticated attack.” February 1, 2013 A Cybersecurity Blanket: New Executive Order Means a Broad Review for Lawyers, Clients TODD RUGER The federal government’s new push to bolster cybersecurity will create an array of legal questions and potential pitfalls for companies in the coming months.

Many Specific to Legal 6

And They Have Lead To Client mandated security requirements integrated into Outside Counsel Guidelines (OCG’s) ABA Rule 1.6 (c) HIPAA & Various State Regulations EU Data Protection Directive Presidential Executive Order on Cybersecurity 7

Risk Program

Governance at Hogan Lovells 1.Understand the strategic implications and outcomes of initiatives being pursued in the protection of information and assets 2.Appreciate the significance of information security for all major stakeholders and represent their interests 3.Be an advocate for broad support of information security initiatives and projects Information Security Governance Committee The primary function of the Information Security Governance Committee is to make decisions related to protecting stakeholder information and securing the enterprise that enables the delivery of services to those stakeholders. The committee will also provide strategic direction and oversight over the information security function at Hogan Lovells.

What is Risk Management You need a process…whatever it is Decisions need to follow that process It’s about making informed decisions

Risk management process (ISO 27002/5) Must have a consistent and repeatable process for assessment and decision making relative to security risk in order to: –Ensure compliance with all applicable laws –Protect information and assets –Protect the brand New Projects Assessments Regulatory Constraints Someone must analyze and quantify risks Input should be gathered from all impacted stakeholders and presented as part of the decision process Actions with limited fiscal or business process impact are made outside of governance All impacting decisions are inclusive of governance All open and accepted risks are tracked and reported regularly Step 1: Identify Risks Step 2: Analyze & Quantify Step 3: Determine Action Step 4: Track & Report Yearly re-analysis and quantification

How You Make the Decision Risk was identified and rated Controls were applied Risk was re-evaluated Decision was made

Policy Structure Defines the firms commitment to Information Security and management processes Outlines policies covering the entire firm Outlines policies covering an local country or office Provides technical guidelines for configuring products to meet policies The goal of the structure of Information Security Policies for Hogan Lovells is to provide a hierarchical set of policy documents that allow for both overarching policies that cover the entire firm and policies unique to operating locations. Policy Statement Global Security Operating Standards Local Security Operating Standards Configuration Guidelines

Identifying and Managing Policies? Publish Policy Need Identified Develop/Refine Policy Educate Review & Evaluate Policies must be evaluated on a yearly basis to insure a continued need and determine if defined controls are adequate. Refinement must be made if necessary. Impacted parties must be educated on both the existence and need for a new policy. Policy development must incorporate all stakeholders and have buy-in at the highest levels of the company. A need must exist before any policy is created. Policies must be published in a consistent manor and readily available to stakeholders

Example Policy Issues Texting as a Client Record Security of Personal Devices Unique Passwords Retention / Destruction of Paper and Electronic Records 15

Certifications/Best Practices/Regulations ISO HIPAA EU DPD It’s a process, not a one-time activity! Use assessments to drive your program!

As a table group, discuss the question “What to do when a PC is lost?” Talk about developing roles, processes, communications, and timing to react appropriately. (10 minutes) A few tables will be asked to share their comments Audience Exercise

Q & A