Law Firm Data Security: What In-house Counsel Need to Know


1 Law Firm Data Security: What In-house Counsel Need to Know
Session #703

2 Session Speakers
- Mary Blatch, Director of Government and Regulatory Affairs, ACC
- Jennifer Mailander, Director, Compliance & Privacy, Associate General Counsel, Corporation Service Company
- John Murphy, Chair, Shook, Hardy & Bacon, LLP
- Brennan Torregrossa, Vice President and Associate General Counsel, GSK

3 Session Agenda
- Data security threats to law firms
- Assessing law firm data security
- Data security practices for in-house legal departments

4 Data Security Threats to Law Firms

5 Has one of your law firms been the victim of a cyber attack?
Polling Question #1
Has one of your law firms been the victim of a cyber attack?
- Yes, and the law firm informed our organization directly
- Yes, we learned of the attack through the media
- No, and I feel confident that I would know if one of our firms had detected an attack
- I don’t know

6 Data Security Threats to Law Firms

7 Data Security Threats to Law Firms
FBI Warnings
- Nov – FBI warns of increased hacking of law and PR firms
- – FBI meets with law firms to discuss cyber threat
- March 2016 – Warning that hackers are specifically targeting law firms as part of insider trading scheme

8 Data Security Threats to Law Firms
Why law firms?
Quantity and quality of documents that are easily identified
- Confidential corporate finance information
- Confidential information about corporate transactions
- IP and trade secrets
- Corporate employee information

9 Data Security Threats to Law Firms
Why law firms?
- Legal industry has had lower levels of investment in IT than other industries
- Potential to obtain data about multiple companies through one criminal act
- Until recently, little focus on law firm data security

10 Data Security Threats to Law Firms
ILTA’s 2016 Study of the Legal Industry’s Information Security Practices

11 Data Security Threats to Law Firms
Types of threats
- Hacking
- Malware
- Phishing
- Insider threats
- Inadvertent disclosure

12 Data Security Threats to Law Firms
Types of threats
ILTA’s 2016 Study of the Legal Industry’s Information Security Practices

13 How robust is your data security screening process for law firms?
Polling Question #2
How robust is your data security screening process for law firms?
- We have procedures, standards and controls that we apply to every engagement
- We evaluate firms’ data security protections, but do not have a formal process for doing so
- We evaluate firms’ data security protections on an ad hoc basis
- We do not evaluate our firms’ data security protections (that’s why I’m in this session!)

14 Lawyers and technology must mix!!
Ethical obligations
Lawyers and technology must mix!!
ABA Model Rule 1.1 – Competence
Comment 8: To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology

15 Confidentiality includes data security
Ethical obligations
Confidentiality includes data security
ABA Model Rule 1.6(c) – Confidentiality: A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client
- Rules don’t define “reasonable”
- No guidance regarding specific controls

16 Ethical obligations
Comment 18 to Rule 1.6: Factors to be considered […] include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.

17 Ethical obligations
State bar association ethics opinions on cloud computing are also a helpful source when considering vendor data security in the context of attorneys’ ethical obligations

18 Polling Question #3
Which of the following precautions has been recommended by state bar associations?
- In dealing with providers of cloud computing, lawyers should adopt additional confidentiality safeguards
- A periodic review of the reasonableness of security precautions may be necessary
- Lawyers should be aware of limitations in their competence regarding online security measures
- All of the above

19 Assessing Law Firm Data Security

20 Polling Question #4
Who in your organization is responsible for evaluating the data security practices of your law firms?
- The legal department
- The procurement department
- The IT department
- Some combination of the above

21 Assessing Law Firm Data Security
You are about to engage a new law firm on an important, sensitive legal matter. What do you consider when evaluating the firm’s data security practices?

22 Assessing Law Firm Data Security
Big Picture
- Separate information security function
- Certification or adherence to a framework (ISO 27001; NIST; SOC)
- Formal policies and procedures
- Employee training
- Law firm vendors / third party risk
- Cybersecurity insurance

23 Data Security Threats to Law Firms
ILTA’s 2016 Study of the Legal Industry’s Information Security Practices

24 Assessing Law Firm Data Security
ISO and Other IT Security Standards
Several sets of standards provide requirements for information security management.
- ISO – certification available
- NIST Cybersecurity Framework
- SOC (Service Organization Control)
Greater level of assurance that organization has appropriate systems in place
Some can be “certified” against
There are a number of standards/frameworks that firms can use to build and maintain data security

25 Assessing Law Firm Data Security
Specifics
- Expected technical safeguards: Firewalls, anti-virus/malware protection, spam filters, intrusion detection, encryption
- Vulnerability assessments
- Written incident response program
- Mobile devices and security
- Review of employee access

26 Data Security Practices for In-house Legal Departments

27 Polling Question #5
Does your legal department have specific policies or procedures regarding data security?
- Yes, we have specific policies or procedures that address legal department data security concerns
- We have informal practices designed to enhance data security within the legal department
- Our organization as a whole has policies and procedures, and the legal department follows those
- No organizational policies address data security

28 Best Practices In-House
- Risk analysis of engagement data
- Protocols for safe data transfer
- Employee training
- Periodic review or monitoring of ongoing law firm relationships

