Dont Diligence -Information Security for Lawyers : Cloud Security, the Law Society and what every lawyer needs to know - Darren Thurston - hardBox Solutions
1. Don't Diligence -
Information Security for Lawyers
Cloud Security, the Law Society and what every lawyer
needs to know
Darren Thurston – hardBox Solutions
3. Our Clients Include
● Edelmann & Company Law Office
● Helps Law Corporation
● Wilson, Buck, Butcher and Sears
● Browning, Ray, Soga, Dunne, Mirsky & Ng
● Phillip A. Riddell
● Don Morrison
11. Law Specific Cloud Services
● PCLaw / TimeMatters - LexisNexis
● EsiLaw.com
● Clio
● AmicusAttorney.com
● Rocketmatter.com
12. Report Of The Cloud Computing
Working Group
Law Society of B.C.
Gavin Hume, QC (Chair)
Bruce LeRose, QC
Peter Lloyd, FCA
Stacy Kuiack
http://www.lawsociety.bc.ca/docs/publications/reports/CloudComputing_2012.pdf
13. Cloud Issues
● Location of data and jurisdictional issues
● Security and data privacy issues
● Legal compliance issues
● Ownership issues
● Access and retention issues
● Force majeure issues
● Liability issues
● Termination issues
15. Jurisdictional Issues
There are several problems with lawyers having
their business records stored or processed outside
British Columbia. Lawyers have a professional
obligation to safeguard clients’ information to
protect confidentiality and privilege. When a lawyer
entrusts client information to a cloud provider the
lawyer will often be subjecting clients’ information
to a foreign legal system. The foreign laws may
have lower thresholds of protection than Canadian
law with respect to accessing information. A lawyer
must understand the risks (legal, political, etc.) of
having client data stored and processed in foreign
jurisdictions.
16. Jurisdictional Issues
● US PATRIOT Act
● Alberta, Canada: “Bill 54” and Personal
Information Protection Act (PIPA)
● UK Regulation of Investigatory Powers Act of 2000
● EU Data Protection Directive
● India Information Technology (Amendment) Act,
2008 (the IT Act)
17. Security and Data Privacy
● Confidentiality provisions
● SAS 70
● Statement on Standards for Attestation
Engagements No. 16 (SSAE 16)
● ISO 27002
● Annual independent audits or
assessments
● Incident Response Plan
18. Legal compliance issues
● The Personal Information Protection and Electronic Documents Act
● Personal Information Protection Act, B.C. of 2003
● Sarbanes-Oxley Act of 2002 (SOX)
● Health Insurance Portability and Accountability Act of
1996 (HIPAA)
● Health Information Technology for Economic and
Clinical Health (HITECH) Act
● Gramm-Leach-Bliley Act (GLB)
● Payment Card Industry Data Security Standard
(PCI DSS)
19. Potential impact on Rule 4-43
...the Law Society revised Rule 4-43 (in 2008) to create a process to
protect personal information. The balance that was sought recognized that
the Law Society has the authority to copy computer records and
investigate lawyers, but the process of making a forensic copy of
computer records can capture irrelevant personal information. In light of
this, the Law Society created a process to allow irrelevant personal
information to be identified and segregated, so it was not accessed by the
Law Society. Cloud computing creates a situation where that process
might not be able to be followed.
20. Ownership issues
My data, right?
● Google has recently been sued
for mining data
● Can your data be exported -
PCLaw?!?@#
23. How is my data stored?
- Virtualization
- Multi-tenancy
- Other
24. Other issues
● Force Majeure Issues
natural disaster, act of war, etc.
● Liability Issues
service providers are not responsible for their downtime
● Termination Issues
exit strategy
29. The dangers...
and your obligations
● Unprotected computers are infected/hacked
within minutes of connecting to the Internet
● Lost / stolen cell phones or laptops
● Theft of client, firm or personal data
● Rules of professional conduct
oblige you to protect client data
31. Information Security Best Practices
● How much time, effort and
money do you invest?
● Absolute security is impossible
● Safety vs. convenience
● Find balance between:
● Allowable risk
● Acceptable cost/effort
32. Keep your electronic
data secure and private
Steps you must ensure:
● Install all latest software updates
● Use strong passwords
● Antivirus software is essential
● Install a firewall on your Internet
connection
● Avoid the dangers of e-mail
● Beware the dangers of metadata
33. Keep your electronic
data secure and private (cont.)
● Lockdown and encrypt your data
● Harden your wireless connections
● Learn how to safely surf the Web
● Change key default settings
● Implement a technology use policy
● A backup solution can save your practice
34. Install updates...
● Microsoft products particularly prone
● Update all software regularly!
● Microsoft / Apple Macs
● Don’t forget non-OS software!
Java / Flash / Adobe PDF
● Check on a regular schedule
35. Further update issues
● Turn on Automatic Updates
● Automatic vs. ask to install
● Periodically check Microsoft website
● Critical updates ASAP
● Watch for “optional” software
● Backup before you install updates
● Create Restore point (Windows)
36. A few thoughts on passwords
How many of you re-use
passwords?
Use your child's or pet's name
or birthdate?
39. Proper use
● Passwords are the keys to
“unlock” your computer
● Essential for securing your
electronic data and entire corporate
network
● You need to be conscientious about
how to set them up and use them
40. Proper use
● Don’t use the same password
for everything
● Don’t tell anyone your
passwords, EVER!!
● Be wary of saving passwords
in your browser
41. Proper use
● Never write them down
● If you must, store them securely (in a safe)
● Be careful about storing passwords on
your computer – Use an encrypted
password safe
● A security breach can compromise your
entire network
● Rotate important passwords every
60 to 90 days
42. Anti-virus software is essential
● Protect your computer and data from malware
- Viruses
- Worms
- Trojan Horses
- Keystroke recorders (keyloggers)
- Backdoors
- Rootkits
43. Anti-Virus Use
● Decent free anti-virus is available
Microsoft Security Essentials
● Needs to be set up correctly
● Daily scans of all data
● Regular updates of your
virus definition or signature files
44. False Security
● The anti-virus game is one of
catch-up
● 20% of viruses will get past most
anti-virus products
45. Use a Firewall
● A gatekeeper that ensures incoming and
outgoing communications are legitimate
● All computers on the Internet can see
one another
● Lines of communication are established
through ports
● Open ports can allow unwanted
access to a computer
46. E-mail dangers
● Protect access with passwords
● Use privacy statements
Please note that this email correspondence is *not*
encrypted or secured in any way. If you are sending
sensitive information or attachments you may wish
to send them in another format. If you choose to
communicate with us by email, you agree to accept
the possible risk of loss of privacy.
The information in this internet email is
confidential and may be legally privileged. It is
intended solely for the addressee. Access to this
internet email by anyone else is unauthorized.
47. Smart email use
● Read email in text format, not HTML
● Be wary of phishing emails
● Be wary of links & attachments
in emails
● Implement a spam filter
48. Metadata
● Data about data
● MS Office products
● Adobe PDFs
● Photos
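The metadata point above, shown as an added Python example that is not part of the original presentation: it reads the core properties (author, last modified by, title, revision, dates) that a .docx package carries in docProps/core.xml and writes a copy with those fields emptied. The sample document is constructed in the script, and the field list and the minimal package layout are assumptions for the demonstration, not a complete Office file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
# Namespaces used by docProps/core.xml inside an Office Open XML (.docx) package.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/", "dcterms": "http://purl.org/dc/terms/",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
CORE_PATH = "docProps/core.xml"
# Core fields that commonly leak author names, firm details and editing history (assumed list).
SENSITIVE = ["dc:title", "dc:subject", "dc:creator", "dc:description", "cp:keywords",
             "cp:lastModifiedBy", "cp:revision", "dcterms:created", "dcterms:modified"]

def read_core_properties(docx_bytes: bytes) -> dict:
    """Return the sensitive core metadata fields present in a .docx (tag -> text)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read(CORE_PATH))
    return {tag: el.text for tag in SENSITIVE
            if (el := root.find(tag, NS)) is not None and el.text}

def scrub_core_properties(docx_bytes: bytes) -> bytes:
    """Rewrite the package with the sensitive core fields emptied; other parts are copied as-is."""
    for prefix, uri in NS.items():  # keep the original prefixes when re-serialising
        ET.register_namespace(prefix, uri)
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zin:
        root = ET.fromstring(zin.read(CORE_PATH))
        for tag in SENSITIVE:
            el = root.find(tag, NS)
            if el is not None:
                el.text = ""
        cleaned = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
            for item in zin.infolist():  # copy every part, swapping in the cleaned core.xml
                zout.writestr(item.filename,
                              cleaned if item.filename == CORE_PATH else zin.read(item.filename))
    return out.getvalue()

def make_sample_docx() -> bytes:
    """Constructed sample (not a real client file): minimal .docx-style zip with a populated core.xml."""
    core = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">'
            '<dc:title>Draft settlement terms</dc:title><dc:creator>J. Example</dc:creator>'
            '<cp:lastModifiedBy>Example Law LLP</cp:lastModifiedBy><cp:revision>14</cp:revision>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2013-01-01T09:00:00Z</dcterms:created>'
            '</cp:coreProperties>').format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CORE_PATH, core)
        zf.writestr("word/document.xml", "<document/>")  # placeholder body part
    return buf.getvalue()
```

Running read_core_properties on a file before it leaves the office shows exactly what an opposing party would see in File > Properties; tracked changes and comments live in other parts of the package and need separate handling.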
49. Lockdown and encrypt your data
● Startup & user passwords
● Put a password on your screensaver
● Data stored on computers and
on external drives should
ALWAYS be encrypted
● USB Drives !
50. Harden your wireless connections
● Disable SSID broadcast
● MAC filtering
● Change defaults
● Enable logging
● Use encryption: WEP is not secure
● WPA2 with the AES algorithm
● WPS can be hacked with Reaver
51. Learn how to safely surf the Web
● Safe browser choices = No IE
● Disabling some browser features
● Controlling which cookies can be stored on
your computer
● Preventing pop-ups
● Plug-ins turned off by default
52. Change key default settings
● File Sharing
● Administrator account
● Normal user account for everyday use
● Domain name
● Workgroup name
53. Technology use policy
● Does your office have one?
● Law Society has templates
● Internet and Email Use Policy
56. Further information
● The Law Society of BC – practice
docs/tips
● CBA - Guidelines for Practicing
Ethically with New Information
Technologies
● Give us a call