Dont Diligence -Information Security for Lawyers : Cloud Security, the Law Society and what every lawyer needs to know - Darren Thurston - hardBox Solutions

1. Don't Diligence -
Information Security for Lawyers
Cloud Security, the Law Society and what every lawyer
needs to know
Darren Thurston – hardBox Solutions

2. Information technology solutions for
high and medium security office
environments
Secure data storage, sharing &
retrieval

3. Our Clients Include
Edelmann & Company Law Office
●
Helps Law Corporation
●
Wilson, Buck, Butcher and Sears
●
Browning, Ray, Soga, Dunne, Mirsky & Ng
●
Phillip A. Riddell
●
Don Morrison
●

4. Who Are You?

5. What size is your firm?
- Solo
- 2 to 5
- 6 to 20
- 21 to 75
- Over 75
- Crown Counsel

6. Security breaches are
happening every day.
Reputation is the first thing to
be effected when a breach
occurs.

8. What is the cloud

10. Cloud Services
● DropBox
● Google
● iCloud
● AmazonCloudDrive
● WindowsLive

11. Law Specific Cloud Services
● PCLaw / TimeMatters - LexisNexis
● EsiLaw.com
● Clio
● AmicusAttorney.com
● Rocketmatter.com

12. Report Of The Cloud Computing
Working Group
Law Society of B.C.
Gavin Hume, QC (Chair)
Bruce LeRose, QC
Peter Lloyd, FCA
Stacy Kuiack
http://www.lawsociety.bc.ca/docs/publications/reports/CloudComputing_2012.pdf

13. Cloud Issues
● Location of data and jurisdictional issues
● Security and data privacy issues
● Legal compliance issues
● Ownership issues
● Access and retention issues
● Force majeure issues
● Liability issues
● Termination issues

14. Where is my data?

15. Jurisdictional Issues
There are several problems with lawyers having
their business records stored or processed outside
British Columbia. Lawyers have a professional
obligation to safeguard clients’ information to
protect confidentiality and privilege. When a lawyer
entrusts client information to a cloud provider the
lawyer will often be subjecting clients’ information
to a foreign legal system. The foreign laws may
have lower thresholds of protection than Canadian
law with respect to accessing information. A lawyer
must understand the risks (legal, political, etc.) of
having client data stored and processed in foreign
jurisdictions.

16. Jurisdictional Issues
● US PATRIOT Act
● Alberta, Canada: “Bill 54” and Personal
Information Protection Act (PIPA)
● UK Regulation of Investigatory Powers Act of 2000
● EU Data Protection Directive
● India Information Technology (Amendment) Act,
2008 (the IT Act)

17. Security and Data Privacy
● Confidentiality provisions
● SAS 70
● Statement on Standards for Attestation
Engagements No. 16 (SSAE 16)
● ISO 27002
● Annual independent audits or
assessments
● Incident Response Plan

18. Legal compliance issues
● The Personal Information Protection and Electronic Documents Act
Personal Information Protection Act, B.C. of 2003
● Sarbanes-Oxley Act of 2002 (SOX)
● Health Insurance Portability and Accountability Act of
1996 (HIPAA)
● Health Information Technology for Economic and
Clinical Health (HITECH) Act
● Gramm-Leach-Bliley Act (GLB)
● Payment Card Industry Data Security Standard
(PCIDSS)

19. Potential impact on Rule 4-43
...the Law Society revised Rule 4-43 (in 2008) to create a process to
protect personal information. The balance that was sought recognized that
the Law Society has the authority to copy computer records and
investigate lawyers, but the process of making a forensic copy of
computer records can capture irrelevant personal information. In light of
this, the Law Society created a process to allow irrelevant personal
information to be identified and segregated, so it was not accessed by the
Law Society. Cloud computing creates a situation where that process
might not be able to be followed.

20. Ownership issues
My data, right?
● Google has recently been sued
for mining data
● Can your data be exported -
PCLaw?!?@#

22. Access and Retention Issues
● Litigation Hold
● Audit Trail

23. How is my data stored?
- Virtualization
- Multi-tenancy
- Other

24. Other issues
● Force Majeure Issues
natural disaster, act of war, etc.
● Liability Issues
services and not responsible for their downtime
● Termination Issues
exit strategy

25. Security Incidents

26. DropBox
The problem child of cloud
services

28. Not just cloud services

29. The dangers..
and your obligations
● Unprotected computers infected/hacked
within minutes of connecting to Internet
● Lost / stolen cell phones or laptops
● Theft of client, firm or personal data
● Rules of professional conduct
oblige you to protect client data

31. Information Security Best Practices
● How much time, effort and
money do you invest?
● Absolute security is impossible
● Safety vs. convenience
● Find balance between:
● Allowable risk
● Acceptable cost/effort

32. Keep your electronic
data secure and private
Steps you must ensure:
● Install all latest software updates
● Use strong passwords
● Antivirus software is essential
● Install a firewall on your Internet
connection
● Avoid the dangers of e-mail
● Beware the dangers of metadata

33. Keep your electronic
data secure and private (cont.)
● Lockdown and encrypt your data
● Harden your wireless connections
● Learn how to safely surf the Web
● Change key default settings
● Implement a technology use policy
● A backup solution, can save your practice

34. Install updates...
● Microsoft products particularly prone
● Update all software regularly!
● Microsoft / Apple Mac's
● Don’t forget non-OS software!
Java / Flash / Adobe PDF
● Check on a regular schedule

35. Further update issues
● Turn on Automatic Updates
● Automatic vs. ask to install
● Periodically check Microsoft website
● Critical updates ASAP
● Watch for “optional” software
● Backup before you install updates
● Create Restore point (Windows)

36. A few thoughts on passwords
How many of you re-use
passwords?
Use a your child's or pet's name
or birthdate?

37. Top used passwords
1) password
2) 123456
3) 12345678
4) 1234
5) qwerty
6) 12345
7) dragon
8) pussy
9) baseball
10) football
11) letmein
12) monkey
13) 696969
14) abc123

38. Use strong passwords
Frankiepoo1 = BAD
m%")FZTm"d*A = DECENT
a{3xQXbDZ`k=/T8z>Mx = GOOD

39. Proper use
● Passwords are the keys to
“unlock” your computer
● Essential for securing your
electronic data and entire corporate
network
● You need to be conscientious about
how to set them up and use them

40. Proper use
● Don’t use the same password
for everything
● Don’t tell anyone your
passwords, EVER!!
● Be wary of saving passwords
in your browser

41. Proper use
● Never write them down
● If you must store them securely (safe)
● Be careful about storing passwords on
your computer – Use an encrypted
password safe
● A security breach can compromise your
entire network
● Rotate important passwords every
60 to 90 days

42. Anti-virus software Essential
● Protect your computer and data from malware
- Viruses
- Worms
- Trojan Horses
- Key Stroke Recorders
- Backdoors
- Rootkits

43. Anti-Virus Use
● Decent free anti-virus is available
Microsoft Security Essentials
● Needs to set up correctly
● Daily scans of all data
● Regularl updates of your
virus definition or signature files

44. False Security
● The anti-virus game is one of
catch-up
● 20 % of viruses will get past most
anti-virus products

45. Use a Firewall
● A gatekeeper that ensures incoming and
outgoing communications are legitimate
● All computers on the Internet can see
one another
● Lines of communication are established
through ports
● Open ports can allow unwanted
access to a computer

46. E-mail dangers
● Protect access with passwords
● Use privacy statements
Please note that this email correspondence is *not*
encrypted or secured in any way. If you are sending
sensitive information or attachments you may wish
to send them in another format. If you choose to
communicate with us by email, you agree to accept
the possible risk of loss of privacy.
The information in this internet email is
confidential and may be legally privileged. It is
intended solely for the addressee. Access to this
internet email by anyone else is unauthorized .

47. Smart email use
● Read email in text format not html
● Be wary of phishing emails
● Be wary of links & attachments
in emails
● Implement a spam filter

48. metadata
● Data About Data
● MS Offices Products
● Adobe pdf's
● Photo's

49. Lockdown and encrypt your data
● Startup & Users passwords
● Put a password on your screensaver
● Data stored on computers and
on external drives should
ALWAYS be encrypted
● USB Drives !

50. Harden your wireless connections
● Disable SSID Broadcast
● MAC Filtration
● Change Defaults
● Enable Logging
● Use Encryption WEP is not secure
● WPA2 with AES Algorithm
● WPS can be hacked w/ Reaver

51. Learn how to safely surf the Web
● Safe browser choices = No IE
● Disabling some browser features
● Controlling which cookies can be stored on
your computer
● Preventing pop-ups
● Plug-ins turned off by default

52. Change key default settings
● File Sharing
● Administrator account
● Normal user account for everyday use
● Domain name
● Workgroup name

53. Technology use policy
● Does your office have one?
● Law Society has templates
● Internet and Email Use Policy

54. Backup solutions
● Secure
● Encrypted
● Onsite
● Offsite

55. Backup details
● Who’s Responsible
● Full Backup
● Daily Backups
● Establish Alerts
● Files
● E-mail
● Logs

56. Further information
● The Law Society of BC – practice
docs/tips
● CBA - Guidelines for Practicing
Ethically with New Information
Technologies
● Give us a call

57. Questions?
Contact Information
Darren Thurston
darren@hardbox.ca
www.hardbox.ca