Lawyers are required to enact 'reasonable' safeguards when storing client files. They must also deal with an ever-increasing number of new privacy regulations imposed on them and their clients. When handling sensitive client data, lawyers need to balance issues of confidentiality and privacy against building productive workflows. Failure to keep client information secure can lead to a potential waiver of privilege, malpractice claims, and even fines from various government agencies. Law firms need rigorous security, no matter their firm’s size or practice area. A law firm’s security plan must include three components: user training and access controls, secure technology, and a recovery plan. Join Clio’s lawyer in residence, Joshua Lenon, as he shows you how to enact a security plan for your law firm with guest Chris Wiesinger of CloudMask, an encryption service provider for cloud-based technologies. In this free, CLE-accredited presentation1, attendees will learn: The difference between confidentiality and privacy for law firms The regulations that apply to all law firms, as well as those for specific practice areas The security planning tips you can use to assess and protect your law firm The tools to improve your law firm’s security profile

1. #ClioWeb
Security Basics
for Law Firms
Joshua Lenon – Clio
Chris Wiesinger - CloudMask

2. #ClioWeb
Instructors
Joshua Lenon
• Lawyer in Residence at Clio
• Attorney Admitted in New York
• @JoshuaLenon
Chris Wiesinger
• Business Development at
CloudMask

3. #ClioWeb
Agenda
• Confidentiality vs. privacy for law firms
• Privacy regulations impacting law firms
• Practical challenges
• Improve your security posture
• Questions

4. #ClioWeb
At least 80 of the 100 biggest firms in the country, by
revenue, have been hacked since 2011.

5. #ClioWeb
CONFIDENTIALITY VS. PRIVACY

6. #ClioWeb
Confidentiality
• Attorney-Client Privilege (Evidentiary Rule)
• Work Product Doctrine (Civil Procedure Rule)
• MPRC Rule 1.6 (Ethical Duty)

7. #ClioWeb
Attorney-Client Privilege
“encourage[s] full and frank communication between
attorneys and their clients.” Upjohn Co. v. United
States, 449 U.S. 383 (1981).

8. #ClioWeb
Attorney-Client Privilege
• Limited to communications between the client and attorney
• Privilege rests with the client; even beyond the grave, Swidler & Berlin v.
United States, 524 U.S. 399 (1998)
• Waiver possible
• Inadvertent disclosures is not necessarily waiver, if:
– the disclosure is inadvertent;
– the holder of the privilege or protection took reasonable steps to prevent
disclosure; and
– the holder promptly took reasonable steps to rectify the error

9. #ClioWeb
Work Product Doctrine
Federal Rules of Civil Procedure Rule 26(b)(3)
• “Ordinarily, a party may not discover documents and tangible things
that are prepared in anticipation of litigation...“
• Materials may be discovered if the party shows that it has substantial
need for the materials to prepare its case and cannot, without undue
hardship, obtain their substantial equivalent by other means.

10. #ClioWeb
MPRC Rule 1.6
(a) A lawyer shall not reveal information relating to the
representation of a client unless the client gives informed
consent, the disclosure is impliedly authorized in order to
carry out the representation or the disclosure is permitted by
paragraph (b).

11. #ClioWeb
MPRC Rule 1.6(b)
• prevent reasonably certain death
or substantial bodily harm
• prevent the client from
committing a crime or fraud
• prevent, mitigate or rectify
substantial injury to the financial
interests or property of another
• secure legal advice about the
lawyer's compliance with these
Rules
• establish a claim or defense on
behalf of the lawyer
• comply with other law or a court
order
• detect and resolve conflicts of
interest

12. #ClioWeb
MRPC 1.6
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or
unauthorized disclosure of, or unauthorized access to, information
relating to the representation of a client.

13. #ClioWeb
Confidentiality vs Privacy
Confidentiality Privacy
Prescriptive
Client focused
Derived from Common Law
Well-documented exceptions
Legal specifc

14. #ClioWeb
Privacy
• Personally Identifiable information (PII)
1. Information that can be used to distinguish or trace an individual‘s
identity
• Name, social security number, date and place of birth, mother‘s maiden
name, or biometric record
2. Other information that is linked or linkable to an individual
• Medical, educational, financial, and employment information.

15. #ClioWeb
Privacy Safeguards
• 3 types of safeguards must be considered
and implemented
1. Administrative
2. Physical
3. Technical

16. #ClioWeb
Privacy
• Notification duties in the event of a breach
–Must notify all affected parties
• Reporting duties to regulators
• Right of action for impacted individuals

17. #ClioWeb
Confidentiality vs Privacy
Confidentiality Privacy
Prescriptive Descriptive
Client focused Everyone
Derived from Common Law Statutorily created
Well-documented exceptions Enforced liability
Legal practice specific Outside the courtroom

18. #ClioWeb
PRIVACY REGULATIONS IMPACTING LAW FIRMS

19. #ClioWeb
Law firms need to weigh privacy regulations by
geography and subject matter.

20. #ClioWeb
Privacy Laws Affecting Law Firms
State Privacy
Laws
Client
Business
Area Privacy
Laws
Federal
Regulations

21. #ClioWeb
State Privacy Laws
Think broadly, it’s not just
your location, but the
location of all of your clients
and contacts

22. #ClioWeb
Client Business Areas
• Financial information – under the
Gramm Leach Bliley Act (GLBA), Fair
Credit Reporting Act (FCRA), Fair and
Accurate Credit Transaction Act
(FACTA), Red Flags Rules
• Healthcare information – under the
Health Insurance Portability and
Accountability Act (HIPAA) and the
HITECH Act
• Children information – as required
under the Children Online Privacy
Protection Act (COPPA) and Family
Educational Rights and Privacy Act
(FERPA)
• Mortgage lending – under Consumer
Finance Protection Board, Bulletin
2012-03
• Criminal Justice - Criminal Justice
Information Services Division (CJIS)

23. #ClioWeb

24. #ClioWeb
Federal Regulations
FTC’s Standard of Care
Take “reasonable and
necessary measures” to
protect consumer data

25. #ClioWeb
Privacy for Law Firms
State Privacy Laws
Client
Business
Area
Privacy
Laws
Industry Regulation
Federal
Regulations

26. #ClioWeb
Privacy rules varies
between jurisdictions,
with new regional
requirements emerging
frequently.
• Europe
– EU-U.S. Safe Harbor / EU-U.S.
Privacy Shield
– General Data Privacy Regulation
(GDPR) (2018)
• Canada
– Personal Information Protection
and Electronic Documents Act
(PIPEDA)
– Freedom of Information and
Protection of Privacy Act (FOIPPA)
(BC)
• South Africa
– Protection of Personal Information
Bill.

27. #ClioWeb
THE PRACTICAL CHALLENGES

28. #ClioWeb
Key Concerns
• Business
– Which cases compromised if opposing forces saw all your data?
– Client reaction and response to breaches affecting their cases?
– Regulatory implications of data breaches?
• Technical
– Landscape of security issues
– Tools to effect consistent application of data protection policy

29. #ClioWeb
Connection and Vulnerability
http://www.informationisbeautiful.net/visualiz
ations/worlds-biggest-data-breaches-hacks/

30. #ClioWeb
Who is the Threat?
• Insiders
– Have legitimate, authorized access to
premises and systems
• Outsiders
– Hackers, governments
– Legal adversaries?
– Hacktivists?
• Key Concern
– Outsiders always target insider
credentials first
55% Insiders
https://securityintelligence.com/the-threat-is-coming-
from-inside-the-network/

31. #ClioWeb
Protecting (and failing to protect) Credentials
• Most breaches begin with password
compromise
• Hard to remember unique passwords
so…
– Failure to change default passwords
– Easy to remember = Easy to Guess
– Same password for multiple services
• Your email password
– The magic key for “I forgot my password”
August 30 2016

32. #ClioWeb
What Third Parties Can and Can’t See
• Cloud means third parties handle your data
– Consumer Gmail (example)
• Google encrypts in transit to servers
• Google scans and analyzes content
– Google for Work (example)
• Encrypts data in transit and at rest…. BUT
– Google staff have access to master keys
– Who determines “legitimate business purpose”?
– National Security Letters?
– What if Google employee compromised?
– Challenge for Lawyers: Due Diligence
• Who are you really trusting your data to?
• Remember the insider concern
“Google authorizes only trusted individuals to have
legitimate access to systems and data repositories
containing customer data, including the KMS. This strict
authorization extends to job duties including debugging
and maintenance activities that might expose decrypted
customer data to a trusted employee. Access to these
systems is under the umbrella of strict policies that are
clearly displayed for employees to read and also in the
tools they use. Access to customer data is only allowed
for a legitimate business purpose.”

33. #ClioWeb
The Design of Encryption Solutions
• Common Encryption
Implementation
– Transaction Layer Security (TLS): e.g.,
between browser and app server
• Need to trust the people controlling
encryption keys (app server end)
– Pretty Good Privacy
• Each end-point (Bob, Alice) has a unique
public and private key
• No middlemen with keys
• The Trust Trade-off is about
Convenience and Usability

34. #ClioWeb
HOW TO IMPROVE YOUR SECURITY POSTURE

35. #ClioWeb
The Upshot
• Protect your credentials with Password Managers
• Take control of encrypting your data in key applications like Clio and
Google
– YOU must control the encryption key
• This is no longer rocket science
• CloudMask: define and automate data protection policy
• These constitute “reasonable steps”
– To improve client confidentiality and privacy
– To limit your exposure to financial, brand and regulatory risk

36. #ClioWeb
Password Managers
• Rules and remembering is
what software is good for
• Fast Identity Online (FIDO) is
the no password future
(fidoalliance.org)
• In the meantime, select and
use a password manager
• Still: Discipline required
NEAR FUTURE
TODAY

37. #ClioWeb
Privacy By Design: Zero Knowledge Applications
• Zero Knowledge
– Encryption key remains under user control (private key)
– End-to-End encryption: Data encrypted at time of creation to time of viewing on
authorized device by authorized viewer in control of their own key
– No third party facilitating the communication of encrypted data has the capacity to see
that data in the clear
• E.g.: ISP, Cloud Infrastructure Provider, Software as a Service Provider, Encryption Engine
Provider, etc.
• Zero Trust
– No need to trust middlemen with view of sensitive data in the clear
– Breaches of masked data yield… meaningless information
– Encrypted and Tokenized PII becomes meaningless data (no longer PII), so less likely to
trigger breach notification expense and embarassment

38. #ClioWeb
Making Zero Trust Easy with Clio and CloudMask
• CloudMask and Clio
– An easy to activate zero trust security enhancer
• The CloudMask Engine
– Selective, Intelligent Masking
• Selective: choose sensitive standard fields, and any custom field
• Intelligent: ensures that masked data is accepted by database
• Masking: first encrypt the data, then tokenize and format
• Works beyond Clio
– Google for Work (Gmail, Drive)

39. #ClioWeb
Activating CloudMask from Within Clio

40. #ClioWeb
Configuring Data Protection Policies

41. #ClioWeb
CloudMask Capabilities Summary
üMask critical Standard fields
üContacts, Matters, Tasks, Billing
üMask any Custom field
üMask any attachment
üSearch both clear and masked data
üDocument automation
üCollaborate with outside counsel and clients
üPer record control of masking (turn OFF if necessary)
üSupports Chrome and Firefox browsers
üComing soon… Android and iOS mobile

42. #ClioWeb
Automatic Execution of Policy (Authorized View)

43. #ClioWeb
Automatic Execution of Policy (Unauthorized View)

44. #ClioWeb
Summary
1. Zero trust, end-to-end encryption solutions like CloudMask make
Cloud safer than ever before.
2. With CloudMask, even “insiders” need both your credentials AND
your authorized physical device to see data in the clear
• Outsiders who compromise credentials to log in from external machines see only
masked data
3. Password Managers are critical to better credential governance
4. No need to compromise encryption design for ease of use
5. CloudMask: easy to use, automated data masking, with keys under
your control

45. #ClioWeb
One More Thing: Due Diligence
• How do you know that “the security magic” in the black box works?
– Has the security vendor obtained independent validation of functionality and
system integrity, according to an internationally agreed standard?
• CloudMask and Common Criteria Certification
– Common Criteria for Information Technology Security Evaluation
– www.commoncriteria.org
– International Standards Organization – ISO/IEC Standard 15408
– “does the software actually perform the functional claims?”
– Recognized and often required by federal government security authorities

46. #ClioWeb
QUESTIONS?

47. #ClioWeb
Thank You
Joshua Lenon
joshua@clio.com
@JoshuaLenon
Linkedin.com/in/joshualenon
1-888-858-2546
Colin McMahon
Linkedin.com/in/colinmcmahonclio
Support@clio.com
Support.goclio.com
www.youtube.com/user/ClioVideo