
Cyber Security - The Saint Lucia Legal Professions Act and Practice PDF

A one hour presentation exploring data protection issues (re cyber security) that rest on legal practitioners under the current duties set out in the Code of Ethics enshrined by the Legal Professions Act of Saint Lucia.

GDPR was also briefly examined within the context of legal practice in Saint Lucia.

1. Saint Lucia Bar Association & Eastern Caribbean Telecommunications Authority. Cyber Security: The Legal Professions Act and Your Practice. 28th June 2018. Mikhail A. X. Charles, Legal Counsel (Locum), ECTEL.
2. Speaker Bio: Mikhail A. X. Charles
   1 Legal Counsel / Officer (Locum) at ECTEL
   2 Professional Background: LL.B (Hons) [University of Wales], LL.M Corporate and Insolvency Law [Nottingham Law School]
   3 Admitted to the Bars of England and Wales [Inner Temple] (2012), Saint Vincent and the Grenadines (2013), Grenada and Saint Lucia (2015)
   4 General practice in the Chambers of Hon. Rene M. Baptiste CMG (sabbatical)
   5 Legal Officer, Commonwealth Secretariat (Rule of Law Division, Governance and Peace Directorate)
   6 Executive Member of the SVG Bar Association and the SVG Chapter of the Chartered Institute of Arbitrators
3. EASTERN CARIBBEAN TELECOMMUNICATIONS AUTHORITY (https://www.ectel.int/about-ectel/)
   • WHO • WHAT • WHERE • WHEN
   • UPCOMING PROJECTS: EC Bill, Cross Border Frequency
   • DISCLAIMER: Presentations are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the participants individually and, unless expressly stated to the contrary, are not the opinion or position of ECTEL, its cosponsors, or its committees. ECTEL does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented.
4. INDEX
   Intro / Definition of Cyber Security: 5 – 8
   OECS Level: 9 – 10
   The Law (Saint Lucia): 11 – 22
   Observations: 23 – 25
   A Word on GDPR: 26 – 35
   Conclusion: 36 – 37
5. CARICOM AND CYBER CRIME / SECURITY
   • There has been significant growth in cybercrime in the Caribbean. Government websites have been hacked, child online exploitation has infiltrated schools and the increasing use of cryptocurrencies to fund criminal activities are but a few of the manifestations of criminal activity in cyberspace impacting the region.
   • According to the Commonwealth, “Major cybercrimes reported in the region to date include the theft of $150 million from an international bank in 2014; individuals claiming to be local ISIS supporters hacking government websites in 2015; and, in the same year, hackers infecting tax authorities with ransomware, which blocks users from accessing their systems and demands money”.
   • These activities point to the existence of significant cyber security vulnerabilities in the protection frameworks for persons, possessions and privacy, which extend more generally to the information and critical national infrastructures. Cybercrime could have a devastating impact on national security and, if not addressed urgently, could severely hamper the social and economic development of our Caribbean States.
   Source: CARICOM Cyber Security and Cyber Crime Action Plan 2016; Gros Islet Communique, The Caribbean Stakeholders Meeting on Cyber Security and Cyber Crime
6. JURISDICTIONS WITH(OUT) PRIVACY LAWS
   • With: Antigua & Barbuda 2013, Aruba 2011, Bahamas 2003, Bermuda 2016, Caribbean Netherlands (Bonaire, Saint Eustatius and Saba) 2010, Cayman Islands 2017, Curacao 2010, Dominican Republic 2013, Guadeloupe 2018, Martinique 2018, Saint Kitts and Nevis 2018, Saint Lucia 2011, Saint Martin 2018, Saint Vincent & The Grenadines 2003, Sint Maarten 2010, Trinidad and Tobago 2011
   • Without: Anguilla, Barbados, Belize, British Virgin Islands, Cuba, Dominica, Grenada, Guyana, Haiti, Jamaica, Montserrat, Puerto Rico, Saint Barthelemy, Suriname, Turks and Caicos, U.S. Virgin Islands
   Source: ‘State of Privacy Laws in CARICOM’, CARICOM Secretariat Workshop, Guyana 2018, by Carlton Samuels (ACCENDI Caribbean Ltd.) and Bartlett Morgan (Lex Caribbean)
7. Law and Cyber Security
   For instance, the combination of consumer-friendly mobile devices and cloud computing means that attorneys now have the technology to obtain access to all their work data with any device, at any time, as long as they have an Internet connection. Nonetheless, new technologies create new threats to the confidentiality of client data. Sweeping advances in technology are not only changing the law that attorneys practice, they are also bringing profound changes to the way attorneys practice law.
8. A Duty for Cyber Security?
   Perhaps: when one reads the duties under the SLU LPA, the core duties under the ethics rules may have some bearing on information security: the duty of confidentiality, the duty of competence, and the duty to supervise. (No OECS Bar Association position paper.)
9. OECS CODE OF ETHICS (http://www.oecsbar.org/index.php/en/about-us/about-oecs-bar/code-of-ethics)
   An attorney-at-law owes a duty to the State to maintain its integrity, its constitution and its laws and not to aid, abet, counsel or assist anyone to act in any way contrary to those laws.
   An attorney-at-law shall always act in the best interest of his client, represent him honestly, competently and zealously and endeavour by all fair and honourable means to obtain for him the benefit of any and every remedy and defence which is authorised by law, steadfastly bearing in mind that the duties and responsibilities of the attorney-at-law are to be carried out within the bounds of the law.
10. An attorney-at-law shall scrupulously guard and never divulge his client's secrets and confidences.
   An attorney-at-law shall deal with his client's business with all due expedition and shall whenever reasonably so required by the client provide him with full information as to the progress of the client's business.
11. 22. LIABILITY FOR NEGLIGENCE AND LACK OF SKILL (Legal Professions Act Cap. 2.04)
   (1) Subject to subsection (2) an attorney-at-law shall not enjoy immunity from action for any loss or damage caused by his or her negligence or lack of skill in the performance of his or her functions.
   (2) An attorney-at-law is immune from suit in negligence in respect of his or her conduct of litigation only.
   (3) The immunity referred to in subsection (2) is not confined to proceedings in court but extends to such pre-trial work as is so intimately connected with the conduct of the case in court that it could be said to be a preliminary decision affecting the way the case is to be conducted at the hearing.
   (4) In this section “function” means a function undertaken by an attorney-at-law in relation to the conduct or management of litigation or prospective litigation, whether performed in or out of court or before, during or after any court proceedings.
12. 35. RULES TO GOVERN PROFESSIONAL PRACTICE
   (1) The rules contained in the Code of Ethics set out in Schedule 3 shall regulate the professional practice, etiquette, conduct and discipline of attorneys-at-law.
   (2) A breach of the rules in— (a) Part A of the Code of Ethics may constitute professional misconduct; (b) Part B of the Code of Ethics shall constitute professional misconduct.
   (3) Where no provision is made by the rules in respect of any matter, the rules and practice of the legal profession which before the commencement of this Act govern the particular matter shall apply in so far as is practicable.
   …
   (5) An attorney-at-law whose name is entered on the Roll shall be deemed to have notice of the provisions of the Code of Ethics.
13. SCHEDULE 3 (Section 35)
   26. (1) An attorney-at-law shall deal with his or her client's business with all due expedition and shall whenever reasonably so required by the client provide him or her with full information as to the progress of the client's business.
   22. (2) An attorney-at-law shall scrupulously guard and never divulge his or her client's secrets and confidences.
14. PART B MANDATORY PROVISIONS AND SPECIFIC PROHIBITIONS
   • 18. An attorney-at-law shall never disclose, unless lawfully ordered to do so by the Court or required by statute, what has been communicated to him or her in his or her capacity as an attorney-at-law by his or her client and this duty not to disclose extends to his or her partners, to junior attorneys-at-law assisting him or her and to his or her employees provided however that an attorney-at-law may reveal confidences or secrets necessary to establish or collect his or her fee or to defend himself or herself or his or her employees or associates against an accusation of wrongful conduct.
   • 20. An attorney-at-law shall not delegate to a person not legally qualified and not in his or her employment or under his or her control, any functions which are by the Laws of Saint Lucia only to be performed by a qualified attorney-at-law.
   • 21. In the performance of his or her duties an attorney-at-law shall not act with inexcusable or undue delay, negligence or neglect.
15. 34. In pecuniary matters an attorney-at-law shall be most punctual and diligent, he or she shall never mingle funds of others with his or her own and he or she shall at all times be able to refund money he or she holds for others.
   35. (1) An attorney-at-law shall keep such accounts as clearly and accurately distinguish the financial position between himself or herself and his or her client as and when required.
   38. Where no provision is made in these rules in respect of any matter, the rules and practice of the legal profession which formerly governed the particular matter shall apply in so far as is practicable.
16. DATA PROTECTION ACT 2011, Cap. 8.18, Laws of Saint Lucia
   AN ACT to make provision for the protection of individuals in relation to personal data and to regulate the collection, processing, use, and disclosure of personal data in a manner that recognizes the right of privacy of individuals with respect to their personal information and for related matters. Commencement: [On Order]
17. “personal data” means information about a data subject that is recorded in any form including—
   (a) information relating to the race, national or ethnic origin, religion, age, sexual orientation, sexual life or marital status of the data subject;
   (b) the education, medical, criminal or employment history of the data subject or information relating to the financial transactions in which the individual has been involved or which refers to the data subject;
   (c) any identifying number, symbol or other particular designated to the data subject;
   (d) the address, fingerprints, Deoxyribonucleic Acid (DNA), or blood type of the data subject;
   (e) the name of the data subject where it appears with other personal data relating to the data subject or where the disclosure of the name itself would reveal information about the data subject;
   (f) correspondence sent to an establishment by the data subject that is explicitly or implicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence; or
   (g) the views or opinions of any other person about the data subject;
18. “processing” in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including—
   (a) organization, adaptation or alteration of the information or data;
   (b) retrieval, consultation or use of the information or data;
   (c) disclosure of the information or data by transmission, dissemination, or otherwise making available; or
   (d) alignment, combination, blocking, erasure or destruction of the information or data;
19. “sensitive personal data” means personal data consisting of information on a data subject’s— (a) racial or ethnic origins; (b) political opinions; (c) religious beliefs or other beliefs of a similar nature; (d) physical or mental health or condition; (e) sexual orientation or sexual life; or (f) criminal or financial record;
   “third party” means a person other than the data subject, the data controller and such other person who under the direct responsibility of the data controller is authorized to process personal data.
20. 3. Application
   (1) This Act applies to a data controller in respect of any data if— (a) the data controller is established in Saint Lucia and the data is processed in the context of the business of that establishment;
   32. Data Protection Principles
   The data controller shall comply with the Data Protection Principles set out in Schedule 2, in relation to all personal data processed by the data controller.
   33. Collection of personal data
   (1) Subject to Part 6, a data controller shall not collect personal data unless— (a) the data is collected for a lawful purpose connected with a function or activity of the data controller; and (b) the collection of the data is necessary for that purpose.
   (2) Where a data controller collects personal data directly from a data subject, the data controller shall at the time of collecting the personal data ensure that the data subject concerned is informed
21. • 34. Consent for processing of personal data
   (1) Subject to subsection (2), a data controller shall not process personal data unless the data controller has obtained the express consent of the data subject.
   (2) Notwithstanding subsection (1), a data controller may process personal data without obtaining the express consent of the data subject where the processing is necessary—
   • 36. Processing of sensitive personal data
   The data controller may process sensitive personal data if appropriate safeguards are adopted and the processing is necessary—
22. They also require attorneys to practice competently and to supervise office staff and third parties with access to client data. The operation of these rules will require attorneys and law firms to implement reasonable information security practices to protect the confidentiality, integrity, and availability of client data. The failure to protect client data may lead to attorney discipline or malpractice liability. Information security is not just a “technology issue” that can be delegated without supervision to information technology support staff. Attorneys themselves have an obligation to manage and oversee the security function in their firms. Lessons learned from other industries and industry standard security frameworks can help law firms implement effective security programs.
   Source: Ethics and Cybersecurity: Obligations to Protect Client Data, Stephen Wu and Drew Simshaw, March 2015
23. • Small businesses, and these include solicitors' firms and barristers’ chambers, are just as vulnerable, if not more so.
   • They hold highly sensitive personal information and can provide an easy gateway to obtaining information about their clients, including government, corporates, and people suspected of criminal offences. They are seen as softer targets as they have NO IT budgets and are less likely to invest in the necessary preventive infrastructure.
   • In small as in large organisations, the human factor is usually the weakest link in a business’s cyber defences, and staff breaches, malicious or inadvertent, are just as likely to occur in either, taking into account factors such as holidays and temporary staffing and the requirement to ensure the required protocols are observed.
24. Most lawyers are self-employed and belong to a set of chambers where they share central resources. The majority of information they hold is in a digital form and is a lucrative target for potential criminals. Barristers invariably have their own PCs, smartphones and other devices and invariably use them when working in chambers, in court, at home and when travelling. Saint Lucian lawyers have a professional duty of confidentiality to their clients under the LPA and an individual responsibility to preserve their clients’ confidentiality as ‘data controllers’ under the Data Protection Act [not in force]. Barristers’ individual responsibilities impose a crucial burden on chambers administration. It is ideal that chambers have a written cyber security policy in place affecting all their members, pupils / associates and staff, and maintain up-to-date IT, communications and facilities.
25. EXAMPLE
   • Dominic Nicholas John Ruck Keene of Lincoln's Inn. Date of decision: 22 January 2018.
   In breach of: Professional misconduct contrary to Core Duty 6 of the Code of Conduct of the Bar of England and Wales (9th Edition).
   Details of Offence: Mr Ruck-Keene, being a barrister, on 7 August 2015, failed to preserve the confidentiality of confidential and highly sensitive data by failing to take adequate or appropriate security measures against accidental loss of personal data in that he left documents on the London Underground.
   Sentence: Reprimand
26. A Word on GDPR
   • THINK FATCA for data protection law: EXTRA-TERRITORIAL IN EFFECT
   • Any business, including chambers and any individual barrister, which processes personal data on those residing in the EU must comply with the GDPR. A failure to do so can result in enforcement action by the Information Commissioner’s Office (ICO), including hefty fines, and even prosecution. Processing data includes doing almost anything with personal data, including its collection and storage.
   • The Regulation has extraterritorial effect and will apply to controllers and processors who are not established in the EU but supply goods or services to data subjects within the EU or carry out the monitoring of their behavior.
   < https://blogs.thomsonreuters.com/legal-uk/2018/04/10/how-the-gdpr-will-impact-the-bar/ > Accessed 30th May 2018
27. • GDPR demands that individual barristers and chambers take proactive action to ensure that systems are in place that meet the onerous requirements of GDPR.
   • The challenge is to devise policies, processes and solutions which meet the requirements of GDPR. Systems innovation and security should be at the heart of that.
   • As many others have advised, the starting point has to be a chambers-wide audit followed by an individual assessment, by individual barristers, of what tasks and functions they are performing and whether they engage the GDPR and, if so, how to adapt them to meet the obligations. Fundamental to an understanding of the imposed obligations is an awareness that an individual barrister can be both a data processor and controller, as too can be their chambers.
28. • Articles 24, 28, 29 and 32 set out a number of obligations concerning the maintenance and confidentiality of data and they warrant special attention.
   • Article 24 provides that data controllers, which will often be individual barristers and chambers through the provision of collective IT facilities, must implement appropriate technical and organisational measures to ensure and be able to demonstrate that data processing is performed in accordance with the Regulations, and these measures must be reviewed and updated where necessary. It is sobering to note that as well as bearing personal responsibility for their own processing, an individual barrister may also be held personally responsible for a failure by chambers' staff, including IT support staff, to adopt proper precautions in their role as a data processor of the personal data for which the barrister is a data controller.
   • The problem is that barristers and chambers may only use providers whose terms contain obligations only to process personal data on documented instructions from the controller and to delete personal data after the end of the provision of services. I don’t know if I have missed anything here, but I haven’t seen Google or Dropbox opening up branch offices in the Inns of Court for the negotiation and formulation of agreed GDPR-compliant contracts.
29. • Attorneys and chambers should be alert to how material is stored and accessed by any third-party internet or storage provider. This will require you to become familiar with the terms of service offered rather than simply continuing to ‘tick the box’ to show that you agree to those terms!
30. CONCLUSION
   • “… you must protect the confidentiality of each client’s affairs, except for such disclosures as are required or permitted by law or to which your client gives informed consent”.
   • It is your individual responsibility as a barrister / solicitor / attorney to preserve the confidentiality of your client’s affairs.
31. • Virtually all law practices today are vulnerable to cyber attacks which have the potential to disrupt delivery of legal services and compromise the security of clients’ confidential information. All staff need to understand how cyber attacks commonly occur and firms need to implement appropriate risk management measures.
   • It is essential for firms to have as many safeguards as possible and to understand the current threats.
   THANK YOU!
