Data Confidentiality, Security and Recent Changes to the ABA Model Rules

DATA CONFIDENTIALITY, SECURITY
& RECENT CHANGES TO THE
ABA MODEL RULES
Scott Aurnou, Esq.

Introduction
• In 2009, the ABA created the Commission on
Ethics 20/20 to review the Model Rules in light
of the effect of technology on the legal
profession.
• Changes pertaining to technology were made
in August 2012:
– Rule 1.1 – Competence
– Rule 1.6 – Confidentiality of Information
– Rule 5.3 – Responsibilities Regarding Nonlawyer
Assistance

Rule 1.1 – Competence
• A lawyer shall provide competent representation to a client.
Competent representation requires the legal knowledge, skill,
thoroughness and preparation reasonably necessary for the
representation.
• Comment 8: To maintain the requisite knowledge and skill, a
lawyer should keep abreast of changes in the law and its
practice, including the benefits and risks associated with
relevant technology, engage in continuing study and
education and comply with all continuing legal education
requirements to which the lawyer is subject.

Rule 1.6 – Confidentiality of Information
• (a) A lawyer shall not reveal information relating to the
representation of a client unless the client gives informed consent,
the disclosure is impliedly authorized in order to carry out the
representation or the disclosure is permitted by paragraph (b).
• ***
• (c) A lawyer shall make reasonable efforts to prevent the
inadvertent or unauthorized disclosure of, or unauthorized access
to, information relating to the representation of a client.
• Comment 18: Paragraph (c) requires a lawyer to act competently to
safeguard information relating to the representation of a client
against unauthorized access by third parties and against inadvertent
or unauthorized disclosure by the lawyer or other persons who are
participating in the representation of the client or who are subject
to the lawyer’s supervision.

Rule 1.6 – Comment 18 Safe Harbor Provision
• “The unauthorized access to, or the inadvertent or unauthorized
disclosure of, information relating to the representation of a client does
not constitute a violation of paragraph (c) if the lawyer has made
reasonable efforts to prevent the access or disclosure.”
• Factors to determine reasonableness of the efforts include (but aren’t
limited to):
– Sensitivity of the data
– Likelihood of disclosure if additional safeguards aren’t employed
– Cost and difficultly of employing additional safeguards
– Extent to which additional safeguards adversely affect the lawyer’s ability to
represent clients
• Also specifically notes that the Rules do not supersede Federal or state
laws “that govern data privacy or that impose notification requirements
upon the loss of, or unauthorized access to, electronic information”
– Safe harbor won’t protect you from state or Federal privacy or post data
breach reporting requirements

Rule 1.6 – Comment 19 Electronic Communication re: Client
• “When transmitting a communication that includes information relating to the
representation of a client, the lawyer must take reasonable precautions to prevent
the information from coming into the hands of unintended recipients.”
• Safe harbor provision: “This duty, however, does not require that the lawyer use
special security measures if the method of communication affords a reasonable
expectation of privacy.”
• Factors to determine reasonableness of the expectation of privacy include:
– Sensitivity of the data
– Extent to which the privacy of the communication is protected by law or a confidentiality
agreement
• A client may give informed consent to a method not otherwise permitted
• Also specifically notes that the Rules do not supersede Federal or state laws that
require additional steps to safeguard data privacy
• Speaking of those state laws...
• 47 states (except AL, NM & SD) require notification of a data breach of unencrypted data
• NV, MA & WA require encryption of client data in mobile devices and whenever transmitted
electronically
– Massachusetts law also applies extraterritorially to any firm doing business with a MA resident

Rule 5.3 – Responsibilities Regarding Nonlawyer Assistance
• With respect to a nonlawyer employed or retained by or
associated with a lawyer:
• (c) a lawyer shall be responsible for conduct of such a
person that would be a violation of the Rules of
Professional Conduct if engaged in by a lawyer if:
– (1) the lawyer orders or, with the knowledge of the specific
conduct, ratifies the conduct involved; or
– (2) the lawyer is a partner or has comparable managerial
authority in the law firm in which the person is employed, or
has direct supervisory authority over the person, and knows of
the conduct at a time when its consequences can be avoided or
mitigated but fails to take reasonable remedial action.
• Comment 3 expressly references cloud storage services

Not Changed, But Also Relevant
• Rule 5.1 - Responsibilities of a Partner or Supervisory
Lawyer
• Paragraph (c) A lawyer shall be responsible for another
lawyer's violation of the Rules of Professional Conduct
if:
– (1) the lawyer orders or, with knowledge of the specific
conduct, ratifies the conduct involved; or
– (2) the lawyer is a partner or has comparable managerial
authority in the law firm in which the other lawyer
practices, or has direct supervisory authority over the
other lawyer, and knows of the conduct at a time when its
consequences can be avoided or mitigated but fails to take
reasonable remedial action.

Effect of Changes to the Model Rules
• Short answer: lawyers and law firms do need
to stay up-to-date with technology.
• In a practical sense, what steps should you
take to secure client & firm data and avoid
mishandling electronic evidence?

Agenda
• Data Security
– Computer Basics
– Security First Steps
– Laptop & Desktop Computers
– Mobile Devices
– Firm Networks
– Cloud Computing
– What to Do When Something Goes Wrong
• eDiscovery Issues
– Mishandling Electronic Evidence
– Using Third Party Vendors
• Computer Security & eDiscovery Do’s & Don’ts

How is information stored electronically?
• Magnetic, optical & flash/SSD storage
– All data is reduced to binary code, which allows the various
devices to share information
– Bits & bytes
• Active, archival & latent data

What is a computer network?
• Client-Server Model
• Includes all devices intended to have access to your firm’s
data
• Remember that the computer traits making it easier to find
your own data also make it easier for a hacker to do so if he or
she gets into your system

Security First Steps
• Upper management buy-in is critical to effective security
– Consider data breach insurance
• Vulnerability assessment
– Network and data mapping; attack and penetration testing
– Find & fix vulnerabilities – should be done twice yearly
• Create an Information Security Policy/Plan
• For more detail, read ‘How to Write an Information Security Policy’ from CSO Online:
http://www.csoonline.com/article/495017/how-to-write-an-information-security-policy?page=1
• Incident Response Plan & Team
– Identifies and lays out a step by step response to a security incident
• Business Continuity & Disaster Recovery Plan
– Intended to keep your firm up and running after a major event
– CSO Online – Business Continuity and Disaster Recovery Planning: the Basics:
http://www.csoonline.com/article/204450/business-continuity-and-disaster-recovery-planning-the-
basics
• Don’t hesitate to bring in a security consultant to help set these up
• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)

Laptops & Desktop Computers
• Primary threats
– Malware and data breaches
• Different types of malware
– Virus: dormant until host file is opened
– Worm: does not need host file; often
used to create an opening for other
malware
– Trojan: disguised as something
innocuous
– Drive-by download: latent threat on
compromised website
– Rootkit: essentially burrows underneath
the software you can see to gain greater
control over your computer
• Spyware, keyloggers, etc.
• Botnets
• Unlike television and movie depictions, there is generally no alarm
or warning of any kind when a network is breached

Laptops & Desktop Computers II
– Physical security
• Actual office intrusion and theft, using USB drive, etc.
• Loss or theft outside of the workplace
– Who else has access to your work computer?
• Co-workers, spouse, children, etc.?
• Introduces potential new avenues of attack
– ‘The space between the chair and the keyboard’

Protecting Your Computer
• Importance of keeping software patched
– Secunia, FileHippo, AppFresh
– Turn off/reboot your computer to actually install updates
– Apple computers are not immune to malware
• Anti-virus software, firewalls and intrusion
detection/prevention software
• Limit administrative account privileges
– The most senior partners are often targeted by hackers
– Also use non-admin account to browse on your personal computer
• Data Encryption
– All data on the network, backups, stick drives, tablets,
smartphones, etc.
• Using Virtual Private Networks (VPNs) for remote access
• Don’t hesitate to bring in a professional if you aren’t completely comfortable
addressing a security concern yourself

Email
• How does e-mail actually work?
• Emailing with clients securely
– Emailing “as secure as mailing a postcard”
– How can you secure it?
• 1) Encryption
• 2) Include a link to content secured in the cloud –
Cubby, etc. (not DropBox)
• 3) Secure Web portal
• Pertinent Model Rules – 1.1 (Competence); 1.6
(Confidentiality of Information)

Social Engineering
• Refers to an attacker tricking a target into giving up
access to info or a restricted area
• Comes in numerous forms:
– Phishing
– Spear Phishing
– Whaling
– Pretexting (in person or phone call)
– Tailgating
– Baiting
• What can you do to avoid falling for one of the scams?
• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of
Information)

Laptops & Desktop Computers: the Human Factor
• Passwords & multifactor authentication
– Fingerprint scanners, security tokens, etc.
• Browsing the Web
– Websense, etc.
– Drive-by downloads
• AdBlock Plus
– Unsecured wi-fi connections and rogue hotspots
– Social networks/privacy concerns
• Don’t forget to log out
• Pertinent Model Rules – 1.1 (Competence)

Laptops & Desktops: Privacy Concerns
• Password protected screensaver
– For when you step away from your computer
– Keep the time delay brief
• HTTP vs. HTTPS
– HTTPS is encrypted and more secure than HTTP
– HTTPS Everywhere
• Tracking cookies
– DoNotTrack, Ghostery, Self-Destructing Cookies
– Aviator Web Browser
– Pertinent Model Rules – 1.1 (Competence)

Proper Disposal of Laptop & Desktop Computer Data
• Why is this important?
• Include anything that can store data
• What actually happens when you delete a
file?
• Even if the data is eventually overwritten,
there may be other ways to get at it
• E-mails

Data Destruction Methods
• Overwriting/“wiping”
• Physical destruction
– More than simply damage
– Pertinent Model Rules – 1.1 (Competence);
1.6 (Confidentiality of Information)
• Degaussing/demagnetizing
– Only works on magnetic storage
devices/tape

Mobile Devices
• Smartphones, Tablets, other devices
– Connecting to an accounting firm network
– BYOD (bring your own device)
• Primary threats
– Loss and theft
– Apps and permissions
– Jailbroken/rooted phones
– Browsing
• Same dangers as a regular computer
• PLUS mobile-specific browsing risks
– Can’t see URL or hover over links
– QR codes
• Unsecured wi-fi connections and rogue hotspots
QR Code for:
TheSecurityAdvocate.com

Protecting Your Mobile Device
• Use the most current operating system and update it whenever updates are
available
• Enable your passcode lock/PIN
• Download a strong mobile security app
• Remote wiping and device tracking software
• Encryption – both for mobile devices and backups
• Be cognizant of access/permission requests when downloading apps
• Be excessively cautious when dealing with unsecured hotspots and QR codes
Information)

Mobile Devices: the Human Factor
• E-mail risk is not diminished on a mobile device
– Phishing/spear phishing/social engineering (fake e-mails from your bank, delivery
service, PayPal, etc.)
– Presume that any unsolicited e-mail from your bank, etc. is fraudulent and contact
the organization directly via phone, through its official website or visit a branch
• Smishing
• Effectively phishing via text message
• Browsing the Web
– Drive-by downloads
• Both links and QR codes can pose a risk
• Tainted Web search results
– Unsecured wi-fi connections and rogue hotspots
– Social networks/privacy concerns
– Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information)
Smishing text message

Proper Disposal of Mobile Devices
• Includes anything with a solid state/flash
drive
• Factory reset
– Removes all data and downloaded
applications
– Result of remote wiping
• Overwriting
• Physical destruction
• Pertinent Model Rules – 1.1
(Competence); 1.6 (Confidentiality of
Information)
Privacy settings on an Android smartphone

Your Firm Network
• Exactly what are you protecting your network from?
• Limit access rights – who can see what?
• Know your network access points and check for unintended access
• Check your wireless network encryption
• Network monitoring software
• Routers & switches are particularly vulnerable
• Firm-wide data encryption
• Multi-tiered, off-site encrypted backups
• Honeypots
• Information Security Policy regarding USB drives – permitted or not?
• Application whitelisting
• Does your office have a website?
Information)

Advanced Persistent Threats
• Stealthy & slow-moving attacks that compromise
computer networks & steal data over a period of time
• Basic steps:
1) The attacker finds a way into the network
2) Malware planted during the initial intrusion
“phones home” to remotely-located hackers
3) Attack quietly makes its way across the network
4) Data is surreptitiously stolen from the network
5) Attackers cover their tracks
• Security awareness training can reduce likelihood of
initial attack succeeding
Information)

Your Firm Network: the Human Factor
• Endpoint Security
• Strong passwords/change default passwords immediately
– “Alpine”
• Limit network access as much as possible
– This includes senior partners
• Immediately rescind access (including remote access) for any ex-
employee the moment he or she leaves
– Even later the same day can be too late
• Regular employee training

Data Leakage
• Can be intentional or unintentional to get
more work done at home or keep copies of
firm data, contacts, research, briefs, etc.
• Common problem is simply forgetting to
delete the firm data once you’re done with it

Cloud Computing
• What is it?
• Cumulative vulnerabilities
• ‘Pockets’ of the cloud on your network
• eDiscovery data stored with outside vendors
• Privacy concerns
• Pertinent Model Rules – 1.1 (Competence); 1.6 (Confidentiality of Information);
5.3 (Responsibilities Regarding Nonlawyer Assistance)

Unexpected Weak Spots
• Your Help Desk
• Printers
• Videoconferencing equipment
• Connected third party systems
• Company guest wi-fi access
• Firm recycling bins can hold valuable papers
• Account passwords/VPN decrypts should never
be saved on your computer

After Something Goes Wrong...
• Successful attack
– Data breach – hacker(s) stealing data from your system
– Malware infection can damage data in your system
– Spyware, Advanced Persistent Threats, keyloggers, etc.
– Computer forensics/security experts to assess damage, patch vulnerabilities to
prevent similar attacks in the future, etc.
• Data destruction
– Physical damage (fire, flood, etc.)
– Some malware will electronically destroy data
– Importance of backups
• Disaster recovery plan
• Pertinent Model Rules – 1.1 (Competence);
• 1.6 (Confidentiality of Information)

Finding a Network Security Expert
• CEH – Certified Ethical Hacker (governed by
International Council of Electronic Commerce
Consultants [EC-Council])
• CISSP – Certified Information Systems Security
Professional (governed by not-for-profit ISC – Int’l
Information Systems Security Certification
Consortium)
• CISA – Certified Information Systems Auditor
(governed by ISACA, short for Information Systems
Audit and Control Association)
• Pertinent Model Rules – 1.1 (Competence); 5.3 (Responsibilities
Regarding Nonlawyer Assistance)

eDiscovery & Data Confidentiality
• Mishandling Electronic Evidence
• Using Third Party Vendors
– Data hosting & e-discovery vendors can have sensitive
client data on their servers
– Hackers know this and can use them as a back door to
target client & other non-public info
– Do your due diligence re: security practices, etc.
before engaging a vendor
(Confidentiality of Information); 5.3 (Responsibilities

What is Computer Forensics?
• Computer Forensics (a/k/a digital forensics or
IT forensics) is the science of identifying,
acquiring and preserving potential evidence
stored within various forms of electronic
media
• Which means what, exactly?

The Forensic Process
• Gaining access to opponents’ digital evidence
• Forensic imaging/evidence acquisition
• Forensic investigation & analysis
• Expert reports & testimony
• NEVER a do-it-yourself project

Forensic Imaging/Evidence Acquisition
• The most critical phase of a Computer Forensics investigation
• In order to preserve the digital evidence in its original state, the chain of
custody is documented throughout the process
• Cost effectively captures and preserves the digital evidence with an
identical, bit by bit copy of the original digital media
• The “bitstream” (identical) copy is then analyzed while the original media
is carefully preserved for potential future evidentiary use
– Write blocker
– The copied data can be authenticated using hash codes/values
• The bitstream copy is then copied and authenticated in turn to produce a
working copy for analysis. Additional working copies can be produced as
needed
• If it is not done properly (in a secure and forensically sound manner),
critical evidence can be compromised or even inadvertently destroyed
• If you are especially anxious to see electronic evidence found on the
incoming digital media, have your computer forensic expert ready to go
ASAP
• Pertinent Model Rules – 1.1 (Competence); 5.3 (Responsibilities Regarding Nonlawyer Assistance)

Forensic Investigation & Analysis
• The identical copies of the initial bitstream image are
analyzed while the subject digital media is kept in its original
state for potential use at trial
• Analyzing the data
• Once the electronic information has been accessed, the most
useful evidence can be isolated and provided to counsel

Expert Reports & Testimony
• Computer Forensics services to support
litigation
– Expert reports
– Affidavits
– Expert witness testimony
– ‘Counter Forensics’

Finding a Qualified Computer Forensic Expert
• Various certifications exist, but there is no single standard
• Law enforcement/military
– CFCE – Certified Forensic Computer Examiner (offered by the IACIS – Int’l
Ass’n of Computer Investigative Specialists)
– CEECS – Certified Electronic Evidence Collection Specialist
• Vendor neutral
– CCE – Certified Computer Examiner (offered by the ISFCE –International
Society of Forensic Computer Examiners)
– CISSP – Certified Information Systems Security Professional (governed by
not-for-profit ISC – Int’l Information Systems Security Certification
Consortium)
– GCFA – GIAC Certified Forensic Analyst (offered by Global Information
Assurance Certification)
– Expert listings for each
• Vendor specific
– ACE: AccessData Certified Examiner (AccessData)
– EnCE: EnCase Certified Examiner (Guidance Software)
(Responsibilities Regarding Nonlawyer Assistance)

Admissibility of Electronic Evidence
• FRE 901 and 902 do not differentiate between
electronic and physical evidence
– Authentication (hashing, etc.)
– Chain of custody
– Proper handling of digital evidence

eDiscovery Do’s & Don’ts
• Upon receipt of an opposing/third party’s electronic
media
– DO bring in a computer forensic expert as soon as possible,
confer with him/her and formulate proper search terms
for the analysis
– DO NOT alter the computer/electronic media
– DO observe the rules of evidence (chain of custody, etc.)
with the original electronic media once the bitstream
copies have been made

Computer Security Do’s
• DO
– Apply all patches (updates) to the software on your computer & used by your
network. Use Secunia, FileHippo or AppFresh to see what needs updating
– If your firm is using software old enough that it is no longer supported
(updated) by its manufacturer, replace it with newer software that is
supported
– Use integrated security software (firewall, anti-virus, anti-spyware, etc.) &
keep it up-to-date
– Control who has access to what and strictly limit who has administrative
privileges
– Use strong passwords
– Change your passwords regularly
– Enable screensaver passwords on your computer (and set them to engage
relatively quickly)
– Log out of all online services when not using them
– Change all default settings (user IDs & passwords) immediately
Information)

Computer Security Do’s (continued)
– Enable full encryption on every hard drive (especially in laptops),
mobile device, storage device (i.e., USB drives) and backup media
– Have multi-tiered, off-site, encrypted backups
– Keep your firm’s servers under lock and key, literally
– Use WPA (with the Advanced Encryption Standard) or WPA2
encryption for your firm’s wireless network
– Use an encrypted connection – such as a VPN – for remote access to
your firm network
– Prepare any smartphone in your network to be stolen
– When an employee is terminated, disable their network access (user
ID and password) immediately
– Securely dispose of anything potentially holding firm or client data
Information)

Computer Security Don’ts
• DON’T
– Have a file called “Passwords” anywhere on your computer
– Use the same password over and over – if it gets cracked once, every other account
with that password becomes vulnerable
– Keep a post-it note with your password somewhere obvious (under the keyboard,
top right side drawer in your desk, etc.)
– E-mail any passwords – an intruder can search your e-mail and find them (party
trick: search your e-mail for “password”)
– Give your password to anyone else (including co-workers). If you ever do, change it
immediately afterwards
– Use WEP encryption for your wireless network – it was compromised years ago
– Use unsecured (i.e., no password needed) wireless access to send or receive any
sensitive data
– Enter credit card, financial or login information without seeing ‘HTTPS’ in your
browser’s address bar (i.e., make sure the site is encrypted)
– Use cloud services without first making a reasonable inquiry into the state of their
security
– Assume that using Apple computers inherently means you can ignore malware (it
doesn’t)

Scott Aurnou, Esq.
Scott Aurnou is an information security
consultant, attorney and Vice President at
SOHO Solutions, an IT consulting and
managed services firm based in New York
City. He regularly lectures on information
security, computer forensics and ethics
relating to technology (particularly for legal
professionals) and maintains a website
called The Security Advocate. His work
has also appeared in the New York Law
Journal and Law360. You can connect
with Scott on LinkedIn, Facebook and
Twitter.

Data Confidentiality, Security and Recent Changes to the ABA Model Rules

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (10)

Ähnlich wie Data Confidentiality, Security and Recent Changes to the ABA Model Rules

Ähnlich wie Data Confidentiality, Security and Recent Changes to the ABA Model Rules (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Data Confidentiality, Security and Recent Changes to the ABA Model Rules

Hinweis der Redaktion