Cybersecurity: Cyber Risk Management for Lawyers and Clients

Spencer Fane LLP | spencerfane.com
Cybersecurity:
Cyber Risk Management
for Lawyers and Clients
16th Annual Advanced Business Law Course
Texas Bar CLE
Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP | @spencerfane
spencerfane.com | @shawnetuma

The Problem for Lawyers
• Cybersecurity and privacy are issues that most
attorneys would prefer to ignore but are uniquely
obligated to address.
• Cybersecurity and privacy impact all lawyers and
law firms alike.
• Clients demanding adequate security (firms are
their third-party risk).
• Law firms are an increasingly popular target.
– Value and sensitivity of data.
– Data for multiple clients.

The Ethics for Lawyers
“A lawyer should preserve the confidences
and secrets of a client.”
• Ethics Opinion 384 (Sept. 1975)
• Canon No. 4, Code of Professional
Responsibility
• Disciplinary Rule (DR) 4-101 (A) and (B)
• New duty of “technical competence” for lawyers

Can you hear me now?
• ABA Ethics Opinion 483
• Lawyers’ Obligations After an
Electronic Data Breach of
Cyberattack
• October 17, 2018

Ethics Opinion 483
• Lawyers’ Obligations After an Electronic Data Breach or
Cyberattack
– Proactive obligations
– “data breach” ≠ “data breach”
• “data breach” – “a data event where material client
confidential information is misappropriated, destroyed or
otherwise compromised, or where a lawyer’s ability to
perform the legal services for which the lawyer is hired is
significantly impaired by the episode.”
• Ransomware?
• Service provider network outage, even if no access or
exfiltraton?

Ethics Opinion 483
• Focus is on the overall process of protecting information, not
the result.
• Requires lawyers to:
1. Be competent by keeping abreast of the benefits and risks
associated with relevant technology;
2. Have reasonable cybersecurity safeguards in place;
3. Follow appropriate data destruction procedures;
4. Actively monitor for breaches of client information;
5. Address third-party risk;
6. Investigate, respond to, and mitigate incidents;
7. Develop and implement an incident response plan; and
8. Notify clients in an appropriate manner when there has been a
“data breach.”

Cybersecurity is no longer just an IT
issue—it is an overall business risk issue.

“Security and IT protect companies’ data;
Legal protects companies from their data.”
Security and IT protect companies’ data;
Legal protects companies from their data.

Laws & Regulations
Types
• Security
• Privacy
• Unauthorized Access
International Laws
• GDPR
• Privacy Shield
• China’s Cybersecurity Law
Federal Laws and Regs
• FTC, SEC, HIPAA
State Laws
• All 50 States
– Privacy + security (some)
• NYDFS, Colo FinServ, CaCPA
Industry Groups
• PCI
• FINRA
Contracts
• 3rd Party Bus. Assoc.
• Privacy / Data Security /
Cybersecurity Addendum
Banks & Financial Institutions
• GLBA
• Dodd Frank
• FFIEC (Federal Financial
Institutions Examination Council)

2 Themes to Remember
• Cyber law is an expedition
• The “issues” usually aren’t really that new

The Real Threats
• 63% confirmed breaches from weak,
default, or stolen passwords
• Data is lost over 100x more than stolen
• Phishing used most to install malware
Easily Avoidable Incidents
91% in 2015
91% in 2016
93% in 2017
Easily Avoidable Incidents
91% in 2015
91% in 2016
93% in 2017

Cybersecurity Best Practices
• Risk assessment
• Policies and procedures focused
on cybersecurity
– Culture
– Social engineering, password, security
questions
• Train workforce on P&P, security
• Phish all workforce
• Multi-factor authentication
• Internal controls / access controls
to restrict unnecessary data risk
• Data retention policy
• Signature based antivirus and
malware detection
• No outdated or unsupported
software
• Patch management process
• Backups segmented offline, cloud,
redundant
• Incident response plan
• Encrypt sensitive and air-gap
hypersensitive data
• Adequate logging and retention
• Third-party security risk
management program
• Firewall, intrusion detection and
prevention systems
• Managed services provider (MSP)
or managed security services
provider (MSSP)
• Cyber risk insurance

Canary in the Coal Mine
• What is your role?
• How does your firm or client
handle:
– P&P + Training
– MFA
– Phishing
– Backups
– IR Team + IRP
– Cyber Insurance

How mature is your bank’s cyber risk
management program?
“GMR Transcription Services, Inc. . . . Shall . . . establish and implement, and thereafter
maintain, a comprehensive information security program that is reasonably designed to protect
the security, confidentiality, and integrity of personal information collected from or about
consumers.” In re GMR Transcription Svcs, Inc., Consent Order (Aug. 14, 2014)
“We believe disclosures regarding a company’s cybersecurity risk management program and
how the board of directors engages with management on cybersecurity issues allow investors
to assess how a board of directors is discharging its risk oversight responsibility in this
increasingly important area.” SEC Statement and Guidance (Feb. 21, 2018)
“Institutions should maintain effective information security programs commensurate with their
operational complexities. Information security programs should have strong board and senior
management support, promote integration of security activities and controls throughout the
institution’s business processes, and establish clear accountability for carrying out security
responsibilities.” FFIEC Examination Handbook (Sept. 2016)
“Each Covered Entity shall maintain a cybersecurity program designed to protect the
confidentiality, integrity and availability of the Covered Entity’s Information Systems.” NYDFS
Cybersecurity Regulations § 500.02
“Taking into account the state of the art, the costs of implementation and the nature, scope,
context and purposes of processing as well as the risk of varying likelihood and severity for the
rights and freedoms of natural persons, the controller and the processor shall implement
appropriate technical and organizational measures to ensure a level of security appropriate to
the risk, including …” GDPR, Art. 32

Too little –
“just check the
box”
Too much –
“boiling the
ocean”
What is reasonable
cybersecurity?

Identify:
Assess Cyber
Risk
Identify &
Protect:
Strategic
Planning
Protect &
Detect:
Implement
Strategy &
Deploy Assets
Protect:
Develop,
Implement &
Train on P&P
Protect: Third
Party Risk
Protect &
Respond: Develop
IR Plan & Tabletop
Recover &
Identify:
Reassess,
Refine &
Mature
Cyber Risk
Management
Program Process

What should a cyber risk management
program look like?
• Based on a risk assessment1,2,3,4,5,6
• Implemented and maintained (i.e.,
maturing)1,2,3,6
• Fully documented in writing for both
content and implementation1,2,3,6
• Comprehensive1,2,3,4,5,6
• Contain administrative, technical,
and physical safeguards1,2,3,6
• Reasonably designed to protect
against risks to network and
data1,2,3,4,5,6
• Identify and assess internal and
external risks2,6
• Use defensive infrastructure and
policies and procedures to protect
network and data1,2,3,4,5,6
• Workforce training2,3,6
• Detect events2,6
• Respond to events to mitigate
negative impact2,6
• Recover from events to restore
normalcy2,6
• Regularly review network activity
such as audit logs, access reports,
incident tracking reports3,6
• Assign responsibility for security to
an individual3,5,6
• Address third-party risk2,3,5,6
• Certify compliance by Chair of
Board or Senior Officer or Chief
Privacy Officer2
1. In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014)
2. NYDFS Cybersecurity Regulations Section 500.02
3. HIPAA Security Management Process, §164.308(a)(1)(ii)
4. SEC Statement and Guidance on 2/21/18
5. GDPR Art. 32
6. FFIEC IT Examination Handbook

A few words about privilege
• Great sales pitch → the magic wand!
• Mature understanding → not so simple!
• Prepare by doing everything possible to ensure the applicability of
privileges but carry out the work as though there will be no privilege.
– Retain experienced cyber counsel to assess cyber risk, develop and lead
cyber risk management program.
– List role in engagement agreement.
– Develop communications protocol at the outset.
• i.e., “if it doesn’t need to be in writing …”
• Counsel must actively lead and stay engaged in the process.
• Counsel should hire, direct, and receive info from consultants.
• If incident, consider multiple tracks:
– proactive risk management;
– normal business investigation;
– Investigation in anticipation of litigation.
Photo credit: dave_7
Link: https://www.flickr.com/photos/daveseven/1910839183/in/photostream/

A few words about privilege
• Great sales pitch → the magic wand!
• Mature understanding → not so simple!
• Prepare by doing everything possible to ensure the applicability of
privileges but carry out the work as though there will be no privilege.
– Retain experienced cyber counsel to assess cyber risk, develop and lead
cyber risk management program.
– List role in engagement agreement.
– Develop communications protocol at the outset.
• i.e., “if it doesn’t need to be in writing …”
• Counsel must actively lead and stay engaged in the process.
• Counsel should hire, direct, and receive info from consultants.
• If incident, consider multiple tracks:
– proactive risk management;
– normal business investigation;
– Investigation in anticipation of litigation.

Without a magic wand, how does
cyber legal counsel help?

Cyber Insurance
Key considerations about cyber insurance:
• If you don’t know you have it, you don’t!
• Does your broker really “get” cyber?
• Is your coverage based on your risk?
• Was security/IT involved in procurement?
• Does your coverage include social engineering?
• Does your coverage include contractual liability?
• Do you have first-party and third-party coverage?
• Do you understand your sublimits?
• Can you chose your counsel and vendors?

Practitioner Editor, Bloomberg BNA – Texas Cybersecurity &
Data Privacy Law
Board of Directors & General Counsel, Cyber Future Foundation
Board of Advisors, North Texas Cyber Forensics Lab
Policy Council, National Technology Security Coalition
Cybersecurity & Data Privacy Law Trailblazers, National Law
Journal
SuperLawyers - Top 100 Lawyers in Dallas (2016)
SuperLawyers (2015-18)
D Magazine - Best Lawyers in Dallas (2014-18)
Officer, Computer & Technology Section, State Bar of Texas
Privacy and Data Security Committee, State Bar of Texas
College of the State Bar of Texas
Board of Directors, Collin County Bench Bar Conference
Past Chair, Civil Litigation Section, Collin County Bar Association
North Texas Crime Commission, Cybercrime Committee
Infragard (FBI)
International Association of Privacy Professionals (IAPP)
Shawn E. Tuma
Spencer Fane LLP
Partner & Co-Chair,
Cybersecurity & Data
Privacy Practice
O 972.324.0317
M 214.726.2808
stuma@spencerfane.com
web: spencerfane.com
blog: shawnetuma.com
@shawnetuma

Cybersecurity: Cyber Risk Management for Lawyers and Clients

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Cybersecurity: Cyber Risk Management for Lawyers and Clients

Ähnlich wie Cybersecurity: Cyber Risk Management for Lawyers and Clients (20)

Mehr von Shawn Tuma

Mehr von Shawn Tuma (14)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Cybersecurity: Cyber Risk Management for Lawyers and Clients