Reginald A. Hirsch and Shawn E. Tuma presented this talk at the Annual Meeting of the State Bar of Texas for the Law Practice Management Section of the State Bar of Texas. The date of the talk was June 22, 2018, and the location was Houston, Texas.
Something is Phishy: Cyber Scams and How to Avoid Them
1. Reginald A. Hirsch
Law Offices of Reginald A. Hirsch
Shawn E. Tuma
Scheef & Stone, LLP
Something is Phishy
Cybersecurity Scams & How to Avoid Them
2. “A lawyer should preserve the confidences and secrets of a client.”
•Ethics Opinion 384 (Sept. 1975)
•Canon No. 4, Code of Professional
Responsibility
•Disciplinary Rule (DR) 4-101 (A) and (B)
The Ethics
3. Are most cybersecurity and privacy incidents:
•Sophisticated James Bond-like attacks?
or
•Simple things, like people doing dumb things?
The Question
4. Usually the real-world threats are not so sophisticated
• 63% of confirmed breaches involved weak, default, or stolen passwords
• Data is lost over 100x more often than it is stolen
• Phishing is the method used most to install malware
Easily Avoidable Incidents: 91% in 2015, 91% in 2016, 93% in 2017
5. 1. Analysis of overall business risk.
2. Policies and procedures focused on cybersecurity.
• Social engineering, passwords, security questions
3. Training of all workforce on policies and procedures, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature-based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch update management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services provider (MSSP).
17. Cyber risk insurance.
Common Cybersecurity Best Practices
Promoting Good Cyber Hygiene Act of 2017 (federal bill)
7. What is social engineering and phishing?
Social Engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail or direct contact to gain illegal access. Phishing, spear phishing, and CEO Fraud are all examples. (see KnowBe4)
Phishing is the process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters. (see KnowBe4)
Variants are spear phishing (highly targeted), vishing (voice), smishing (SMS).
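The "masquerading as a trustworthy entity" pattern above can be checked mechanically before a recipient clicks anything. The following is an added example, not code from the talk or from KnowBe4: it parses a constructed sample e-mail and flags four common phishing indicators, a look-alike sender domain (digit and "rn"/"vv" substitutions), a Reply-To header that routes replies to a different domain, a look-alike domain in a link, and link text that shows one site while the href points at another. The TRUSTED_DOMAINS allowlist, the sample message and the registrable-domain helper are assumptions made for the example.

```python
"""Phishing-indicator checks over a raw e-mail message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains the firm legitimately exchanges mail with.
TRUSTED_DOMAINS = {"examplelaw.com", "bank-example.com"}

# Constructed sample: a spear-phish with a look-alike sender, a foreign
# Reply-To, and a link whose visible text differs from its real target.
SAMPLE_EMAIL = """\
From: "Bank Example Support" <alerts@bank-examp1e.com>
Reply-To: support.desk@mail-relay-example.net
To: partner@examplelaw.com
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Please verify your account at
<a href="http://login.bank-examp1e.com/verify">https://www.bank-example.com/login</a>
within 24 hours.</p>
</body></html>
"""


def normalize_domain(domain: str) -> str:
    """Fold common look-alike substitutions: 'bank-examp1e.com' -> 'bank-example.com'."""
    d = domain.lower().strip(".")
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "olse"))


def registrable(domain: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption for the example; real code
    should consult the Public Suffix List so 'example.co.uk' is handled."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def is_lookalike(domain: str) -> bool:
    """True when the domain is not trusted but normalizes to a trusted domain."""
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return False
    return normalize_domain(reg) in {normalize_domain(t) for t in TRUSTED_DOMAINS}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: str) -> list:
    """Return human-readable indicators found in a single-part HTML message."""
    msg = message_from_string(raw)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2]
    if is_lookalike(from_domain):
        findings.append(f"look-alike sender domain: {from_domain}")
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and registrable(reply_addr.rpartition("@")[2]) != registrable(from_domain):
        findings.append(f"Reply-To goes to a different domain: {reply_addr}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        href_domain = urlparse(href).netloc
        if is_lookalike(href_domain):
            findings.append(f"look-alike link domain: {href_domain}")
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown and registrable(shown.group(1)) != registrable(href_domain):
            findings.append(f"link text shows {shown.group(1)} but points to {href_domain}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("INDICATOR:", finding)
```

Run against the constructed sample, the script reports all four indicators; against a message whose From, Reply-To and links all resolve to allowlisted domains it reports none. These checks complement, rather than replace, the workforce training and simulated phishing the talk recommends: a look-alike domain that is not derived from an allowlisted one, or a plain-text message with no links, will pass them, and a mail gateway with DMARC enforcement remains the first line of defense.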
20. 1. Determine whether the incident justifies escalation.
2. Begin documentation of decisions and actions.
3. Begin mitigation of the compromise.
4. Engage experienced legal counsel to guide the process and determine privilege vs. disclosure tracks.
5. Activate the Incident Response Plan and notify and convene the Incident Response Team.
6. Notify the cyber insurance carrier.
7. Notify affected business partners per contractual obligations.
8. Engage forensics to mitigate continued harm, gather evidence, and investigate.
9. Assess the scope and nature of the data compromised.
10. Ransomware? Do you pay?
11. Preliminarily determine legal obligations based on the type of data and the jurisdictions involved.
12. Determine whether to notify law enforcement.
13. Begin preparing the public relations message.
14. Engage a notification / credit services vendor.
15. Resolve whether data has been “breached” or the event is a non-reportable incident.
16. Determine when the notification “clock” started.
17. Remediate and protect against future breaches.
18. Assemble contact information for notifications.
19. Prepare and send notification letters, frequently asked questions, call centers, and the PR message.
20. Administrative reporting (AGs, HHS, FTC, SEC).
21. Implement a Cyber Risk Management Program.
Responding to a Cyber Incident