CYBERSECURITY COMPLIANCE FOR ATTORNEYS
STEVEN M. BUCHER
CYBERSECURITY READINESS
▸ Data and information systems under your control
▸ Likely threats and vulnerabilities
▸ Legal landscape
▸ Information security standards for the legal profession
▸ Event response and loss mitigation

WHAT IS INFORMATION SECURITY AND WHY IS IT IMPORTANT?
▸ What is Information Security?
  • Data
  • Information systems
  • Internet privacy
▸ Why is it Important?
  • High risk: intentional attacks, unintentional disclosures, non-technical disasters, etc.
  • Lawyers are target-rich information pools
  • Cyber events can cause considerable loss

WHAT'S AT STAKE?
▸ Loss of data
▸ Hardware, software, and network integrity
▸ Business interruption
▸ Loss of future business
▸ Harm to reputation
▸ Legal exposure

LEGAL LANDSCAPE
▸ Federal laws
▸ State laws
▸ Industry standards
▸ International laws
▸ Guidance on best practices

LEGAL PROFESSION AND INFORMATION SECURITY
▸ Rules of Professional Responsibility: ABA versus Louisiana
▸ ABA Formal Opinion 477R
▸ Competence, Rule 1.1
▸ Confidentiality, Rule 1.6
▸ Communication, Rule 1.4
▸ Supervisory duties, Rules 5.1-5.3

SECURING CLIENT INFORMATION AND WORK PRODUCT
▸ Keep abreast of the changes, laws, benefits, and risks of technology
▸ Make reasonable efforts to avoid unauthorized access to or disclosure of client information
  • "Reasonable efforts" are generally sufficient
  • "Special security precautions" are necessary in some circumstances
▸ Address information security with clients and third parties
▸ Implement periodic employee training

INSTITUTIONAL CONSIDERATIONS
▸ Security by design: stick to the basics
▸ Know what you have, where you have it, what laws apply to it, and when and how it should be disposed of
▸ Make reasonable efforts to impose preventive measures
▸ Business continuity and breach response
▸ Vendor management
▸ Cybersecurity insurance
▸ Revise internal policy annually or as circumstances change

TAKEAWAYS
▸ Every company has a responsibility to manage its cyber risk
▸ Keep informed about the technology you use in your practice and whether it is consistent with your professional obligations
▸ Assess what you have, where it is located, and who has access to it
▸ Assess your vulnerabilities and prepare a WISP (written information security program)
▸ Have an incident response plan
▸ Train your employees
▸ Manage your vendors
▸ Continually evaluate and update your security policies
- Slides: 9