CYBERSECURITY: ETHICALLY PROTECTING YOUR CONFIDENTIAL DATA IN A BREACH-A-DAY WORLD

Presented by the American Bar Association Law Practice Division, Section of State and Local Government Law, Young Lawyers Division, Division for Public Services and Center for Professional Development

American Bar Association
Center for Professional Development
321 North Clark Street, Suite 1900
Chicago, IL 60654-7598
www.americanbar.org
800.285.2221

The materials contained herein represent the opinions of the authors and editors and should not be construed to be the action of the American Bar Association Law Practice Division, Section of State and Local Government Law, Young Lawyers Division, Division for Public Services or Center for Professional Development unless adopted pursuant to the bylaws of the Association.

Nothing contained in this book is to be considered as the rendering of legal advice for specific cases, and readers are responsible for obtaining such advice from their own legal counsel. This book and any forms and agreements herein are intended for educational and informational purposes only.

© 2016 American Bar Association. All rights reserved.

This publication accompanies the audio program entitled "Cybersecurity: Ethically Protecting Your Confidential Data in a Breach-A-Day World" broadcast on April 27, 2016 (event code: CE1604LPI).

TABLE OF CONTENTS

1. Presentation Slides
2. Cybersecurity: Ethically Protecting Your Confidential Data in a Breach-A-Day World
   Ivan Hemmans and David G. Ries


Cybersecurity: Ethically Protecting Your Confidential Data in a Breach-A-Day World
Wednesday, April 27, 2016, 1:00 PM Eastern
Sponsored by the ABA Law Practice Division, Section of State and Local Government Law, Young Lawyers Division, Division for Public Services and the ABA Center for Professional Development
www.abacle.org

Ivan Hemmans, O'Melveny & Myers LLP, Los Angeles, [email protected]
David G. Ries, Clark Hill PLC, Pittsburgh, [email protected]

1. Current Threats

"I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again."
FBI Director Robert Mueller, RSA Cybersecurity Conference, March 2012

Threat Actors
  Cybercriminals
  Hackers
  Hacktivists
  Government surveillance
  State sponsored / condoned espionage
  Insiders (disgruntled / dishonest / bored / untrained)

Attack Vectors
  Direct attack
  Watering hole attack
  DNS compromise
  Phishing / social engineering
  Malware / crimeware / ransomware
  Misuse of admin tools
  Infected devices
  Denial of service
  Supply chain attack
  Physical theft / loss

What They're After
  Money
  Personally identifiable information
  Intellectual property
  Trade secrets
  Information on litigation & transactions
  National security data
  Deny / disrupt service
"... because that's where the money is."

What They're After
"Ask hackers why they attack law firms, and their reply - to riff on bank robber Willie Sutton's famous quip - would no doubt be: 'Because that's where the secrets are.'"
infoRisk Today (April 7, 2016)

Law Firms are Targets!

FBI Warnings
  Alerts to law firms: Nov 2009, Jan 2010
  Briefing in NYC for the 200 largest firms: Nov 2011
  LegalTech New York keynote: Jan 2013
  "We have hundreds of law firms that we have seen increasingly being targeted by hackers."

FBI Warnings
  Criminal seeks hacker to break into international law firms

"A Russian cyber criminal has targeted nearly 50 elite law firms, including four in Chicago, to collect confidential client information for financial gain."

"Hackers broke into the computer networks at some of the country's most prestigious law firms, and federal investigators are exploring whether they stole confidential information for the purpose of insider trading."

CEO e-mail schemes
  Oct 2013 through Feb 2016: 17,642 victims
  More than $2.3 billion in losses

W-2 phishing schemes
  Proskauer Rose
  Snapchat
  Seagate

Ransomware
  How do you get it?
  What does it do?
  How do you get your data back?
  How do you engineer backups that are impervious to ransomware?

2. Attorneys' Duty to Safeguard

Duty to Safeguard
  Ethics Rules
  Common Law
  Contracts
  Laws & Regulations

Duty to Safeguard
  Rule 1.1 Competence
  Rule 1.6 Confidentiality
  Rule 1.4 Communication
  Rules 5.1, 5.2, 5.3 Supervision

Aug. 2012 Amendments
Model Rule 1.1 Competence
Amendment to Comment [8], Maintaining Competence:
"... a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology ..."
Adopted by 20 states as of Mar. 2016

Aug. 2012 Amendments
Model Rule 1.6 Confidentiality of Information
Addition to the rule:
"(c) A lawyer shall make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client."
Comments [18] and [19]

Risk-Based Approach
Aug. 2012 addition to Comment [18], "reasonable efforts":
  the sensitivity of the information
  the likelihood of disclosure if additional safeguards are not employed
  safeguards:
    – cost
    – difficulty of implementing
    – extent to which they adversely affect the lawyer's ability to represent clients

ABA Cybersecurity Resolution, Aug. 2014
RESOLVED, That the American Bar Association encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.

Unencrypted Email: "A Postcard"
  Bruce Schneier (1995, 2000) ("postcard")
  Larry Rogers (2001) ("postcard written in pencil")
  Google Official Blog (June 3, 2014) ("postcard")
  New York Times (July 16, 2014) ("postcard")
A Reasonable Expectation of Privacy?

Encryption: E-Mail
  New Jersey Opinion 701 (2006)
  California Formal Opinion No. 2010-179
  Pennsylvania Formal Opinion 2011-200
  Texas Opinion No. 648 (Apr 2015)

Encryption: mobile and portable devices
"Considering the high frequency of lost assets, encryption is as close to a no-brainer solution as it gets for this incident pattern. Sure, the asset is still missing, but at least it will save a lot of worry, embarrassment, and potential lawsuits by simply being able to say the information within it was protected."
Competent and Reasonable Efforts

3. Security Overview

Information Security
  People
  Process
  Policies & Procedures
  Technology
  SECURE

Information Security (diagram slide)

NIST Cybersecurity Framework (diagram slide)

The New Cybersecurity Mantra
  Old: Identify, Protect, Detect, Respond, Recover (the weight was on Protect)
  New: Identify, Protect, Detect, Respond, Recover (the weight moves to Detect and Respond)
  Gartner: by 2020, 60% of enterprises' information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2014.

Standards / Frameworks / Controls
  NIST Cybersecurity Framework
  ISO 27000 series standards: Information Security Management Systems
  NIST Special Publication 800-53, Rev 4
  numerous additional standards
  ILTA LegalSEC
  Center for Internet Security, CIS Controls for Effective Cyber Defense Version 6.0

Standards and Frameworks
Small Firms:
  – NIST's Small Business Information Security: The Fundamentals, Draft NISTIR 7621
  – U.S.-CERT: resources for SMBs

Incident response plan
  Don't just rely on templates!
  Titles of those responsible for plan functions
  Contact info
    – digital forensics consultant
    – FBI regional office
    – data breach lawyer
    – insurance carrier (attach policy)
  Notice obligations / data breach notification law(s)

4. Practical Security Steps

What's Wrong with Passwords?
Mat Honan, Wired (November 2012)

Access Control
  Authentication: establishes the identity of the user (or device)
  Authorization: determines what the identified user (or device) can access or do

What's Wrong with Passwords?
Strong passwords are long and complex, but that makes them difficult to remember and use.
  QX&m3p09?M62kT

Authentication factors
  Factor        Only the user:
  Knowledge     Knows
  Possession    Has
  Inherence     Is
  Access Granted

Only user knows
  Passwords
  Passphrases
  PINs
  Swipe pattern
  Challenge Q & A

Strong Passwords / Passphrases
Current recommendations for strong passwords or passphrases:
  – Minimum length of 14 characters (8, 10, 12 still commonly used)
  – Contain lower and upper case letters
  – Include number(s)
  – Include symbol(s)
  – Avoid dictionary words
Stronger: break dictionary words with random letters, numbers, or symbols.

Passphrases
  WIw7,mstmsritt.   When I was seven, my sister threw my stuffed rabbit in the toilet.
  Wow, doestcst.    Wow, does that couch smell terrible.
  (Bruce Schneier)

Only user has
  Hardware tokens
  Software tokens
  Security code transmitted to smartphone
  Smart cards
  USB keys

Some examples
  RSA SecurID
  SecureAuth
  Office 365
  Google
  Dropbox
  Yubico
  Duo Security
  Windows 10

Hardware token
  Code changes every minute.
  Token is synchronized with the authentication server during original set-up.
  After that, no wireless or cell data connectivity of the token is needed.

Transmitted security code
  1. User logs on to network, website, or service on computer.
  2. Code is sent to phone from network, website, or service (email, text, app).
  3. User enters code from phone on computer.
  Wireless or cell data connectivity is needed for most implementations.

Google
  Google Verification Code: codes sent by text to phones.

Only user is
  Biometrics:
    – fingerprint
    – palm print
    – eye (retina, iris)
    – face
  Consumer v. Enterprise / Govt.

Authorization
  Segmentation
  Least privilege: does a secretary need access to financial records?
  Access control is usually inadequate
  Access control frequently goes unreviewed; it must be reviewed regularly
  Who monitors the person who sets the access?
  Is everything logged?
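The four questions on the Authorization slide (least privilege, regular review, who sets the access, is it logged) can be turned into a mechanical check over the firm's entitlement records. The example below is added here and is not code from the deck; the role-to-resource policy and the five grants are constructed for illustration, and a real review would read them from the directory or the document management system instead.

```python
"""Entitlement review for the Authorization slide: least privilege, regular review,
and who granted the access. Added example on constructed data."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Grant:
    user: str
    role: str
    resource: str
    granted_by: Optional[str]  # None = no record of who granted it
    last_reviewed: date


# Hypothetical role-to-resource policy for a small firm (assumption for this example).
ROLE_POLICY: Dict[str, Set[str]] = {
    "attorney":  {"matter-files", "email", "docket"},
    "paralegal": {"matter-files", "email", "docket"},
    "secretary": {"email", "docket"},
    "finance":   {"email", "billing", "financial-records"},
    "it-admin":  {"email", "directory"},
}

# Constructed sample: what an export of "who can reach what" might look like.
SAMPLE_GRANTS: List[Grant] = [
    Grant("jsmith", "secretary", "financial-records", "admin1", date(2015, 11, 2)),
    Grant("mlee",   "attorney",  "matter-files",      "admin1", date(2016, 4, 1)),
    Grant("admin1", "it-admin",  "financial-records", "admin1", date(2016, 3, 15)),
    Grant("rkim",   "finance",   "billing",           "admin1", date(2016, 4, 20)),
    Grant("tpark",  "paralegal", "docket",            None,     date(2016, 4, 20)),
]

Finding = Tuple[str, str, str]  # (user, resource, reason)


def review(grants: List[Grant], today: date, max_review_age_days: int = 90) -> List[Finding]:
    """Flag grants that violate least privilege, were self-granted, have no record of
    who granted them, or have not been reviewed within max_review_age_days."""
    findings: List[Finding] = []
    for g in grants:
        if g.resource not in ROLE_POLICY.get(g.role, set()):
            findings.append((g.user, g.resource, "outside role"))
        if g.granted_by is None:
            findings.append((g.user, g.resource, "no record of grantor"))
        elif g.granted_by == g.user:
            findings.append((g.user, g.resource, "self-granted"))
        age = (today - g.last_reviewed).days
        if age > max_review_age_days:
            findings.append((g.user, g.resource, f"stale review ({age} days)"))
    return findings


def findings_by_user(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings per user so each manager gets one list to sign off on."""
    out: Dict[str, List[str]] = {}
    for user, resource, reason in findings:
        out.setdefault(user, []).append(f"{resource}: {reason}")
    return out


if __name__ == "__main__":
    for user, items in findings_by_user(review(SAMPLE_GRANTS, date(2016, 4, 27))).items():
        print(user)
        for item in items:
            print("  -", item)
```

Run against the sample as of the webinar date, the review flags the secretary with access to financial records (least privilege), the administrator who granted that same access to himself (nobody monitors the person who sets the access), a grant with no record of who approved it (not logged), and one entitlement that nobody has looked at in six months. The two grants that match policy and were reviewed recently produce nothing, which is the point: the output is the list a partner has to act on, not a dump of every permission.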

Encryption

Encryption
  An electronic process to protect data
  Transforms readable data into unreadable data
  Requires a key to make the data readable again

Protect
  Data at Rest
    – Servers, Desktops, Laptops, Tablets, Portable Media, Smartphones, etc.
  Data in Motion
    – Wired Networks, Wireless Networks, Internet, Cell Networks, etc.

Encryption
  Whole Disk
  Defined Volume
  Portable Devices
  Hardware
    – Biometrics
    – TPM
  Enterprise Admin
    – "Back Door" (administrative key recovery)

Encryption options
  Windows BitLocker
  Mac FileVault
  Symantec Encryption (PGP)
  Kaspersky Endpoint Security
  Dell Data Protection
  McAfee Complete
  Check Point Full Disk
  DriveCrypt Plus
  Sophos SafeGuard
  WinMagic

Encrypted e-mail
  ZixCorp
  Sophos
  Mimecast
  Proofpoint
  HP SecureMail
  EdgeWave
  Trend Micro

Encrypting a document
  Password protect it: the OPEN password
  MS Office, PDF and WinZip: Encrypt with password
  Limited protection!

Do not send passwords in an e-mail!
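Why is a password-protected document "limited protection", and why do the passphrase rules from the earlier slides (14+ characters, mixed case, numbers, symbols, no dictionary words) matter here? Once an attacker has the file, the open password is the only secret, and it can be guessed offline, at whatever speed the attacker's hardware allows, with no lockout. The example below is added here and is not code from the deck or from any of the products named; it checks a candidate against the slide's checklist, then builds a password-based verifier of the general kind such formats use (salted PBKDF2; the iteration count and the tiny word list are assumptions for illustration and not any product's real parameters) and runs a small dictionary attack against it.

```python
"""Passphrase policy from the slides, plus an offline guessing attack on a
password-based verifier, to show why an "open password" on a document only
protects as much as the password itself. Added example; standard library only."""
import hashlib
import hmac
import os
import re
import string
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

MIN_LENGTH = 14

# Constructed mini word list standing in for a cracking dictionary.
WORDLIST = ["password", "welcome", "summer", "letmein", "lawfirm", "chicago", "monkey", "dragon"]


def policy_failures(candidate: str) -> List[str]:
    """Apply the slide's checklist; an empty list means the candidate passes."""
    failures: List[str] = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", candidate) or not re.search(r"[A-Z]", candidate):
        failures.append("needs both lower and upper case")
    if not re.search(r"\d", candidate):
        failures.append("needs a number")
    if not any(c in string.punctuation for c in candidate):
        failures.append("needs a symbol")
    lowered = candidate.lower()
    for word in WORDLIST:
        if word in lowered:
            failures.append(f"contains dictionary word '{word}'")
    return failures


def make_verifier(password: str, iterations: int = 1000) -> Dict[str, object]:
    """What a document stores instead of the password: a salt and a PBKDF2-derived
    key. (Real formats differ in details and iteration counts; this is a stand-in.)"""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "key": key}


def check_password(verifier: Dict[str, object], guess: str) -> bool:
    """The document's own open-password check, run by attacker or owner alike."""
    key = hashlib.pbkdf2_hmac("sha256", guess.encode(), verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(key, verifier["key"])


def mangle(word: str) -> Iterator[str]:
    """Habits a cracker tries first: capitalisation, common suffixes, l33t substitutions."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "2016", "!", "1!"):
        yield word + suffix
        yield word.capitalize() + suffix
    yield word.replace("a", "@").replace("o", "0").replace("e", "3")


def offline_attack(verifier: Dict[str, object], wordlist: Iterable[str] = WORDLIST) -> Tuple[Optional[str], int]:
    """Guess until the verifier accepts. Returns (password or None, guesses made).
    Nothing stops the attacker: no lockout, no rate limit, no log entry."""
    guesses = 0
    for word in wordlist:
        for guess in mangle(word):
            guesses += 1
            if check_password(verifier, guess):
                return guess, guesses
    return None, guesses


if __name__ == "__main__":
    for pw in ("Summer1!", "QX&m3p09?M62kT", "WIw7,mstmsritt."):
        print(pw, "->", policy_failures(pw) or "passes policy")
        found, n = offline_attack(make_verifier(pw))
        print("   offline attack:", f"recovered after {n} guesses" if found else f"not found in {n} guesses")
```

The dictionary-derived password is recovered in a few dozen guesses; the slide's random string and Schneier-style passphrase survive the whole list. Scale the word list to millions of entries and the guess rate to what a GPU manages and the conclusion is the same as the slide's: the document is only as protected as the password, which is also why the password must not travel in the same e-mail as the file.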

Smartphones
  1. PIN / passphrase
  2. Encrypt
  3. Auto logoff after x mins
  4. Lock / wipe after x attempts
  5. Enable remote locate / wipe
  6. Management tools

Encryption: bottom line
Encryption is increasingly required in areas like banking and health care and by new state data protection laws.
As these requirements continue to increase, it will become more and more difficult for attorneys to justify avoidance of encryption.
It has now reached the point where all attorneys should generally understand encryption, have it available for use when appropriate, and make informed decisions about when encryption should be used and when it is acceptable to avoid it.

Cloud Computing Ethics
  Encryption
  Master decrypt key
  Terms of Service
  Data Location
  Exit Strategy
  "Zero knowledge"

Secure remote access
  VPN
  Terminal Server
  Citrix
  iTwin
  Remote Control
    – LogMeIn
    – LogMeIn Ignition
    – GoToMyPC
  Multifactor authentication

Wireless Networks
  Default values: change the defaults!
  Drive-by
  Used by spammers
  Used by neighbors to ride your access, download porn, etc.

Wireless
  WiFi
    – Hotspots
    – WEP
    – WPA
    – WPA2
  MiFi
    – Tethering
  How do you connect safely? VPN, or use a hotspot on your phone

Public Wi-Fi

Questions?
All attendees can submit questions via the chat feature on the webinar


April 27, 2016
Ivan Hemmans, O'Melveny & Myers LLP, Los Angeles, [email protected]
David G. Ries, Clark Hill PLC, Pittsburgh, [email protected]

SAFEGUARDING CONFIDENTIAL INFORMATION
Attorneys' Ethical and Legal Obligations

David G. Ries
Clark Hill PLC
Pittsburgh, [email protected]
2016

Contents
1. The Threats
   A. Outside Attacks
   B. Lost and Stolen Devices
   C. Inside Threats
   D. Government Surveillance
   E. Summary of Threats
2. Duty to Safeguard
   A. Ethics Rules
   B. Ethics Opinions
   C. Ethics Rules – Electronic Communications
   D. Ethics Opinions – Electronic Communications
   E. Common Law Duties
   F. Laws and Regulations Covering Personal Information
   G. Summary of Duties
3. Information Security Basics
4. Reasonable Safeguards
   A. Security Frameworks and Standards
   B. Consensus Security Controls
   C. Laptops and Portable Devices
Conclusion
Additional Information

© David G. Ries 2016. All rights reserved.

Introduction [1]

Confidential data in computers and information systems, including those used by attorneys and law firms, faces greater security threats today than ever before. And they continue to grow! They take a variety of forms, ranging from e-mail phishing scams and social engineering attacks to sophisticated technical exploits resulting in long term intrusions into law firm networks. They also include lost or stolen laptops, tablets, smartphones, and USB drives, as well as inside threats: malicious, untrained, inattentive, and even bored personnel.

These threats are a particular concern to attorneys because of their duty of confidentiality. Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients. They also often have contractual and regulatory duties to protect client information and other types of confidential information.

Effective information security requires an ongoing, comprehensive process that addresses people, policies and procedures, and technology, including training. It also requires an understanding that security is everyone's responsibility and constant security awareness by all users of technology.

1. The Threats

For years, technology attorneys and information security professionals warned lawyers that it was not a question of whether law firms would become victims of successful hacking attacks - it was a matter of when. They pointed to numerous law firm incidents of dishonest insiders and lost or stolen laptops and portable media, but there were not disclosed incidents of successful hacking attacks. It has now reached the "when" - over the last several years, there have been increasing reports in the popular, legal, and security media of successful attacks on attorneys and law firms. They have occurred and are occurring - and attorneys and law firms need to comprehensively address security.

Breaches are becoming so prevalent that there is a new mantra in cybersecurity today - it's "when not if" a law firm or other entity will suffer a breach. Robert Mueller, then the FBI Director, put it this way in an address at a major information security conference in 2012:

    I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.

[1] Parts of this paper are adapted from prior materials prepared by the author, including David G. Ries, "Safeguarding Confidential Data: Your Ethical and Legal Obligations," Law Practice (July/August 2010) and David G. Ries, "Cybersecurity for Attorneys: Understanding the Ethical Obligations," Law Practice TODAY (March 2012). This paper is an overview. For more detailed information, see Sharon D. Nelson, David G. Ries and John W. Simek, Locked Down: Practical Information Security for Attorneys, Second Edition (American Bar Association 2016) and the other materials listed in the Additional Information section.

This observation is true for attorneys and law firms as well as companies.

A. Outside Attacks

Law firms are considered by attackers to be "one stop shops" because they have high value information that is well organized, often with weaker security than clients. Hackers target money, personally identifiable information that can be converted to money, client business strategy, intellectual property and technology, and information about deals and litigation. Threat actors include cybercriminals, hackers, governments, hacktivists (with political agendas), and insiders.

As a recent article explained it: [2]

    Ask hackers why they attack law firms, and their reply - to riff on bank robber Willie Sutton's famous quip - would no doubt be: "Because that's where the secrets are."

A December 2009 FBI alert warned that law firms and public relations firms were being targeted with spear phishing e-mails [3] containing malicious payloads. [4] In January 2010, the FBI issued another alert, this time warning law firms about counterfeit check schemes that used e-mails to lure them into relationships with fraudulent overseas "clients." [5]

The news reports of law firm breaches started with a February, 2010, Wired Magazine article that reported on advanced persistent threats (APTs), a particularly nasty form of sophisticated and extended hacking attack. It discussed an example of a 2008 APT attack on a law firm that was representing a client in Chinese litigation: [6]

    The attackers were in the firm's network for a year before the firm learned from law enforcement that it had been hacked. By then, the intruders harvested thousands of e-mails and attachments from mail servers. They also had access to every other server, desktop workstation and laptop on the firm's network.

This attack was investigated by Mandiant, a leading information security firm that specializes in investigation of data breaches. [7] Mandiant discovered that the network had been

[2] Matthew J. Schwartz, "Cyberattacks: Why Law Firms Are Under Fire," infoRisk Today (April 7, 2016).
[3] "Spear phishing" is fraudulent e-mail that falsely appears to be from a trusted source and targets a specific organization or individual, seeking unauthorized access to confidential data, often log on credentials.
[4] FBI Release, "Spear Phishing E-mails Target U.S. Law Firms and Public Relations Firms" (November 17, 2009).
[5] FBI Release, "New Twist on Counterfeit Check Schemes Targeting U.S. Law Firms" (January 21, 2010).
[6] Kim Zetter, "Report Details Hacks Targeting Google, Others," Wired Magazine (February 3, 2010).
[7] See Mandiant's M-Trends 2010: The Advanced Persistent Threat, ...eat-report.html.

breached for more than a year before the law firm was tipped off to the breach by law enforcement. They could not determine the initial attack vector because the law firm did not have system logs available. The intruders at the law firm were able to obtain more than 30 sets of user credentials, compromise approximately three dozen workstations, and gain full access to all servers and computers on the network for an extended time.

A National Law Journal article in March, 2010, reported that Mandiant assisted over 50 law firms after security breaches. [8] A Mandiant forensics specialist stated in an interview that Mandiant spent approximately 10% of its time in 2010 investigating data breaches at law firms. [9]

The same month, an article in the San Francisco Chronicle, "Law Firms Are Lucrative Targets of Cyberscams," discussed recent attacks on attorneys, ranging from phishing scams to deep intrusions into law firm networks to steal lawsuit-related information. [10] It reported:

    Security experts said criminals gain access into law firms' networks using highly tailored schemes to trick attorneys into downloading customized malware into their computers. It is not uncommon for them to remain undetected for long periods of time and come and go as they please, they said.

In November, 2011, the FBI held a meeting for the 200 largest law firms in New York to advise them about the increasing number of attacks. Bloomberg News reported: [11]

    Over snacks in a large meeting room, the FBI issued a warning to the lawyers: Hackers see attorneys as a back door to the valuable data of their corporate clients.

    "We told them they need a diagram of their network; they need to know how computer logs are kept," Galligan [the head of the FBI cyber division in New York City] said of the meeting. "Some were really well prepared; others didn't know what we were talking about."

[8] Karen Sloan, "Firms Slow to Awaken to Cybersecurity Threat," The National Law Journal (March 8, 2010).
[9] Kelly Jackson, "Law Firms under Siege," Dark Reading (April 6, [year truncated in source]).
[10] Alejandro Martínez-Cabrera, "Law Firms Are Lucrative Targets of Cyberscams," San Francisco Chronicle (March 20, 2010).
[11] Michael A. Riley and Sophia Pearson, "China-Based Hackers Target Law Firms to Get Secret Deal Data," Bloomberg News (January 31, 2012).

Successful attacks on law firms have continued. Bloomberg News published "China-Based Hackers Target Law Firms to Get Secret Deal Data" in January, 2012. [12] It described a group of major hacking incidents in which attackers successfully targeted 7 Canadian law firms and 2 Canadian government agencies to get information about a transaction involving the sale of potash mines in Western Canada.

The SANS Institute, a highly regarded information security research, education, and certification organization, has published an interview with the managing partner and IT partner of a New York law firm that had been hacked. [13] The attorneys said that the FBI told the law firm that "our files had been found on a server in another country. The server was used as a way station for sending data to a large Asian country." It was "all our files."

Effective information security is now a requirement for attorneys. In June, 2012, the Wall Street Journal published "Client Secrets at Risk as Hackers Target Law Firms." [14] It started with:

    Think knowing how to draft a contract, file a motion on time and keep your mouth shut fulfills your lawyerly obligations of competence and confidentiality?

    Not these days. Cyberattacks against law firms are on the rise, and that means attorneys who want to protect their clients' secrets are having to reboot their skills for the digital age.

Security threats to law firms continue to grow. In February, 2013, an FBI agent gave a keynote presentation on law firm security threats at LegalTech New York. In an article reporting on it, the special agent in charge of the FBI's cyber operations in New York City is quoted as stating: [15]

    "We have hundreds of law firms that we see increasingly being targeted by hackers. We all understand that the cyberthreat is our next great challenge. Cyber intrusions are all over the place, they're dangerous, and they're much more sophisticated" than they were just a few years ago.

In August, 2013, ILTA (the International Legal Technology Association) presented "The FBI and Experts Present Security Updates and Strategies for Firms of All Sizes" at its Annual

[12] Id.
[13] SANS Institute, "Conversations about Cybersecurity" (link truncated in source).
[14] Jennifer Smith, "Client Secrets at Risk as Hackers Target Law Firms," Wall Street Journal Law Blog (June 25, 2012).
[15] Evan Koblenz, "LegalTech Day Three: FBI Security Expert Urges Law Firm Caution," Law Technology News (February 1, 2013).

Education Conference. An FBI speaker called the cyberattacks "a paradigm shift" and noted that attackers are "already in the system." Another speaker observed that several practice areas appear to be most vulnerable to attack, including oil and gas, technology, and technology patents. [16]

Shane McGee, the general counsel and vice president of legal affairs at Mandiant Corp., explained the sophistication of attacks on law firms in a September, 2013 ABA Journal article: [17]

    Law firms need to understand that they're being targeted by the best, most advanced attackers out there ... These attackers will use every resource at their disposal to compromise law firms because they can, if successful, steal the intellectual property and corporate secrets of not just a single company but of the hundreds or thousands of companies that the targeted law firm represents. Law firms are, in that sense, 'one-stop shops' for attackers.

At a security conference in October, 2014, Mandiant reported on a law firm data breach that it investigated. The attackers used the law firm's e-mail system as a platform to infiltrate biotechnology and pharmaceutical clients. The attackers first sent phishing e-mails to the law firm and used information stolen through them to take control of the e-mail system. They then sent e-mails with malicious attachments from the law firm e-mail system to individuals at clients who had received law firm e-mails with attachments in the past. When some of the client personnel opened the attachments, malware designed to steal information was installed on the clients' systems. [18]

In May of 2014, five Chinese military officers were indicted in federal court in Pittsburgh, charged with hacking attacks on energy companies, suppliers to them, and a labor union. [19] While the indictment does not include any charges for hacking a law firm, it does include targeting confidential attorney-client communications. While the hacking in the indictment was taking place, a law firm representing one of the energy companies was also hacked. The firm represented the solar energy company in an antidumping matter against China. [20]

[16] Monica Bay, "Bring in the FBI: Your Paranoia is Justified," Law Technology News (August 26, 2013).
[17] Joe Dysart, "New hacker technology threatens lawyers' mobile devices," ABA Journal Law News Now (September 1, 2013).
[18] BSides DC 2014, "Opening Acts: How Attackers Get Their Big Breaks" (video; link truncated in source).
[19] U.S. Department of Justice Press Release, May 19, 2014 (link truncated in source).
[20] Michael Riley and Dune Lawrence, "Hackers Linked to China's Army Seen from EU to D.C.," Bloomberg Business (July 26, 2012).

Although reports of law firm data breaches have been limited, breaches have been widespread. A March, 2015 article reports that "Cybersecurity firm Mandiant says at least 80 of the 100 biggest firms in the country, by revenue, have been hacked since 2011." [21] Mandiant has reported that 7% of the intrusions that it investigated in 2014 were in the legal services industry. [22]

Law firm breaches continue to be in the headlines in early 2016. On March 4, 2016, the FBI issued a Private Industry Alert directed to the legal profession about hacking for insider trading. Its summary states:

    A financially motivated cyber crime insider trading scheme targets international law firm information used to facilitate business ventures. The scheme involves a hacker compromising the law firm's computer networks and monitoring them for material, non-public information (MNPI). This information, gained prior to a public announcement, is then used by a criminal with international stock market expertise to strategically place bids and generate a monetary profit.

A few weeks later, Crain's Chicago Business reported that the scheme targeted nearly 50 elite law firms, inclu
