Robert Brownstone - Greetings from the San Francisco Bay area. This is Robert Brownstone with today's webinar on Cybersecurity When Working From Home, otherwise known as WFH or working remotely.
We are going to cover a wide range of topics. You can see them here on slide two; I'm not gonna read this list to you. It's a very ambitious agenda, but I'm confident we can get through this in the 60 minutes.
First, a couple of housekeeping issues. If you have not attended one of my presentations before, please note that I use the slide deck for two purposes. One is for presentation of the material on the day of the show, or if you're looking at it after the fact, and the other is as a research tool. So anything you see that is colored and underlined is a live hyperlink to other resources. So you'll be able to drill down on one or many resources, articles, websites, et cetera, on any or all of the topics that you find of interest in this talk.
So let's start by talking about the current landscape, which many of us are of course familiar with, if not all of us. Things accelerated in terms of remote work and working from home because of the pandemic. The articles on this page are designed to give you some background on trends that you may not be aware of, and the kinds of ways that organizations, including the federal government, are coming up with processes and trainings and other measures to try to address what we're losing in terms of interpersonal contact, especially for young people, young adults and college students, et cetera. Anyone who is doing any kind of work remotely without the personal contact, or without the degree of personal contact, that would be ideal is definitely having a harder time, in my experience anecdotally and in what I keep abreast of in my readings.
In addition, these current conditions have had a great impact on law practice. These are articles linked off of slide four. They talk about some of the issues that have come up in the legal world, which I believe some or all of you attendees are in. One issue is that the law firms and legal departments that have been less agile and less quick to adjust to the new reality of people expecting to be able to work remotely are perhaps losing people in the job market to law firms and companies that are more modernized, or were better positioned in terms of technology and experience when the pandemic hit two years ago. And then we've got all kinds of issues dealing with lawsuits and the like. The fact that some trials are being conducted remotely, AKA virtually, has resulted in a number of incidents of folks who are supposed to be paying attention as jurors vaping, eating, even sleeping. If you wanna learn more about that, you can read that article by Ms. Morris.
Another interesting topic that we'll touch on in section three below more broadly is: what about remote depositions? Is there some kind of implied consent to people recording the deposition? They could be recording it in Zoom or whatever platform the call, so to speak, the video call, is taking place on. This ALM article makes a number of interesting points. It focuses a bit on New York law and New York civil practice, but also on various different rules around the country about recording people in calls in general.
One of the points it makes, which is a really good one, is basically that we're all carrying around recorders with us all the time. Our smartphones could be used. Someone could be recording in that way any and everything that's going on on screen and from the audio, whether or not the Zoom or other video call platform has been set to record what's going on. The other point it makes, that we will most certainly come back to in section three, is the overall notion that some states, it is a minority, but some states across the country have rules such as the following: you have to have the consent of everyone before you record any sort of call, before you make any kind of audio recording. That's true of California, which is one of the states where I've practiced for decades. The other one is New York. And the issue there is, well, what if some people are in a strict state like California, or even one person is on the call? What if the deposition is being taken by or of someone in a strict state? So in general, I've advised a lot of clients. I'm both a lawyer and a technologist. I've advised a lot of clients over the last 20 years, whether they are legal departments or standalone corporations per se, doing process improvement on how to record calls or whether to record calls.
And typically, I think you're probably familiar with what happens when you call your brokerage house or your bank or an insurance company and you get the outgoing message before you get through to a person, if you get through to a person, of course, ha ha. You get the message that calls are being recorded to improve customer service. The reason for that is, of course, to give people a chance to opt out of leaving a voicemail. Because if you leave a voicemail, you really have no expectation of privacy, but if you move forward with a call knowing that it's recorded, that's a big difference. Usually, in a lot of areas where I advise clients on process and on compliance, and there are laws in all the different states, I always advise clients to follow the strictest rules. So it's always safer, in any kind of setting where you plan to record a session, whether it's a deposition or some other meeting or training or discussion, to make sure everyone knows and has a chance to opt out at a minimum. However you do that, whether you do that with a prompt or you do it orally, or both, is up to the individual situation.
There's a video we've probably all seen, and if you haven't, it is quite entertaining. The cat filter that was applied by a secretary or an assistant, as the case may be, on the computer of a lawyer, and the lawyer did a court proceeding and he looked like a cat. And when he was moving his mouth, it was an animated cat moving its mouth, and the lawyer assured the judge that he was not in fact a cat, but that he was ready to move forward. You gotta love we lawyers who plow ahead sometimes, no matter what. But in any event, there have been all kinds of things that have happened online, and we will be circling back to those.
Some of the cautionary tales, let's call them. I call that the educational or perhaps the sadistic portion of the show, but we will get back to this issue of recording in section three. I wanted to point out some of the issues that have already been arising in law practice in our new world. So again, before we move into the substantive sections: I have been a lawyer for over three decades on both coasts, New York and California. I'm still admitted in both. And for the last 20 years, I have also been a techie. So everything I do relates to electronic information. I was at a major Silicon Valley law firm for 20 years. And starting a couple of years ago, I went out on my own, and I have my own law practice, my own tech consulting company aimed at legal departments in corporations and at law firms, and my own public speaking company. I'm thrilled to be doing this presentation for Quimbee today, and I hope you get a lot out of it. Everything I do and have done for the past 22 years relates to electronic information. So I like talking about all this stuff, and hopefully informing you of things that you know but maybe don't know in a drill-down way, and of course issues that you may not be aware of, and what the current law and practices are.
So with all that said, let's look at section one, the big picture of cybersecurity. For those who like numbers, the Identity Theft Resource Center does a great job, as do some other sites, of keeping track of the reported data breaches throughout the US. The 2021 totals were pretty staggering. The overall number was up quite a bit since 2020; it was a new record, and it passed the previous all-time high by quite a bit as well. Whenever I start talking about the possibility of compromised data, to the point where it's an actual breach, where data has been seen that shouldn't have been, or where information has not only been seen but has been exfiltrated, which is a fancy IT way of saying copied and pulled out of a system and then used somewhere else by someone who was not supposed to see it, I always like to talk about who could be affected by a leak or a breach. And of course, there are entities that are friendly to your firm or company or to your client, but also adverse entities. Why do I say that? Because in the way modern legal practice works, and frankly the way any entity operates, whether it's a legal department or a law firm or something else, we all have a lot of information on other entities, be they friend or foe. Whether they are a joint venture, they are co-counsel, they are a friendly company with whom a deal is potentially pending, or an adverse entity, someone more adverse where there's a fierce contract negotiation going on, or there's a corporate merger and acquisition, a deal in M&A, a lot of the work, as some of you I'm sure know, is due diligence. So you get tons of information on your side on a target, if you are the potential acquirer or the counsel for the potential acquirer. So that's why I say that we've got both friendly entities and adverse entities, and we could have information on all of them that could be proprietary.
It also could be on individuals. It could impact individuals' privacy. So there are customers, users, clients of a given entity, your entity let's say, or your client. And then there are employees and ex-employees of that client or customer or friendly entity, as I've called it. Then we've got the same for the other entities, be they adverse or not. We've got their users, we've got their employees or ex-employees. So there's a whole host of individuals whose information is also all over the place and shared and is subject to potential leakage, or to actually being compromised in an unauthorized way. Talking about situations where there are laws across all 50 states: consent to recording is by no means the only area. Over a period from approximately 2002 until 2018, one by one, the various 50 states, plus four other US jurisdictions, DC, Guam, Puerto Rico and the Virgin Islands, each adopted their own identity theft set of statutes, which for the most part said some of the same things. They said, if data's not encrypted and it relates to individuals' privacy in terms of their financial accounts, and some states also cover medical information, and it gives the thief, the bad actor, the ability to access that private information, then the party that had that information, that essentially owned it or had it shared with it, must give notice of breach to everyone who's been affected. So that is a huge issue. It can result in statutory penalties for each person affected. It can result now in California, under the CCPA, in class actions, but it's also a huge hit in the court of public opinion. I've done a lot of data breach response. I do hold presentations and client simulations on what to do in the throes of a data breach.
But these 50 state laws are an attempt to protect against identity theft; they don't really have affirmative requirements to encrypt or to take any other protective measures as to individuals' privacy.
I think of these notice of breach laws across the country, again, they're all a little different, but they have some common denominators, as a get-outta-notice-free card. Now in my experience, pretty much every client, if there's any doubt about whether the situation fits within the elements of the given breach statute, tends to want to be the one to give notice. But one of the other penalties is that if you have had more than X number of individuals affected, for example in California, if it's 500 California residents, you have to notify the state attorney general. And you, or your client, have to go through what went wrong, essentially. You have to say, how did this happen? How was this data compromised? In essence, you're laying out deficiencies in the security, because reasonable security measures must not have been used, or else there would not have been a hack, there would not have been a breach subject to notification. Encryption tends to not be required. One or two states in certain situations require encryption. But again, it's kind of a get-outta-notice-free card, like the get-out-of-jail-free card in an old Monopoly game. If the data's encrypted and the encryption key, meaning the lengthy alphanumeric password, has not been stolen as well, then you don't have to give notice. So that's pretty much all that those laws do. But now in the last couple of years, we've seen a rash of many states, led by California, enacting or trying to enact more substantive privacy laws, not just, hey, you have to tell people if the data wasn't encrypted and it's hacked.
The CCPA, the California Consumer Privacy Act out here in California, took effect at the beginning of 2020. It is discussed in detail in a slide deck from a couple of years ago, by someone I co-presented a webinar with. Regulations took shape over time and were promulgated about six months after the effective date. They lead to the California attorney general being able to enforce the provisions of the CCPA. As I've already mentioned, class actions are now possible. So it's a much more beefed-up set of substantive privacy rules than has ever been seen in the US. It's much like the EU General Data Protection Regulation, or GDPR, that came in 2018. There were some add-ons passed. The CPRA was passed by the voters out here in California on November 3rd. It takes effect in full in about a year from now, January 1st, 2023. I've linked you to an article that lists some highlights. And the bottom line here is it's not just California. Washington state, Virginia, Colorado, et cetera, have jumped into the fray and have passed laws and/or are amending those laws and/or are coming up with new laws on the privacy front. And many of them are like the CCPA, more or less; some more so, some less so. And in addition, there are some cybersecurity requirements in them.
What's the difference between privacy and cybersecurity? I haven't hit that completely directly so far, but cybersecurity is a set of measures that, in terms of anything that's internet connected, is protecting data in any of the ways we'll be talking about throughout the rest of the show. It could be protecting any kind of information: intellectual property, proprietary customer lists that name entities and not individuals. And then privacy is a subset of data security. Privacy, and the laws relating to privacy, relate to individuals' information that, if compromised, could lead to theft of funds, identity theft, medical or health insurance fraud, et cetera, et cetera. There are many other statutes pending that cover privacy and/or cybersecurity. When I say statutes pending, I mean bills pending that may or may not be passed. There is a law firm called Husch Blackwell. I'm not affiliated with them, but they do a great job of keeping abreast of the various developments. They have the best site I've seen out there that tries to make sense of everything that's happening as quickly as possible. They have a weekly blast you can get. I recommend those links to you at the bottom of slide six. I mentioned cybersecurity rules. Those tend to not find their way into statutes.
However, certain state agencies in Colorado, New York and Vermont, in each instance the entity charged with regulating the financial services sector, have passed a series of cyber regs. What do I mean by that? When I talk about the financial services sector, I'm thinking about investment banks, banks, insurance companies, et cetera. They are regulated typically by one enforcement agency in a given state. The three states, and I've linked you to their rules here, have had their respective agencies promulgate regulations over the last five, six, seven years that put out some very affirmative cybersecurity measures that have to be taken by entities in that sector. Things like: you have to have a chief information security officer, or CISO. You have to encrypt all personally identifiable information, whether at rest or in transit, things of that nature. The New York regs, I've advised at least one client on them in the financial services sector. It was an insurer. When they first came out, and I believe they've been amended since then, they had 14 requirements that had to be adopted by any company in that sector. So this is an interesting development. It is part and parcel of the patchwork that we have in the US. There is no overarching federal law on privacy. There are sector-based federal privacy laws, such as HIPAA on medical information, and the regs that were added there too when there was a set of amendments to HIPAA in 2009. And in addition, there is Gramm-Leach-Bliley, which has privacy and security rules for a certain sector in the sense of federal law, the same kind of entities I mentioned earlier that are suddenly now being regulated by the states. I alluded to the EU. So when you, or your client, have information on a resident or citizen of an EU country, there are very, very strict privacy rules in place. There had been a privacy act passed that applied across the EU in 1995.
In addition, each EU country adopted its own rules. Part of the genesis of the GDPR, which was initiated in 2015 and passed the EU commission in 2020, was to try to standardize and, frankly, to try to be more strict and more protective of EU citizens' and residents' privacy. There still are different enforcement authorities and some different rules in each EU country. The GDPR on the whole has very strict rules on having to give notice of a breach in a very short timeframe, potentially to the regulator in a given country, the data protection authority or DPA, and also having to notify the affected individuals. There also have been, since 1995, but they are now beefed up, rules in the GDPR that you're not supposed to maintain private information for any longer than a given time. You're supposed to protect it from being compromised. And you do not send it, by transfer, to a country that does not treat privacy with the same degree of protection that EU law does. Hint, hint: the United States is not a civilized country, or has not been considered as such, privacy-wise by the EU. The EU has considered Israel and Canada, for example, as very protective of privacy, but not the US. There was a Safe Harbor, and then there was something called the Privacy Shield, which was on a basic level a self-certification process in each instance, where a US company could register itself and subject itself to the jurisdiction of one or more federal agencies here in the US, and then had to attest to the world that it treated data with care. But in 2013, when the Edward Snowden revelations about the NSA came to light, the EU took the strong position that if everything's being spied on here in the US, how can there possibly be appropriate protection, or adequate protection as it's called, of privacy in the US the way there is in the EU?
Now there are what are known as standard contractual clauses, or SCCs, that are approved by the European Data Protection Board and that have been revised over time. If a company enters into an agreement that has those clauses, then that can be a mechanism to bring data from the EU into the US that has private information on EU citizens.
There's also something called binding corporate rules, or BCRs, where an EU outlet of a US company can have a set of rules in place that are also approved by that European Data Protection Board, and that can enable transfer of data from the EU to the States. The bottom line is that since 1995, and in an accelerated way since May of 2018, when the GDPR took shape, there have been increased protections over time for EU citizens' and residents' privacy, and the whole world has gotten on board. There have been more strict rules passed in Brazil, for example, in Japan, even in China, all over the place, on privacy. A key thing to keep in mind for both the CCPA, including as it will be amended by the CPRA officially in a year, and the GDPR is the notion of data subject requests. What does this mean? It means that, unlike in the past, there now has to be transparency to a given individual on what information a company has on him or her.
There are three rights in this realm. One is the right to access, in other words, to have disclosed to you, or him or her, all personally identifiable information being held by a given country, all information that on its own or in the aggregate identifies someone in particular. That's in both the GDPR and the CCPA. The third one here on the list has also been in, and now is in effect under, the GDPR and the CCPA. It's the right to have erased or deleted all the PII on that individual. It's the so-called right to be forgotten. It isn't called that in the statute; it's called that colloquially. And then the middle one here, the right to say, hey, you have incorrect information, you need to rectify or correct it, has been enforced under the GDPR since May 2018 and is going to be enforced under the CCPA/CPRA in a year. So the bottom line here is that DSRs, or data subject access requests, or DSARs, whatever you call them, are a huge issue. You have to be able to know what you have that's private and be able to gather it in response to one of these requests.
The last thing I'll mention that is true of the CCPA and the GDPR, I alluded to it kind of in passing on the prior slide in talking about standard contractual clauses, but it's like HIPAA, which requires a business associate agreement, or BAA, where any entity that is covered by HIPAA, that has health or medical or insurance information, and that allows that information to be stored elsewhere, has to have an agreement that HIPAA's gonna be enforced all the way down the trail that that data goes. The same thing is true of data protection agreements under the CCPA and the GDPR. Anywhere data travels that is subject to the privacy laws of either the CCPA or the GDPR, there has to be an appropriate agreement in place that says that each entity down the line will maintain the privacy and security of that information. And all this is the background as we're about to get into the weeds on all the measures that should be taken, extra measures should we say, not just within the virtual and physical walls of an organization, but when folks are working from home. Class actions have always been an issue under federal privacy laws. There is now the right of a class action under the CCPA. The Federal Trade Commission for decades now has taken on, really on its own front, enforcement of FTC Act section five, which forbids unfair or deceptive practices. I've linked you here to a set of their enforcement proceedings going all the way back.
These are great resources to kind of see what the FTC expects any US company impacting interstate commerce to put in force to have reasonable security measures. What do these enforcement proceedings entail? The FTC has taken the position, which for the most part has been upheld in the courts, that even without the FTC Act mentioning privacy, and even without the FTC promulgating any regulations on privacy or data security, the FTC has the power to go after companies. And it's not just publicly traded companies; it's any US company impacting interstate commerce other than nonprofits. And it can go after a company for unfair practices. Unfair would be that there's not reasonable data security, and therefore the user or consumer or customer was not treated well. It can also go after companies for deceptive practices, meaning whatever is in the outward-facing privacy policy and/or website terms of use that discuss privacy. For example, "we do not share your data with anyone else": if that is false, and the data actually is being shared or used, or both, in contravention of the outward-facing privacy policy, that is considered deceptive by the FTC.
So that's kind of the landmine of laws that are out there. Bringing things closer to the actual workplace, it's crucial for employers to have a couple of policies directed at their employees. One has always been important. I've advised on this for years. A lot of my work overlaps with HR and employment, or what I call e-workplace policies. The so-called bring your own device, or BYOD, policy, which should also be an agreement. It should also include consent to mobile device management, or MDM. What do I mean by all that? If anyone is going to use a mobile device, a laptop, a personal smartphone or the like to connect to a network that is a company network, there should be an agreement and a policy in place that lays out how that is done. Now, a lot of companies, I should say some companies, used to force people to use two phones. Some still do. Some employees choose to use two phones, one that they connect to their work network and one that they don't. These are all the kinds of things that are kind of philosophical decisions. Some companies that I work with, rare, very rare, but some, have said no one gets a company-issued phone unless you're at the top level of the company, or some, even rarer, have said no one gets a company-issued phone. I'm sorry, let me back up. Some say that; another minority say that you never get to use a personal phone on the network. Some say you do get to use the phone if you are approved. All these things should be hashed out. Reimbursement issues should be hashed out. Some states have their own rules on this kind of issue.
When I talk about MDM, increasingly it's very possible for an IT leader, in an administrative console, to control certain apps that have the company information in them. Whether they are an email system or something else that should be controlled by the company because it has company information, there's a way to so-called containerize, or segregate, those apps and have a mobile device management platform that enables someone in IT to control, and maybe even kill, what's in those apps at any given time to protect company information, and maybe not touch anything else that's on the phone, like texts or photos. But every company has to come up with its own approach. This is so super important now that pretty much every company is allowing some or all of its employees to work at home. The other key policy in this realm, of many, but another key one, is what I call the TAUP, the technology acceptable use policy. It should be periodically updated. It should involve periodic training, and its enforcement should be as consistent as possible. And HR should keep track of when they actually enforce it and tell people, you are misusing one of our company's systems. A key goal is to monitor employees. You can't really have a policy that says you can do that as to EU employees. There's extreme privacy there, again, even for workers on work machines in work networks. But in the US, you can have a no-employee-expectation-of-privacy provision, where essentially you say that any and everything stored, maintained, created or passing through a company-provided, and you could even add and/or supported and/or cost-reimbursed, system or device is something the company can look at, in its sole discretion, as long as it's complying with the law. You can stake out very broad rights. The goal there is to decrease the possible viability of any invasion of privacy claim. Why?
Because no court is gonna find that privacy was invaded, that there was some kind of constitutional claim or tort or statutory claim for privacy from a worker, if the reasonable expectation of privacy element was taken away by the terms of a policy and by how it was enforced consistently in the trenches.
Now, I have written and spoken on this for 10 to 20 years. I have a huge set of white papers; I've linked you to the latest one here at the bottom of slide nine. Ethical duties: everything we're gonna talk about in the last half of this session emanates not just from the privacy laws, which are their own arena, and the data security rules, but there is a whole other set of rules that are unique to lawyers. There are charts that the ABA has posted comparing all 50 states' ethical rules to the ABA model rules in two particular arenas. Attorneys all have a duty of confidentiality and a duty of competence, and these have been beefed up since 2012 by the ABA, which is looked to by a lot of the states even though it doesn't technically speaking apply, and by the various states.
First, let's talk about the duty of confidentiality. The duty of confidentiality for lawyers is extremely broad. It is often much broader than the attorney-client privilege. Think about it this way. Attorney-client privilege covers communication, oral or written, between a prospective client or a client and the lawyer, seeking legal advice. But when a modern lawyer like you or me does a project, whether it's litigation, whether it's a deal, whatever it is, we often, as I've already talked about in the world in general, have information obtained from a lot of different sources. All that information is protected by the duty of confidentiality. The ABA rules changed a bit, particularly rule 1.6, in 2012. Rule 1.6(a) has always said there is a need to not disclose confidential information unless you've been authorized to do so by the client. But rule 1.6(c) was added and has been adopted in at least 20 of the states. A lawyer has to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of client information, and to prevent unauthorized access to information entailed in an attorney-client representation. In other words, you've gotta protect what you have, and if you communicate information out, you've got to make sure it's done in a protected way. Not necessarily in that order. Comments 18 and 19 are must-reads. They flesh out the two things I just mentioned: what measures you should take, perhaps in a given situation, when you disseminate confidential information, and what you need to do to keep others from hacking into confidential information.
The second big issue in this realm is competence. Attorney competence now includes, since 2012 under the ABA rule, that one must keep abreast, if one's a lawyer, of changes, including the benefits and risks associated with relevant technology. And now the vast majority of states, it's at least 31, also address technology competence in their ethics rules. California even has a state ethics opinion on e-discovery competence, for example. Florida has altered its CLE rules to require a certain number of courses in each compliance period in the technology area. There is now, as of 2018, also an ABA formal opinion that deals with lawyers' obligations to protect against a data breach of material client information, and what to do if there is an incident where material client information is hacked. It's a must-read for any lawyer in the modern era. And there's a really good summary of it in this Barney article that I have linked you to on slide 12. Basically, you're supposed to have a process in place to prevent data breaches and, God forbid, if you have one, to deal with the aftermath, and then if anything is material, you have to tell your client about it and keep the client abreast of what was hacked, if information was indeed compromised. In terms of cloud computing, the virtual law office, the virtual storage that many of us use now, it has been accepted for many years. It is fine for lawyers and law firms or legal departments to use these platforms. It is not a per se waiver of attorney-client information, attorney-client privilege, or attorney work product to store files or communications in the cloud. But there is an ongoing duty of diligence and supervision, basically reasonable care, as pointed out by this California opinion from about 10 years ago.
So let's start talking about measures. Now that we know that security is part of lawyers' ethical duties: there's physical security, and then there's virtual, technology security, and they overlap in some ways. So basically, now that all these people are working at home, you want to make sure people's routers and their Wi-Fi are protected: that they're secure, that they're password-protected, that there's a firewall built in, which there often is. So that's linked to due diligence for your workers who are working at home. Data should be encrypted at rest and in transit, meaning whether it is sitting on a given machine (laptop, desktop, smartphone, whatever) and also when it is stored in Dropbox or any other file transfer protocol or FTP site. We've talked about kind of the selfish reason: you don't want to have to give notice of a breach if there's a breach. But the whole point of encryption is that if that machine is not powered up when someone gets to it, or someone hacks into an environment and the data is encrypted, there's no way they're going to be able to use the information or read the information. Do you only allow people to use employer-issued equipment at home? That is of course going to be more affordable for big law firms or big companies' legal departments, or a big company's whole worker base, than it is for a smaller one. Some things to think about, just best practices that require training.
Closed-door policy. Someone should not really be sitting in a room with their kids or their roommate or their spouse conducting confidential communications, or having a screen that someone can do some shoulder surfing on. SNL did something that I found very funny (you may not have my sick sense of humor), where kids kept popping up behind someone who was trying to have a work call. Alexa and Echo should be turned off; they are always listening. That's another thing to keep in mind. So those are all what I would call physical security issues; they are physical measures. Then there are the traditional no-nos. I worked on fraud and white-collar crime cases and white-collar investigations, and some murder cases actually, long ago in New York. Throughout my whole career, I've worked on things that are very confidential. I was always warned by my mentor, the lawyer who trained me, that you shouldn't be identifying a client verbally where you can be heard, whether you're on your balcony or on your front porch, or walking around yakking really loudly on a phone. You shouldn't allow family or friends access to a work computer, or to game on a work computer, or to add filters like the cat filter.
Again, I've talked about shoulder surfing. Shoulder surfing can be avoided by a screen filter that physically goes on a computer, whether one's at home or commuting or sitting in a coffee shop, as the case may be. Okay, data security: the other type of security, which gets more technological, as I said. The biggest threat for many years has been, and still is, phishing schemes. As you probably know, phishing, the word and the concept, is a mashup of phony and fishing, meaning trying to reel in information that you're not really supposed to get. The schemes keep getting more and more sophisticated. They've now branched out from emails to text messages to voicemails. I use WhatsApp. I started using it because I have a couple of friends who are overseas, and who wants to make a paid long-distance call? But I get all kinds of wacky scam-like messages on there. The malware that can be embedded in something that someone clicks on, because they're fooled by it (it's a spoofing scheme, perhaps), can be very problematic. It can weave its way into a network. And it can also involve ransomware, where data is put under encryption and you, your company, or your client is threatened that the data will be permanently encrypted or never be able to be accessed unless you pay the ransom. The FBI doesn't want you to pay ransom, because it only encourages the bad actors. But that's the biggest threat.
So, concentrating on that: maybe you use a site like PhishMe, which now has a new name (the name's escaping me). It's free testing you can do where you can send some or all of your employees fake phishing emails and see what they click on. And if they keep clicking on them, you give them extra training. There should always be a virtual private network, an encrypted pipe, so to speak. Whatever machine someone is using to get into a work network from afar should be using a virtual private network. I happened to spot this article on consumer VPNs for individual machines. Those may be some of the same companies that purvey the VPNs. You may want to prevent local storage. Maybe people always have to VPN in, such that they're always working as if they were sitting at a terminal at a computer elsewhere, within the physical and virtual walls of the company. In any event, part of the beauty of VPNs is there's multifactor authentication.
In other words, there is an app that sends a unique code every 30 seconds. And only if someone is sitting with their smartphone (whether or not it's the smartphone they're using to get into the company network), only if they get that code, coupled with their login name and password for the network, can they VPN into company systems. Periodic forced password changes and forced complicated passwords are important. Training, training, training, training: ongoing training is super important. There are different ways people have found now to do training for people at home, in shorter modules. Monitoring and tracking has been beefed up. You want to be transparent with people that they are being monitored. Why has it been beefed up? Well, you don't necessarily know as well what people are doing when they're home. But you want to tell people if you're capturing their clicks and capturing everywhere they're going. And then make sure that if you are using the cloud, using web file storing or sharing, things like file transfer protocol sites like Dropbox or Box, you have an enterprise-wide account, and that everything is encrypted and password-protected in the particular way you've set up your environment, and that's what people are using, rather than rogue departments or individuals using their own free or for-fee file transfer protocol sites. In terms of resources, I've linked you to a bunch of items on slide 16. Some of them go into even more sophisticated data security measures than time permits for this hour-long talk. The second article here, for example, talks about maybe using AI, maybe using facial recognition, maybe preventing people from taking screenshots, all as extra measures, one could say, because of the risks: people are so diffused and all over the place, and prying eyes and prying hackers can see more than they could have seen before.
The third resource here is the one I wrote a few years ago. It's still, in concept, up to date. I wrote it with a very close former colleague who's still back at that big firm; he's the CSO there. We came up with a list of concerns and a list of key tools. I'm sure some of the tools have changed over time, but the concerns are still the same, at least in concept. They're just kind of ratcheted up now in our working-from-home era. And as to Zoom calls: when I say Zoom, I don't mean that everyone's on Zoom. I'm going to show a chart momentarily of all the many platforms that have been out there for some time and that have sprung up in pandemic times. This one article goes into great depth on even some concerns about Zoom that I had not focused on until I read that piece. Here's my chart. I keep this up to date. I've used almost all of these. Let me see if there's any I have not used. I've used every one of these, one to many times, over a very long period of time. So when I say Zoom for the next few slides, I'm just talking generically about any or all of these platforms. Zoom kind of became the guinea pig because a lot of data security flaws were pointed out at the onset of the pandemic. And so for anything that I'm mentioning in the next few slides, you need to poke around and make sure you are familiar, and your client is familiar, with the various issues and the settings that correspond thereto in each of these environments.
There have been many changes to Zoom because they got a lot more attention from regulators and the public. Again, these are generic things you should be doing that are now pretty much the default in Zoom. You should use a unique URL every time for a meeting. You shouldn't disseminate your general host link, because, guess what, anyone with that link can hop in at any point, randomly. The host should be a gatekeeper. Zoom now has that function where you have to click "admit" one by one to let each person in. I know Microsoft Teams does that as well. Et cetera. These are some of the many concerns, and a bunch of articles that came out early in 2020 were very helpful. These first two deal with, again, issues that I think Zoom has for the most part solved, but they still give a good checklist for the concerns that you should be looking for, and your clients should be looking for, in whatever platform or platforms they use.
And then next: I know I promised, I guess I said section three, I think I really meant section six, on the recordings. But in any event, again, be really careful with recordings. Have a standard approach, whether it's trainings, whether it's meetings, whatever the panoply of uses you or your client make of one of these Zoom or Zoom-like platforms; make sure that people are being told whenever anything's recorded. Now again, Zoom got a lot of scrutiny and did a lot of work and had an infusion of cash to deal with this. There now is a popup that says this is being recorded. But it's always the best practice to let people know, in one to many ways, that it's being recorded. And back to the deposition thing: another thought that occurs, which came up in that article I mentioned back in one of the earlier sections on lawyer issues in the modern era, is that you might want to have a list in the depo notice of everyone who's going to be there. Or, if not in the notice, then in the dialogue that goes back and forth, a stipulation, I guess I should say, of what state each person lives in. Or maybe even stipulate up front that it's going to be recorded, disclose that, and (that twist just occurs to me) that anyone who attends is consenting to being recorded.
So again, we didn't drill down on ABA comments 18 and 19 to that one ABA rule on confidentiality, 1.6. But what those comments basically say is kind of what I've been going through the last few slides, which is: depending on the circumstance, you may need to use stricter measures, to be more careful with security and privacy, than you would in some other settings. In terms of video recordings: the main, the most frequent project I do for clients, and I've done this for over a hundred organizations for over 15 years, is what I call record retention or destruction: what a company keeps, what it gets rid of. I do it from an IT and a legal perspective, and I do it with an eye toward being ready for any kind of ensuing litigation or e-discovery: knowing what you have and where you have it, and hopefully having less in general, under the less-is-more theory that the less you have, the easier it is to do your work, your company's work or your law firm's work, on a day-to-day basis, and the easier it is to be efficient, to find what you need by surfing or searching. Also, the less you or your client has, the less is subject to being hacked: the less that's private, or proprietary, or intellectual property, the less likelihood something of concern will be hacked. But a big issue in retention, in what I work with clients on, is in the recordings. Whether it's video recordings of a secure physical area, whether it's video recordings of trainings, there really should be a deletion period. These should not be kept forever. It's a risky arena. So that's something to think about. And in terms of training, there have been so many wacky things going on in the world, not just the lawyer-as-cat via the cat filter, but it suggests that people really need to be trained and retrained on the basic settings: how to mute video, how to make sure you've X'd out of a meeting or ended a meeting if you're the host.
There was a Canadian politician who was nude on a parliament call, with basically the equivalent of our Congress. There was a famous writer, I think he writes for the New Yorker, if I'm not mistaken, and a famous CNN correspondent who's been there forever, who exposed himself in a very indecent way, because he didn't realize he was still sitting on a Zoom call. And so he's now been rehired; I won't comment on that. In any event, all things to be concerned about.
So in the remaining minutes, I wanted to talk about some of what I'm calling personal issues, but they really are what I guess now are being called soft skills, which are becoming more and more important. Some of these are my own ideas, and then I keep abreast of writings on this. You'll see I'm linking you to a few resources in this area in the next couple of slides. These have become more and more important because, let's face it, even the most organized of us, we're working at home with a lot of distractions: whether you have pets, whether you have kids, whether you have a spouse, a roommate, or all of the above; whether you live in a loud area, whether you live where the weather's beautiful or where you have to shovel your driveway. I mean, there are just so many things that can break up your day. So what I've urged people to do when I've done time management training, even before the WFH era, are the following. I urge people to calendar as many things as possible. Again, you can call me Captain Obvious on some of these, and we all work differently; there's no one way. But I've tried to improve my processes by calendaring due dates religiously, and then having multiple reminders for each one. I've also found that it helps keep me on track to block out time in my calendar for when I want to work on something in particular, so I'm holding my own feet to the fire. I mean, again, that's one approach I take.
Another approach I've started doing: I used to do the following for my to-do list. I had a running draft message in my email box, and every day, at the beginning of the day and the end of the day, I looked at it and I edited it. And I found that even if I didn't knock out some, let alone all, of what's on that list, or even if I didn't read it super carefully, just skimming it, taking out some things, adding others, it kept me knowing what I had to get done. I've now altered that approach. I send myself a single-shot email on one to-do, and I always have "to do" at the start of the subject line, and I send it to myself. And then at the beginning of each day, I sort my inbox by "T" for "to do," and I drag all those to a to-do folder. I use that as my to-do list. I've also created, sometimes in the past, in my inbox, "_inbox2" and "_inbox3" folders as a second and third priority for what I need to do. And I try to keep clearing my main inbox, such that what's in the main inbox (and boy, this is hard to do; it would take all day to actually do this), what's at the top of the inbox, really has to get done. The inbox 2 folder is a second priority. And often inbox 3 is, well, just something I'm going to read or sort later on. Again, there's no one way to do it. I use Outlook and I always have the left pane open, and I always use the favorites, the favorite folders segment in the upper left of that left pane. What I do is I have subfolders that I use all the time there, so I don't have to click down, drill down into a subfolder, and I keep folders of active matters or tasks there. I mean, the folders themselves are out there; these are pointers. And that gives me a priority list that's maybe eight to 10 long of the most frequently, currently used folders. So again, lots of ways to use your mailbox.
Other things that are now more and more important for us as individuals and as workers are routinizing one's approach, now that we have all these distractions; exercise, of course; and breaks from the screen, very, very important, always an issue and now even more of an issue. Addiction and mental health: I'm not going to touch on those, but I think we all know that lawyers in particular, and probably the executives who are our clients, tend to have more pressure and therefore more of these issues than others. In terms of the resources I alluded to, these are some of the articles I've read more recently that I found helpful. Some of them are more touchy-feely than others. I'm originally from New York, and although I've lived in California half my life, I'm more touchy-feely than I was, but not super touchy-feely; still, I really have found that some of these are very, very helpful. The one on not working in multiple browser tabs was really interesting. I think I try to do that, but I don't know how successful I am, and again, we all work differently. That was helpful. I mean, I think we've all become used to multitasking, or thinking we're effectively multitasking, over the last 10 to 20 years. And I think it's all become harder in the last couple of years. The mindset stuff really involves a lot of the things on my little list on the prior slide or two. They deal with taking breaks from the screen, getting exercise, calendaring as much as possible, treating your day in blocks, and having, if you can, like kinds of activities in like periods of a day, when you're in control of what's happening when.
And then classic time management issues: there's a great little book called 'Eat That Frog'. It's based on a saying by Mark Twain, which was, "If you have a lot of things to do, and one of them is a great big giant toad, and you're going to eat a frog, you're going to eat all of them in the day: eat the biggest, horniest toad first, get it done, get the biggest thing done, and then move on." That's one approach. 'The Checklist Manifesto' is a great book, very, very helpful in terms of not just organizing your own time, but coming up with processes for various kinds of projects. More and more doctors and surgeons in the modern era have used checklists. I built, with input from pure IT folks, an automated e-discovery checklist at my prior firm. So any process that you want to be replicable can be subject to a checklist. And then, again, these articles probably have something in each of them that will help all of you. So in the remaining minute or two, I will wrap up. If you want further clarification on anything and you want to follow up with a question, here you have my information. I'm happy to answer anything that I'm able to answer that I didn't cover in the talk.
So again, the bottom line is, whether you are a lawyer thinking about your own firm or your own legal department, or you're a lawyer thinking about your clients, I hope I have covered for you a grounding in privacy and data security law, and also in a bunch of key physical security and data security practices that have become more and more important to us as lawyers and to our clients. And in addition, assuming you're a lawyer, hopefully you now know more about our ethical duties as lawyers as to cybersecurity and technology in general, and, if there is a data breach, what to be doing after the fact, and hopefully having an incident response plan in place before there is a breach, whether the breach occurs within the virtual or physical walls of the company, or it occurs remotely from one of our many remote workers and remote colleagues.
So thank you for listening and watching, and be careful out there.
Credit information
Jurisdiction | Credits | Available until
---|---|---
Alabama | |
Alaska | 1.0 voluntary |
Arizona | 1.0 general |
Arkansas | 1.0 general |
California | 1.0 general |
Colorado | 1.0 general |
Connecticut | 1.0 general |
Delaware | 1.0 general |
Florida | 1.0 technology |
Georgia | 1.0 general |
Guam | 1.0 general |
Hawaii | 1.0 general |
Idaho | |
Illinois | 1.0 general |
Indiana | |
Iowa | |
Kansas | |
Kentucky | |
Louisiana | |
Maine | 1.0 general | December 31, 2026 at 11:59PM HST
Minnesota | 1.0 general |
Mississippi | 1.0 general |
Missouri | 1.0 general |
Montana | |
Nebraska | |
Nevada | |
New Hampshire | 1.0 general |
New Jersey | 1.2 general |
New Mexico | |
New York | 1.0 cybersecurity - general |
North Carolina | 1.0 general |
North Dakota | 1.0 general |
Ohio | 1.0 general |
Oklahoma | |
Oregon | 1.0 general | February 28, 2025 at 11:59PM HST
Pennsylvania | 1.0 general |
Puerto Rico | |
Rhode Island | |
South Carolina | |
Tennessee | 1.0 general |
Texas | |
Utah | |
Vermont | 1.0 general |
Virginia | |
Virgin Islands | 1.0 general |
Washington | 1.0 law & legal | February 28, 2026 at 11:59PM HST
West Virginia | |
Wisconsin | |
Wyoming | |