Well, welcome, everyone. This is Mike Overly, and I'm a partner at Foley & Lardner in their information technology and outsourcing group. And so what I do on a daily basis relates quite well to what we're going to be talking about today: I secure data and do technology agreements in which very sensitive data is at risk, including sometimes data which is subject to the attorney-client privilege and the work product doctrine, something that all of us, if you're listening to this presentation, are very, very, very keenly aware of and sensitive to. So during our presentation today, and why don't I move to our first real slide, which is the agenda, do not recoil in horror at the length of the agenda. We do just have an hour today, and there's more information here than we're going to get to in detail. But I wanted to intentionally provide you with that additional information, and that's primarily toward the end of the presentation, so you'll have some notes to refer to. And so we're going to begin by talking about why we're here, and why we're here essentially is our ethical obligations. And we'll talk about some of those, including some recent cases. But once we do that, which is the foundation for everything we're going to be talking about today, we turn to the practicality of, okay, now that you've got me scared about my obligations, how do I fulfill those obligations? And so after we get past that ethics obligations overview, we're going to be talking about some specific things like: why should I be concerned as a lawyer about cybersecurity? Who in the world is going to try and hack my firm? Maybe you don't work for a firm that has 2,000 lawyers. Maybe you are five lawyers. How would anyone know where you are? Although you'd like them to. How would a hacker, for example, decide they're going to focus on you? And we can talk about that. We'll talk about sources of risk. We'll talk in particular about the human factor.
And that is, we're talking about your own employees, your own lawyers, your own staff, and how they might pose a risk to your organization. We'll talk further about, and I realize we have a duplicate here, sources of risk, but there are some surprising ones, like your own vendors of the laptop or desktop computer that you may be sitting at right now watching this presentation.
We'll talk about incident response, and what is that? That simply is: should your firm ever become the subject of a cybersecurity incident? And this could be something as straightforward as, and this would be considered a cybersecurity incident, you do not have your data available when you need it. You're going to trial and all of your exhibits are online and you cannot access them. All the way across the board to you've got a hacker actively manipulating your systems. Someone has transmitted a malware attack onto your systems and has rendered them unusable. Or you have a ransomware attack where someone is demanding $500,000 in order to give you back control of your systems. We're also going to be talking about common threads, and what in the world do we mean by that? In addition to the ethics obligations that we have, there are many, many, many laws out there, both state and federal, or rather, I should say state, federal and even international laws, that may be relevant to you as far as the data that you might have. If you have a trusts and wills department, you may have personally identifiable information. If you have individual clients, even if they are high net worth clients, you may have personal information about them. The common threads portion of our discussion today is to give you, in just a few minutes, an appreciation for: my God, there's this huge range of laws, regulations, industry standards relating to information security. How can I understand what all of those things mean from sort of a forest-for-the-trees level? That is, let's not focus on what any one law says, but on what might be common to all laws, rules, regulations and industry standards. We'll talk about that. Even if these specific laws or regulations might not apply to you and your particular law firm, industry trends, industry processes, best practices for dealing with information security absolutely do. And so let's help you get a handle on all of those things.
And so we're going to talk about essentially three common threads that run through all of these things that help you have a better understanding. And one of the things about this discussion today is that we're actually going to be touching on those common threads throughout this discussion.
You'll see them repeated several times. Finally, we'll talk about getting a cybersecurity program in place for your firm or organization. And even if you have one, how might you improve that cybersecurity program? Why is it important to have a cybersecurity program, apart from the fact that it helps you potentially prevent an attack? One of the other reasons to have a cybersecurity program is the following. If you are the subject of a data compromise, for example, your systems are hacked, and there is an investigation by, say, a state bar or an attorney general's office, and you need to show that you were reasonable, that you took reasonable steps in addressing the security of client data, one of the things that they're going to look to is: did you have a reasonably well put together cybersecurity program? And God forbid you encounter a situation where you've had a data breach and someone comes in to look at your data security procedures and you have nothing in place. That's going to be a real problem. So please think about these things. So again, it's a very ambitious list of topics. We're absolutely not going to be able to talk about all of them in a lot of detail. But what we are going to talk about in detail are the things that are the most important in this discussion, and the rest can be used as nice material for a checklist and creating your own incident response program or your own cybersecurity program. And I'm not sure if I was careful enough in telling you a little bit more about what incident response is. It really is sort of a plan for: if you have a potential, a suspected or even an actual security situation, what steps do you follow? Who do you call first? If you've got a paralegal working overnight and they suddenly see their screen manipulated by what appears to be ghostly apparitions, and in fact it's a hacker modifying their system as they're watching, who does that paralegal call? Is it clear?
Do you have specific measures? If you are the subject of an attack, who's the next person that's called? Do you have, for example, access to a computer forensics company that can come in and help you identify what's been accessed, what's not been accessed, how it was accessed, and how you can prevent future hacks of this type?
And if this becomes public, do you have a relationship with, potentially, someone that handles publicity for, or public communications with regard to, data breaches? These are things that you might want to think about. We'll talk about that in more detail as we go along. But that's our agenda. So let's turn to why we are here today, which is the ethics obligations, and let's talk about those things. Law.com, which I think everybody visits from time to time, great content, great material, says that right now law firms are falling victim to data breaches at an alarming rate and that these instances are frequently unpublicized. And even those that are publicized seem like the tip of the iceberg. One of the things to think about is that hacking activities are not limited to financial institutions. Hacking activities are not limited to sort of high value targets where money might be involved. If you think about it, law firms have lots of information that could be very useful: M&A transactions which are in the offing, and someone might be able to get that information and trade to their advantage. Something else is that almost everyone knows that law firms essentially operate on the data that they have, the documents that they've created, the information that they use, databases, etcetera. And so simply coming in and locking all of that information up with a ransomware attack, which is not designed to compromise the confidentiality of your client data, it's not intended to disrupt or corrupt that data, it simply means that they're preventing you from accessing and using your own systems, could be devastating to a law firm, regardless of size. And there have been many situations where law firms have been targeted. So this study in Law.com occurred in 2019. It's now 2023. And things have just simply gotten worse. There are more attacks every day. So let's look at ABA Model Rule 1.1, which deals with competence.
And one of the things that now is addressed by Rule 1.1 is being competent with regard to the benefits and risks associated with using technology in a law practice. And I don't think that I'd be contradicted in saying that I don't really care what kind of law practice you have, whether it's one lawyer in a storefront in a strip mall all the way up to the largest law firm in the world.
You use technology. It's almost impossible to avoid: court filings now, record keeping, you name it, communications with clients. It's all done electronically. And so you need to make sure that you've got the necessary knowledge and skill to address this. And if you don't, and there's nothing wrong as a lawyer with not being a computer expert, what is important is that you engage people to help you in securing your systems, setting up your systems, managing your systems, getting those people to help advise you. So the point of Model Rule 1.1 is not to say every lawyer needs to become a computer expert and a cybersecurity expert. What it is saying is that folks that do those sorts of things are readily available and that you need to be in contact with them and have them help you assess risks and benefits to your firm. So that's Model Rule 1.1. Model Rule 1.6 is confidentiality. And we are all very aware of confidentiality when it comes to client records. So nothing new there. There have been a number of ethics opinions, both by the ABA and state ethics boards, with regard to technology and obligations to protect client data. There's an ABA Formal Opinion 483 that talks about what those duties are, and they're really actually things that are relatively common sense, and if you work in any industry, whether it's a law practice or whether it's an office supply manufacturing plant, they're all about the same, which is: you need to monitor your systems for breach. And I will tell you, and we'll see later, that although that sounds like a simple matter, it is absolutely not. And one of the things we'll look at is that, in fact, on average, it may take months until a breach is actually discovered. And what that means is that somebody may have unfettered access to your systems and the data that resides on those systems for weeks and weeks and weeks and even months and months and months without your knowledge. That is somewhat terrifying.
You have the duty to stop a breach and restore your system. Sounds pretty reasonable to me that you need to have a way to address this.
And again, attorneys are not expected to be computer forensics experts or cybersecurity experts. You need to potentially establish relationships with folks like that, so that you can have those people come in and help you. You have a duty to determine what happened. If you have 10,000 clients over the years and two of those clients have had their data compromised, you need to make sure you understand that, that it's not your entire database, that it's only a limited section of that database. These are very, very straightforward things. ABA Formal Opinion 498 goes right to the heart of the matter: virtual practices. And this doesn't just relate to if you're an entirely virtual law practice, and virtual simply means that, you know, there's no physicality to it, that you could be anywhere that your laptop is. But that's really most lawyers these days anyway. And it simply stresses that you need to understand and take reasonable efforts to prevent inadvertent and unauthorized disclosure of information, particularly when transmitting that information using electronic means. Think about this. How many times have you been flying from one place to another and the person next to you might be another lawyer, and they are working on their laptop on a brief or responding to client communications without any regard to the fact that the person sitting next to them can see the screen quite clearly? The person behind them can see the screen quite clearly. The person milling about in the aisle can see that screen quite clearly. That's not being careful with protecting client information. So that's the foundation. And we could talk about a lot of other opinions, things that have gone wrong. But the general idea is, and I think this is something that we will focus on throughout this presentation: no one can guarantee security. I don't care who you are. Even the CIA and the NSA can't absolutely secure their systems. Both have been hacked.
What you are required to do as a lawyer is to inform yourself of the potential risks and to take reasonable steps to address those risks. And that's really the theme for the rest of the presentation. It's how do you do that?
So we're going to be talking about that. Why are cyberattacks so insidious? Why now, as opposed to other points in history? And these points here really do touch on and show why we have a problem. If you think about it, suppose you were going to go in and rob a bank. And one of the reasons I'm using this example is that organized crime has become extremely active in hacking. It's no longer a 16-year-old in a cyber cafe in the Philippines, although that does happen. More likely than not, if you are the subject of an attack, it's by organized crime, because they understand that if they walk into a bank and they rob it at gunpoint, the average bank robbery results in at most a few thousand dollars' worth of cash being lost, or to the benefit of the robber, they get a few thousand dollars. What's the likelihood they're going to be apprehended? Pretty darn high. What's the likelihood they may be injured, including mortally, during the robbery? High. Now look at what's the average, say, ransomware attack, in which there's virtually no possibility of being tracked down and prosecuted. Virtually no possibility of bodily harm. And whereas you can maybe do one bank robbery or two a day, you can do 10,000 ransomware attacks an hour. And so if you look at this and you realize that the average ransomware attack, in fact, gets about the same amount of money as the average bank robbery, and certainly sometimes far more, doesn't it make sense for organized crime to focus in this area? I think one of the things that is really confusing in many instances is that people think, well, you know, organized crime or these people are really computer geniuses, I thought you had to be a super educated or skilled hacker to be able to do this.
And in fact, there are areas of the Internet, on the dark web, which anyone can access, and you can gain essentially the ability to download ready-made tools to help you in hacking, to help you in launching viruses, to help you in launching ransomware attacks. They even come with FAQs and documentation. It is very hard to generally track down people.
It is very common these days. People use them all the time. We use them when we want to potentially obscure where we're currently located. But there are these readily available tools that make it virtually impossible to track down the location of where the hacker is located. What happens is that Internet traffic is bounced all over the world, so that if you track an IP, or Internet protocol, address down, you find out that it goes to Australia. But when you go to Australia and serve a search warrant on the server, in fact it goes to Croatia, and then you go to Croatia and find out that the traffic is bounced to China and then to Russia and then back to Brazil. And at the end of the day, you've spent nearly a fortune, many, many months, if not years, and you still don't have the person that you want to prosecute. So the likelihood of actually being brought to justice is quite low in many instances. The country in which the attacker is located may not even have laws that would make what they are doing illegal. So if you look at sort of everything around this globe that's in front of you now, these all add up to one thing, which is: now is the time that we are seeing just enormous volumes of hacking going on, of sending out ransomware, phishing attacks, viruses, etcetera, and the likelihood of your firm being hit and potentially even specifically targeted is certainly something you need to be worried about. And I should mention before we go on that if there are ever any questions about something that I'm discussing, please don't hesitate to use my contact information at the end of the presentation to reach out, and you'll have access to these materials. I want to give you just two more examples of why there's a lot of danger these days when it comes to hacking. Shodan is a search engine, and you can all access it.
Shodan is like Google or any of the other search engines, but what Shodan focuses on is identifying vulnerabilities in devices and routers and nuclear power plants and wind turbines. You can literally type in the type of streetlight that's being used at an intersection and find out whether or not it has any security vulnerabilities.
If you are looking at a particular organization, you can look at and see if the router that they're using to protect their systems has any known vulnerabilities. That's what Shodan's about. And so it's easy to get this information from them. Another resource readily available is WiGLE.net. And what does this confusing thing on the screen tell us? You can type in an address, including a street address, quite easily. This one shows Grand Rapids, Michigan. But you can type in your home address if you like. What it will show you is whether or not your home, or the home next to you, your neighbor's, has been probed. If someone has probed your home Wi-Fi network, or your law firm's Wi-Fi network, to determine whether or not there are vulnerabilities, and if there are, it's been flagged here. And so essentially, they have folks driving around, some people refer to it as wardriving, that identify when they come upon vulnerable computer networks, and they post that information. These things are readily available. All right. Let's talk about some common security myths. Understanding these myths will really help you in securing your own systems. The first one is: it's all about the data. And of course, you know from the ethics rules that we indicated that client data is absolutely deserving of protection. The problem is all too often we get focused on the data and not the systems on which the data resides. A lot of times if you go to a law firm, even a small law firm, and say, give me a list of all locations where your client data resides, that could be potentially a very difficult question to answer. Do you host all of this data at your office? Do you use Microsoft 365, which is essentially an online version of Microsoft Office, in which case the data is stored in the cloud? Do you use other cloud services, too? For example, for billing your clients, invoicing, etcetera. Do you use onsite or online data rooms? Almost certainly you do that.
Do you use other online or cloud, you know, backup and other systems? So understanding where all of your data is and of course you want to protect that data.
But it's not all about the data. It's about making sure that the systems on which the data resides are also adequately protected. Myth number two: it's all about confidentiality. That is incorrect. In fact, if you look at most well written security and privacy laws, regulations, industry standards, you'll see references to an acronym that's been around since almost the beginning of information security. That's CIA: confidentiality, integrity and availability. Let me give you a quick example of why these are critical. And so to say whether or not data is secured properly, you must have all three of these things. Can't be just confidentiality, can't be just integrity, can't be just availability. But let me explain each, and the first one is rather obvious. The other two may not be as obvious, particularly the middle one. Suppose that you're a physician working in an E.R. and someone comes in who has been in an auto accident and needs immediate care. You have a computer sitting beside the patient's bed and you fire up your medical record system, and of course, you want to make sure that this patient's medical record is confidential, that no one has gotten access to it except authorized physicians and other medical personnel. That goes without saying. But right now, what I'm most concerned about is treating this patient. So I bring up their medical record. And on the right side of the screen, they have a list of preexisting conditions as well as drug allergies, something you definitely would want to know. Am I treating somebody with diabetes that I don't know about? Am I treating somebody with a pre-existing heart condition? Has this person had a kidney transplant? Does he or she have only one lung? These are all things that we'd want to know. But suppose that data has been intentionally corrupted. That goes to the middle term here: integrity.
Hackers know that when you have vast volumes of data, it could be absolutely devastating if you go in and you methodically change data so that it's no longer reliable. In fact, there have been articles written about this in hacker magazines. And so when you look at preexisting conditions, when you look at drug allergies, you need to be 100% sure that data is accurate.
Next, and this is really fundamental: if you go to that computer screen as the patient's lying there on the gurney, you need to make sure you can actually pull that information up, meaning that it's available for use right now. If you think about it, a ransomware attack has nothing to do with confidentiality, has nothing to do with integrity. It's all about availability when we're talking about ransomware. Ransomware is designed to make it impossible for you to access your data when you need it. So please keep this in mind, that these three things are very important, that when you're negotiating a contract with a vendor, a cloud provider, whatever, that provides technology services to your law firm, think about these things: that if you enter into a cloud services agreement and they don't have an obligation to make the system available during critical business hours, and they have no real liability if they fail to achieve that service level, that's a problem for you. And essentially you're documenting, if someone ever looks, that you were negligent in handling client data because you didn't ensure its availability when needed. Take a look at these things. Just a few other security myths. To be a hacker, you must be a technology genius. We already touched on this, that, in fact, you don't need to know much of anything. There are pre-made, pre-wrapped and readily available tools online. There's a woman by the name, I think, of Carolyn Meinel, who wrote a book years ago called The Happy Hacker. And one of the chapters in that book was How to Be a Hacker in 60 Minutes. And what she meant by that is that anyone with virtually no computer skills could in about an hour learn how to use methods that could cause harm to some of the largest companies in the world. That's very concerning. Myth number four, particularly for lawyers: it's an IT department issue.
No, it is a lawyer issue, but the IT department helps the lawyer manage that problem. Lawyers that simply say, "I'm going to let the IT people handle this. Thank God I don't have to worry about it. I'm going to go write that brief that I need to write,"
are not fulfilling their ethical obligations. It doesn't mean that you need to spend your days dealing with cybersecurity, but you need to apprise yourself of what's going on, or delegate cybersecurity to a group of lawyers within your firm that can help work with the IT department and others to address this issue. Myth number five: I can achieve 100% security. Impossible. And I won't spend too much time talking about the writing on this slide. But what is important is that teeter-totter on the right side. The greater the security, the less usable a piece of technology is. If I take your cell phone, I can absolutely secure it. If I take the SIM card out and lock it in a safe, does that mean that it's usable by you? No. And this is one area that lawyers complain the most about all the time, which is that as you impose greater security on your systems, it does impact usability by the people that keep your firm in business, the lawyers who are billing hours. And so you're always trying to balance what is reasonable as far as information security without making things so hard to use that you're going to have lawyer pushback. Last one: I'm safe. I've got great security. We've been in business for ten years, and no one's ever hacked us. As I mentioned way at the beginning, there are situations, if you look at, say, the Trustwave Holdings study, where it takes on average, which means some are fewer but some are longer, 210 is just the average, 210 days to detect whether or not there's been a hack of your systems. That's greater than six months. So please don't get into the habit of thinking, well, we've never had a breach. You've never had a breach that you know about. Keep that in mind. All right. Let's turn to sources of risk. And I always feel as though that first section on cybersecurity is sort of scared straight. Remember Model Rule 1.1, which talks about making sure that you understand the benefits and risks.
And I'm certainly not here to say don't use technology in your practice.
That is what we all rely on. There's no way to avoid it, but use it in a responsible fashion. So, sources of risk. My gosh, we've got quite a parade of horribles here. Organized crime, cyber terrorists, hacktivists. Let me focus on a couple of these now. Also, let me just define script kiddies. That is a pejorative term used to refer to folks that have no real tech training and are simply using tools they got online to cause harm to others. So hackers really look down their nose at script kiddies. Two items, though, that I want to mention. Insiders. What does that mean? Insiders are your own employees, your own lawyers, your own paralegals. They also classify insiders as providers of services to the law firm: your cloud service provider, the people that operate a cloud-based billing system. These are all insiders, and in most instances, one of the two most likely reasons to have a hack of your systems is insiders, that someone will click through a message that they shouldn't have clicked through, or open an attachment that they shouldn't have opened. And consider this. I would be willing to bet that I could walk into almost any law firm and sit in their lobby for a moment or two and read a magazine, possibly. And when I leave, I simply leave behind a USB drive, one of those thumb drives, with a little label on it that says "the Black Rock case" or something similar. Leave it there. And I'd be willing to bet in most instances by the end of the day what will happen. Someone will plug that USB drive into a computer on your network and they will load a virus into your network. It's a common means of doing this, so insiders pose a great risk. The other one I wanted to mention to you is hacktivists, and hacktivists are people that have some hacking skills and that have a particular political, environmental, whatever it might be, motive for engaging in hacking. How is this relevant to law firms?
You may represent a particular type of industry that has gained some adverse notoriety, or a particular individual who has gained some adverse notoriety, and someone may target you as a result of that representation.
Well, certainly unfair. That is our obligation as lawyers, to represent people or entities that we may not agree with. Hacktivists have been known to target law firms as a result. Another insider risk is your own vendors. I mentioned that to you a moment ago. Your own business partners, your own cloud providers. I'll just give you one quick example. There was a situation where a very well known provider of brand name laptop computers had a hack at their manufacturing facility, and at no additional charge, they were delivering desktops and laptops to various customers, including business customers, with malware already installed on their hard disk from the manufacturing facility. So you can never be too careful. Here's one of the checklists that I referred to for you that kind of just talks about key elements of a cybersecurity risk management program. And as I mentioned, toward the end of the presentation, we'll also be talking about just a general cybersecurity program, of which these types of things are elements. Some of the things that really are relevant: we won't go into a lot of detail here, but let me just point out a couple. Number three, managing user privileges. This is something law firms do a terrible job at. Consider this. You have someone in your copy room. They have a password and username on your system, your network. That person should generally have rights to access only those things that are relevant to their performance of their duties. Same thing with somebody in HR: someone in your HR department has access to your network but should definitely not have access to, say, attorney-client work product. In particular, someone in that department would have no reason to have access to, say, documents about a highly confidential merger and acquisition deal that's going to be occurring. That's called least privilege: that you want to have everyone on the network having the least privilege necessary to perform their job function and no more.
Another thing that's very important is home and mobile working. I think that we all understand now, having lived through Covid, how this can come back to be a problem. If you have people working remotely, can they print out sensitive firm documents, and then how are they destroying those documents?
How are they storing those documents? Who has access to those documents at home? Does the computer that they're using at home have timeout mechanisms, so that if they walk away from it to go have lunch, someone else can't walk in and have access to the data on that computer? Lots and lots of things like that. We've had situations where mobile workers decide that, boy, I have a lot of really, really important work product on my laptop. I'm going to connect it to one of the free cloud services that will essentially store my information, so I'll have a second copy of it. Well, that's not a bad idea. The problem is that that cloud service for backup likely provides almost no real protection in the event of a data breach. All things to think about: have appropriate policies and procedures about remote workers, how they'll be able to access your system securely, the lockdown mechanisms on their computers. You know, the USB ports on their firm laptops, have they been disabled? These are the kinds of things that you want to think through. So just a list for you to consider, but a list nonetheless that really does highlight a lot of the things that we've been talking about today and that you should be concerned about. The human factor remains one of the greatest risks. In fact, as I told you, there was a recent study by a very well known information security provider, and they found that of the two greatest risks posed to businesses today, one of those two is the human factor. That is, personnel. And although they're the greatest risk, they're also the best first line of defense, which means everybody at a law firm should have some basic information security training. For example, suppose I get the name of the personal assistant for a partner, and say that partner is in the antitrust group. And I create an email and I spoof it, and it's quite easy to do that. What is spoofing?
In just a few minutes, anyone can learn to send an email and make it look exactly like it came from anyone else they desire. I can impersonate Bill Gates.
I can make it look like it came from his email address at Microsoft. This is very easy to do. And so let's take that partner who works in antitrust. He's an expert or she's an expert. I target their personal assistant. I send them an email that says, Hi, I'm Bill Smith and I'm at the ABA in their antitrust practice group, and I'm writing an article about a particular area of antitrust. And I would love to get the thoughts of the partner for whom you work on the document that's attached. And there's a PDF attached that says Draft Antitrust Article. You can bet someone, either the assistant or the partner, will click on that PDF. What's one of the best ways to transmit a virus? A PDF. It's so easy to take someone in. And so when you get an email like that, are people trained to ask: are we expecting this? Do we know where this came from? And really thinking before they start clicking through things. Some firms have deployed a training software, if you will, that will periodically send email just like the one I described, except they don't in fact include malware, but they're used to test employees, and if they nonetheless click through or go through a hyperlink or do whatever it is that's in the email when they shouldn't have, it'll be flagged and that person will go through some additional training. Just something to think about. But right now, human error accounts for nearly two thirds, you read that right, of security compromises. Yet in our experience, very few law firms invest in the training of their personnel. They do nothing more than conduct some very perfunctory training when the employee is hired or when the lawyer first starts. We've seen that there's been a nearly 1,000% increase in email phishing. And what's email phishing? All that means is that there are two types of phishing: regular phishing and spear phishing. Regular phishing is simply sending out an email that's very generic in nature that simply tries to get people to click through things.
Let me give you an example of general email phishing, and it's actually incredibly effective. Hackers know that people in October generally will be setting up and, you know, electing their benefits for the coming year.
And so they're kind of expecting that they'll get something from HR about benefits election. So every October there is a sea of phishing email that says, you know, hi, this is Burt in HR, and we've already set up this link for your convenience for you to give your elections for benefits; if you don't click through by Thursday at 5:00, your benefits from last year will continue to apply. And sure enough, when you click through that URL, you'll be asked to include your Social Security number. You'll be asked to, for example, enter your firm username and password. These are all ways to take that information. Hackers also know that most people plan their summer vacations somewhere in April and May. And so that's when we always see lots and lots of phishing attacks, just generally, from airlines. People will spoof email from American, United, et cetera, making it look like, you know, we need to get your contact information and your payment information verified or your recent reservations will be canceled. And sure enough, you in fact made reservations a week earlier and you're now worried that they're going to be canceled. You'll click through. Those are general phishing attacks. Spear phishing is more sophisticated. That's more like the PDF article that I mentioned on antitrust, where we learn a little bit about the target that we want to go after. We may look at social media postings, we may look at their firm bio, we may look at other information, and then create a specialized email just for them. There are tools to even create spear phishing email that go and sort of troll through a firm website or a company website to gain information about the individual and create the email.
So social engineering, which is phishing, but it's also things like simply calling someone on the phone and being very friendly and talking them into giving information about the company, about the fact that, you know, their password was used a few minutes ago and they want to verify that that password is theirs, can you please give it to me again, that kind of thing. Be very, very cautious about these sorts of attacks. They can be devastating.
You'll see the statistic in the second to the last bullet point here that basically one in every two individuals in a large enterprise is going to be targeted at one time or another. All right. Let's talk about incident response. And again, we go back and look at that Formal Opinion 483, which just describes what kinds of things you should be doing as a firm with regard to information security, particularly if there is a breach. This graphic, which we could spend quite a lot of time on, simply gives you an outline of what should be done generally in the first 24 hours following a data breach. You do not want to figure this out in hour number one of a data breach. In other words, all too often what happens is that there's a panic call at 8:00 at night on a Friday that they've noticed unusual activity on your servers. It appears to be a hack. Now what? Who do we call? Who's practiced on this issue? Have we tested people about their knowledge of what to do? What about if The New York Times or The Washington Post calls us in two hours and says, hey, we heard you were hacked, any comment? Worse yet, suppose The New York Times or The Washington Post calls random personnel in your firm. Would they know not to, in fact, comment? More importantly, would they know to direct The New York Times and The Washington Post to a particular person in the firm who is authorized to speak on behalf of the firm with regard to issues like this? So what you see here for this first 24 hours is sort of the laundry list of things that you should consider when you're creating your incident response plan. And way back to the very first slide I showed you, with the frighteningly long list of the agenda, when I was talking about incident response, one of the things I mentioned is, you know, really having a plan and understanding how to work that plan. Again, you don't want to wait till the last minute.
You want to have this established so that when, and normally it's going to happen, not if, but when, you do have a situation where you need to trigger the plan, everyone knows what they're supposed to be doing. Another example of this is having a forensics expert. Now, you could say, well, we're a large firm and we've got extremely skilled information technology people that are at our firm. No. There are two reasons for this. First of all, do you really want your people now being called as witnesses, potentially, if there's litigation involving the breach? Probably not. You may want people that do nothing but incident response and computer forensics for a living, who have testified in court a thousand times before. The second thing is that IT people can be extremely good at their job, but that does not mean that they have been specifically trained in how to do computer forensics. One of the things to understand about computer forensics, and all this means is coming in after a security breach and determining what has happened with the computers and the information stored on them, particularly when the case is a data breach, is that things are very tenuous. The mere fact that you turn a computer on or off, the mere fact that you're loading a particular program or taking a particular action on the computer, may in fact delete or render unretrievable information that would be critical to determine what actually happened. So you want somebody that really understands what they're doing. Do you want to find that someone at 8:00 on a Friday night? You do not. And so it really does behoove every law firm to think about, all right, who's well known in this area, who's within our budget, that would be appropriate? Maybe we don't need the largest or the most well known, but we need someone that's highly skilled. And there are many, many out there. Let's get a relationship with them underway now. Let's negotiate a contract with them now, and maybe we won't have any need for them for a year or two years or potentially forever.
But nonetheless, you want that relationship as part of your incident response plan. There's the phone number. There's your contact. You want to be able to call that person right away.
You also want to make sure that when you negotiate that contract and you say, hey, by the way, we're a law firm and we want to make sure the attorney client privilege and work product doctrine are maintained, we're going to want to add some language to the engagement with you that ensures that that is done. And if you have a forensics person who looks at you with, you know, a questioning face, they're not the people you want to use. Most experts in this area, if you mention what I just described, will yawn and say, of course, we know exactly what you're talking about. We'll take care of it. And if you hit someone that does not understand what you're talking about, that's probably not the right relationship for you. So these are just some of the things to think about that you should have in place. And in the slides that follow, we have that sort of additional information for you. One of the things to think about is that if you bring in a computer forensics specialist, one of the things they might do is to remove information from your systems for processing on their systems. That is not uncommon. You want to make sure that you're not going to create another problem. You certainly don't want the forensics people taking highly sensitive information off your systems, storing it on theirs, without any requirement that says that data is securely deleted upon completion of the services. You certainly wouldn't want to do that without adequate protections in the contract involving information security, confidentiality and liability if in fact those things are not maintained. Think about this also on this slide. And again, I want to make sure that you look through these as time permits, but I want to touch on things that sort of jump off the page to me. And one of the things is you generally never want to use the B word, breach.
Breach has various implications under applicable laws, rules, regulations, et cetera, until it's absolutely verified. You always want to refer to something as an incident, and it is under review. Not that you've had an actual breach occur.
All too often we see lots of documentation created where someone sends an email that says, Yeah, we just had a breach. No, you had an incident that needs to be investigated. You don't want to be creating documentation about a breach until you know it's an actual breach. These are small things, but they need to be managed. Let's see if there's anything else here that we might. Oh, the forensics consultant. Here are just some tips with regard to pre-negotiating the contract, making sure that you maintain the privilege, those sorts of things. The most important thing again is having relationships like this, having relationships with a media consultant who can handle communications with the press on this issue. You might be very good at communicating with the press upon victory in court. That's quite a different animal when you have the press asking questions about a data incident or data breach. Just things to be thinking about, and some things that you want to kind of look through that talk about incident response. Again, the last thing you want is for someone to say you had a data compromise of some kind until you actually understand what the data compromise is. Is it merely that someone got access to a database of documents which haven't been used or relevant in a decade? Or is it someone that got access to important records that will be used in a trial next week? You need to nail this down. And sometimes that does take time. Here we have the types of things that you want to include in an information security policy, and there are lots of examples online of these policies. You generally want to develop that policy with the cooperation of a consultant and with your own IT department. But these are the types of things that are typically addressed in a well written information security policy. And actually, let me just go back for a moment. So in an information security policy library, there is the policy itself.
And believe it or not, these are not necessarily tremendously lengthy documents, nor do you want them to be so detailed that they'll be outdated in ten minutes. A lot of times when there's an audit being conducted, one of the first things that an auditor looks at with regard to information security policies, and we're going to be talking about that plural in just a moment, is: when was the last time this policy was updated?
And they go to the revision history, which is normally the second page or the last page of the document. And if they see something like, well, it's been 12 months since the policy was updated, they know that that's not a good thing. Normally you expect the policy to be updated at least once a year. Personnel change. Your relationship with an outside computer forensics company may change. Lots of things may change. You may move from a locally installed software base to one that's in the cloud. You need to be able to adjust the policy on at least an annual basis, or more frequently if there are material changes. If you've just acquired another law firm and you've merged, you want to make sure that it accounts for that. So number one on the hit parade for policies is the information security policy itself. Here's a list of other potential policies that might be very relevant to your organization. Examples being, you know, what's acceptable use for employees and personnel of your computer resources. Home and mobile computing, or bring your own device, meaning if you do allow an employee, a lawyer, to use their personal cell phone, iPad, et cetera, is that okay? And if it is, what kinds of things do they need to know about? Social media acceptable use policy, number eight, making sure that you don't have individuals posting things online in social media that are not necessarily public information. Boy, I'm working on a really, really complex merger with, you know, a gazillion documents for, and they name the company. These are all things to know about. Also, when it comes to security incidents, the last thing you want is for somebody to say, Gosh, I'm going home early today, our systems are locked up with a ransomware attack, and they post that on Facebook. Also, officers, directors or the management committee for your firm should be setting policy.
It doesn't mean, again, that they spend their time with the nuances of these things, but rather at least making sure they understand what's the firm doing with respect to information security generally, and how is this being handled? Did they create an Information Security Committee of several partners or other personnel, including IT, that are managing this?
These are the things that you need to work through. Seeing the forest for the trees. This goes back to staying abreast of technology and making sure you understand benefits and risks. I'll just touch on these very, very briefly because we've now sort of hit them, which is, if you look at all the laws, rules, regulations, et cetera, they all key off of confidentiality, integrity and availability. Mostly, that is. The other thing is that it needs to be reasonable; you are not required to spend the sum total of every dollar your firm makes on information security. That would not be reasonable. If you don't do anything involving personally identifiable information, M&A, et cetera, then you have a decreased level of responsibility, but certainly not zero. That scaling needs to be involved, and this is a common concept in information security. In other words, you don't necessarily require in every single engagement, say, a vendor that's providing services to your law firm, that they agree to the same information security requirements as someone who is going to host a data room for you in an M&A deal. Just things to think about, but those are the common threads that really run through most laws, rules, regs, et cetera. And we'll just really wind up here by talking in a moment about overall information security programs for your firm. And this goes to ABA Model Rule 1.6, making reasonable efforts to prevent. I've already talked in detail about cybersecurity programs, but these slides at the end here really help you in thinking about what kinds of things you want to have. And it really is that last bullet point I want to mention, which is: no program is perfect. No security measures are perfect. What you need to be able to show in the event that there is a potential security incident is that you've acted reasonably, prudently, et cetera, in addressing the issue and mitigating risk. And that's going to be done how? As you would expect, by looking at documentation.
Did your law firm spend time developing an information security program? Do they look at that program and potentially test their incident response plan and those types of things on a regular basis?
Then you know that you can document that you've been acting reasonably. And with that, I'll finish up by saying once again, here's my contact information. I think we're right on time. Do not hesitate to reach out if you have any questions. And thank you so much for your kind attention.