Computer and Network Security Issues

REMINDERSOFFICE HOURSWEBMAILDBx2Don’t wait to post on DB if you are struggling

Unit ObjectivesDiscuss with others the different types of

computer systems used in a law office; andDescribe the components in a computer

network and the security issues in using a network in a law office.

What is a Computer System?A "computer system" is a combination of

hardware and software needed to create a complete working computer.

A "computer system" is not the same as an "operating system."

Input; Output;Storage

Your Computer

monitor

keyboard

case

CD RW/DVD

Printer/Fax/Scanner

mouse

Inside the case . . .

Image copied from: http://resources.kaboose.com/brain/comp-les2.html

CPU = brains

RAM = working memory

storage

Why is Information Security Important?Legal professionals and clients depend on

computers and technology to communicate about their cases

Because of this, law offices, courts, and clients depend upon computers to keep cases moving along

It’s vital that the information that is disseminated via the computer remains as secure as possible so that client confidences and not revealed

Network ComputersA single computer alone faces security issues only for

that computerHowever, when a computer is on a network, a breach

of security on one of the computers can affect other computers on the network

Limiting access to the network can help to ensure that the system and files stored on it are not corrupted

Security ProtocolsThe term “security protocols” refers to

securing communications between points within a computer network and across the Internet.

There are software programs that can limit the ability to access a file server, workstations, printers, etc. that are on the network.

Network Rights and PrivilegesHow can the right to access the server and

other devices be limited to maximize security?

First, who has access can be indicated. Network administrators have the most rights.

Second, it can be designated just what type of information can be stored on the server.

Third, how the information is disseminated can also be restricted.

PasswordsRestricting network access by requiring

passwords can add securityWriting down your passwords can increase

risk of unauthorized useVPN – Virtual Private Network, a secure

connection to a secure network, such as the office network. This acts as a tunnel to the secure network.

What about “thumbprint devices” and “retinal scans?”

HackingUnauthorized access to computer networks in

order to obtain information stored on the network or undermine how the network operates (viruses)

This can happen when someone on the network surfs the web

Liability can result when unauthorized material is stored on the network

FirewallsFirewalls serve to limit access to a computer

or a system by those outside the computer or system with unauthorized access

But sometimes firewalls can prevent you from accessing some information that you need or working from an offsite location

Antivirus Plus Firewall Example (FREE)

VirusesPrograms that destroy or compromise the

running of computer programs and operating systems are known as computer viruses

Antivirus programs work to prevent viruses from attacking a computer beforehand

Some viruses can cause a computer to be completely ruined or can slow a computer’s speed

Antivirus Example

Preventing Downloading VirusesBe careful when opening attachments on

email. If the source is unknown, you may not want to open or download that.

Update your antivirus software frequently. Most are set to expire or have automatic updates to remind you.

Windows Updates

Backing Up DataOne of the most important things to

remember to do is to back up your work while you are working and when you are done.

USB sticks are great for storing data, but many computers also have an internal recovery system that works well too.

Data Breaches Mean More Than Bad Publicity The following discussion comes from an article

by Jim Walden – as found on www.law.com. “Over the last several years, corporate data

breaches have been regularly splashed across the front pages of the nation's newspapers, causing nightmares for corporate executives. Ever-increasing digitization in areas such as business, banking and accounting has led multinationals to collect and retain inestimable quantities of personal information about employees, customers and counterparties.”

Data BreachesThe negligent (or even innocent) loss of

electronic data to cybercriminals inflicts billions of dollars of damage on our economy, as personal information has become a sought-after treasure trove for cybercriminals. These costs are likely to escalate as, in an increasing trend, corporations are also being pummeled with civil litigation related to data breaches.

Hannaford Brothers Co. The recently announced data breach at grocer

Hannaford Brothers Co. illustrates the trend. On March 17, 2008, Hannaford announced that cyberbandits had breached its system, obtaining access to personal-financial information of nearly 4.2 million customers. Just three days after the announcement, plaintiffs' lawyers filed four class actions against Hannaford. Since then, lawyers have filed an additional 12 complaints, requiring Hannaford to defend litigation from Florida to Maine.

TJX TJX, a retailer that operates T.J. Maxx and

Marshall's stores, faced a federal investigation and an onslaught of follow-on civil litigation after announcing a breach widely reported as the largest data-security breach in U.S. history where computer "hackers" stole at least 45.7 million credit and debit records.

Data Breaches Although data breaches can occur in a wide variety of

ways -- from lost or stolen employee laptops to hacked computer networks -- most companies face a similar array of implications following discovery of a breach. As an initial and immediate matter, a thorough forensic investigation is critical to ascertain the scope and nature of the data breach. According to a recent study from Verizon Business,

more electronic records were breached in 2008 than in the previous four years combined with 9 out of 10 breaches being avoidable if simple security measures had been followed. http://newscenter.verizon.com/press-releases/verizon/2009/verizon-business-2009-data.html

WHAT WOULD YOU DO IF YOU DISCOVERED A BREACH IN YOUR FIRM’S SECURITY? For example, as an initial and immediate matter, a

thorough forensic investigation is critical to ascertain the scope and nature of the data breach.

Civil Lawsuits Corporations suffering data breaches are also

routinely contending with follow-on civil suits -- private, often class, actions seeking damages for the potential economic losses and emotional distress allegedly caused by the potential misuse of the disclosed personal information. Increasingly, these suits are filed soon after the data breach is publicly announced -- much like "stock drop" securities class actions -- thereby adding negative publicity and causing further distractions.

Randolph v. ING Life Ins. In the recent case of Randolph v. ING Life Insurance & Annuity

Co., plaintiffs brought a consumer class action in District of Columbia federal court for invasion of privacy, gross negligence and negligence against ING following an announcement of the theft of an employee laptop from that employee's home containing the personal information of 13,000 government workers and retirees.

Plaintiffs argued, inter alia, that the theft exposed them to "substantial risk of identity theft," and that as a "direct and proximate result," they "have been exposed to a risk of substantial harm and inconvenience, and have incurred or will incur actual damages in purchasing comprehensive credit reports and monitoring of their identity and credit for the definite future."

None of the plaintiffs asserted that they had actually been the victim of any identity theft.

Company succeeded on a motion to dismiss, arguing that plaintiffs lacked standing to sue because they proved no actual damages and, thus, no "recognized injury."

Randolph v. ING Life Ins. The company succeeded on a motion to dismiss,

arguing that plaintiffs lacked standing to sue because they proved no actual damages and, thus, no "recognized injury.“ The court agreed, citing a long line of "lost data" cases in which courts held that "an allegation of increased risk of identity theft due to lost or stolen personal data, without more, is insufficient to demonstrate a cognizable injury.“ Thus, plaintiffs failed to demonstrate the "injury in fact" necessary for the constitutional requirement of Article III standing. Moreover, the court also recognized that credit monitoring services, even if the plaintiffs were to have actually alleged payment for such services, cannot constitute actual injury.

Guin v. Brazos Guin v. Brazos Higher Education Service Corporation Inc.

had a similar result. Plaintiff brought a negligence suit against Brazos after it announced the theft of a laptop containing personal information for 550,000 customers. Granting summary judgment in favor of Brazos, the court held that Brazos had no duty of protection (under the Gramm-Leach-Bliley Act),that Brazos acted with reasonable care in handling the information and that Brazos's inability to foresee and deter the specific theft was not a breach of a duty of reasonable care. Because neither of plaintiff's identity nor personal information was used in any fraud, the court also ruled that the absence of damages was likewise fatal to plaintiff's claim. Consequently, the court dismissed the case with prejudice.

State LawsState laws also help to guide how to proceed

once a security breach has occurred.For a listing of every state’s laws on this

subject, go to http://www.consumersunion.org/campaigns/Breach_laws_May05.pdf

What do you think?What did you find in the news about

information security?

Preview Next Week’s AssignmentPropose Guidelines for Ensuring Security in a Sole

Practice or Small Firm Imagine you are a newly-hired paralegal working for attorney in a sole practice. Similar to the paralegal discussed in the eBook, your attorney relies on you to manage the technology of the office. Based on your Web research and what you learned from the Discussion Board, develop a set of guidelines for ensuring security in your office. Create a table in Word to organize your thoughts.  Include in one section concerns -- what the security issues might be -- and in the other suggestions for ensuring security.  Highlight the heading in yellow.

Preview Next Week’s AssignmentTo create a table in Word,

click on Insert, Table, Insert Table, and Change the number of columns to 3, and put as many rows that you will need. 

If you need to later add or remove rows, right click and either add or delete the row. 

To highlight the heading, highlight the entire row, click on Design, Shading, and then select the color.

TableConcerns Security Issues Suggestions

What do you think?What did you find in the news about

information security?

DB – Two Questions This WeekQuestion One - Different Types of Computer Systems

Perform some Web research on the different types of computer systems available. You will likely find a lot of information on home computer systems, but look specifically for information on office computer systems.

Hint: You may also want to read the section titled “Operating Systems,” located on pages 62-64 in your eBook.

Based on what you learn from your research and the eBook reading, compare and contrast the different types of computer systems.

Post a summary of your findings to the Discussion Board, including citations or the URLs of where you found your information.

Review your classmates’ summaries as well. How did their research and findings compare to what you were able to uncover?

DB – Question 2• QUESTION TWO - Network Security: Network

security is a concern for every one of us. Reports of security breaches and of stolen personal information are in the news all the time, whether it be a hotel, school, or credit card company that has had its networks breached. Share your thoughts and findings with the class on the Discussion Board. Review and respond to at least two of your classmates' posts as well.

Perform some Web research to learn more about this hot topic. For example, this article discusses the new security threats in Web 2.0: http://www.technewsworld.com/story/58854.html.  

What steps do you have to take in order to establish administrator access on a computer? 

How do you assign a password for your computer?  How do you back up data to save your work?  Why is network security an issue for the law office?

Practice Questions

Practice Question # 1ABC Law Firm has 20 associates and 5 legal

assistants. Every associate and secretary has a computer that is part of a network. To make things easy, they give everyone the same password, and the password never lapses or expires. What is wrong with this?

Answer to Practice Question # 1An outsider can readily obtain access to

internal systems because password policies are weak.

User accounts could be compromised and full access to network controllers can be had by some not authorized to use the network.

Practice Question # 2Suppose the ABC law firm gave everyone in

the office administrator access. What is the problem with this?

Answer to Practice Question # 2Once on the network, any staff member could

then defeat security settings and could potentially access all information on the network.

Merely assigning administrator access inside the firm would not enable outside hackers unless staff gave out the information.

Practice Question # 3As a regular part of doing business, the ABC

law firm sends and receives attachments via email without routinely running an antivirus program. What is wrong with this?

Answer to Practice Question # 3Attachments sent via email may carry

viruses.Viruses and worms can spread quickly to

large numbers of computers.An intruder finding a hole somewhere in the

network could easily jump straight to the core of the system.