Confidentiality in a Digital World

Confidentiality in a Digital World David Whelan, Manager, Legal Information The Law Society of Upper Canada

Description

This presentation was given to lawyers preparing to start practice in Ontario, Canada, as part of an introductory course. It is meant to provide an introduction to some considerations relevant to lawyers who store confidential client information electronically. It was given on December 16th in Toronto.

Transcript of Confidentiality in a Digital World

Page 1: Confidentiality in a Digital World

Confidentiality in a Digital World

David Whelan, Manager, Legal Information

The Law Society of Upper Canada

Page 2: Confidentiality in a Digital World

BE AWARE

Page 3: Confidentiality in a Digital World

Risk Exists Without Technology

Page 4: Confidentiality in a Digital World

Risk Exists Without Technology

Page 5: Confidentiality in a Digital World

Risk Exists Without Technology

Page 6: Confidentiality in a Digital World

Risk Exists Without Technology

I'm in a Starbucks & bunch of lawyers are talking about a client's email trail problem: clearly see their own speech trail as no problem

- from Twitter April 29, 2010

Page 7: Confidentiality in a Digital World

Location, Location, Location

Home

Office

Mobile

Page 8: Confidentiality in a Digital World

Laptops and Mobile Devices

2009 ABA Legal Technology Survey Report

[Bar chart: percentage of lawyers who use a laptop and a handheld at each location: Home, Hotel, Airport, In Transit, Client Office, Courtroom, Other Lawyer's Office. Two series, Laptop and Handheld; vertical axis 0% to 100%.]

Page 9: Confidentiality in a Digital World

CHECKLIST

Page 10: Confidentiality in a Digital World

Risk Assessment Checklist

Unintended Portability

Page 11: Confidentiality in a Digital World

Assume Everything is Portable

• Lock office doors

• Place server(s) in locked room

• Physically secure all devices

– Desktops

– Laptops

– Handhelds

On 7/7/07, <NAME PROTECTED> <EMAIL PROTECTED> wrote:

SUBJECT: Stolen Server

One of my clients is a law firm… on the 4th of July, someone broke into their office and stole the server as well as all of their computers. Luckily they had a good backup plan, so they didn't lose any data from the server.

Page 12: Confidentiality in a Digital World

Avoid Security Through Obscurity

Page 13: Confidentiality in a Digital World

Avoid Security Through Obscurity

US $39, getaheadcase.com

Page 14: Confidentiality in a Digital World

We May Be the Weakest Link

Airport Insecurity: The Case of Missing & Lost Laptops, Ponemon Institute, 2008

~12,000 laptops lost each week at U.S. airports

Only one third recovered

Page 15: Confidentiality in a Digital World

Risk Assessment Checklist

• Unintended Portability

• Defend Against Attacks

– Review defaults

– Passwords

– Harden your defenses

Page 16: Confidentiality in a Digital World

Review Defaults

[Diagram: the Internet connected to your network hardware. Review the defaults on that hardware: passwords, what's shared, what's broadcasting. Add security. Change the name.]

Page 17: Confidentiality in a Digital World

Passwords

• Lots and lots of passwords

– E-commerce and banking Web sites

– E-mail accounts in your firm and on the Web

– To access your phone, your laptop, Windows

• Make them complex

• Make them unique

• Test them

• Write them down

Page 18: Confidentiality in a Digital World

Passwords

• Most popular password? 123456

• Try for eight characters or more

• Use a site like Passwordmeter.com to get tips

• Ideal password is random – good luck with that

• Start with something you can recall

– Weak 15%: commonlaw

– Better 70%: C0mm0nl&w

– Best 92%: C03m0nL&w

Page 19: Confidentiality in a Digital World

Passwords

• Know where your passwords are

– Gawker Media hacked December 12, 2010

– 200,000 passwords cracked immediately

• 1,958 used “password”

• 681 used “qwerty”

• Other popular: 123456, 12345678, abc123

[Diagram: a password reuse chain. Password A (Gawker.com) leads to Exploit A; Passwords B/C (Twitter.com, Campfire.com) lead to Exploit B; Passwords D/E/… (other staff, other non-staff) lead to Exploit C.]
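The three password examples on page 18 and the breach-list point above, as an added Python example that is not part of the original presentation. It ranks the slide's three passwords with a simple character-set estimate (not Passwordmeter's percentage scale) and checks a candidate against a small constructed breach list held only as SHA-1 digests, so the checker never needs the plaintext list. Function names and the scoring rule are this example's own.

```python
import hashlib
import math
import string

# Constructed breach sample: the passwords the slides name as most common.
# Only SHA-1 digests are kept, so a checker never needs the plaintext list.
_SAMPLE_LEAKED = ["123456", "password", "qwerty", "12345678", "abc123"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in _SAMPLE_LEAKED}


def charset_size(pw):
    """Size of the smallest standard character set that covers pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def strength_bits(pw):
    """Rough guessing-resistance estimate in bits (this example's own rule).

    Upper bound of len * log2(charset), minus one character's worth for
    every immediately repeated character ("mm", "00"), which adds little
    to guessing resistance. Not Passwordmeter's percentage scale.
    """
    n = charset_size(pw)
    if n == 0:
        return 0.0
    per_char = math.log2(n)
    repeats = sum(1 for a, b in zip(pw, pw[1:]) if a == b)
    return (len(pw) - repeats) * per_char


def assess(pw):
    """Return the strength estimate plus the problems the slides tell you to fix."""
    issues = []
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        issues.append("appears in breach list")
    if len(pw) < 8:
        issues.append("shorter than eight characters")
    if charset_size(pw) <= 26:
        issues.append("uses a single character class")
    return {"password": pw, "bits": round(strength_bits(pw), 1), "issues": issues}


if __name__ == "__main__":
    for pw in ["123456", "commonlaw", "C0mm0nl&w", "C03m0nL&w"]:
        print(assess(pw))
```

Run as a script it prints the four assessments; the slide's weak/better/best ordering comes out as roughly 38, 52 and 59 bits, and 123456 is flagged three times over. The hashed breach list is the pattern to keep: compare a digest of the candidate against stored digests, never ship a plaintext list of leaked passwords around the firm.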

Page 20: Confidentiality in a Digital World

Harden Your Defenses

[Diagram: the Internet connected to your network hardware.]

Software: Anti-virus, Anti-malware, Browser security, Firewall

Hardware: Firewall, Intrusion Detection

Page 21: Confidentiality in a Digital World

Risk Assessment Checklist

• Unintended Portability

• Defend Against Attacks

– Review defaults

– Passwords

– Harden your defenses

• Reduce Your Risk

– Encrypt your data

– Don’t carry any data you don’t have to

– Protect the data you leave behind

Page 22: Confidentiality in a Digital World

Encryption Reduces Impact of Loss

“Client’s notebook PC & removable hard drive were stolen . . . . Hard drive was unencrypted and contained 10+ yrs of personal and business financial data . . . .”

– E-mail to Solosez discussion list, November 2009

Page 23: Confidentiality in a Digital World

Encrypt Your Data

Partial Disk

• May require you to start the encryption tool

• Encrypts everything you place in the encrypted volume

• Can be closed without turning off computer

• Can be treated as file

Full Disk

• Starts with computer

• Encrypts everything whether it needs it or not

• No user interaction

Page 24: Confidentiality in a Digital World

You Can Take It With You: Don’t!

• The need for portable media is nearly gone

• If you have Internet access, use cloud-based file access tools

– Synchronization (Dropbox, SugarSync)

• Synchronize files between your computer, their servers, and your other devices

• Delete a file, and it is deleted from their servers

– Tonido

• Creates an encrypted tunnel to your files

Page 25: Confidentiality in a Digital World

Encrypt from End to End

[Diagram: a login form (Username, *********) reached over https:// rather than http://, with the connection encrypted end to end.]

Page 26: Confidentiality in a Digital World

3 Reasons to Leave Data Behind

1) Storage devices are getting smaller and easy to lose

2) Someone who finds your lost device can almost always recover deleted data from it

3) A laptop traveling in standby or hibernation mode retains your decryption keys in memory

Page 27: Confidentiality in a Digital World

Protect Your Data

• Back up your data

– Use a secure online backup like Mozy, Carbonite

– Use a portable drive that you can physically secure

• Use preventative measures on handhelds

– Remote locating apps

– Remote destruction apps

Page 28: Confidentiality in a Digital World

Risk Assessment Checklist

• Unintended Portability

• Defend Against Attacks

– Review defaults

– Passwords

– Harden your defenses

• Reduce Your Risk

– Encrypt your data

– Don’t carry any data you don’t have to

– Protect the data you leave behind

• Manage Your Mobility

Page 29: Confidentiality in a Digital World

“Sharing, Sharing, Sharing”*

* Beaver Scouts motto

Page 30: Confidentiality in a Digital World

Manage Your Mobility

• Disable Bluetooth and wireless antennas when you’re not using them

• Disable Windows File Sharing

• Use an encrypted connection AND connect to encrypted resources

Baaaaaa…..Firesheep
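The end-to-end point on page 25 and the "encrypted connection AND encrypted resources" point above, as an added Python example that is not part of the original presentation. It audits a login response the way a cautious user or firm IT person would: is the page served over https, and is the session cookie marked Secure (and HttpOnly) so the browser will never send it back over plain http, which is what Firesheep-style session capture on open Wi-Fi depended on. The function names and the three sample responses are this example's own constructions.

```python
from urllib.parse import urlparse

# Constructed sample: one login page fetched three ways, with the Set-Cookie
# header each response carried. Not real traffic from any real site.
SAMPLE_RESPONSES = [
    ("http://portal.example/login", ["session=abc123; Path=/"]),
    ("https://portal.example/login", ["session=abc123; Path=/"]),
    ("https://portal.example/login", ["session=abc123; Secure; HttpOnly; Path=/"]),
]


def cookie_attributes(set_cookie):
    """Split a Set-Cookie header into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit(url, set_cookie_headers):
    """List the ways this login could be exposed on an untrusted network."""
    findings = []
    # The connection itself: anything over plain http is readable on the wire.
    if urlparse(url).scheme.lower() != "https":
        findings.append("page served over plain http: credentials and cookies readable on the wire")
    # The resource: a session cookie without Secure will also be sent over http
    # later, even if the login itself used https.
    for header in set_cookie_headers:
        name, attrs = cookie_attributes(header)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: browser will also send it over http")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly: readable by page scripts")
    return findings


def audit_all(responses=SAMPLE_RESPONSES):
    """Audit every sample response; returns (url, findings) pairs."""
    return [(url, audit(url, headers)) for url, headers in responses]


if __name__ == "__main__":
    for url, findings in audit_all():
        print(url, "->", findings or ["ok"])
```

Only the third response passes: https for the connection, and a cookie that will never leave the browser unencrypted. The second shows why the slide says AND: an https login whose cookie lacks Secure still leaks the session the moment the browser follows a plain http link to the same site.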

Page 31: Confidentiality in a Digital World

Risk Assessment Checklist

• Unintended Portability

• Defend Against Attacks

– Review defaults

– Passwords

– Harden your defenses

• Reduce Your Risk

– Encrypt your data

– Don’t carry any data you don’t have to

– Protect the data you leave behind

• Manage Your Mobility

Page 32: Confidentiality in a Digital World

Conclusion

• Maintain control of your data

– Requires prior planning to prevent loss

– Requires creating practices to minimize possibility of loss

• Embrace technology thoughtfully

– You can be efficient and careful

– Be aware of where you are and be mindful of what you are doing and sharing

Page 33: Confidentiality in a Digital World

Thank You!

• David Whelan

– Manager, Legal Information, The Law Society of Upper Canada

– [email protected]

– Twitter: @davidpwhelan