
1/16/2019


Protecting Client Data: Ethics, Security, and Practicality for Estate Planners

J. Michael Deege, James D. Lamm, and Margaret Van Houten


J. Michael Deege


• Estate planning attorney at Wilson Deege Despotovich Riemenschneider & Rittgers, PLC, in West Des Moines, Iowa

• ACTEC Fellow


James D. Lamm


• Estate planning attorney at Gray, Plant, Mooty, Mooty & Bennett, P.A., in Minneapolis, Minnesota

• ACTEC Fellow


Margaret Van Houten


• Estate planning attorney at Davis, Brown, Koehn, Shors & Roberts, P.C., in Des Moines, Iowa

• ACTEC Fellow


Introduction


• The practice of law is, at its core, all about receiving, processing, and transmitting information

• Over the past 60 years or so, the practice of law has evolved with each major advance in information technology


• Major information technology advances:

– Photocopiers

– Fax machines

– Personal computers

– Cell phones

– Internet

– Email

– Cloud storage and services


• In estate planning, we may acquire:

– Social security numbers

– Bank and brokerage account numbers

– Net worth statements

– Tax returns

– Confidential family and business information

• This is valuable information to cyber criminals


• We know how to protect that information when it’s on paper:

– We take precautions transmitting valuable or significant paper (e.g., stock certificates, bonds, and original legal documents)

– We lock the doors to our law firms and restrict who can enter

– We train staff to respect client confidences


• Today, we need to protect confidential information in the digital world:

– Take precautions transmitting confidential client data

– Lock confidential data with passwords and encryption, and restrict who can access it

– Train staff to practice safe computing and respect confidential client data


• Every day, about 7 million data records are lost or stolen

• 72% of breach incidents are done by a malicious outsider

• 18% of breach incidents are a result of accidental loss

• 9% of breach incidents are done by a malicious insider


• In 2017, the FBI’s Internet Crime Complaint Center received 301,580 complaints of malicious cyber incidents (reported losses: $1.4 billion)

• The chance of arresting a cybercriminal was estimated to be 0.31% in 2016

• Malicious cyber incidents cost the U.S. economy $57 billion to $109 billion in 2016

• Other statistics:

• Phishing is the leading cause of cyber attacks worldwide

• “Amateurs hack systems, professionals hack people.”—Bruce Schneier


• More Bruce Schneier quotes:

– “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”

– “You can’t defend. You can’t prevent. The only thing you can do is detect and respond.”


• Today, we’ll discuss how to protect client data:

– What are the rules?

– What are the tools?


Ethical Rules


• ABA Model Rule 1.1:

“A lawyer shall provide competent representation to a client.”


• ABA Model Rule 1.1, comment 8:

“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”


• ABA Model Rule 1.6(c):

“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”


• ABA Model Rule 1.6(c), comment 18:

“Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure.”


“The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”


• “Reasonable efforts” factors:

– Sensitivity of the information

– Likelihood of disclosure if additional safeguards are not employed

– Cost of employing additional safeguards


– Difficulty of implementing the safeguards

– Extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., difficult to use)


• ABA Model Rule 1.6(c), comment 18:

“A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule.”


• ABA Formal Opinion 99-413:

“A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct.”


• ABA Formal Opinion 11-459:

“A lawyer sending or receiving communications with a client via e-mail … ordinarily must warn the client about the risk of sending or receiving electronic communications … where there is a significant risk that a third party may gain access.”


– Obligation to warn a client who uses an employer-provided device or email account

– Also consider other situations where a third party may have access to emails, including shared email accounts and shared devices


• State ethics opinions on email:

– Some states require advising a client that email is not absolutely secure

– Some states require client consent to use unencrypted email

– Some states require appropriate precautions when using public Wi-Fi


• ABA Formal Opinion 477R (May 22, 2017) (update to Formal Opinion 99-413):

“A lawyer generally may transmit information relating to the representation of a client over the Internet … where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access.”


“The use of unencrypted routine email generally remains an acceptable method of lawyer-client communication. However … it is not always reasonable to rely on the use of unencrypted email.”


“Therefore, lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters, applying the Comment [18] factors to determine what effort is reasonable.”

• ABA Formal Opinion 477R sets out seven steps:

1. Understand the nature of the threat

2. Understand how client confidential information is transmitted and where it is stored

3. Understand and use reasonable electronic security measures


4. Determine how electronic communications about clients should be protected

5. Label client confidential information


6. Train lawyers and nonlawyer assistants in technology and information security

7. Conduct due diligence on vendors providing communication technology


• ABA Formal Opinion 480:

– Lawyers who post public comments on blogs, listservs, and social media may not reveal information relating to a representation, including information contained in a public record, unless authorized by an exception to ABA Model Rule 1.6


• ABA Formal Opinion 483:

– When a data breach occurs that involves client information, lawyers have a duty to notify current clients of the breach and take reasonable steps consistent with their ethical obligations under the Model Rules

– Obligation to monitor for a data breach


• Security should be balanced with practicality


Securing Client Data


• Cybersecurity resources for solo practitioners and small firms:

– IRS Publication 4557

– FCC Cybersecurity for Small Business: https://tinyurl.com/y9f74qaw

– NIST Small Business Corner: https://tinyurl.com/yaynpmc4


• Confidential client data can be protected using strong encryption

• Encryption scrambles data using a key so that the original data cannot be recovered without knowing the key to decrypt it


• You can encrypt:

– A single data file

– A collection of data files

– An entire storage device

– Communications between two devices


• Symmetric encryption uses the same key (e.g., one derived from a password) to encrypt the data and to decrypt it

• Both the sender and the recipient need to know the password


• Asymmetric encryption uses two keys: one key to encrypt the data and a second key to decrypt it (the two keys are mathematically linked, and only the decryption key has to stay secret)

• Asymmetric encryption can securely transmit and/or authenticate data without both parties sharing a common secret (e.g., a password)


• Weak encryption

– Data can be decrypted relatively easily without knowing the password

– A fast computer can try every possible key (“brute force”) in a reasonable amount of time


• Strong encryption

– Trying every possible key (“brute force”) would take so long that decrypting without the key is practically impossible

– But a weak or commonly known password undermines strong encryption: the attacker guesses the password instead of the key


• Weak encryption examples:

– Data Encryption Standard (DES)

• Approved as a U.S. federal standard in 1976 (published as FIPS 46 in 1977) and used for sensitive, unclassified government data until Triple DES replaced it in 1999; single DES was never approved for classified data

• Until the late 1990s, DES was considered impractical to decrypt by brute force

• Today, its 56-bit key can be brute-forced in less than a day


– Some Adobe PDF documents:

• 40-bit RC4 encryption since 1996

• Today, 40-bit RC4 encryption can be decrypted in minutes

• Use 128-bit or 256-bit AES encryption plus a strong password to secure client data


– Some Microsoft Office documents:

• The legacy .doc, .xls, and .ppt formats (Office 97-2003) use weak RC4 encryption that can be decrypted in less than 10 minutes

• The .docx, .xlsx, and .pptx formats (Office 2007 and later) use AES encryption (use with a strong password to secure client data)


– Zip archives using ZipCrypto:

• The original PKZIP cipher, released in 1989

• Today, a home computer can recover the contents in minutes: a known-plaintext attack published in 1994 needs only about a dozen bytes of predictable content (e.g., a standard file header) to recover the internal key

• Use AES encryption (offered by 7-Zip and WinZip) and a strong password to secure client data in Zip archives


• Strong encryption example:

– Advanced Encryption Standard (AES)

– U.S. government uses AES to protect national security information

– AES encryption is widely used in popular software programs and devices


– 128-bit AES encryption has 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 possible key combinations


– Take one file encrypted with 128-bit AES and a password strong enough that the attacker has to guess the key itself

– 7 billion people on the planet

– Give each person 10 computers that each can try one billion keys per second

– That is 70,000,000,000,000,000,000 (7 × 10^19) key guesses per second

– Let’s say we get lucky and find the key after trying only 50% of the possible keys (2^127, about 1.7 × 10^38)

– It would still take about 77 billion years!
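The arithmetic above carried through in code, as an added example that is not part of the original materials, together with the caveat the slides only hint at: 2^128 is the size of the AES key space, but an attacker facing a password-protected file guesses passwords, not keys, and the guessing rate is bounded by the file format's key-derivation function rather than by raw AES speed. The KDF rate (one million guesses per second) and the password alphabets are assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Attack model from the slides: 7 billion people, 10 computers each, 1e9 guesses/s each.
SLIDE_GUESSES_PER_SECOND = 7e9 * 10 * 1e9      # 7e19


def search_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password drawn uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)


def years_to_crack(bits: float, guesses_per_second: float, fraction: float = 0.5) -> float:
    """Years to find the secret after searching `fraction` of a 2**bits space."""
    guesses = fraction * 2.0 ** bits
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def compare(bits_of_password: float, kdf_guesses_per_second: float) -> dict:
    """Attacking the 128-bit AES key directly vs. guessing the password.

    Each password guess has to run the key-derivation function, so the attacker's rate
    drops from AES speed to whatever the KDF permits (kdf_guesses_per_second is an
    assumed figure; it depends on the file format, iteration count and hardware).
    """
    return {
        "aes_key_years": years_to_crack(128, SLIDE_GUESSES_PER_SECOND),
        "password_years": years_to_crack(bits_of_password, kdf_guesses_per_second),
    }


if __name__ == "__main__":
    print(f"128-bit key at 7e19 guesses/s: {years_to_crack(128, SLIDE_GUESSES_PER_SECOND):.3g} years")
    for desc, length, alphabet in (("8 lowercase letters", 8, 26),
                                   ("10 mixed-case letters and digits", 10, 62),
                                   ("16 printable ASCII characters", 16, 95)):
        bits = search_bits(length, alphabet)
        r = compare(bits, kdf_guesses_per_second=1e6)   # assumed ~1M KDF trials/s on one GPU
        print(f"{desc}: {bits:.1f} bits -> {r['password_years']:.3g} years")
```

The 128-bit key comes out at roughly 77 billion years, matching the slide; an 8-character lowercase password protecting the same file falls in about a day at the assumed KDF rate, which is why the slides insist on a strong password as well as strong encryption.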


• Weak passwords undermine the protection of strong encryption.

• Consider using strong encryption plus a strong password for confidential client data:

– Stored on a laptop, tablet, smartphone, or other storage device that leaves your office

– Stored in the cloud (e.g., Dropbox)

– Transmitted in a manner where there is a significant risk that a third party may gain access


Office Policies


• Who is responsible for the Firm’s Technology Resources? A committee, an individual or the Firm’s Board of Directors?

• Should there be a Confidentiality/Security Committee to address ethical issues, deal with client security audits, develop and complete training modules and courses?


• Should there be a written set of policies for use by the end users of the firm systems? See Attached APPENDIX C to these materials for a sample policy.

• Topics to be covered by Policy include:

– Designation of parties responsible for various technology and security matters.

– Listing of Technology Resources.

• Contents of Policies (continued)

– Guidelines for use of Portable Electronic Devices, including laptops, phones, tablets, portable drives, etc. Where can those portable devices be stored?

– What information can be placed on a personally-owned computer or device?

– Internet Access and Email Provisions.

• Contents of Policies (continued)

– Passwords – How often to change, how to create a secure password, with whom may a password be shared.

– Use of two-factor authentication.

– Remote Access – how and where should it be used?


• Contents of Policies (continued)

– Procedures for avoiding virus and malware problems, such as prohibiting users from installing or updating software themselves, and providing additional training.

– Definition of “Sensitive Data” that must be encrypted before sharing outside the firm network.

• Contents of Policies (continued)

– Incident Response Policy.

– Sanctions for violation of policies.


Engagement Letters

• Clients should be made aware of the policies and ethical responsibilities regarding email confidentiality, encryption, and electronic file maintenance.

• Engagement Letters should include reference to email and information security.


• SAMPLE LANGUAGE #1: We will endeavor to keep you well informed of developments, and will consult with you to ensure timely, effective and efficient completion of the Project. To facilitate this, we use communication and technology tools, including email, which may be provided by or facilitated by third parties. Email may not be as secure as other forms of communication.


• SAMPLE LANGUAGE #1 (continued): As a result, your information may be exchanged on networks or stored on servers hosted by third parties. We have adopted internal policies and procedures related to the selection and use of third party tools and the transmittal and storage of your information.


• SAMPLE LANGUAGE #1 (continued): These policies and procedures are intended to reduce the risk of inadvertent disclosure of your communications or information. If you would like to review our information security policies, please let us know. We would be happy to provide them to you.


• SAMPLE LANGUAGE #1 (continued): If requested, we would be happy to work with you to develop specialized information security protocols for your information; however, unless so requested by you and agreed to by us, we will operate in accordance with our standard information security policies. In addition, your work email is likely not confidential.


• SAMPLE LANGUAGE #2: From time to time it may be convenient to communicate by email or cellular telephone, unless you object. You are cautioned that such communications cannot be accomplished with complete confidence that they will not be intercepted by unauthorized persons. (continue with reference to security policy).


• File Retention Policies.

– A client should be notified of the firm’s file retention policies, either in the Engagement Letter or upon completion of the project.


– SAMPLE LANGUAGE: We will retain your file electronically for ten years after the completion of the Project. Your file and all of its contents will then be permanently destroyed without further notice to you, with original documents returned to you, unless otherwise agreed. You may retrieve your file at any time during that period.


Training


• Look for training courses dealing with cybersecurity. Here is a list of cybersecurity education and training providers: https://tinyurl.com/y9v8hp9u

• Also look at Department of Homeland Security website: http://www.dhs.gov


• Larger businesses have increased their security

• Small to mid-size businesses remain exposed

• Small business is the low-hanging fruit

• 97% have email

• 74% have a website

• What are the elements of a training program?


Insurance


• Coverage Highlights

– No retro date (full prior acts for unknown data breaches)

– Coverage for data held in electronic or paper format

– Coverage for breaches of PII and any corporate confidential information

– Coverage for breach of data held by a third party


• Coverage Highlights (cont.)

– Full limit for regulatory fines and penalties

– Full limit for contractual damages

– Cyber business interruption

– Split notification costs

– Broad system damage caused by hacker

– Coverage for breach of employee’s PII


• Coverage Highlights (cont.)

– Breaches by rogue employees

– No encryption warranty in policy or exclusion

– No failure to upgrade software exclusion

– 24/7 privacy breach hotline staffed by privacy breach lawyers


Insurance

• One carrier estimated the cost for a 5-attorney, 5-staff firm to be $500/$1,000 per year


Cloud-Based Systems


• Sometimes referred to as SaaS or software as a service. (http://www.airdesksolutions.com/law-firms/)

• All of firm’s software is located on the cloud

• All of firm’s data is also on the cloud

• Does moving to the cloud raise security concerns?


Cloud-Based Systems


• Iowa Bar Ethics Opinion 11-01 (September 9, 2011)

– Approved use of SaaS to store client information under Iowa RPC 1.6

– Must perform due diligence on degree of protection

– Basic guidance provided (See Chart in Opinion)


Cloud-Based Systems


• How physically secure is my data and my clients’ data?

– Server has a physical location somewhere

– Vulnerability to weather related disasters

– Physical security (Guards, alarms, cameras, power backup, etc.)


Cloud-Based Systems


• What kind of encryption is provided?

– What level of data encryption is used when transmitting (Financial industry standards)

– What level of data encryption is used for stored data


Cloud-Based Systems


• How often is data backed up?

– Does the frequency meet your needs? (How much data can you lose and still be in business?)

– Is the data backed up on site or a remote location

– You risk malpractice if lost data causes missed deadlines


Cloud-Based Systems


• What minimum standards must be met?

– Data Security

– Availability (Uptime)

– Encryption

– Intrusion detection

– Virus protection

– Uninterruptible power supply

– Benefits vs Risks


Software Solutions

• Use a password manager to keep track of passwords and other secure information:

– LastPass: https://www.lastpass.com

– 1Password: https://www.1password.com

– Dashlane: https://www.dashlane.com


Software Solutions

• Use strong encryption and a strong password to protect confidential client data:

1. Encrypt a single file

2. Encrypt a collection of files

3. Encrypt an entire storage device

4. Encrypt communications between two devices


Software Solutions

1. Encrypting a single file:

– Print or scan to a PDF document

• Change the security settings to “password security” and select “require a password to open the document”

• AES encryption is used in Adobe Acrobat 7.0 or later files


Software Solutions

• Adobe Acrobat (full version):


Software Solutions

1. Encrypting a single file:

– Word/Excel/PowerPoint documents

• For AES encryption, ensure the file is saved in .docx, .xlsx, or .pptx format

• File > Info > Protect Document > Encrypt with Password


Software Solutions

• Microsoft Word:


Software Solutions

2. Encrypting a collection of files:

– Create an archive that:

• Combines multiple data files into a single data file

• Compresses the data (smaller size)

• Encrypts the data using strong encryption (e.g., AES)


Software Solutions

2. Encrypting a collection of files:

– Popular archive formats:

• Zip (file ends with .zip)

• 7-Zip (file ends with .7z)

• RAR (file ends with .rar)


Software Solutions

2. Encrypting a collection of files:

– Popular Windows software to create encrypted archives:

• 7-Zip (free)

• PeaZip (free)

• IZArc (free)

• WinRAR (shareware)


Software Solutions

2. Encrypting a collection of files:

– Popular Mac OS software to create encrypted archives:

• Keka (free)

• BetterZip ($24.95)


Software Solutions

• 7-Zip for Windows:


Software Solutions

3. Encrypting an entire storage device:

– Encrypt the system drive where the operating system is installed (recommended for laptops that store confidential client data)

– Encrypt a hard drive, SSD, USB flash drive, CD, DVD, Blu-ray disc, etc.

– Encrypt a virtual volume


Software Solutions

3. Encrypting an entire storage device:

– Windows BitLocker (free):

• Windows 8 or 10: Pro or Enterprise

– Mac OS FileVault (free)

– VeraCrypt (free for Windows, Mac OS, Linux)

– How to encrypt your laptop: https://tinyurl.com/qbccuvv


Software Solutions

4. Encrypting communications between two devices:

– Email

– Public Wi-Fi


Software Solutions

• Encrypting email:

1. Use attachments:

• Put the client-confidential message into an encrypted PDF or Word document

• Attach the encrypted PDF or Word document to the email


Software Solutions

• Encrypting email:

2. Use public key encryption:

• Built-in to Microsoft Outlook

• Symantec PGP Email Encryption

• GnuPG (free)

• But, both the sender and the recipient must generate keys and know how to use the software


Software Solutions

• Encrypting email:

3. Use a third-party service/software:

• ZixMail

• Mimecast Email Encryption

• Rpost RMail

• Cisco Registered Envelope Service

• Sophos SPX Email Encryption

• Cirius Messaging


Software Solutions

• Use appropriate security software on your devices:

– Anti-virus options for Windows: https://tinyurl.com/zmvbm9s

– Anti-virus options for macOS: https://tinyurl.com/puhl5um

– Anti-malware for Windows or macOS: https://www.malwarebytes.com


Using Public Wi-Fi


• Use “https” if available for Web sites to encrypt data in transit

• Require SSL connections in apps to encrypt data in transit (e.g., email)

• Turn off file and printer sharing

• Turn on your firewall (included with Windows and Mac OS X)


Using Public Wi-Fi


• Use a Virtual Private Network (VPN)

– Encrypts the connection between your device and the VPN provider (prevents others using the same public Wi-Fi from seeing your data)

– But, some public Wi-Fi hotspots block VPN services


Using Public Wi-Fi


• Popular VPN providers:

– NordVPN

– Private Internet Access VPN

– TunnelBear VPN

– Many other VPN providers


Computer Security Tips


1. Keep your operating system, anti-virus, anti-malware, and other apps up-to-date

2. Back up your data regularly to protect against a ransomware attack, virus, malware, theft, or a hardware failure

3. Use appropriate security software on your devices


Computer Security Tips


4. Encrypt your home and office Wi-Fi networks: https://tinyurl.com/ya4dvyjj

5. Use separate, strong passwords for each of your user accounts, and use a password manager to keep track of them

6. Use two-factor authentication for remote access and, if possible, for online accounts


Computer Security Tips


7. Encrypt confidential client data before it leaves your office by email, on a laptop, on a USB flash drive, etc.

8. Don’t leave mobile devices unattended

9. Use a VPN when using public Wi-Fi
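The single-file encryption slides (PDF "password security", Word "Encrypt with Password", saving in .docx rather than legacy .doc for AES) and tip 7 both depend on a file really being protected before it leaves the office. As an added example that is not part of the presentation, this Python script inspects the outer container of a file and reports whether it carries password protection; the sample files it builds are constructed, and the checks are heuristics on the PDF trailer keyword, zip entry flags and OLE2 stream names, nothing deeper.

```python
"""Verify that a file about to leave the office is actually password-protected,
judging from its outer container. Added example, not from the presentation."""
import io
import zipfile

PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Office binary / encrypted OOXML wrapper


def classify(data: bytes) -> str:
    """Return a verdict such as 'pdf: encrypted' for the raw file bytes."""
    if data.startswith(PDF_MAGIC):
        # A password-protected PDF references its encryption dictionary via /Encrypt.
        return "pdf: encrypted" if b"/Encrypt" in data else "pdf: NOT encrypted"
    if data.startswith(ZIP_MAGIC):
        # .docx/.xlsx/.pptx saved without a password are plain zip containers;
        # zip itself marks encrypted entries with bit 0 of each entry's flag word.
        try:
            entries = zipfile.ZipFile(io.BytesIO(data)).infolist()
        except zipfile.BadZipFile:
            return "zip: malformed"
        if entries and all(e.flag_bits & 0x1 for e in entries):
            return "zip: encrypted"
        if any(e.filename == "[Content_Types].xml" for e in entries):
            return "office-openxml: NOT encrypted (saved without a password)"
        return "zip: NOT encrypted"
    if data.startswith(OLE_MAGIC):
        # 'Encrypt with Password' rewraps an OOXML file as an OLE2 compound file
        # holding EncryptionInfo and EncryptedPackage streams (names are UTF-16LE).
        if "EncryptionInfo".encode("utf-16-le") in data:
            return "office: encrypted (AES, Office 2007+ format)"
        return "office: legacy binary format, at best the older non-AES protection"
    return "unknown or unchecked format (e.g. 7z)"


def build_samples() -> dict:
    """Constructed sample files (not real client documents) for a quick run."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    return {
        "plain.docx": buf.getvalue(),
        "secured.docx": OLE_MAGIC + b"\0" * 8 + "EncryptionInfo".encode("utf-16-le"),
        "plain.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R >>\n%%EOF",
        "secured.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF",
    }


def check_all() -> dict:
    """Classify every constructed sample; a 'NOT encrypted' verdict means stop and fix."""
    return {name: classify(data) for name, data in build_samples().items()}
```

Run `check_all()` on the constructed samples, or `classify(open(path, "rb").read())` on a real attachment, before it goes out; a "NOT encrypted" or "legacy binary" verdict means the file needs to be re-saved with a password first.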


Computer Security Tips


10. Think before you click a link received in an email, even if the email comes from someone you know and trust. When in doubt, check the link first by using: https://sitecheck.sucuri.net/ or https://www.virustotal.com


Computer Security Tips


11. If you’ve been attacked with ransomware, visit https://www.nomoreransom.org for help

12. If you’ve been infected with a virus or malware, visit https://tinyurl.com/ycktycqt for help


Questions & Answers


J. Michael Deege, James D. Lamm, and Margaret Van Houten