TECHNOLOGY For the Corporate Lawyer

2016 In House Counsel Conference

Author: Margaret Briggs

Presenters:
• Jennifer K. Mailander, Associate General Counsel, Corporation Service Company
• Ryan Murphy, Corporate Counsel, Heraeus
• Scott Plichta, Chief Information Security Officer, Corporation Service Company

What company? “We have a long history of innovation and using leading edge technology to provide customer solutions.” Caterpillar Inc.

Describe Yourself How knowledgeable are you about technology? • Not at all • Somewhat • Very knowledgeable • I am an expert

Ethical Duties
• ABA Model Rules
• 1.1 “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”
• Comment 8 “A lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
• 5.3(d) “A lawyer having direct supervisory authority over the non-lawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer.”

Ethics: Client Confidences • Model Rule 1.6(c) “A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.”

Cybersecurity & Lawyers
According to the FBI, law firms and law departments are among the most vulnerable targets for cyber attacks.
• Lawyers are reported to:
• Have limited resources to dedicate to computer security
• Lack a sophisticated appreciation of technology risks
• Lack an instinct for cybersecurity
The ABA Cyber Security Handbook

Part of a Larger Phenomenon Individual IT Empowerment

Key Terms and Definitions*

• Hosting (Website hosting, Web hosting, and Webhosting) – the business of housing, serving, and maintaining files for one or more websites.

• The Cloud (Cloud Computing) – a type of Internet-based computing where different services such as servers, storage, and applications are delivered to an organization's computers and devices through the Internet. Examples of Cloud Computing include:

• IaaS (Infrastructure as a Service) – a service model that delivers computer infrastructure on an outsourced basis to support enterprise operations. Typically, IaaS provides hardware, storage, servers and data center space or network components; it may also include software.

• PaaS (Platform as a Service) – a category of cloud computing services that provides a platform allowing customers to develop, run, and manage web applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an application.

• SaaS (Software as a Service) – a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet.

*Technology terminology sources include: Wikipedia, Techopedia, International Association of Privacy Professionals (IAPP), ABA, ACC, The Shared Assessments Program, Merriam-Webster, and Ponemon Institute.

A Tasty Example: Pizza as a Service

https://www.linkedin.com/pulse/20140730172610-9679881-pizza-as-a-service

Key Terms and Definitions (cont.)

• Shadow IT – Where a user/department finds a Cloud provider to do work because IT is too busy, usually without the knowledge or oversight controls of IT, IT Security, or Legal.

• SSO (Single Sign-On) – A session/user authentication process that permits a user to enter one name and password in order to access multiple applications. May be used interchangeably with “federation” or “federated login”.

• SAML (Security Assertion Markup Language) – A data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.

• Federation – Refers to different computing entities adhering to certain standards of operations in a collective manner to facilitate communication.

• Encryption – The conversion of electronic data into another form, ciphertext, so that it cannot be easily understood by anyone except authorized parties with the key. Types of encrypted data include: Data in Use, Data at Rest, Data in Motion.

• PCI DSS (Payment Card Industry Data Security Standard) – Industry-created policies and procedures intended to optimize the security of credit, debit, and cash card transactions to protect cardholders against misuse of personal information and financial loss.

Data Types

Data in Use: Active data under constant change stored physically in databases, data warehouses, spreadsheets, etc.

Data in Motion: Data that is traversing a network or temporarily residing in computer memory to be read or updated.

Data at Rest: Inactive data physically stored in databases, data warehouses, spreadsheets, archives, tapes, off-site backups, etc.

Key Terms and Definitions (cont.)

• Big Data –
• Data sets so large or complex that traditional data processing applications are inadequate. Challenges include analysis, capture, search, sharing, storage, transfer, visualization, and privacy.
• High-volume, high-velocity, and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making.

• IoT (Internet of Things) – Network of physical objects embedded with electronics, software, and sensors enabling connectivity (exchanging data, remote control) between manufacturer, operator and other devices, resulting in improved efficiency, accuracy and economic benefits.

• Phishing – Broad, scattered email fraud in which a user is duped into revealing personal or confidential information for illicit use.

• Spear Phishing – Phishing that targets a specific organization; messages appear to come from a trusted source.

Information Security

• Information Security: Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide:
• Integrity – guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.
• Confidentiality – preserving authorized restrictions on access and disclosure.
• Availability – ensuring timely and reliable access to and use of information.

• Information Security Program
• Identify threats, vulnerabilities, and requirements
• Implement security controls; monitor

• Cybersecurity: Measures taken to protect a computer or computer system against unauthorized access or attacks.

Information Privacy
• Not a technology concept, yet inescapably tied to it
• Privacy is not security
• “[Privacy is] the appropriate use of personal information under the circumstances. What is appropriate will depend on context, law, and the individual's expectations; also, [privacy is] the right of an individual to control the collection, use, and disclosure of personal information.” IAPP Information Privacy Certification: Glossary of Common Privacy Terminology, 2011

• Notable privacy events
• Safe Harbor and Privacy Shield
• Establishment of Federal Privacy Council
• National Cybersecurity Action Plan
• New FTC rules for Internet Service Providers
• General Data Protection Regulation (GDPR)

Top 10 Tips: Working with Technology

Top 10 Tips
10. Understand your company’s technology

• Understand your company’s business and the technology your company uses on a daily basis
• Understand your company’s technology strategy
• Cloud first to Cloud never
• Bring your own technology
• Understand who has responsibility for buying and maintaining technology
• What is Legal’s role in this?
• What is your process for buying technology?
• Make sure it includes a process to identify when shadow IT is being bought or used

Top 10 Tips
9. Know your vendors and vendors’ vendors

• Know who your vendors are and what services/products they provide
• Connect and work with your security team
• You both need to know when you find new places to store data
• Put a process in place to identify new technology being used
• It’s happening; you just may not know about it

Top 10 Tips
8. Know your law firms’ security practices

• Understand your obligations as in-house counsel when working with your law firms
• Join the ACC Litigation Committee Subcommittee on Cybersecurity and Law Firms
• Evan Slavitt, [email protected]
• Join the ACC Working Group Data Security for Law Firms
• Amar Sarwal, [email protected]

Top 10 Tips
7. Be a partner to the business

• Find a way to help your business partners understand and mitigate technology risks; help them achieve success
• Host a series of lunch and learns with your business and technology counterparts
• Present on areas of respective expertise
• Contract and licensing 101
• Technology 101
• Sales 101, Operations 101, etc.
• Meet regularly to discuss issues, trends, etc.

Top 10 Tips
6. Conduct a data audit

• Form a cross-functional team to identify data practices
• Understand what data you have and how it is managed
• What is the data?
• Who has (and should have) access?
• Where does it go?
• How long is it stored?
• Do you have a DR/BCP?
• Conduct a DR/BCP exercise annually

Top 10 Tips
5. Assess your individual data practices

• Where do you keep your personal data?
• At home?
• At work?
• Use a password manager
• Don’t store a copy of your passwords online
• Use two factor authentication everywhere

Top 10 Tips
4. Know your company’s breach and incident response plan and practices

• If you don’t have a plan – create one!
• Know the plan and practices
• Know who has what roles in the plan
• Practice, practice, practice

Top 10 Tips
3. Employee training on technology, security, and privacy

• Do it!

Top 10 Tips
2. Get comfortable with technology

• ACC.com, ACC Committees and Chapters
  • ACC Cybersecurity Working Group with Litigation Committee
  • May 17th Cybersecurity Roundtable - The Proactive Side of Cybersecurity: Building the Right Defense with Sound Legal Standing
• LegalTechNews - www.legaltechnews.com
• ABA’s Law Technology Today - http://www.lawtechnologytoday.org/
• PinHawk - www.pinhawk.com
• Pocket - https://getpocket.com/
• Two Factor Authentication - https://twofactorauth.org/
• Password storage
  • LastPass - lastpass.com
• Take a class
• Read
  • Future Crimes: Inside the Digital Underground and the Battle for Our Connected World, Marc Goodman
  • The Tech Contracts Handbook: Cloud Computing Agreements, Software Licenses and Other IT Contracts for Lawyers and Business People, David W. Tollen

Top 10 Tips
1. Network inside and outside your organization

• Develop a core team of company contacts to assist on technology issues.
• Use your contacts in other parts of the organization (e.g., IT, Security) to help you keep up to date on technology developments affecting your business.
• Talk to your peers outside the company regarding best practices and stay current on new developments.

Questions?

Contact Us
• Scott Plichta, [email protected]
• Ryan Murphy, [email protected]
• Jennifer K. Mailander, [email protected]