Email Data Security
Jim Brashear, General Counsel, Zix Corporation, Dallas
[Chart: business use of communication tools: Email 60%, Telephone 23%, Instant Messenger 9%, Social Media 8%]
The dominant business communication tool
• Time spent on email exceeds time spent on all other communication tools combined*
• “The continuing increase in the adoption of email authentication is laying a foundation for email to … remain the world’s dominant form of online communication”**
* Osterman Research (based on time spent on communication tools during an eight-hour day)
** Craig Spiezle, President and Executive Director, Online Trust Alliance
The Good Old Days
[Diagram: threats to data: Insiders, Phishing and Spear Phishing, Rogue Cloud]
How email seems to work
[Diagram: two company networks connected by routers, with DLP and AS/AV filtering in the path]
How email actually works
The Cloud
Email = Cloud Data
“Email sent in the ‘default’ manner over the Internet is inherently insecure.”
Benefits of Secure Email:
• Integrity
• Confidentiality
• Privacy
• Authenticity
• Proof of receipt
• Nonrepudiation
“Now is the time to get serious about your email system.”
Data Intercepts Happen
Email Intercepted
• Government monitoring
• Gmail, Hotmail and Yahoo! accounts targeted by hackers
• China’s Gmail diversion
Man-in-the-Middle
• Bank's unencrypted email: $1.2M theft
• Typosquatting
• SSL Spoofing
• Courts in The Netherlands advised lawyers to stop using email
• Several SSL Certificate Authorities hacked
Reasonable Expectation of Privacy?
What Are Attackers After?
• Proprietary Information
– Cybercriminals: corporate trade secrets
– Nation-state hackers: military and defense intellectual property, designs and plans
• Personal Financial Data
• Political change
• Embarrassment
• Information Freedom
Business Impacts of Cyber Attack
• Loss of IP, confidential information
• Privacy data breach
• Business disruption
• Forensics, containment, recovery, remediation
• Regulatory investigation
• Violations, Increased compliance costs
• Contract breaches
• Consumer lawsuits
• Adverse publicity, brand damage
• Loss of customer trust
• Revenue impact
• Share price decline
• Shareholder derivative suits
• Fines
• Impact on insurance
Who are Targets?
• Individuals
• Governments
• Universities
• Businesses
• Outside directors
– Board portals
• Services providers
– Outsourcers
– Data security firms
– Professionals
Attacking Law Firms
• ALAS: Hacker threats are not hypothetical
• Law firms are soft targets
– Treasure trove of confidential client information
– Consultants, vendors, business partners and employees may have relatively weak data security
Spying by N.S.A. Ally Entangled U.S. Law Firm
By JAMES RISEN and LAURA POITRAS FEB. 15, 2014
The list of those caught up in the global surveillance net cast by the National Security Agency and its overseas partners, from social media users to foreign heads of state, now includes another entry: American lawyers.
Cyber Security Ethics
2014 ABA Resolution
“Encourages all private and public sector organizations to develop, implement and maintain an appropriate [cyber] security program.”
An organization-wide security program is comprised of a series of activities, including:
– governance by boards of directors and senior executives;
– development of security strategies and plans, policies and procedures;
– creation of inventories of digital assets;
– selection of security controls;
– determination of technical configuration settings;
– performance of annual audits; and
Ethics: Competence
Rule 1.1
A lawyer shall provide competent representation to a client
A lawyer should keep abreast of the risks associated with technology
Ethics: Client Confidences
Texas Rule 1.05
Lawyer shall not knowingly reveal confidential information of a client or former client
Unless the client
Ethics: Client Confidences
New Model Rule 1.6
A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client
Ethics: Confidentiality Competency
Comments to Model Rule 1.6
17. When transmitting a communication, a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients
Ethics: Client Property
Rule 1.15
Client property should be appropriately safeguarded
A lawyer should hold property of others with the care required of a professional fiduciary
Information is property
Email Ethics: New Direction
Attorneys may use email but must, under appropriate circumstances, take additional precautions to assure client confidentiality
~ PA State Bar Formal Opinion 2011-200
Professional Judgment
Email Ethics: New Direction
Obligation to warn client about significant risk of email interception
~ ABA Formal Opinion 11-459 (August 4, 2011)
Duty to Protect the Confidentiality of Email Communications with One's Client
Encrypt
• Channels
• Devices
• Content
– at rest
– in transit
• E2EE: End-to-End Encryption
• Everything
Channel Encryption
From the Experts: SSL Hacked!
Enterprise can't rely on encrypted communications anymore, but corporate counsel can champion a fix
[Diagram: identity inquiry, SSL certificate]
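The deck makes two related points: "default" Internet email is inherently insecure, and encrypting the channel (hop-by-hop TLS between mail servers) is not the same as encrypting the content end to end. The following script is an added example, not part of the presentation or any Zix product. It reads the Received: trace headers a mail system stamps on a delivered message and reports which hops carried the message without TLS and which servers held it readable at rest. The sample headers, hostnames and IDs are constructed for the example; the "with" keywords it recognises (ESMTP, ESMTPS, ESMTPSA and the UTF8SMTP variants) are the transport keywords registered for Received: clauses.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample "Received:" trace headers (not taken from the slide deck),
# listed as they appear in a delivered message: the most recent hop first.
# The middle hop (relay.partner.test -> mx.example-law.test) used plain ESMTP.
SAMPLE_RECEIVED = [
    "from mx.example-law.test (mx.example-law.test [203.0.113.10]) "
    "by mail.client.test with ESMTPS id abc123 "
    "(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256); "
    "Mon, 17 Feb 2014 09:12:01 -0600",
    "from relay.partner.test (relay.partner.test [198.51.100.7]) "
    "by mx.example-law.test with ESMTP id def456; "
    "Mon, 17 Feb 2014 09:11:58 -0600",
    "from workstation.partner.test (unknown [192.0.2.44]) "
    "by relay.partner.test with ESMTPSA id ghi789; "
    "Mon, 17 Feb 2014 09:11:55 -0600",
]

# "from <host> ... by <host>" names the two MTAs of a hop; "with <keyword>" is
# the transport keyword registered for Received: clauses (RFC 3848 / RFC 5321).
_FROM_BY_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)
_WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")

# Keywords that mean STARTTLS protected the hop. A trailing "A" only means the
# client authenticated with SMTP AUTH; "ESMTPA" is still a plaintext hop.
_TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


@dataclass
class Hop:
    sender: str      # MTA that handed the message over
    receiver: str    # MTA that accepted it (and stored it, at least briefly)
    protocol: str    # the "with" keyword, e.g. ESMTP or ESMTPS
    encrypted: bool  # True if the hop itself was TLS-protected


def parse_hop(received: str) -> Hop:
    """Extract sender, receiver and transport security from one Received: header."""
    m = _FROM_BY_RE.search(received)
    sender, receiver = (m.group(1), m.group(2)) if m else ("?", "?")
    w = _WITH_RE.search(received)
    protocol = w.group(1).upper() if w else "UNKNOWN"
    # Some MTAs keep the keyword "ESMTP" and record TLS in a comment instead,
    # e.g. "(version=TLS1_2 ...)", so accept that form as well.
    encrypted = protocol in _TLS_KEYWORDS or "version=TLS" in received
    return Hop(sender, receiver, protocol, encrypted)


def plaintext_hops(received_headers: List[str]) -> List[Hop]:
    """Hops on which the message crossed the network unencrypted."""
    return [h for h in map(parse_hop, received_headers) if not h.encrypted]


def transit_fully_encrypted(received_headers: List[str]) -> bool:
    """True only when every recorded hop used TLS (channel encryption)."""
    return not plaintext_hops(received_headers)


def at_rest_holders(received_headers: List[str]) -> List[str]:
    """Every MTA that accepted the message held it in readable form, whatever
    the channel security, unless the content itself was end-to-end encrypted."""
    return [parse_hop(r).receiver for r in reversed(received_headers)]


if __name__ == "__main__":
    for raw in reversed(SAMPLE_RECEIVED):  # print the path origin first
        h = parse_hop(raw)
        status = "TLS" if h.encrypted else "PLAINTEXT"
        print(f"{h.sender:28} -> {h.receiver:22} {h.protocol:8} {status}")
    print("fully encrypted in transit:", transit_fully_encrypted(SAMPLE_RECEIVED))
    print("readable at rest on:", ", ".join(at_rest_holders(SAMPLE_RECEIVED)))
```

Run against the sample, the script flags the relay-to-law-firm hop as plaintext, so the channel alone did not protect the message; and even on a path where every hop reports TLS, the at-rest list shows that each intermediate server could read the content, which is the gap the deck's "E2EE: End-to-End Encryption" line addresses. Received: headers are written by the receiving server, so they are an audit aid for mail you have received, not a guarantee for mail you send.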
Encryption Considerations
• Client’s instructions
• Degree of sensitivity of the information
• Possible client impact from disclosure
• Data breach laws
• Likelihood of disclosure
• Inherent level of security
• Reasonable steps to increase security
• Cost of additional safeguards
• Urgency of the situation
• Legal ramifications of unauthorized interception, access or use
When to Encrypt
Mandatory Data Protection
• Law or regulations require encryption
– E.g., Massachusetts rules for personal information
• Safe harbor from data breach requirements for encrypted data
Highly Sensitive Information
• Should not send highly sensitive client communications via unencrypted methods
Heightened Risk of Interception
• Should not use unencrypted methods where there is a particularly high risk that it may be accessed by unauthorized third parties