The Firm's Digital Assets: How to Identify & Protect Them
Jason L. Turner
May 2, 2013

Learning Objectives
Through today's seminar, we will:
(1) Learn what a digital asset is;
(2) Explore how technology and our ethical obligations cross paths in the digital age; and
(3) Learn some safeguards to implement within the Firm to reduce cyber-attacks and security breaches.

What is a Digital Asset?
- Computer files: Word documents, PDFs, Excel
- Website
- PayPal
- Social media sites: LinkedIn, Facebook, Twitter
Ultimately, a digital asset is anything you store electronically, whether on your computer, phone, tablet or via the server (old school or cloud).

Keeping Digital Assets Secure
- Cyber-attacks are on the rise
- Complaints in excess of 300k/year
- CA, FL & TX ranked #1, #2 & #3
- Verizon Business study: studied 90 breaches; 285 million data records exposed; 9 exposures per second
- End user mistake = most breaches
- Twitter & Facebook = most attacked websites
Passwords
- Anonymous attack on Yahoo
- Analysis of 440k Yahoo passwords: 22% were not unique (i.e., used by more than one person)
- Most common: Password, , Jesus, welcome, love, money, freedom
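The analysis summarised on this slide (what share of passwords is used by more than one account, and which ones) is the same audit a firm can run on its own accounts after a password-reset exercise. The following is an added example, not part of the original seminar and not code from Yahoo or the analysts cited. It runs over a constructed account list, reports the share of accounts whose password is shared with another account, the most-shared passwords, and per-account checks against the common passwords named on the slide plus the alpha-numeric tip from the social-media policy later in the paper. The account list, the function names, and the ten-character minimum are assumptions of the example.

```javascript
// Added example (not from the seminar): a password-hygiene audit like the one run on
// the leaked Yahoo list, applied to a firm's own accounts. Run with: node password_audit.js
// In practice the input would come from a password-reset exercise or a breach dump;
// here it is a constructed sample so the script runs offline.
const CONSTRUCTED_ACCOUNTS = [
  { user: 'alice', password: 'password' },
  { user: 'bob',   password: 'password' },
  { user: 'carol', password: 'welcome' },
  { user: 'dave',  password: 'Tr0ub4dor-xyz' },
  { user: 'erin',  password: 'love' },
  { user: 'frank', password: 'love' },
  { user: 'grace', password: 'correct horse battery' },
  { user: 'heidi', password: 'R3dFalcon2012' },
  { user: 'ivan',  password: 'money' },
  { user: 'judy',  password: 'password' },
];

// Blocklist seeded with the passwords the slide lists as most common in the Yahoo
// analysis; a production blocklist would be a full published top-N list.
const COMMON_PASSWORDS = new Set(['password', 'jesus', 'welcome', 'love', 'money', 'freedom']);
const MIN_LENGTH = 10; // assumed policy minimum; the seminar sets no specific length

// Count how many accounts use each password.
function countPasswords(accounts) {
  const counts = new Map();
  for (const { password } of accounts) {
    counts.set(password, (counts.get(password) || 0) + 1);
  }
  return counts;
}

// Per-account checks: shared with another account ("not unique" in the slide's
// sense), on the common-password list, alpha-numeric (letters and digits, the
// policy tip from the social-media section), and long enough.
function checkAccount({ user, password }, counts) {
  return {
    user,
    shared: counts.get(password) > 1,
    common: COMMON_PASSWORDS.has(password.toLowerCase()),
    alphanumeric: /[A-Za-z]/.test(password) && /[0-9]/.test(password),
    tooShort: password.length < MIN_LENGTH,
  };
}

function auditPasswords(accounts) {
  const counts = countPasswords(accounts);
  const findings = accounts.map((a) => checkAccount(a, counts));
  const sharedAccounts = findings.filter((f) => f.shared).length;
  // Most-shared passwords, largest group first (the "top 10" view of a dump).
  const topShared = [...counts.entries()]
    .filter(([, n]) => n > 1)
    .sort((a, b) => b[1] - a[1])
    .map(([password, n]) => ({ password, accounts: n }));
  return {
    total: accounts.length,
    sharedRate: sharedAccounts / accounts.length,
    topShared,
    findings,
  };
}

// Users who fail at least one check and should be asked to reset.
function flaggedUsers(report) {
  return report.findings
    .filter((f) => f.shared || f.common || !f.alphanumeric || f.tooShort)
    .map((f) => f.user);
}

// Demo over the constructed sample.
const demoReport = auditPasswords(CONSTRUCTED_ACCOUNTS);
console.log(`${(demoReport.sharedRate * 100).toFixed(0)}% of accounts share a password with another account`);
console.log('most shared:', demoReport.topShared);
console.log('needs reset:', flaggedUsers(demoReport).join(', '));
```

On the constructed sample, half the accounts share a password with another account, "password" is the largest group, and only the two accounts with long alpha-numeric passwords pass every check. The same script, pointed at real reset data, gives the firm its own version of the 22% figure without anyone reading individual passwords.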
Hacking / Cyber-attacks
- Puckett & Faraj, PC (Virginia firm)
- Military law firm (defended US Marine in Haditha killings)
- February 2012 hacking by Anonymous
- Released numerous electronic files, including employee e-mails, cell phone records, etc.
- Replaced firm's website home page with a hip-hop video

Hacking / Cyber-attacks, cont'd.
- Anonymous strikes again! Jan. 28, 2013: US Sentencing Commission website
- Protesting the prosecution of Aaron Swartz (committed suicide while awaiting trial)
- Replaced site with video criticizing prosecution
- Hacked again after site restored
- Uploaded code that could change site into the Asteroids video game
- Distributed encrypted files named after US Supreme Court Justices

Where are Digital Assets Kept?
- Computers (PCs and laptops)
- Tablets (iPads)
- Internal servers
- External/cloud servers
- Mobile phones
It is crucial to have a security-aware culture to make reasonable attempts to prevent breaches.

Security-Aware Culture
- Anti-virus software (BitDefender, McAfee)
- Employee training: phishing scams, malware pop-ups, attachment viruses, website access

Security-Aware Culture, cont'd.
- Information Technology (IT Dept.): security team can assist in assessing data and creating a risk assessment plan
- Insurance coverage (not for ethical violations!)
The primary motivation for hacking is revenge/disgruntled employees.
Ethics & Digital Assets
Model Rule 1.6(a): "A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b)."*
*[criminal acts, bodily harm, etc.]

Ethics & Digital Assets
Model Rule 1.6(c): "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."

Maintaining Sensitive Information
Safeguard your sensitive info by:
(1) Knowing what you have;
(2) Keeping only what is necessary;
(3) Protecting what is retained;
(4) Properly destroying what is not needed; and
(5) Developing a response plan in the event of a security breach.
Segregate high-risk assets and implement additional measures to maintain security of the assets.

Major Areas of Exposure
- Computer servers (internal v. the Cloud)
- Smartphones/mobile devices
- Websites/social media
Servers vs. The Cloud

[Chart: 2012 Global Cloud Survey Report, Legal IT Professionals]

The Cloud: Efficient, Affordable & Accessible
- Alternative to internal server rooms
- Dropbox, Microsoft, Google, Amazon
- End user accesses files via web or desktop application
- Copies are synched instantaneously
- Can be stored locally
- Accessible 24/7 from anywhere and via virtually any device

The Cloud, cont'd.
- Significant cost savings vs. traditional server: tens of thousands of dollars annually vs. nominal annual fees
- Staff of 10 = $1, annually (based on Dropbox)
- Convenience / accessibility
- No cost of maintenance, office space or software
While there are many benefits to Cloud servers, be aware of and manage the many risks.

Choosing a Cloud Provider
(1) Reputation
- Short business history: first established in mid 2000s
- Google search for reviews from users
- Review news stories for breaches

Choosing a Cloud Provider, cont'd.
(2) Security
- Who owns the data? Closely review Terms of Service re: third party outsourcing
- How secure is the transfer of data from user to cloud?
- What happens in the event of a crisis, disaster or outage?
- What happens if a device (e.g., laptop) is lost?

Choosing a Cloud Provider, cont'd.
(3) Privacy
- Be aware of different laws in different countries
- Currently no blanket law in the U.S., unlike the E.U.
[Chart: % of Attorneys Using Digital Case Management Systems, by years in practice (0-3 years, 4-10 years, 10+ years). Source: 2011 Small Law Firm Technology Report, calawyer/pdf/small_law_survey.pdf]

Smartphones/Mobile Devices
[Chart: Smartphone Usage Among Lawyers. Source: ABA Legal Technology Resource Center]

Uses for Mobile Devices (over 90%)
- Calendar & contacts
- Internet access
- Telephone conversation
- Text messaging
In 2011, 33% of respondents indicated use of an iPad/tablet (more than double the 2010 figure).

Safeguarding Mobile Devices
SHOCKING STATISTIC: Only 65% of respondents indicated actively using a password on their mobile device!
- In 2011, $30 BILLION worth of cell phones were lost in the U.S.
- Symantec study of purposefully lost phones: 96% were accessed by the finders; 83% were accessed for corporate-related apps/info

Safeguarding, cont'd.
What do you have on your phone (or iPad)?
- Client e-mails
- Text messages
- Client contact information
- Financial information
- Case information/notes
- Passwords
Remember our ethical obligation to make reasonable efforts to prevent disclosure of or unauthorized access to client information.

Don't Get Scared!
Two options for firms re: mobile device policy:
(1) Block mobile devices from installing synchronization programs or accessing corporate servers (not recommended!)
(2) Implement a balanced mix of policies and tech enforcement to maintain secure data

Ways to Protect Mobile Devices
- PASSWORDS! Basic password to lock device (and auto-locking); unique passwords for certain files/folders; no "remember me" for apps!
- Anti-virus protection (Norton, McAfee, etc.)
- Encryption (e.g., Wickr): military grade encryption for text, photo, audio and video messages, and it is FREE!

Ways to Protect, cont'd.
- Remote wiping / Find My iPhone
- Lock individual applications
- Use common sense and a password, at a minimum!
Social Networking

Social Media/Internet Usage Policy: Tips/Guidelines
- Ban sites or functionality, if necessary
- Educate users
- Open up, but keep control
- Protect users' identity
- Stay informed

What We Learned
We now know:
(1) What a digital asset is;
(2) That we have ethical obligations that need to be monitored when using digital devices; and
(3) How we can minimize our risks when affording ourselves the benefits of using mobile devices and cloud services.

End of Session
Thank you for attending the session today. Please take the time to conduct the Conference Evaluation that you will receive via e-mail.
The Firm's Digital Assets: How to Identify & Protect Them 1
Jason L. Turner
Keller Turner Ruth Andrews Ghanem & Heller, PLLC
th Avenue South, Suite 302, Nashville, TN
(615)

Mr. Turner has extensive experience in intellectual property, copyright and trademark law. Mr. Turner represents record companies, entertainment industry executives, music publishers, songwriters, professional athletes and sports franchises in various corporate, copyright and trademark matters. Mr. Turner's practice focuses on the representation of clients in the negotiation of various entertainment contracts, protection of intellectual property rights for entertainers and professional sports entities, and representation in federal copyright and trademark infringement litigation, which recently resulted in a landmark ruling in favor of the heirs of the author of "I'll Fly Away" in a federal court copyright termination case. He has served as an adjunct professor at Belmont University's Curb College of Entertainment & Music Business and currently serves as Adjunct Professor of Entertainment Law at Stetson University College of Law in St. Petersburg, FL.
Identifying & Protecting the Firm's Digital Assets

In the current age of digital media, a global workplace, and the server-less or cloud office, a law firm has many digital assets. Every day, multiple new assets are created. Is your firm taking the necessary steps to protect those assets? What processes are in place to ensure that the firm abides by its ethical obligations to protect confidential client information?

What is a Digital Asset?

Digital assets include online accounts and computer files 2 that are created during the course of a firm's practice. They include a firm's website, social media sites (e.g., Facebook, LinkedIn, etc.), e-mails, and client files stored electronically, among many other things. There are many convenient ways to access digital assets, yet with convenience comes a large risk of compromising security and confidentiality. With cyber-attacks on the rise, firms must take necessary, but reasonable, steps to ensure that data remains protected.

Security Concerns: Keeping Your Digital Assets Locked

On July 12, 2012, a hacker group attacked Yahoo's service. 3 As a result of the hack, an analysis was conducted on approximately 440,000 passwords from the Yahoo accounts. 4 The study revealed that over 22% of the passwords were not unique (used by more than one individual). 5 Some of the most common passwords were password, , welcome, Jesus, love, money, and freedom. 6

Just five months earlier, the hacker group Anonymous infiltrated the e-mails of the Virginia law firm of Puckett and Faraj, released several internal e-mails, and posted a message on the firm's website homepage. 7 Firmex, a company specializing in law firm technology security, jumped on the story to promote its Virtual Data Room service, a cloud-based secure document sharing solution for law firms. 8 Early in 2013, Anonymous struck again, only this time it hacked the U.S. Sentencing Commission's website in protest of the prosecution of Aaron Swartz, the individual who committed suicide while awaiting trial for allegedly downloading scholarly papers and making them freely accessible to the public. 9 The hackers initially replaced the site with a video criticizing the individual's prosecution, and after the site's restoration, Anonymous hacked the site again. The hackers reportedly distributed encrypted files named after Supreme Court justices in an effort to force legal reform to limit computer fraud laws used to prosecute hackers.

2013 NAELA Annual Conference May: 2-4 Page: 1

More recently, the United States government has initiated a secret legal review of its use of cyber weapons in light of the alleged Chinese hack attack on the Wall Street Journal and New York Times. 10 In the attack, hackers succeeded in obtaining passwords and gaining access to 53 employee computers. 11 In fact, some argue that cyber weaponry is the newest and perhaps most complex arms race under way among the world's powerful nations. 12

Think of it this way: when you leave your house in the morning to go to work, chances are you lock the doors to your house. You do not want unwanted visitors snooping around your personal belongings while you are away. Lawyers and law firms must have that same mentality when it comes to a firm's digital assets, especially in the age of global exchange of information, accessibility through mobile devices (smartphones and iPads), and client confidentiality issues. Would you willingly leave your house unlocked in the morning knowing that someone wants access to your belongings? Issues such as information security, password protection, and an awareness of preventing cyber-attacks must be at the top of a law firm's list of priorities. Absent such, a firm risks being attacked like Puckett and Faraj, which undoubtedly will lead to loss of business, lost profits, and potential ethical violations.

A. Managing Sensitive Information / Protecting Digital Assets

Law firms undoubtedly possess and maintain large amounts of confidential client information.
Implementing measures to protect the integrity of that information presents a challenge because a data security plan must balance securing and protecting the integrity of the information (i.e., the digital assets) against an individual's right to privacy concerning his or her own personal information, even in the workplace.

Cyber fraud and attacks are increasing more frequently than ever before. Savvy hackers can access entire bank accounts and personal information worldwide with just a few strokes of the keyboard and the installation of viruses and malware. According to the Internet Crime Complaint Center (a division of the Department of Justice), 2011 was the third year in a row of cyber-crime complaints exceeding 300,000, compared to just 207,000 complaints in . Interestingly, Florida ranked #2 in victim complaints. As it relates to data mining and web hacking, Verizon Business conducted a study in 2009 of 90 data breaches, which revealed that 285 million data records were exposed across the 90 breaches, equating to nine data exposures every second. 14 As explained by the forensics manager for Verizon Business Solutions, many of the breaches were the result of an end user mistake (i.e., a human doing something on the computer) that leads to the user's system getting hacked and/or the installation of malware to collect data from the user's system. 15 The study further revealed that the most attacked websites include Twitter and Facebook. 16

The balance between an individual's privacy rights and the need to protect the firm from an unauthorized disclosure of confidential information is a sensitive one. By focusing on your employees and their behavior as it relates to computer usage, one can attempt to build a security-aware culture. 17 Options as simple as installing anti-virus software are a good first step, but building that culture also requires training employees to be aware of phishing scams, malware popups, and potential viruses contained within unknown attachments.
Educating the workforce is the next step in attempting to combat security issues and avoid putting digital assets at risk. This includes having a security team (typically an IT individual) assist the firm with assessing data and compiling the risk assessment plan. Finally, a firm can mitigate risk by purchasing insurance coverage, though such coverage likely will not protect lawyers from potential ethical violations to the extent that disclosure of confidential information occurs. Keep in mind that the primary motivation for hacking seems to be disgruntlement and revenge by former employees, 18 and as such, implementation of proper data security measures is crucial.

B. Law Firms and Data Security

As a law firm, protecting confidential client information contained in digital files can become quite problematic when employees have free rein to surf the Internet from a work computer that stores and/or has access to such digital assets. Sensitive information must be safeguarded by maintaining a data security plan that (1) knows what sensitive information one has; (2) keeps only the sensitive information necessary; (3) protects the information that is retained; (4) properly destroys information no longer needed; and (5) develops a response plan in the event of a security breach. 19 This is consistent with a lawyer's ethical obligations pursuant to Model Rule 1.6(a) (providing that one shall not reveal client information without informed consent) and 1.6(c) (providing that one must make reasonable efforts to prevent disclosure of, or unauthorized access to, client information) (emphasis added). Law firms need to rethink how they protect confidential digital assets by identifying which assets are deemed high-risk to intrusion, segregating those assets from other less sensitive assets, and providing additional security to maintain the security of those assets. 20 While virtual data rooms (online vaults that allow one to store documents electronically in the cloud so clients can easily access those documents from anywhere in the world), smartphones and websites provide a significant convenience for access and promotion, they also present major security issues that must be addressed adequately to prevent a violation of ethical obligations to our clients.

I. The Cloud

In the mid to late 2000s, companies began introducing cloud servers as an alternative to storage rooms full of computer hard drives. Companies such as Dropbox, Microsoft, Terremark (owned by Verizon), Amazon and Google have all entered the marketplace and actively compete for business from companies and individuals. With a cloud server, the end user can access files (e.g., Word documents, PDFs, etc.) via a web browser or desktop/mobile application. Copies of the files can be stored on a local computer, but the main idea is to store the files on the cloud server at a remote location to allow the user to access the files at any time and from anywhere. 21 With applications such as Dropbox, the files are synched between the local computer and the cloud server such that if changes are made to a document on a local computer, those changes are synched to the cloud instantaneously.

Choosing a cloud company can save firms a significant amount of money since there is virtually no capital outlay, unlike with the old school server rooms, which could cost tens of thousands of dollars to purchase and maintain each year. With a cloud service, a firm can have all of the benefits of a server room at a fraction of the price (e.g., a Dropbox account for a team of 10 individuals costs a grand total of $1, per year). 22 However, while there are certainly some major benefits to cloud servers (not the least of which are cost savings and convenience), there are some risks that firms should be mindful of when considering a switch to cloud-based servers. There are three main items that firms should be aware of when selecting a cloud provider: (1) the provider's reputation; (2) security; and (3) privacy issues. 23 Each of these issues requires common sense and should be well thought out ahead of time.
A. Reputation. As with any business, reputation is everything. While cloud-based companies are fairly new, given that the idea was not released to the public until about ten years ago, certain companies undoubtedly have established great reputations, such as Google, Amazon, and Dropbox, just to name a few. A simple Google search can reveal a general consensus of user reviews and news articles about virtually any existing cloud provider.

B. Security. Until users become fully aware of the depth of the cloud, security and privacy in cloud computing will remain a major concern. Arguably the largest security concern is akin to the age-old ethics question of "who is the client?" Here, the question is "who owns the data?" As Tchifilionova points out, "[w]ith cloud computing, consumers do not own the computing infrastructure and often it is no longer clear who owns and controls the data if the third party is further outsourcing some of its infrastructure or services, or if the real owner is not mentioned in the provider's terms of services." 24 Similar to web-based hacking, one can imagine that cyber-attacks on cloud providers might begin to increase as more and more people move to cloud services, which is why users should invest in risk assessment to ensure that the provider has adequate security controls in place. For example, Dropbox utilizes the AES-256 standard, which is the same standard utilized by banks. 25 File transfers via Dropbox also have the protection of AES 256-bit encryption, and users have the option of applying additional encryption to files prior to placing them into the Dropbox folder(s). 26 With a 256-bit encryption algorithm (as adopted by the National Institute of Standards and Technology), the encrypted file is completely unreadable without the password associated with the file/folder. 27
As with any kind of hardware, software or application these days, users must always be aware of the risks of compromising confidential information when allowing third parties access to data. Also, what happens in the event of an Internet outage, crisis or disaster? Clearly, this will cause issues regardless of whether the outage or disaster is at the user's location or the cloud provider's location. However, if a firm still utilizes the in-house server room and the physical location incurs a disaster, the firm may completely lose everything (assuming there is no backup). Alternatively, with a cloud provider, assuming there are no Internet outages, the cloud files are theoretically always available because data is stored across multiple data centers. 28 Likewise, if files are kept in the cloud as opposed to on an actual device (e.g., desktop, laptop, phone), one could legitimately argue that if devices are hacked, lost or stolen, no data can ever be lost since the files are maintained on private clouds that are highly encrypted. 29

C. Privacy. The main concern with cloud computing is how to protect data in transit or in storage, and how to protect that same data from the storage providers themselves. Different countries have different legislation in place (or none at all) as it pertains to electronic data. For example, the United States has the Patriot Act, which gives the federal government the right to request details about one's online activities without that individual's knowledge. The European Union has been at the forefront of digital data protection laws, which sometimes conflict with U.S. laws. 30 This is important because if the cloud provider moves data to a different geographical location without disclosing such to the user, a different set of laws might apply as it relates to privacy rights. 31 Absent specific legislation regarding cloud computing, it is foreseeable that these issues will go unresolved and conflicts will remain.

II. Smart Phones / Cellular Devices

As more employees use their smartphones to access sensitive company data, the need for mobile security has increased dramatically over the past decade.
As an employer, while it is great to know that employees are utilizing iPads, mobile phones, and other mobile devices to improve productivity, the benefit of more productivity is undermined by the potential security risks. One expert suggests that there are two options for companies: (1) block mobile devices from installing synchronization programs or accessing corporate servers (not a realistic approach in the current digital age) or (2) implement a balanced mix of policies and technological enforcement to maintain secure data. 32

Each year, the ABA Legal Technology Resource Center conducts a survey to gauge the use of technology by individuals in the legal field. Over the past three years, that survey revealed that 79%, 88%, and 89% (respectively) of lawyers responding indicated use of some sort of mobile device for legal work. 33 Uses (well over 90%) include calendar and contacts, Internet access, and of course, telephone conversations/text messaging. Perhaps a bit surprising is that the 2010 survey revealed that only 65% of the respondents indicated that they actively utilize a password on their mobile device. 34 This is shocking simply because a lawyer's ethical obligations are pounded into the brains of lawyers at CLEs annually. It is quite common for a cell phone to be lost or stolen ($30 billion worth of cell phones were lost by U.S. consumers in 2011), 35 and with lawyers carrying highly confidential information on mobile devices, lawyers must take the bare minimum steps to protect the data accessible on those devices. In a study commissioned by Symantec (mostly known for its Norton Anti-Virus products), 96% of phones that it purposefully lost in major cities were accessed by the finders of the phones. 36 In the same study, 83% of the lost phones were accessed for corporate-related applications and information. 37 Simply put, lawyers must recognize that the Model Rules of Professional Conduct pertaining to client confidentiality are just as vital as they relate to mobile devices as they are when it comes to old fashioned paper files.
In the latest survey, 33% of respondents indicated use of an iPad or similar tablet device for law-related tasks, which was more than double that of the prior year. 38 Recall that Rule 1.6(c) requires a lawyer to make reasonable efforts to prevent disclosure of, or unauthorized access to, client information. Allowing easy, unprotected and unfettered access to e-mails, contacts, and perhaps confidential client information within one's contacts (e.g., social security numbers, bank information, etc.) on an unlocked phone certainly does not seem to rise to the level of reasonable efforts in this day and age.

There are some pretty easy solutions for protecting mobile devices. Things such as encryption and virus protection are easily available online and/or via app stores directly through mobile devices. Also, certain phones, such as the iPhone, have remote wiping that an owner can utilize in the event a phone is lost or stolen. This allows the user to go to a computer and remotely lock and/or completely wipe (delete) all of the contents of the phone to prevent the thief from accessing confidential client data. It is also possible to lock individual applications or require unique passwords for certain files or folders on the mobile devices. Ultimately, each mobile device should, at a bare minimum, have a password lock enabled. Short of that, it is a very plausible argument that a lawyer could face ethics violations in the event of improper disclosure via mobile devices.

III. Social Networking: Managing Your Brand

As we are living in the age of Facebook, LinkedIn and Twitter, social media sites can and do provide great benefits to companies and can be a fantastic means of branding. However, these types of sites can be risky and problematic as well. For example, two defense lawyers in New Jersey recently found themselves in hot water with the New Jersey Bar because of a paralegal who "friended" the plaintiff in a personal injury case in order to access private information on the plaintiff's Facebook page. 39 According to the Office of Attorney Ethics in New Jersey, this amounted to improper contact with an adverse party in violation of the Rules of Professional Conduct (as well as other alleged violations). Additionally, a recent case has been submitted to the Florida Supreme Court over a trial court judge having a prosecuting attorney as a Facebook friend. 40

Firms should have some sort of social network usage policy, not just for lawyers, but for all employees. One writer suggests some tips for companies when drafting such a policy:

1. Ban sites or functionality if necessary. While an outright ban is not necessarily recommended, sites that run in an encrypted form (one that does not allow web monitoring) may require blocking.

2. Educate users. It is crucial to talk to your employees about the importance of creating unique passwords (preferably alpha-numeric) and maintaining the security of such. This also includes informing employees of the necessity of maintaining client confidentiality on such sites (i.e., not disclosing confidential case facts over Facebook or Twitter), whether they be personal sites or company websites.

3. Open up but keep control. Provide the time and environment for your employees to engage in non-work related browsing by defining a policy and applying it. Perhaps there are certain times of the day when downtime is allowed (akin to a "smoke break") to foster a productive work day that doesn't include non-stop activity on social media sites, which would lead to very low productivity. Also, advise employees to use caution when accepting friends on Facebook for the very reason noted above.
4. Protect users' identity. Again, with sites such as Facebook, it is important that employees keep their privacy settings at a responsible level to avoid personal and/or business information being available to the public.

5. Stay informed. Someone within the firm needs to reasonably monitor which applications are being accessed from within the firm network. With cyber-attacks occurring more frequently through social media sites, this could be a wide open door to an attack on the firm's digital infrastructure. 41

Conclusion

As lawyers, there are many great benefits at our fingertips with the amazing technological advances that we have experienced over the past decade and will continue to enjoy in the future. From accessing case law from an iPad in court to instantaneously responding to demanding clients from a mobile phone or device, we have the ability to increase productivity (and reduce free time!). However, with these great advances in technology, we must be aware of the security risks and the ethical obligations that we have to maintain the integrity of the information and prevent unauthorized disclosure of confidential client information. With a balanced approach, security concerns can be mitigated while maintaining the need for accessibility and balancing privacy concerns.

Notes

1 This paper was originally presented on October 17, 2012, at Stetson University College of Law's Special Needs Trust 2012 National Conference in St. Petersburg, FL. Updates and revisions have been made for the 2013 NAELA Annual Conference.
2 Davis, J., Lustig, N.: Digital Assets (Feb. 10, 2011),
3 Protalinski, E.: The Top 10 Passwords from the Yahoo Hack: Is Yours One of Them? (July 12, 2012),
4 Id.
5 Id.