August 6, Technology 101 for the Corporate Lawyer

Transcription

1 August 6, 2015 Technology 101 for the Corporate Lawyer

2 The Presenters Scott Plichta Chief Information Security Officer Corporation Service Company Jennifer K. Mailander Associate General Counsel Corporation Service Company Page 1

3 What Company? We have a long history of innovation and using leading edge technology to provide customer solutions. Caterpillar Inc. Page 2

4 Describe Yourself How knowledgeable are you about technology? Not at all Somewhat Very knowledgeable I am an expert Page 3

5 Ethical Duty ABA Model Rules 1.1 A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation. Comment 8 A lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology. 5.3(d) A lawyer having direct supervisory authority over the non-lawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer. Page 4

6 Ethics: Client Confidences Model Rule 1.6(c) A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client. Page 5

7 Cyber Security & Lawyers According to the FBI, law firms and law departments are among the most vulnerable targets for cyber attacks. Lawyers are reported to: Have limited resources to dedicate to computer security Lack a sophisticated appreciation of technology risks Lack an instinct for cyber security The ABA Cyber Security Handbook Page 6

8 Part of a Larger Phenomenon Individual IT Empowerment Page 7

9 Key Terms and Definitions Hosting (Website hosting, Web hosting, and Webhosting) the business of housing, serving, and maintaining files for one or more websites. The Cloud (Cloud Computing) a type of Internet-based computing where different services such as servers, storage, and applications are delivered to an organization's computers and devices through the Internet. Examples of Cloud Computing include: IaaS (Infrastructure as a Service) a service model that delivers computer infrastructure on an outsourced basis to support enterprise operations. Typically, IaaS provides hardware, storage, servers and data center space or network components; it may also include software. PaaS (Platform as a Service) a category of cloud computing services that provides a platform allowing customers to develop, run, and manage web applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app. SaaS (Software as a Service ) a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. Page 8

10 A Tasty Example: Pizza as a Service Page 9

11 Key Terms and Definitions (cont.) Shadow IT Where a user/department finds Cloud provider to do work because IT is too busy. SSO (Single Sign-On) A session/user authentication process that permits a user to enter one name and password in order to access multiple applications. SAML (Security Assertion Markup Language) A data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. Federation Refers to different computing entities adhering to certain standards of operations in a collective manner to facilitate communication. Encryption The conversion of electronic data into another form, ciphertext, so that it cannot be easily understood by anyone except authorized parties with the key. PCI DSS (Payment Card Industry Data Security Standard) Policies and procedures intended to optimize the security of credit, debit, and cash card transactions to protect cardholders against misuse of personal information. Page 10

12 Data Types Data in Use: Active data under constant change stored physically in databases, data warehouses, spreadsheets, etc. Data in Use Data in Motion Data in Motion: Data that is traversing a network or temporarily residing in computer memory to be read or updated. Data at Rest Data at Rest: Inactive data physically stored in databases, data warehouses, spreadsheets, archives, tapes, off-site backups, etc. Source: Wikipedia JKM figure out how to cite to Wikipedia Page 11

13 Key Terms and Definitions (cont.) Big Data Data sets so large or complex that traditional data processing applications are inadequate. Challenges include analysis, capture, search, sharing, storage, transfer, visualization, and privacy. High-volume, high-velocity, and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making. Phishing Broad scattered fraud where user is duped into revealing personal or confidential information for illicit use. Spear Phishing Phishing that targets a specific organization; messages appear to come from trusted source. Page 12

14 Information Security Information Security: Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide: Integrity guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity. Confidentiality preserving authorized restrictions on access and disclosure. Availability ensuring timely and reliable access to and use of information. Information Security Program Identify threats, vulnerabilities, and requirements Implement security controls, monitor Cybersecurity: The ability to protect or defend the use of cyberspace from cyber attacks. Page 13

15 Information Privacy Not a technology concept, yet inescapably tied to it [Privacy is] the appropriate use of personal information under the circumstances. What is appropriate will depend on context, law, and the individual's expectations; also, [privacy is] the right of an individual to control the collection, use, and disclosure of personal information. IAPP Information Privacy Certification: Glossary of Common Privacy Terminology, 2011 Privacy Models Comprehensive EU Sectoral U.S. Co-Regulatory Australia Page 14

16 Top 10 Tips: Working with Technology Page 15

17 10. Understand your company s technology Page 16

18 Understand your company s business and the technology your company uses on a daily basis Understand your company s technology strategy Cloud first to Cloud never Bring your own technology Understand who has responsibility for buying and maintaining technology What is Legal s role in this? What is your process for buying technology? Make sure it includes a process to identify when shadow IT is being bought or used Page 17

19 9. Know your vendors and vendors vendors Page 18

20 Know who your vendors are and what services/products they provide Connect and work with your security team You both need to know when you find new places to store data Put a process in place to identify new technology being used It s happening; you just may not know about it Page 19

21 8. Know your law firms security practices Page 20

22 Understand your obligations as in-house counsel when working with your law firms Join the ACC Litigation Committee Subcommittee on Cyber Security and Law Firms Evan Slavitt, Join the ACC Working Group Data Security for Law Firms Amar Sarwal, Page 21

23 7. Be a partner to the business Page 22

24 Find a way to help your business partners understand and mitigate technology risks; help them achieve success Host a series of lunch and learns with your business and technology counterparts Present on areas of respective expertise Contract and licensing 101 Technology 101 Sales 101, Operations 101, etc. Meet regularly to discuss issues, trends, etc. Page 23

25 6. Conduct a data audit Page 24

26 Form a cross-functional team to identify data practices Understand what and how data is managed What is the data? Who has (and should have) access? Where does it go? How long is it stored? Do you have a DR/BCP? Conduct a DR/BCP exercise annually Page 25

27 5. Assess your individual data practices Page 26

28 Where do you keep your personal data? At home? At work? Use a password manager Don t store a copy of your passwords online Page 27

29 4. Know your company s breach and incident response plan and practices Page 28

30 If you don t have a plan create one! Know the plan and practices Know who has what roles in the plan Practice, practice, practice Page 29

31 3. Employee training on technology, security, and privacy Page 30

32 Do it! Page 31

33 2. Get comfortable with technology Page 32

34 acc.com, ACC Committees and Chapters LQHs, Webcasts, Docket, ACC's Inhouse ACCess blog, egroups, etc. David Pogue TED Talk Password storage LastPass - lastpass.com ABA s Law Technology Today The Lawyerist Google - iphone & Android tips Take a class Page 33

35 1. Network inside and outside your organization Page 34

36 Develop a core team of company contacts to assist on technology issues. Use your contacts in other parts of the organization (e.g., IT, Security) to help you keep up to date on technology developments affecting your business. Talk to your peers outside the company regarding best practices and stay current on new developments. Page 35

37 Questions? Page 36

38 Contact Us Scott Plichta Jennifer K. Mailander Page 37