Data Security. The dominant business communication tool

Transcription

1 Data Security Jim Brashear General Counsel Zix Corporation Dallas Business Uses The dominant business communication tool Time spent on exceeds time spent on all other communication tools combined* The continuing increase in the adoption of authentication is laying a foundation for to remain the world s dominant form of online communication** Social Media 8% 60% Telephone 23% Instant Messenger 9% * Osterman Research (based on time spent on communication tools during an eight-hour day) ** Craig Spiezle, President and Executive Director, Online Trust Alliance 1

2 The Good Old Days Malware 2

3 Insiders Phishing and Social Engineering 3

4 Spear Phishing Lost and Stolen Portable Devices 4

5 Rogue Cloud Data Data Data Data Data Data = Cloud Data How seems to work Company Network Company Network Router The Cloud Router Router Router DLP How actually works AS/AV 5

6 sent in the default manner over the Internet is inherently insecure. Benefits of Secure Integrity Confidentiality Privacy Authenticity Proof of receipt Nonrepudiation Now is the time to get serious about your system. Data Intercepts Happen Even if you don t see them 6

7 Intercepted Government monitoring Gmail, Hotmail and Yahoo! accounts targeted by hackers China s Gmail diversion Man-in-the-Middle Bank's unencrypted $1.2M theft Typosquatting SSL Spoofing Courts in The Netherlands advised lawyers to stop using Several SSL Certificate Authorities hacked 7

8 Reasonable Expectation of Privacy? What Are Attackers After? Proprietary Information Cybercriminals: corporate trade secrets Nation-state hackers: military and defense intellectual property, designs and plans Personal Financial Data Political change Embarrassment Information Freedom Slide 16 8

9 Vogel - SMU Law School - Law of Business Impacts of Cyber Attack Loss of IP, confidential information Privacy data breach Business disruption Forensics, containment, recovery, remediation Regulatory investigation Violations, Increased compliance costs Contract breaches Consumer lawsuits Adverse publicity, brand damage Loss of customer trust Revenue impact Share price decline Shareholder derivative suits Fines Impact on insurance Who are Targets? Individuals Governments Universities Businesses Outside directors Board portals Services providers Outsourcers Data security firms Professionals 9

10 Attacking Law Firms ALAS: Hacker threats are not hypothetical Law firms are soft targets Treasure trove of confidential client information Consultants, vendors, business partners and employees may have relatively weak data security Slide 20 Spying by N.S.A. Ally Entangled U.S. Law Firm By JAMES RISEN and LAURA POITRAS FEB. 15, 2014 The list of those caught up in the global surveillance net cast by the National Security Agency and its overseas partners, from social media users to foreign heads of state, now includes another entry: American lawyers. A top-secret document, obtained by the former N.S.A. contractor Edward J. Snowden, shows that an American law firm was monitored while representing a foreign government in trade disputes with the United States. The disclosure offers a rare glimpse of a specific instance in which Americans were ensnared by the eavesdroppers, and is of particular interest because lawyers in the United States with clients overseas have expressed growing concern that their confidential communications could be compromised by such surveillance. 10

11 Cyber Security Ethics Slide ABA Resolution Encourages all private and public sector organizations to develop, implement and maintain an appropriate [cyber] security program. An organization-wide security program is comprised of a series of activities, including: governance by boards of directors and senior executives; development of security strategies and plans, policies and procedures; creation of inventories of digital assets; selection of security controls; determination of technical configuration settings; performance of annual audits; and delivery of training 11

12 Ethics: Competence Rule 1.1 A lawyer shall provide competent representation to a client A lawyer should keep abreast of the risks associated with technology Ethics: Client Confidences Texas Rule 1.05 Lawyer shall not knowingly reveal confidential information of a client or former client Unless the client consents after consultation 12

13 Ethics: Client Confidences New Model Rule 1.6 A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client Ethics: Confidentiality Competency Comments to Model Rule When transmitting a communication, lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients 13

14 Ethics: Client Property Rule 1.15 Client property should be appropriately safeguarded A lawyer should hold property of others with the care required of a professional fiduciary Information is property Ethics: New Direction Professional Judgment Encrypting may be a reasonable step for an attorney to take ~ CA State Bar Opinion

15 Ethics: New Direction Professional Judgment Attorneys may use but must, under appropriate circumstances, take additional precautions to assure client confidentiality ~ PA State Bar Formal Opinion Ethics: New Direction Professional Judgment Obligation to warn client about significant risk of interception ~ ABA Formal Opinion (August 4, 2011) Duty to Protect the Confidentiality of Communications with One's Client 15

16 E2EE: End-to-End Encryption Encrypt Channels Devices Content at rest in transit Everything Slide 31 Channel Encryption From the Experts: SSL Hacked! Enterprise can't rely on encrypted communications anymore, but corporate counsel can champion a fix Identity inquiry SSL certificate Trust confirmation Browser Acknowledgement Encrypted channel session Website Server Security of HTTPS channel encryption relies on trust in SSL certificates 16

17 Encryption Considerations Client s instructions Degree of sensitivity of the information Possible client impact from disclosure Data breach laws Likelihood of disclosure Inherent level of security Reasonable steps to increase security Cost of additional safeguards Urgency of the situation Legal ramifications of unauthorized interception, access or use When to Encrypt Mandatory Data Protection Law or regulations require encryption E.g., Massachusetts rules for personal information Safe harbor from data breach requirements for encrypted data Highly Sensitive Information Should not send highly sensitive client communications via unencrypted methods Heightened Risk of Interception Should not use unencrypted methods where there is a particularly high risk that it may be accessed by unauthorized third parties 17