Shawn E. Tuma, cybersecurity and data privacy attorney at Spencer Fane, LLP, delivered the presentation titled "Cybersecurity: Cyber Risk Management for Lawyers and Clients" at the Texas Bar CLE's 16th Annual Advanced Business Law Course on November 8, 2018.
Cybersecurity: Cyber Risk Management for Lawyers and Clients
1. Spencer Fane LLP | spencerfane.com
Cybersecurity:
Cyber Risk Management
for Lawyers and Clients
16th Annual Advanced Business Law Course
Texas Bar CLE
Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP | @spencerfane
spencerfane.com | @shawnetuma
2. Spencer Fane LLP | spencerfane.com
The Problem for Lawyers
• Cybersecurity and privacy are issues that most attorneys would prefer to ignore but are uniquely obligated to address.
• Cybersecurity and privacy impact all lawyers and law firms alike.
• Clients are demanding adequate security (firms are their third-party risk).
• Law firms are an increasingly popular target.
  – Value and sensitivity of data.
  – Data for multiple clients.
3. Spencer Fane LLP | spencerfane.com
The Ethics for Lawyers
“A lawyer should preserve the confidences and secrets of a client.”
• Ethics Opinion 384 (Sept. 1975)
• Canon No. 4, Code of Professional Responsibility
• Disciplinary Rule (DR) 4-101 (A) and (B)
• New duty of “technical competence” for lawyers
4. Spencer Fane LLP | spencerfane.com
Can you hear me now?
• ABA Ethics Opinion 483
• Lawyers’ Obligations After an Electronic Data Breach or Cyberattack
• October 17, 2018
5. Spencer Fane LLP | spencerfane.com
Ethics Opinion 483
• Lawyers’ Obligations After an Electronic Data Breach or Cyberattack
  – Proactive obligations
  – “data breach” ≠ “data breach”
• “data breach” – “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”
• Ransomware?
• Service provider network outage, even if no access or exfiltration?
6. Spencer Fane LLP | spencerfane.com
Ethics Opinion 483
• Focus is on the overall process of protecting information, not the result.
• Requires lawyers to:
  1. Be competent by keeping abreast of the benefits and risks associated with relevant technology;
  2. Have reasonable cybersecurity safeguards in place;
  3. Follow appropriate data destruction procedures;
  4. Actively monitor for breaches of client information;
  5. Address third-party risk;
  6. Investigate, respond to, and mitigate incidents;
  7. Develop and implement an incident response plan; and
  8. Notify clients in an appropriate manner when there has been a “data breach.”
7. Spencer Fane LLP | spencerfane.com
Cybersecurity is no longer just an IT issue; it is an overall business risk issue.
8. Spencer Fane LLP | spencerfane.com
“Security and IT protect companies’ data; Legal protects companies from their data.”
10. Spencer Fane LLP | spencerfane.com
Laws & Regulations
Types
• Security
• Privacy
• Unauthorized Access
International Laws
• GDPR
• Privacy Shield
• China’s Cybersecurity Law
Federal Laws and Regs
• FTC, SEC, HIPAA
State Laws
• All 50 States
  – Privacy + security (some)
• NYDFS, Colo FinServ, CaCPA
Industry Groups
• PCI
• FINRA
Contracts
• 3rd Party Bus. Assoc.
• Privacy / Data Security / Cybersecurity Addendum
Banks & Financial Institutions
• GLBA
• Dodd Frank
• FFIEC (Federal Financial Institutions Examination Council)
11. Spencer Fane LLP | spencerfane.com
2 Themes to Remember
• Cyber law is an expedition
• The “issues” usually aren’t really that new
12. Spencer Fane LLP | spencerfane.com
The Real Threats
• 63% of confirmed breaches from weak, default, or stolen passwords
• Data is lost over 100x more than stolen
• Phishing used most to install malware
Easily Avoidable Incidents
• 91% in 2015
• 91% in 2016
• 93% in 2017
13. Spencer Fane LLP | spencerfane.com
Cybersecurity Best Practices
• Risk assessment
• Policies and procedures focused on cybersecurity
  – Culture
  – Social engineering, password, security questions
• Train workforce on P&P, security
• Phish all workforce
• Multi-factor authentication
• Internal controls / access controls to restrict unnecessary data risk
• Data retention policy
• Signature-based antivirus and malware detection
• No outdated or unsupported software
• Patch management process
• Backups segmented offline, cloud, redundant
• Incident response plan
• Encrypt sensitive and air-gap hypersensitive data
• Adequate logging and retention
• Third-party security risk management program
• Firewall, intrusion detection and prevention systems
• Managed services provider (MSP) or managed security services provider (MSSP)
• Cyber risk insurance
14. Spencer Fane LLP | spencerfane.com
Canary in the Coal Mine
• What is your role?
• How does your firm or client handle:
  – P&P + Training
  – MFA
  – Phishing
  – Backups
  – IR Team + IRP
  – Cyber Insurance
17. Spencer Fane LLP | spencerfane.com
How mature is your bank’s cyber risk management program?
“GMR Transcription Services, Inc. . . . shall . . . establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” In re GMR Transcription Svcs, Inc., Consent Order (Aug. 14, 2014)
“We believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.” SEC Statement and Guidance (Feb. 21, 2018)
“Institutions should maintain effective information security programs commensurate with their operational complexities. Information security programs should have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities.” FFIEC Examination Handbook (Sept. 2016)
“Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” NYDFS Cybersecurity Regulations § 500.02
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including …” GDPR, Art. 32
18. Spencer Fane LLP | spencerfane.com
What is reasonable cybersecurity?
• Too little – “just check the box”
• Too much – “boiling the ocean”
19. Spencer Fane LLP | spencerfane.com
Cyber Risk Management Program Process
• Identify: Assess Cyber Risk
• Identify & Protect: Strategic Planning
• Protect & Detect: Implement Strategy & Deploy Assets
• Protect: Develop, Implement & Train on P&P
• Protect: Third Party Risk
• Protect & Respond: Develop IR Plan & Tabletop
• Recover & Identify: Reassess, Refine & Mature
20. Spencer Fane LLP | spencerfane.com
What should a cyber risk management program look like?
• Based on a risk assessment (1,2,3,4,5,6)
• Implemented and maintained (i.e., maturing) (1,2,3,6)
• Fully documented in writing for both content and implementation (1,2,3,6)
• Comprehensive (1,2,3,4,5,6)
• Contain administrative, technical, and physical safeguards (1,2,3,6)
• Reasonably designed to protect against risks to network and data (1,2,3,4,5,6)
• Identify and assess internal and external risks (2,6)
• Use defensive infrastructure and policies and procedures to protect network and data (1,2,3,4,5,6)
• Workforce training (2,3,6)
• Detect events (2,6)
• Respond to events to mitigate negative impact (2,6)
• Recover from events to restore normalcy (2,6)
• Regularly review network activity such as audit logs, access reports, incident tracking reports (3,6)
• Assign responsibility for security to an individual (3,5,6)
• Address third-party risk (2,3,5,6)
• Certify compliance by Chair of Board or Senior Officer or Chief Privacy Officer (2)
Sources:
1. In re GMR Transcription Svcs, Inc., Consent Order (August 14, 2014)
2. NYDFS Cybersecurity Regulations Section 500.02
3. HIPAA Security Management Process, § 164.308(a)(1)(ii)
4. SEC Statement and Guidance (Feb. 21, 2018)
5. GDPR Art. 32
6. FFIEC IT Examination Handbook
21. Spencer Fane LLP | spencerfane.com
A few words about privilege
• Great sales pitch – the magic wand!
• Mature understanding – not so simple!
• Prepare by doing everything possible to ensure the applicability of privileges, but carry out the work as though there will be no privilege.
  – Retain experienced cyber counsel to assess cyber risk and to develop and lead the cyber risk management program.
  – List role in engagement agreement.
  – Develop communications protocol at the outset.
    • i.e., “if it doesn’t need to be in writing …”
• Counsel must actively lead and stay engaged in the process.
• Counsel should hire, direct, and receive info from consultants.
• If there is an incident, consider multiple tracks:
  – proactive risk management;
  – normal business investigation;
  – investigation in anticipation of litigation.
Photo credit: dave_7
Link: https://www.flickr.com/photos/daveseven/1910839183/in/photostream/
23. Spencer Fane LLP | spencerfane.com
Without a magic wand, how does cyber legal counsel help?
24. Spencer Fane LLP | spencerfane.com
Cyber Insurance
Key considerations about cyber insurance:
• If you don’t know you have it, you don’t!
• Does your broker really “get” cyber?
• Is your coverage based on your risk?
• Was security/IT involved in procurement?
• Does your coverage include social engineering?
• Does your coverage include contractual liability?
• Do you have first-party and third-party coverage?
• Do you understand your sublimits?
• Can you choose your counsel and vendors?
26. Spencer Fane LLP | spencerfane.com
Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
Board of Directors & General Counsel, Cyber Future Foundation
Board of Advisors, North Texas Cyber Forensics Lab
Policy Council, National Technology Security Coalition
Cybersecurity & Data Privacy Law Trailblazers, National Law
Journal
SuperLawyers - Top 100 Lawyers in Dallas (2016)
SuperLawyers (2015-18)
D Magazine - Best Lawyers in Dallas (2014-18)
Officer, Computer & Technology Section, State Bar of Texas
Privacy and Data Security Committee, State Bar of Texas
College of the State Bar of Texas
Board of Directors, Collin County Bench Bar Conference
Past Chair, Civil Litigation Section, Collin County Bar Association
North Texas Crime Commission, Cybercrime Committee
Infragard (FBI)
International Association of Privacy Professionals (IAPP)
Shawn E. Tuma
Spencer Fane LLP
Partner & Co-Chair,
Cybersecurity & Data
Privacy Practice
O 972.324.0317
M 214.726.2808
stuma@spencerfane.com
web: spencerfane.com
blog: shawnetuma.com
@shawnetuma