Cybersecurity & Data Privacy attorney Shawn Tuma delivered this presentation to the Mid-Year Meeting of the State Bar of Oklahoma's Intellectual Property Law Section on June 2, 2018. For more information visit www.shawnetuma.com
Cybersecurity Fundamentals for Legal Professionals (and every other business)
1. Shawn E. Tuma
Cybersecurity & Data Privacy Attorney
Scheef & Stone, LLP
(214) 472-2135
Shawn.tuma@solidcounsel.com
Cybersecurity Fundamentals for
Legal Professionals
(and every other business)
@shawnetuma
2. The Problem
• Cybersecurity and privacy are issues that
most attorneys would prefer to ignore but
are uniquely obligated to address.
• Cybersecurity and privacy impact all lawyers
and law firms alike.
• Clients demanding adequate security (firms
are their third-party risk).
• Law firms are an increasingly popular target.
• Value and sensitivity of data.
• Data for multiple clients.
3. The Ethics
“A lawyer should preserve the confidences
and secrets of a client.”
• Ethics Opinion 384 (Sept. 1975)
• Canon No. 4, Code of Professional
Responsibility
• Disciplinary Rule (DR) 4-101 (A) and (B)
4. To protect law firm, you must:
• Protect your data for
• Confidentiality
• Integrity
• Availability
• Against threats from
• Insiders
• Outsiders
• Third-party partners
5. The Question
Are most cybersecurity and privacy incidents:
• Sophisticated James Bond-like attacks?
or
• Simple things, like people doing dumb
things?
6. Usually the real-world threats are not so sophisticated
Easily preventable
• 90% in 2014
• 91% in 2015
• 63% confirmed breaches from weak,
default, or stolen passwords
• Data is lost over 100x more than stolen
• Phishing used most to install malware
Easily Avoidable Incidents
91% in 2015
91% in 2016
93% in 2017
7. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
8. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
@shawnetuma
www.shawnetuma.com
9. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
10. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
11. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
12. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
13. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
14. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
15. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
16. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
17. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
18. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
19. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
20. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
21. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
22. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
23. Common
Cybersecurity
Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
• Social engineering, password, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
25. How mature is
your company’s
cyber risk
management
program?
“GMR Transcription Services, Inc. . . . Shall . . . establish and implement,
and thereafter maintain, a comprehensive information security program
that is reasonably designed to protect the security, confidentiality, and
integrity of personal information collected from or about consumers.” In re
GMR Transcription Svcs, Inc., Consent Order (Aug. 14, 2014)
“We believe disclosures regarding a company’s cybersecurity risk
management program and how the board of directors engages with
management on cybersecurity issues allow investors to assess how a
board of directors is discharging its risk oversight responsibility in this
increasingly important area.” SEC Statement and Guidance (Feb. 21, 2018)
“Each Covered Entity shall maintain a cybersecurity program designed to
protect the confidentiality, integrity and availability of the Covered Entity’s
Information Systems.” NYDFS Cybersecurity Regulations § 500.02
“Taking into account the state of the art, the costs of implementation and
the nature, scope, context and purposes of processing as well as the risk
of varying likelihood and severity for the rights and freedoms of natural
persons, the controller and the processor shall implement appropriate
technical and organizational measures to ensure a level of security
appropriate to the risk, including …” GDPR, Art. 32
26. Too little –
“just check the
box”
Too much –
“boiling the
ocean”
What is reasonable
cybersecurity?
29. • Board of Directors & General Counsel, Cyber Future Foundation
• Board of Advisors, NorthTexas Cyber Forensics Lab
• Policy Council, NationalTechnology Security Coalition
• CybersecurityTask Force, IntelligentTransportation Society of America
• Practitioner Editor, Bloomberg BNA –Texas Cybersecurity & Data Privacy Law
• Cybersecurity & Data Privacy LawTrailblazers, National Law Journal (2016)
• SuperLawyersTop 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-16 (IP Litigation)
• Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)
• Council, Computer &Technology Section, State Bar ofTexas
• Privacy and Data Security Committee of the State Bar ofTexas
• College of the State Bar ofTexas
• Board of Directors, Collin County Bench Bar Conference
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science &Technology
Committee of the American Bar Association
• NorthTexas Crime Commission, Cybercrime Committee & Infragard (FBI)
• International Association of Privacy Professionals (IAPP)
Shawn Tuma, Partner
Cybersecurity & Data Privacy
Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com