3. Spencer Fane LLP | spencerfane.com
The Problem for Lawyers
• Prefer to ignore but obligated to address
• Impacts all lawyers and law firms alike
• Clients demanding adequate security
• Law firms are an increasingly popular target
– Value and sensitivity of data
– Data for multiple clients
The Ethics for Lawyers
“A lawyer should preserve the confidences and secrets of a client.”
• Ethics Opinion 384 (Sept. 1975)
• Canon No. 4, Code of Professional Responsibility
• Disciplinary Rule (DR) 4-101 (A) and (B)
• New duty of “technical competence” for lawyers
Can you hear me now?
• ABA Ethics Opinion 483
• Lawyers’ Obligations After an Electronic Data Breach or Cyberattack
• October 17, 2018
Ethics Opinion 483
• Lawyers’ Obligations After an Electronic Data Breach or Cyberattack
– Proactive obligations
– “data breach” ≠ “data breach”
• “data breach” – “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”
• Ransomware?
• Service provider network outage, even if no access or exfiltration?
Ethics Opinion 483
• Focus is on the overall process of protecting information, not the result.
• Requires lawyers to:
1. Be competent by keeping abreast of the benefits and risks associated with relevant technology;
2. Have reasonable cybersecurity safeguards in place;
3. Follow appropriate data destruction procedures;
4. Actively monitor for breaches of client information;
5. Address third-party risk;
6. Investigate, respond to, and mitigate incidents;
7. Develop and implement an incident response plan; and
8. Notify clients in an appropriate manner when there has been a “data breach.”
Cybersecurity Best Practices
• Risk assessment
• Policies and procedures focused on cybersecurity
– Culture
– Social engineering, password, security questions
• Train workforce on P&P, security
• Phish all workforce
• Multi-factor authentication
• Internal controls / access controls to restrict unnecessary data risk
• Data retention policy
• Signature-based antivirus and malware detection
• No outdated or unsupported software
• Patch management process
• Backups segmented offline, cloud, redundant
• Incident response plan
• Encrypt sensitive and air-gap hypersensitive data
• Adequate logging and retention
• Third-party security risk management program
• Firewall, intrusion detection and prevention systems
• Managed services provider (MSP) or managed security services provider (MSSP)
• Cyber risk insurance
Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP
972.324.0317
stuma@spencerfane.com
• Board, Southern Methodist University Cyber Advisory
• Board of Advisors, North Texas Cyber Forensics Lab
• Policy Council, National Technology Security Coalition
• Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
• Board of Directors & General Counsel, Cyber Future Foundation
• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
• SuperLawyers Top 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-19
• Best Lawyers in Dallas 2014-19, D Magazine (Cybersecurity Law)
• Council, Computer & Technology Section, State Bar of Texas
• Privacy and Data Security Committee of the State Bar of Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Conference
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee & Infragard (FBI)
• International Association of Privacy Professionals