TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Technology 101 and
the Practice of Law:
Keeping Your Firm Safe
Powered by
© Corporation Service Company®. All Rights Reserved.

© Corporation Service Company. All Rights Reserved.
The Presenters
Jennifer K. Mailander
Associate General Counsel
Corporation Service Company
Scott Plichta
Chief Information Security Officer

“We have a long history of innovation
and using leading edge technology to
provide customer solutions.”
What Company?
Caterpillar Inc.

How knowledgeable are you
about technology?
Not at all
Somewhat
Very knowledgeable
I am an expert
Describe Yourself

ABA Model Rules
1.1 “A lawyer shall provide competent representation to a
client. Competent representation requires the legal
knowledge, skill, thoroughness and preparation reasonably
necessary for the representation.”
Comment 8 “A lawyer should keep abreast of changes in
the law and its practice, including the benefits and risks
associated with relevant technology.”
5.3(d) “A lawyer having direct supervisory authority over
the non-lawyer shall make reasonable efforts to ensure
that the person's conduct is compatible with the
professional obligations of the lawyer.”
Ethical Duty

Model Rule 1.6(c)
“A lawyer shall make reasonable efforts to prevent the
inadvertent disclosure of, or unauthorized access to,
information relating to the representation of a client.”
Ethics: Client Confidences

According to the FBI, law firms and law departments are
among the most vulnerable targets for cyber attacks.
Lawyers are reported to:
Have limited resources to dedicate
to computer security
Lack a sophisticated appreciation
of technology risks
Lack an instinct for cyber security
The ABA Cyber Security Handbook
Cyber Security and Lawyers

Individual IT Empowerment
Part of a Larger Phenomenon

Key Terms and Definitions*
Hosting (Website hosting, Web hosting, and Webhosting): the business of housing, serving, and
maintaining files for one or more websites.
The Cloud (Cloud Computing): a type of Internet-based computing where different services such as
servers, storage, and applications are delivered to an organization's computers and devices through the
Internet. Examples of Cloud Computing include:
Infrastructure as a Service (IaaS): a service model that delivers computer infrastructure on
an outsourced basis to support enterprise operations. Typically, IaaS provides hardware,
storage, servers and data center space or network components; it may also include software.
Platform as a Service (PaaS): a category of cloud computing services that provides a
platform allowing customers to develop, run, and manage web applications without the
complexity of building and maintaining the infrastructure typically associated with developing
and launching an application.
Software as a Service (SaaS): a software distribution model in which applications are hosted
by a vendor or service provider and made available to customers over a network.
*Technology terminology sources include: Wikipedia, Technopedia, Internationals Association of Privacy Professionals (IAPP),
ABA, ACC, The Shared Assessments Program, Merriam-Webster, and Ponemon Institute.

A Tasty Example: Pizza as a Service
Traditional
On-Premises
(On Prem)
Made at Home
Dining
Table
Soda
Electric /
Gas
Oven
Fire
Pizza
Dough
Tomato
Sauce
Toppings
Cheese
Take and Bake Pizza Delivered Dining Out
www.linkedin.com/pulse/20140730172610-9679881-pizza-as-a-service
You Manage Vendor Manages
Infrastructure
as a Service
(IaaS)
Dining
Table
Soda
Electric /
Gas
Oven
Fire
Pizza
Dough
Tomato
Sauce
Toppings
Cheese
Platform
as a Service
(PaaS)
Dining
Table
Soda
Electric /
Gas
Oven
Fire
Pizza
Dough
Tomato
Sauce
Toppings
Cheese
Software
as a Service
(SaaS)
Dining
Table
Soda
Electric /
Gas
Oven
Fire
Pizza
Dough
Tomato
Sauce
Toppings
Cheese

Shadow IT: Where a user/department finds a cloud provider to do work because IT is too busy, and
usually without knowledge/oversight controls of IT/IT security/legal.
Single Sign-On (SSO): A session/user authentication process that permits a user to enter one name
and password in order to access multiple applications. May be used interchangeably with “federation”
or “federated login.”
Security Assertion Markup Language (SAML): A data format for exchanging authentication and
authorization data between parties, in particular, between an identity provider and a service provider.
Federation: Refers to different computing entities adhering to certain standards of operations in a
collective manner to facilitate communication.
Encryption: The conversion of electronic data into another form, ciphertext, so that it cannot be
easily understood by anyone except authorized parties with the key. Types of encrypted data include:
Data in Use, Data at Rest, Data in Motion.
Payment Card Industry Data Security Standard (PCI DSS): Industry created policies and
procedures intended to optimize the security of credit, debit, and cash card transactions to protect
cardholders against misuse of personal information and financial loss.
Key Terms and Definitions (cont.)

Data Types
Data in Use:
Active data under constant
change stored physically in
databases, data warehouses,
spreadsheets, etc.
Data in Motion:
Data that is traversing a
network or temporarily residing
in computer memory to be
read or updated.
Data at Rest:
Inactive data physically stored in databases,
data warehouses, spreadsheets, archives,
tapes, off-site backups, etc.

Big Data:
Data sets so large or complex that traditional data processing applications are
inadequate. Challenges include analysis, capture, search, sharing, storage,
transfer, visualization, and privacy.
High-volume, high-velocity, and high-variety information assets that demand
cost-effective, innovative forms of information processing for enhanced insight
and decision making.
Internet of Things (IoT): Network of physical objects embedded with electronics,
software, and sensors enabling connectivity (remote data exchange) between
manufacturer, operator, and other devices. Resulting in improved efficiency, accuracy,
and economic benefits.
Phishing: Broad scattered email fraud where user is duped into revealing personal or
confidential information for illicit use.
Spear Phishing: Phishing that targets a specific organization; messages appear to come
from trusted source.
Key Terms and Definitions (cont.)

Information Security: Protecting information and information systems from unauthorized
access, use, disclosure, disruption, modification, or destruction to provide:
Integrity – guarding against improper information modification or destruction;
includes ensuring information non-repudiation and authenticity.
Confidentiality – preserving authorized restrictions on access and disclosure.
Availability – ensuring timely and reliable access to and use of information.
Information Security Program:
Identify threats, vulnerabilities, and requirements
Implement security controls, monitor
Cyber Security: Measures taken to protect a computer or computer system against
unauthorized access or attacks.
Information Security

Not a technology concept, yet inescapably tied to it.
Privacy is not security.
“[Privacy is] the appropriate use of personal information under the circumstances.
What is appropriate will depend on context, law, and the individual's expectations;
also, [privacy is] the right of an individual to control the collection, use, and
disclosure of personal information.”
IAPP Information Privacy Certification: Glossary of Common Privacy Terminology, 2011
Notable privacy events:
Safe Harbor and Privacy Shield
Establishment of Federal Privacy Council
• Cybersecurity National Action Plan
New FTC rules for Internet service providers
General Data Protection Regulation
Information Privacy

Top 10 Tips:
Working with Technology

Tip #10:
Understand Your Company’s Technology

Understand your company’s business and the
technology your company uses daily
Understand your company’s technology strategy:
Cloud first to cloud never
Bring your own technology
Understand who has responsibility for buying and
maintaining technology:
What is legal’ s role in this?
What is your process for buying technology?
Make sure it includes a process to identify when shadow
IT is being bought or used.
Tip #10: Understand Your Company’s Technology

Tip #9:
Know Your Vendors and Vendors’ Vendors

Know who your vendors are and what services/products
they provide.
Connect and work with your security team:
You both need to know when you find new places to store data
Put a process in place to identify new technology
being used:
It’s happening; you just may not know about it
Tip #9: Know Your Vendors and Vendors’ Vendors

Tip #8:
Know Your Law Firms’ Security Practices

Tip #8: Know Your Law Firms’ Security Practices
Understand your obligations as in-house counsel when
working with your law firms.
Join the ACC Litigation Committee Subcommittee on Cyber
Security and Law Firms:
Evan Slavitt, evan.slavitt@avx.com
Join the ACC Working Group Data Security for
Law Firms:
Amar Sarwal, sarwal@acc.com
Join Legal Services Information Sharing and Analysis
Organization (LS-ISAO) Services for law firms.

Tip #7:
Be a Partner to the Business

Find a way to help your business partners
understand and mitigate technology risks; help
them achieve success.
Host a series of lunch and learns with your business
and technology counterparts:
Present on areas of respective expertise
• Contract and licensing 101
• Technology 101
• Sales 101, Operations 101, etc.
Meet regularly to discuss issues, trends, etc.
Tip #7: Be a Partner to the Business

Tip #6:
Conduct a Data Audit

Form a cross-functional team to identify data practices
Understand what and how data is managed:
What is the data?
Who has (and should have) access?
Where does it go?
How long is it stored?
Do you have a disaster recovery (DR)/business
continuity plan (BCP)?
Conduct a DR/BCP exercise annually
Tip #6: Conduct a Data Audit

Tip #5:
Assess Your Individual Data Practices

Where do you keep your personal data?
At home?
At work?
Use a password manager:
Don’t store a copy of your passwords online
Use two-factor authentication everywhere
Tip #5: Assess Your Individual Data Practices

Tip #4:
Know Your Company’s Breach and
Incident Response Plan and Practice It

If you don’t have a plan – create one!
Know the plan.
Know who has what roles in the plan.
Practice, practice, practice!
Tip #4: Know Your Company’s Breach and
Incident Response Plan and Practice It

Tip #3:
Train Employees on Technology,
Security, and Privacy

Tip #3: Train Employees on Technology,
Security, and Privacy

Tip #2:
Get Comfortable with Technology

Tip #2: Get Comfortable with Technology
ACC.com, ACC committees, and chapters
ACC Litigation Committee and Cyber Security Working Group
LegalTechNews - legaltechnews.com
ABA’s Law Technology Today - lawtechnologytoday.org
PinHawk - pinhawk.com
Pocket - getpocket.com
Two Factor Authentication - twofactorauth.org
Password storage
LastPass - lastpass.com
Dashlane - dashlane.com
Roboform – roboform.com
Take a class
Read
Future Crimes: Inside the Digital Underground and the Battle for Our Connected World, by Marc
Goodman
The Tech Contracts Handbook: Cloud Computing Agreements, Software Licenses, and Other IT
Contracts for Lawyers and Business People, by David W. Tollen
The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win, by Gene Kim,
Kevin Behr, George Spafford

Tip #1:
Network Inside and Outside
Your Organization

Develop a core team of company contacts to assist on
technology issues:
Use your contacts in other parts of the organization
(e.g., IT, security) to help you keep up-to-date on
technology developments affecting your business.
Talk to your peers outside the company regarding best
practices and stay current on new developments.
Tip #1: Network Inside and Outside Your Organization

Question and Answer

Contact Us
Jennifer K. Mailander
Associate General Counsel
jennifer.mailander@cscglobal.com
Scott Plichta
Chief Information Security Officer
scott.plichta@cscglobal.com

TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Similar a TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE (20)

Último

Último (20)

TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE

Notas del editor