Cybersecurity & Data Privacy Attorney Shawn Tuma delivered this presentation at the 55th Annual Conference on Intellectual Property Law at The Center for American and International Law on November 13, 2017.
Cybersecurity Fundamentals for Legal Professionals
1. Shawn E. Tuma
Cybersecurity & Data Privacy Attorney
Scheef & Stone, LLP
Shawn.tuma@solidcounsel.com
Cybersecurity Fundamentals for Legal Professionals: A Lawyer’s Duty to Protect Client Confidences
@shawnetuma
2. The Problem
• Cybersecurity and privacy are issues that most attorneys would prefer to ignore but are uniquely obligated to address.
• Cybersecurity and privacy impact all lawyers and law firms alike.
• Clients are demanding adequate security (firms are their third-party risk).
• Law firms are an increasingly popular target.
• Value and sensitivity of data.
• Data for multiple clients.
3. The Ethics
“A lawyer should preserve the confidences and secrets of a client.”
• Ethics Opinion 384 (Sept. 1975)
• Canon No. 4, Code of Professional Responsibility
• Disciplinary Rule (DR) 4-101 (A) and (B)
4. To protect the law firm, you must:
• Protect your data for
  • Confidentiality
  • Integrity
  • Availability
• Against threats from
  • Insiders
  • Outsiders
  • Third-party partners
5. The Question
Are most cybersecurity and privacy incidents:
• Sophisticated James Bond-like attacks?
or
• Simple things, like people doing dumb things?
6. Usually the real-world threats are not so sophisticated
Easily preventable
• 90% in 2014
• 91% in 2015
• 63% of confirmed breaches from weak, default, or stolen passwords
• Data is lost over 100x more than stolen
• Phishing used most to install malware
Easily Avoidable Breaches
• 90% in 2014
• 91% in 2015
• 91% in 2016 (90% from email)
7. Common Cybersecurity Best Practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
  • Social engineering, passwords, security questions
3. Training of all workforce.
4. Phish all workforce (esp. leadership).
5. Signature-based antivirus and malware detection.
6. Access controls.
7. Security updates and patch management.
8. Multi-factor authentication.
9. Backups segmented offline and redundant.
10. No outdated or unsupported software.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk assessment & management.
15. Intrusion detection and intrusion prevention systems.
26. • Board of Directors & General Counsel, Cyber Future Foundation
• Board of Advisors, North Texas Cyber Forensics Lab
• Policy Council, National Technology Security Coalition
• Cybersecurity Task Force, Intelligent Transportation Society of America
• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
• SuperLawyers Top 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-16 (IP Litigation)
• Best Lawyers in Dallas 2014-16, D Magazine (Digital Information Law)
• Council, Computer & Technology Section, State Bar of Texas
• Privacy and Data Security Committee of the State Bar of Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Conference
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee & InfraGard (FBI)
• International Association of Privacy Professionals (IAPP)
• Board of Advisors, Office of CISO, Optiv Security
Shawn Tuma
Cybersecurity Partner
Scheef & Stone, L.L.P.
214.472.2135
shawn.tuma@solidcounsel.com
@shawnetuma
blog: www.shawnetuma.com
web: www.solidcounsel.com