ETHICS + DATA Dennis Kennedy Patrick Reagan Cyber12 - NKU - - PowerPoint PPT Presentation

ethics data
SMART_READER_LITE
LIVE PREVIEW

ETHICS + DATA Dennis Kennedy Patrick Reagan Cyber12 - NKU - - PowerPoint PPT Presentation

Nov 12, 2022 42 likes •358 views

ETHICS + DATA Dennis Kennedy Patrick Reagan Cyber12 - NKU Cybersecurity Symposium - October 11, 2019 ROADMAP Part 1: Todays data security issues Part 2: Ethical obligations of lawyers Part 3: Ethical obligations of IT

slide-1
SLIDE 1

ETHICS + DATA

Dennis Kennedy Patrick Reagan Cyber12 - NKU Cybersecurity Symposium - October 11, 2019

slide-2
SLIDE 2

ROADMAP

 Part 1: Today’s data security issues  Part 2: Ethical obligations of lawyers  Part 3: Ethical obligations of IT professionals  Part 4: FTC Health Breach Notification Rule  Part 5: Conclusion  Part 6: Q&A

slide-3
SLIDE 3

TODAY’S DATA SECURITY ISSUES

 Fake data generation

 Pollutes a company’s data pool. Makes analytics faulty.

 Non-encrypted data

 For cloud storage, this is a huge problem.

 Granular access control

 Controlling who sees what limits noticeability of breaches.

 Creative hackers

 E.g. emails asking for your password.

 Data provenance difficulties

 Responding to a breach is more difficult if you don’t know where data came from.

 Distributed storage frameworks

 Storing data in multiple locations makes breach identification difficult.

 Lack of security audits

 You don’t know what you don’t know.

slide-4
SLIDE 4

ETHICAL OBLIGATIONS OF LAWYERS

from this to this

slide-5
SLIDE 5

ETHICAL OBLIGATIONS OF LAWYERS

 Massive amounts of client data is digitized  Law firms now have data security issues

 DLA Piper 2017 data breach

 Multi-day shutdown and millions in costs to fix

 Cravath  Weil Gotshal

 Law firms that work in healthcare have special HIPAA obligations  Regulating authorities are enacting new laws

 GDPR  CCPA

slide-6
SLIDE 6

ETHICAL OBLIGATIONS OF LAWYERS

 ABA Model Rule 1.1/SCR 3.130 (1.1): must keep up with technology to maintain competence.  ABA Model Rule 1.6/SCR 3.130 (1.6): core of lawyers’ ethical obligations to their clients.  ABA Opinion 99-413/KBA E-403: email with clients permissible  ABA Opinion 477R/KBA E-446: must secure Internet devices  ABA Opinion 483/KBA E-446: must notify clients of data breach

slide-7
SLIDE 7

DUTY TO MAINTAIN COMPETENCE

 ABA Model Rule 1.1/SCR 3.130 (1.1)  “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”  Comment 8 – ABA: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

 Kentucky comment is identical.

slide-8
SLIDE 8

DUTY OF CONFIDENTIALITY

 Core duty of a lawyer  Bedrock of attorney-client relationship  Foundation of the duty to keep client files and data secure  ABA Rule 1.6(c): “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”  Comment 14 to SCR 3.130 (1.6): “A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision.”

slide-9
SLIDE 9

ABA OPINION 99-413

 The genesis of legal opinions on how to protect client data  Authorized email with clients

 “Lawyers have a reasonable expectation of privacy in communications made by all forms of e-mail, including unencrypted email sent on the Internet, despite some risk of interception and disclosure. It therefore follows that its use is consistent with the duty under Rule 1.6 to use reasonable means to maintain the confidentiality of information relating to a client’s representation.”

slide-10
SLIDE 10

SINCE OPINION 99-413

 2012 technology amendments  Comment 8 to Rule 1.1:

 “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

 Kentucky SCR 3.130 (1.1), comment 6 states similarly.

 Rule 1.6(c)

 “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

 Comment 18: if a lawyer makes reasonable efforts to prevent data access/disclosure, she has met her obligation under Rule 1.6.

slide-11
SLIDE 11

CYBERSECURITY AND REASONABLE EFFORTS

 Comment 18 to Rule 1.6(c); KBA Opinion E-446  Sensitivity of the information  Likelihood of disclosure if additional safeguards are not employed  Cost of employing additional safeguards  Difficulty of implementing the safeguards  Extent to which safeguards adversely affect the lawyer’s ability to represent clients

 E.g. whether a safeguard would make a device or important piece of software excessively difficult to use

slide-12
SLIDE 12

EXAMPLES OF REASONABLE EFFORTS

 Firewall  Encryption  Avoiding instant message platforms  Using complex passwords  Retaining the ability to remotely wipe lost devices containing client information  Exercising caution when communicating with a client whose computers or other devices are controlled/accessed by a third party  Training all staff on how to properly use technology and follow security protocols  Remember: almost no data is ever truly “deleted”

slide-13
SLIDE 13

VENDORS

 Risk of breach and/or malfeasance  Kentucky allows contracting with vendors: KBA E-446: “an attorney selecting an online provider of storage or other services must investigate the provider to be sure that client information is reasonably sure to remain confidential and secure.”  Rule 5.3: lawyers supervising nonlawyers must make “reasonable efforts to ensure that” the nonlawyers’ “conduct is compatible with the professional obligations of the lawyer.” This includes confidentiality.  When hiring vendors, evaluate the vendor’s:

 References and credentials  Security policies and protocols  Hiring practices  Use of confidentiality agreements  Conflict check system  Availability of options to pursue legal relief for violations of vendor agreement

 Beware of arbitration clauses. You want a court’s equitable powers if there is a breach or malfeasance.

slide-14
SLIDE 14

THIRD PARTY SERVICES

 Examples: cloud-based storage services  Comment 3 to Model Rule 5.3

 Must use reasonable efforts to ensure third party service follows lawyer’s ethical obligations

 Factors to look at when evaluating third party services:

 Education, experience, and reputation of nonlawyer third party service  Nature of services involved  Terms of any arrangements concerning protection of client information  Legal and ethical environments of jurisdictions in which services will be performed— especially regarding confidentiality.

 When communicating highly sensitive client information to a third party service, disclose that to the client.  KBA E-446: attorneys must make reasonable efforts to adopt sufficient security policies regarding vendors and third party services.

slide-15
SLIDE 15

KENTUCKY LAWYERS’ OBLIGATIONS WITH CLOUD COMPUTING

 KBA E-437  Main authorities  “As with storage of files in a bricks-and-mortar law office or in an off-site warehouse, client information stored in the cloud cannot be protected absolutely. Burglars can break into law offices and warehouses despite the utmost care to protect against such happenings. Likewise, sophisticated hackers can access

  • nline information despite the utmost care to protect confidential client information.”

 Lawyer must make reasonable efforts to supervise a provider of online storage to ensure compliance with confidentiality rules and the lawyer’s other obligations  Lawyers should also consider advising clients with highly sensitive information they are storing their data

  • n the cloud

 Review any agreements made with cloud storage providers  Consider the following:

 Protections the providers has to prevent disclosure of confidential client information  Whether the provider is contractually obligated to protect security/confidentiality  Whether the service agreement states the provider will “own” the data  What procedures the provider uses when responding to governmental/judicial attempts to obtain confidential client information.

slide-16
SLIDE 16

LAWYERS’ OBLIGATIONS REGARDING DATA BREACHES

 ABA Opinion 483: “lawyers utilizing technology [must] safeguard and monitor the security of electronically-stored client property and information.”  Ethical obligations arise only when (1) there is a breach of material client information; or (2) a lawyer’s ability to perform legal services is significantly impaired by a cyber episode.  Not taking steps to reasonably prevent a data breach is where an ethical violation

  • ccurs—not necessarily the occurrence of the breach itself.

 KBA E-446: if there is a disclosure of the client’s specific confidential and/or privileged information to third parties that would constitute a significant development affecting the client’s representation, a disclosure must be made to the client about this development.  KBA E-446: rule regarding safeguarding client(s)’ property applies to client data

slide-17
SLIDE 17

STOPPING BREACHES MITIGATING DAMAGES

 Duty to prevent breaches is not one of strict liability. Rather, it is one of “reasonable effort.”

 Even if data has been accessed, if the lawyer took reasonable efforts to prevent the breach she has not committed a violation.

 Draft an incident response plan with specific procedures for responding to a data breach.  Identify team members and their backups.  Determine specifically what occurred.

 Gather enough information to determine the breach has been stopped.  Evaluate what data was lost or accessed.

slide-18
SLIDE 18

NOTICE REQUIREMENTS TO CURRENT CLIENTS

 Must notify clients of data breaches.

 “disclosure will be required if material client information was actually or reasonably suspected to have been accessed, disclosed or lost in a breach.” ABA Opinion 483.

 Rule 1.4(a)(3): must “keep the client reasonably informed about the status of the matter.”  Rule 1.4(b): “A lawyer shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.”

slide-19
SLIDE 19

CONTENTS OF A BREACH NOTIFICATION

 Basic test: must be sufficient enough for the client to make an informed decision as to what to do next.

 At a bare minimum:

 Notify client that there has been unauthorized access to, or disclosure of, their information, or reasonable suspicion of such.  Advise client of the extent of access/disclosure.  Advise client of efforts taken to stop the breach.  Inform the client of plans to respond, recover information, and increase data security.

 If personally identifiable information of clients is compromised, lawyers must evaluate obligations of state and federal law in addition to ethics rules.

 All 50 states plus DC/Puerto Rico/Guam/Virgin Islands have breach notification laws.

slide-20
SLIDE 20

NOTICE REQUIREMENTS TO FORMER CLIENTS

 Is a notice requirement?

 Beware of applicable statutes and contractual provisions requiring notice  KRS 365.732: entity holding personally identifiable information about another must give written notice to persons affected by a security breach involving unencrypted personally identifiable information

 Rule 1.9(c) requires lawyers to not disclose information about former clients  Clients can make an informed waiver of Rule 1.9’s protections

 Same for SCR 3.130 (1.9)

 Lawyers can establish data destruction policies to avoid retaining client files and property indefinitely  Best practice: reach agreement with clients before the conclusion or termination of the relationship about handling their electronic information

slide-21
SLIDE 21

ETHICS CODES FOR IT PROFESSIONALS

 Largely self-regulated and decentralized profession  International Association of Electrical and Electronics Engineers (IEEE)  SANS Institute

slide-22
SLIDE 22

COMMON THEMES FOR IT ETHICS

 Avoid conflicts of interest  Maintain technical competence  Refuse bribes and kickbacks  Avoid injury to others, their property, reputation, or employment  Honesty about one’s capabilities  Not exceeding authorized access into data  Do not disclose confidential data that could harm a third party or client  Protect privacy

slide-23
SLIDE 23

IT ETHICS AND DATA BREACHES

 Do everything reasonably capable to prevent data breaches.  Maintain technological competence.  Be upfront with law firms that contract with IT professionals.  Do not accept contracts beyond the scope of your abilities.  If there is a breach, disclose it to the contracting law firm.  Ensure your IT employees follow these ethical rules.  Treat contracting law firms as those firms would treat their clients: honesty, fair dealing, and disclosure.

slide-24
SLIDE 24

RECOMMENDATIONS FOR IT PROFESSIONALS

 Implement a code of ethics.  Train employees.  Perform regular audits for data breaches.  Review agreements with law firms to see what you must disclose.  Provide an annual or semiannual report to update law firms on technology used

  • n their data, and their clients’ data.

 Train employees on applicable legal obligations of lawyers and nonlawyers, in compliance with Rule 5.3 and SCR 3.130 (5.1).

slide-25
SLIDE 25

FTC HEALTH BREACH NOTIFICATION RULE

 In the context of this presentation, it applies to certain third party IT professionals.  Vendors of personal health records

 Entities that “[offer] or maintain a personal health record”

 Personal health records-related entities

 Entities that interact with vendors of personal health records by offering products/services through the vendor’s website  Entities that access information in a personal health record  Entities send information to a personal health record

 Third-party service providers

 Entities that offer services involving the use, maintenance, disclosure, or disposal of health information to vendors of personal health records or personal health record- related entities.

slide-26
SLIDE 26

NOTIFICATION REQUIREMENTS

 Notification requirement for unauthorized acquisitions of personal health record- identifiable health information that is (1) unsecured; and (2) in a personal health record.

 Unauthorized acquisition: acquisition by someone else without consent.  Personal health record-identifiable health information: identifies someone or could reasonably be used to identify someone  Unsecured information: information not encrypted or destroyed.  Personal health record: electronic health record that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.

slide-27
SLIDE 27

RESPONSE TO HEALTH DATA BREACH

 Applies to vendors of personal health records and personal health record-related entities  Three notifications to give:

 Each affected US citizen

 Within 60 calendar days after the breach is discovered

 The Federal Trade Commission

 If more than 500 people affected: notify FTC as soon as possible and within 10 business days  If fewer than 500 people affected: notify FTC within 60 calendar days of January of the next calendar year

 The media

 If at least 500 residents of a particular state, DC, or territory are affected, must notify prominent media outlets serving the relevant locale within 60 calendar days after the breach is discovered.

slide-28
SLIDE 28

RESPONSE TO A HEALTH DATA BREACH, CONT’D

 Third-party service providers servicing vendors of personal health records or personal health records-related entities  Disclose to those clients the rule’s coverage  If there is a breach, must notify an official designated in the contract with the client as soon as possible within 60 calendar days of discovering the breach  Must identify each person whose information may have been involved in the breach  Vendor or personal health record-related entity must receive acknowledgement

  • f receipt of notice

 They in turn must notify people affected by the breach, FTC, media, etc.

slide-29
SLIDE 29

NOTICE PROCEDURES AND CONTENTS

 If you fail to personally reach 10 or more people, you must provide substitute notice through clear posting on your website for 90 days on your home page, or media notice where affected  Contents of notification:

 Brief description of what happened  Kind of information involved in breach  Steps affected people can take to protect themselves  Brief description of steps the business is taking to investigate, protect against, and mitigate harm from the breach  Contact information for more information

slide-30
SLIDE 30

CONCLUSION

 If material client information is improperly accessed, disclosed, or lost, lawyers must notify clients.  Lawyers must take reasonable steps to protect client data.  Lawyers must appropriately supervise nonlawyers, including third-party contractors, to ensure client data is safe.  Lawyers should disclose to clients what they do with their data.  IT professionals should disclose to law firms what steps they take to protect data.  If IT professionals discover a breach, they should disclose and fix it.

slide-31
SLIDE 31

Questions & Answers