This presentation was given to lawyers preparing to start practice in Ontario, Canada, as part of an introductory course. It is meant to provide an introduction to some considerations relevant to lawyers who store confidential client information electronically. It was given on December 16th in Toronto.
6. Risk Exists Without Technology
“I'm in a Starbucks & bunch of lawyers are talking about a client's email trail problem: clearly see their own speech trail as no problem” – from Twitter, April 29, 2010
11. Assume Everything is Portable
Lock office doors
Place server(s) in a locked room
Physically secure all devices: desktops, laptops, handhelds
On 7/7/07, <NAME PROTECTED> <EMAIL PROTECTED> wrote:
SUBJECT: Stolen Server
One of my clients is a law firm… on the 4th of July, someone broke into their office and stole the server as well as all of their computers. Luckily they had a good backup plan, so they didn't lose any data from the server.
14. We May Be the Weakest Link
~12,000 laptops LOST each week at U.S. airports
Only one-third recovered
Source: Airport Insecurity: The Case of Missing & Lost Laptops, Ponemon Institute, 2008
15. Risk Assessment Checklist
Unintended Portability
Defend Against Attacks
  Review defaults
  Passwords
  Harden your defenses
16. Review Defaults
Network hardware: passwords; what's shared; what's broadcasting (add security, change the name)
Internet: passwords
17. Passwords
Lots and lots of passwords: e-commerce and banking web sites; e-mail accounts in your firm and on the Web; to access your phone, your laptop, Windows
Make them complex
Make them unique
Test them
Write them down
18. Passwords
Most popular password? 123456
Try for eight characters or more
Use a site like Passwordmeter.com to get tips
Ideal password is random – good luck with that
Start with something you can recall (scores from Passwordmeter.com):
  Weak, 15%: commonlaw
  Better, 70%: C0mm0nl&w
  Best, 92%: C03m0nL&w
19. Passwords
Know where your passwords are
Gawker Media hacked December 12, 2010
200,000 passwords cracked immediately
1,958 used "password"
681 used "qwerty"
Other popular: 123456, 12345678, abc123
[Diagram of password reuse: Exploit A, Password A, Gawker.com; Exploits B and C, Passwords B/C, Twitter.com and Campfire.com; Passwords D/E/…, other staff and other non-staff]
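Slides 17 to 19 ask for complex, unique, tested passwords, but the 15/70/92% scores on slide 18 are a meter's view of character mix, and a cracker does not see C0mm0nl&w as a new word: it tries commonlaw with the usual substitutions. The script below is an added example, not from the talk and not Passwordmeter.com's algorithm. It assesses a password three ways: the naive character-set estimate a meter rewards, whether the password collapses to a dictionary word once common substitutions are undone (with one edit of slack for an inserted digit), and whether it sits in a breached list of the Gawker kind. The dictionary and the breached list are tiny constructed stand-ins for real wordlists and real dumps.

```python
import math
import secrets
import string

# Constructed stand-ins (not real wordlists): a few dictionary words, and the
# Gawker-style favourites from slide 19 as a "breached" list.
DICTIONARY = {"commonlaw", "password", "qwerty", "123456", "12345678", "abc123", "toronto"}
BREACHED = {"123456", "password", "qwerty", "12345678", "abc123"}

# Substitutions that cracking rule sets undo as a matter of routine.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "&": "a", "!": "i"})


def charset_bits(pw: str) -> float:
    """Meter-style estimate: log2(pool ** length), as if the password were a
    uniformly random draw from the character classes it happens to use.
    This is what a strength meter rewards; it says nothing about guessability."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def derived_from(pw: str, dictionary=DICTIONARY, max_edits: int = 1):
    """Return the dictionary word this password is a thin disguise of, or None.
    Undo leetspeak, lowercase, drop leftover non-letters, then allow a small
    edit distance (an inserted digit, a dropped letter)."""
    if pw in dictionary:
        return pw
    stripped = "".join(c for c in pw.translate(LEET).lower() if c.isalpha())
    for word in dictionary:
        if edit_distance(stripped, word) <= max_edits:
            return word
    return None


def assess(pw: str) -> dict:
    base = derived_from(pw)
    return {
        "bits": round(charset_bits(pw), 1),
        "derived_from": base,
        "breached": pw in BREACHED,
        "ok": base is None and pw not in BREACHED and len(pw) >= 12,
    }


def random_password(length: int = 16) -> str:
    """What slide 18 calls the ideal: a random draw, here forced to include
    every class so that charset_bits reflects the full 94-character pool."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


if __name__ == "__main__":
    for candidate in ["commonlaw", "C0mm0nl&w", "C03m0nL&w", "123456", random_password()]:
        print(f"{candidate:20s} {assess(candidate)}")
```

All three slide-18 passwords come back as derived from commonlaw, and the two substituted forms get the same character-set score as each other, which is the point: the meter's jump from 70% to 92% is not extra strength against a dictionary-plus-rules attack. The random 16-character password is the only one the assessment accepts.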
20. Harden Your Defenses
Network hardware / Internet
Software: anti-virus; anti-malware; browser security; firewall
Hardware: firewall; intrusion detection
21. Risk Assessment Checklist
Unintended Portability
Defend Against Attacks
  Review defaults
  Passwords
  Harden your defenses
Reduce Your Risk
  Encrypt your data
  Don't carry any data you don't have to
  Protect the data you leave behind
22. Encryption Reduces Impact of Loss
“Client’s notebook PC & removable hard drive were stolen . . . . Hard drive was unencrypted and contained 10+ yrs of personal and business financial data . . . .” – E-mail to Solosez discussion list, November 2009
23. Encrypt Your Data
Partial disk (an encrypted volume):
  May require you to start the encryption tool
  Encrypts everything you place in the encrypted volume
  Can be closed without turning off the computer
  Can be treated as a file
Full disk:
  Starts with the computer
  Encrypts everything, whether it needs it or not
  No user interaction
24. You Can Take It With You: Don't!
The need for portable media is nearly gone
If you have Internet access, use cloud-based file access tools
Synchronization (Dropbox, SugarSync): synchronize files between your computer, their servers, and your other devices; delete a file, and it is deleted from their servers
Tonido: creates an encrypted tunnel to your files
25. Encrypt from End to End
[Diagram: an https:// login page, with Username and ********* fields, sitting between http:// pages]
26. 3 Reasons to Leave Data Behind
Storage devices are getting smaller and easier to lose
Someone who finds your lost device can almost always recover deleted data from it: deleting a file removes the directory entry, not the bytes, which stay on the disk until something overwrites them
A laptop travelling in standby or hibernation mode retains your decryption keys: in standby they stay in RAM, and in hibernation they are written out with the rest of memory to the hibernation file, which is readable from the disk unless that file itself sits on an encrypted volume
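The second reason on slide 26 is the one people find hardest to believe. Recovery tools do not need the filesystem at all: they read the raw device looking for the recognisable start and end of known file types, a technique called carving. The example below is added here and is not from the talk. It builds a small constructed disk image containing one JPEG that the directory still lists and one PDF that has been "deleted" (no directory entry, bytes intact), then carves both back out by signature. The file contents, offsets and names are made up; real images are larger and files can be fragmented, which this carver does not handle.

```python
# (header, footer) signatures for two common document types; real carvers know hundreds.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
BLOCK = 512


def build_sample_image():
    """Constructed stand-in for a raw disk: 512-byte blocks, plus a directory that
    lists only the live file. The PDF's bytes are still there; only its entry is gone."""
    def padded(data: bytes) -> bytes:
        return data + b"\x00" * (-len(data) % BLOCK)

    free = b"\x00" * BLOCK
    deleted_pdf = b"%PDF-1.4\n1 0 obj << /Title (Retainer letter, deleted last week) >>\n%%EOF"
    live_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x01" * 40 + b"\xff\xd9"
    image = free + padded(deleted_pdf) + free + padded(live_jpeg)
    directory = {"scan.jpg": 3 * BLOCK}   # the only file the filesystem still lists
    return image, directory


def carve(image: bytes, signatures=SIGNATURES, max_len: int = 1 << 20):
    """Scan the raw bytes for each header and take everything up to the next
    matching footer. Returns (kind, offset, data) sorted by offset. A header
    with no footer within max_len is treated as truncated and skipped."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            end = image.find(footer, start + len(header), start + max_len)
            if end < 0:
                pos = start + len(header)
                continue
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[1])


def unlisted(carved, directory):
    """Carved objects that no directory entry points at: the 'deleted' data."""
    listed = set(directory.values())
    return [(kind, offset) for kind, offset, _ in carved if offset not in listed]


if __name__ == "__main__":
    image, directory = build_sample_image()
    carved = carve(image)
    for kind, offset, data in carved:
        print(f"{kind} at offset {offset}: {len(data)} bytes")
    print("recoverable without a directory entry:", unlisted(carved, directory))
```

The same scan run against a real device (or an image of it taken with a tool like dd) is what a finder of the lost laptop would do; the only things that defeat it are overwriting the blocks or having them encrypted in the first place, which is slide 23's argument.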
27. Protect Your Data
Back up your data: use a secure online backup like Mozy or Carbonite, or a portable drive that you can physically secure
Use preventive measures on handhelds: remote locating apps; remote destruction (wipe) apps
28. Risk Assessment Checklist
Unintended Portability
Defend Against Attacks
  Review defaults
  Passwords
  Harden your defenses
Reduce Your Risk
  Encrypt your data
  Don't carry any data you don't have to
  Protect the data you leave behind
Manage Your Mobility
30. Manage Your Mobility
Disable Bluetooth and wireless antennas when you're not using them
Disable Windows File Sharing
Use an encrypted connection AND connect to encrypted resources
Baaaaaa… Firesheep (the Firefox add-on released in October 2010 that captures session cookies on an open Wi-Fi network from sites that log you in over https:// but then continue the session over http://)
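Slides 25 and 30 make one point from two sides: an https:// login page is not enough if the session then continues over http://, because on an open Wi-Fi network anyone can read the session cookie out of the plaintext requests, which is exactly what Firesheep automated for a list of popular sites. The script below is an added example, not Firesheep's code and not from the talk. It runs a Firesheep-style cookie harvest over a constructed plaintext capture (hostnames, cookie names and values are made up), and then shows the fix from the server's side: a cookie set with the Secure attribute is never sent over http://, so there is nothing on the wire to sniff.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed capture (not a real trace): HTTP requests as a sniffer on an open
# hotspot sees them. Requests made over https:// are encrypted and so absent here.
CAPTURE = [
    "GET /inbox HTTP/1.1\r\nHost: webmail.example\r\nCookie: session_id=9f2c1ab7; lang=en\r\n\r\n",
    "GET /dashboard HTTP/1.1\r\nHost: social.example\r\nCookie: sid=aa11bb22; theme=dark\r\n\r\n",
    "GET /style.css HTTP/1.1\r\nHost: cdn.example\r\n\r\n",
]

# Cookie names that identify a logged-in session; Firesheep kept a per-site list.
SESSION_COOKIE_NAMES = {"session_id", "sid", "PHPSESSID", "JSESSIONID"}


def parse_request(raw: str):
    """Split one plaintext HTTP request into (host, {cookie_name: value})."""
    head = raw.partition("\r\n\r\n")[0]
    host, cookies = None, {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
        elif name.strip().lower() == "cookie":
            for part in value.split(";"):
                k, _, v = part.strip().partition("=")
                cookies[k] = v
    return host, cookies


def harvest_sessions(capture, names=SESSION_COOKIE_NAMES):
    """The attack: pull session cookies out of plaintext requests. Each hit is a
    cookie the attacker can replay to act as that user on that site."""
    stolen = []
    for raw in capture:
        host, cookies = parse_request(raw)
        stolen.extend((host, k, v) for k, v in cookies.items() if k in names)
    return stolen


def browser_sends(set_cookie_header: str, url: str) -> dict:
    """The defence, seen from the browser: for each cookie in a Set-Cookie header,
    would it be attached to a request for url? Models only the Secure attribute
    (a Secure cookie goes out on https:// only); Domain and Path matching are ignored."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    scheme = urlsplit(url).scheme
    return {name: not (bool(morsel["secure"]) and scheme != "https")
            for name, morsel in jar.items()}


if __name__ == "__main__":
    print("harvested:", harvest_sessions(CAPTURE))
    hardened = "sid=aa11bb22; Path=/; Secure; HttpOnly"
    print("Secure cookie over http: ", browser_sends(hardened, "http://social.example/dashboard"))
    print("Secure cookie over https:", browser_sends(hardened, "https://social.example/dashboard"))
```

The harvest returns two usable sessions from the constructed capture; the third request carried no cookie and yields nothing. With the Secure attribute set, the same cookie is withheld from the http:// request, which is why the slide insists on an encrypted connection and encrypted resources together: the VPN protects the hotspot leg, and Secure cookies plus https:// throughout protect the rest.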
31. Risk Assessment Checklist
Unintended Portability
Defend Against Attacks
  Review defaults
  Passwords
  Harden your defenses
Reduce Your Risk
  Encrypt your data
  Don't carry any data you don't have to
  Protect the data you leave behind
Manage Your Mobility
32. Conclusion
Maintain control of your data: this requires prior planning to prevent loss, and practices that minimize the possibility of loss
Embrace technology thoughtfully: you can be efficient and careful
Be aware of where you are and be mindful of what you are doing and sharing
33. Thank You!
David Whelan, Manager, Legal Information, The Law Society of Upper Canada
dwhelan@lsuc.on.ca
Twitter: @davidpwhelan