Law & Technology Blog

Tue, September 16th, 2014 by Graves and Allen

New Portable ScanSnap Scanner iX100

Fujitsu has announced the release of a new scanner in its well respected ScanSnap line, the iX100. The smallest and most portable scanner in the line, the iX100 offers some real advantages to the mobile lawyer. It scans rapidly and uses wireless technology to send quality scans (up to 600 dpi) to computers and to iOS and Android devices. The iX100 scans a page in 5.2 seconds in normal mode, weighs in at under a pound, and measures 10.75 x 1.87 x 1.42 inches. It can scan in color and grayscale.

You do not need access to a wireless network to use the wireless capabilities of the iX100, as it comes with a built-in Wi-Fi transmitter that lets you connect your computer, Android or iOS device directly to the iX100 using its own Wi-Fi signal. You can also use USB to scan to a computer. The iX100 works with both Mac OS and Windows. It comes with ABBYY FineReader, ScanSnap Organizer and CardMinder for both Mac OS and Windows.

Scanning to a mobile device requires installation of a free app, available for iOS and Android. Once the app is installed, it lets you scan a document directly to your mobile device.

When scanning to a computer, the software lets you choose between sending the scanned image to the computer or to a cloud storage service.

Fujitsu designed the scanner for mobility and built it compactly. One of the tradeoffs is the lack of a document feeder, such as you would likely have on a larger scanner. The absence of a feeder is a common tradeoff for small, portable scanners. The iX100 is designed for scanning a few documents at a time, not mass quantities of documents.

The iX100 lists for $229. It has just come out and I do not know if it will be available at discounted prices in the near future. You can always check online to see. If you have a regular need to scan documents outside of your office and need better quality than you can get from your smartphone, the iX100 is a solid choice.

Sun, September 14th, 2014 by Graves and Allen

Samsung Galaxy S5

I recently bit the bullet and upgraded my Galaxy S4 to the newer S5. I have my Galaxy phones on a Verizon service plan and got the phone through Verizon. I have had the phone for about a week and it has impressed me positively. I like it better than the S4 and appreciate the faster speed and longer battery life between charges. While I like the S5 better than the S4, in reality they offer largely similar features and capabilities. I chose to upgrade as Verizon made me a very good deal on the upgrade package and because I wanted to compare the two phones. If it had not been for the special pricing, I would likely not have done it. In terms of recommendations, I have no hesitation in recommending the S5 as an outstanding piece of hardware. I would recommend it without hesitation to anyone wanting a new Android phone. If you already have a Galaxy S4, however, unless you get a very special deal on the upgrade pricing, it may not be worth the cost of upgrading to you.

I got a 16 GB S5 and immediately added a 128 GB Micro SD card to it. Although larger configurations of built-in memory are supposedly available, Verizon does not have them and, when I checked other providers, could not find any of the major providers offering a larger memory configuration. While the SD card memory works fine for media, it does not work for all Apps (you can move some Apps to the SD card and use that memory for them, but not all Apps work from the SD card).

The size and weight of the two devices are very similar, with the S5 being a trifle larger and a bit heavier. The S4 weighs in at 130 g and measures 70 x 137 x 7.9 mm, while the S5 weighs 145 g and measures 73 x 142 x 8.1 mm. The S5 sports a battery-saving 5.1” Super AMOLED touch screen. The display is bright, clear, and sharp.

The Galaxy S5 has a 16-megapixel primary UHD camera (which will take full HD video at 30 frames per second) and a 2-megapixel secondary camera for video conferencing.

The S5 comes with a very fast quad-core processor. The larger size of the S5 also allows it to pack a larger battery. That, in combination with the low power demands of the Super AMOLED display, allows the S5 a longer time between charges.

The Galaxy S5 comes in your choice of white, black or gold. I got the gold and like its looks very much. The overall appearance of the phone is excellent and it appears to be well and solidly made. I consider the hardware package superior to Apple's iPhone 5s, although I still prefer iOS to the Android OS, as I consider it easier to work with and more flexible. While the Google Play Store has shown substantial improvements recently, it still does not match up to the Apple iTunes Store, especially in the category of Apps (I consider the two very comparable when it comes to other media). On the hardware front, the real question will be the comparison of the Galaxy S5 to the iPhone 6/6 Plus.

Sat, September 13th, 2014 by Graves and Allen

Cybersecurity Issues

The following is a copy of a letter I sent to the editor of the ABA Journal respecting the action of the House of Delegates of the American Bar Association in August 2014 adopting Resolution 109 respecting Cybersecurity.

“At the 2014 annual meeting, the House of Delegates adopted a proposal respecting data security, which proposal came out late in the game, did not have the opportunity for proper discussion and was either not supported or opposed by significant portions of the ABA, including the ABA’s own Standing Committee On Technology and Information Services (SCOTIS), which voted to not support the resolution. As a result of strong opposition, the proponents of the resolution modified it to make it more acceptable. In the end, the language of the resolution was not itself offensive. Unfortunately, the resolution was accompanied by a supporting report drafted to justify the original resolution, which endeavored to impose a hard standard of the highest possible level of security for all data, no matter how unlikely that it would become a target for hacking and despite the cost of the security measures. While the proponents made minor changes to that report, the modifications were not well integrated and stand out in conflict with other provisions of the report. Even with the modifications, the report contains language that may serve to support a claim that the intent was to impose those standards, which could function similarly to legislative intent in terms of interpreting and applying the resolution.

The resolution ultimately adopted by the HOD reads:

“RESOLVED, That the American Bar Association encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.”

The critical problem with the original resolution was that it did not call for scalability. The language of the resolution finally adopted allows for scalability in its approach. The problem is that, despite some passing references to scalability added to the proponents’ report, the report fails to recognize that not all law firms are created equal or have equal ability to adopt certain measures and that not all data requires equal security protection for the protection to be reasonable.

Although we have heard the argument that the HOD adopted only the resolution and not the report, the fact remains that people immediately looked to the report to help interpret the meaning of the resolution. While “appropriate” looks a lot like “reasonable” when viewed in a vacuum, it looks very different seen through the perspective of the proponents’ supporting report, which effectively continues to argue for imposition of the highest levels of security by all firms and for all data. Had the HOD expressly rejected the report as inappropriate, there would be much less concern over the adoption of this resolution and its potentially negative impact on solo and small firm attorneys. Unfortunately, that did not happen. Perhaps the HOD can mitigate the damage by adopting a resolution expressly rejecting the report that accompanied the resolution. That would go a long way towards dissuading people from relying on it as instructive as to the intent of the resolution’s reference to an “appropriate” program.

Reasonableness as a standard makes sense. It inherently recognizes the importance and the availability of scalability in security. A reasonableness standard can address the nature of the data, the level of risk to the data and the financial and IT abilities of smaller as opposed to larger firms. The cost of certain types of data security, while perhaps desirable, may prove reasonable for a large law firm but prohibitively expensive for a sole practitioner. We must consider the financial ability of the practitioner to provide that level of security in any standard, or we create a situation where sole practitioners must cease to practice law or find themselves in violation of unreasonable standards imposed upon them. In establishing a standard, we should recognize that some data has a much higher likelihood of attracting risk than other data. For example, while nobody would suggest that the earnings data of a personal injury plaintiff in an auto accident case should go unprotected, the risk that someone will expend significant resources to hack into a law office computer to try to obtain that data pales in comparison to the risk that exists respecting plans for the feature set of the iPhone 7 or the Samsung Galaxy S6. Simply put, we should expect that a law firm in possession of the latter will adopt a more protective (and likely more expensive) standard for security respecting the feature set plans than for the income information of the personal injury plaintiff, not because the data is less important, but rather because the data is less likely to be targeted.”

Jeffrey Allen

The language of the report, as provided to me by the ABA staff, follows. In publishing that language, I do not claim credit for it, nor do I adopt or ratify it. I am simply reproducing it in the interests of accurately reporting its content. While I agree with many things stated in the report, I do not believe that it adequately addresses the need for and importance of scalability and the protection of the “reasonableness” standard when it comes to data security.

“REPORT

I. INTRODUCTION

This Resolution addresses cybersecurity issues that are critical to the national and economic security of the United States (U.S.). It encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations, and is tailored to the nature and scope of the organization, and the data and systems to be protected. This Resolution and Report are intended to educate organizations and heighten their sensitivity to cybersecurity risks, and help them effectively evaluate their own specific risks and respond on behalf of their organization. The Resolution and Report do not define any obligations pursuant to laws or rules, including applicable lawyers’ rules of professional conduct.

Recognizing that small businesses, small law firms and solo practitioners have varying financial and human resources available to them, the components of a cybersecurity program should be flexible and their implementation should be practical.

II. CYBERSECURITY THREATS — BACKGROUND

The threat environment today is highly sophisticated, and massive data breaches are occurring with alarming frequency. Cyber-criminals exploit weaknesses in software and operating platforms, the domain name system, and mobile and web-based applications. They conduct successful social engineering through phishing attacks, social media, email, and various applications. Malware can quickly morph, change security controls, lurk in systems undetected, download other malware, and exfiltrate data undetected.

An organization-wide cybersecurity program with defined controls based on risk categorizations reflecting the operational impact and magnitude of harm of a cyber incident can mitigate risk to a considerable degree. In many cases, data breaches or other types of cyber incidents could have been prevented or detected early and the risks of the incident mitigated if the organization had undertaken proper security planning and implemented appropriate security safeguards.

In today’s digital world, threats to data and information systems are found almost everywhere a computer, server, smart phone, thumb drive, or other electronic device is operating (including the cloud). Many organizations provide access to their networks to business partners and entrust their data and business functions to outsourcing and cloud providers, creating additional risks. The proliferation of mobile devices and wireless technologies that enable mobile commerce and a continually expanding array of applications—more than 1.5 million—also present vulnerable points in the flow of sensitive data in computer networks.

Security is only as strong as its weakest link. Failed security has resulted in thousands of data breaches that have led to the loss or compromise of millions of personally identifiable records, as well as the theft of classified information, valuable intellectual property and trade secrets, and the compromise of critical infrastructure.[1] The consequences of a cyber incident or data breach can have a disturbing impact on the victim, whether a business, organization, government entity, or an individual.

The protection of one of the most valuable and vulnerable assets of all organizations, its information, is not only vitally important, but it also avoids the high costs associated with cybercrime, including forensic investigations and data breach notification; the loss of confidential, classified, and proprietary data; reputational damage; loss of public confidence; and in the case of business, drops in stock price, and loss of market share and trust. Breaches also have resulted in the disclosure of closely-held government information, and businesses have faced regulatory fines and investigations, civil damage actions, administrative proceedings, and criminal indictments. The first- and third-party losses associated with security incidents are rising, and cybersecurity is now one of the top risks organizations must manage.

Sensitive Data At Risk

There are many types of sensitive data that are targeted by cyber-criminals or subject to unauthorized access, use, disclosure, or sabotage by insiders. They include personally identifiable information (PII), personal health information (PHI), and financial records, confidential and proprietary business data, intellectual property and trade secrets, research data, privileged legal documents, and classified information (including sensitive national security information). There is a vibrant market for these data, and all organizations–regardless of size–should consider themselves at risk.

The sensitive personal data being amassed by companies and governments is staggering. Inexpensive storage has enabled companies to collect and store large amounts of data and retain it far longer than they would have if it were in paper. “Big data,” the term applied to the collection of massive amounts of data that can be correlated, analyzed, and parsed for targeted advertising and strategic business purposes, creates rich targets for cyber-criminals. PII that can be used for fraud is being collected and often stored by organizations unprotected, putting many Americans at risk.[2] On its website, the Internal Revenue Service (IRS) indicates that it “has seen a significant increase in refund fraud that involves identity thieves who file false claims for refunds by stealing and using someone’s Social Security number.”[3]

Another aspect of the problem is illustrated by the dependence of American society on electronic transactions and e-commerce, which has fueled data breaches in all industry sectors. Failed security has resulted in massive data breaches of millions of personally identifiable records.[4] The recent data breaches of leading retail companies and credit bureaus have caught the attention of the public, politicians, and law enforcement. The success of these breaches, however, has also created a “me too” among cyber-criminals eager to capture their own trove of data. Risks will increase with the “Internet of Things,” as the Internet becomes the backbone for appliances, gadgets, and operational aspects of daily life. Many of the most personal aspects of people’s lives will be documented and transmitted over the Internet, subject to interception or theft.

Protecting the Nation’s Critical Infrastructure

The national and economic security of the United States depends on the reliable functioning of critical infrastructure: cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers. [5]

The U.S. Department of Homeland Security has designated the following 17 government and private industry sectors as critical infrastructure: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Reactors, Materials and Waste, Transportation, and Water and Wastewater Systems. The private sector owns the vast majority of the nation’s critical infrastructure and key resources—about 85 percent.

Presidential Policy Directive 21 (PPD-21) on Critical Infrastructure Security and Resilience, issued in February 2013, advances a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure. Comprehensive cybersecurity programs are essential for critical infrastructure organizations, and following appropriate security frameworks and standards is central to achieving a strong cybersecurity posture and resilience. The electric sector, for example, voluntarily agreed to comply with cybersecurity requirements promulgated by the North American Electric Reliability Corporation and the Federal Energy Regulatory Commission (NERC/FERC).

The National Institute of Standards and Technology (NIST) recently published the Framework for Improving Critical Infrastructure Cybersecurity, and mapped the Framework to other accepted security frameworks and standards.

Law Firms Are Targets of Cyber Attacks

The threat of cyber attacks against law firms is growing. Lawyers and law firms are facing unprecedented challenges from the widespread use of electronic records and mobile devices.

There are many reasons for hackers to target the information being held by law firms. They collect and store large amounts of critical, highly valuable corporate records, including intellectual property, strategic business data, and litigation-related theories and records collected through e-discovery.

The data and information kept by law firms are largely protected by the attorney-client privilege and/or the work product doctrine, as well as by various legal ethics requirements. Thus, lawyers and law firms should implement an appropriate cybersecurity program to protect confidential and sensitive information.

Both large and small law firms have been the target of hacker attacks in the U.S. as well as abroad. [6] The FBI has issued warnings to firms and held a meeting in early 2012 with approximately 200 law firms in New York City to discuss the risk of breaches and theft of client data.[7] A cybersecurity firm that helps organizations secure their networks against threats and resolve computer security incidents estimated that 80 major law firms were breached in 2011 alone.[8]

The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (2013) provides threat information, practical guidance and strategies to lawyers and law firms of all sizes, and explores the relationship and legal obligations between lawyers and clients when a cyber-attack occurs. Amendments to the ABA Model Rules of Professional Conduct (Model Rules) adopted in 2012 provide that a lawyer’s duty of competence includes keeping abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology (Comment [8] to Model Rule 1.1). Further, to enhance the protection of client confidential information, Model Rule 1.6 (Confidentiality) provides that a lawyer shall make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The touchstone regarding lawyers’ obligations under Model Rules 1.1 and 1.6 is reasonableness. What is reasonable depends on the circumstances. With regard to data security, the Comments to Model Rule 1.6 provide lawyers with a nonexclusive list of factors designed to help them assess the reasonableness of their actions.

III. CYBERSECURITY PROGRAM—FRAMEWORKS AND STANDARDS

There are a number of accepted frameworks and standards that can serve as a reference for developing, implementing, and maintaining an appropriately-tailored cybersecurity program. Some of these well-known frameworks and standards include[9]:

  • International Organization for Standardization (ISO), the 27000 series, http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
  • Information Technology Infrastructure Library (ITIL), http://itil-officialsite.com
  • International Society of Automation (ISA), http://www.isa.org
  • ISACA, COBIT, http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
  • Payment Card Industry Security Standards Council (PCI SSC), https://www.pcisecuritystandards.org/security_standards/documents.php
  • National Institute of Standards and Technology (NIST) Special Publication 800 (SP-800) series and Federal Information Processing Standards (FIPS), http://csrc.nist.gov
  • Information Security Forum (ISF) Standard of Good Practice for Information Security, https://www.securityforum.org/?page=publicdownload2011sogp
  • Carnegie Mellon University Software Engineering Institute, Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), http://cert.org/octave
  • North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP), nerc.com/page.php?cid=2|20
  • U.S. Nuclear Regulatory Commission, nrc-stp.ornl.gov/slo/regguide571.pdf
  • The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), http://energy.gov/oe/services/cybersecurity/electricity-subsector-cybersecurity-capability-maturity-model-es-c2m2

These references are generally consistent, and a number of the provisions in the various security frameworks and standards map to one another. Thus, it is less important which framework or standard an organization might choose to follow and more important that it undertakes the key activities of a cybersecurity program.

A cybersecurity program is comprised of a series of activities. These activities include, for example: governance by boards of directors and/or senior management; development of security strategies, plans, policies and procedures; creation of inventories of digital assets; selection of security controls; determination of technical configuration settings; performance of annual audits; and delivery of training.

Due to the nature of the threat environment, certain activities in a cybersecurity program are ongoing. Continuous monitoring and log analysis are designed to provide data that can provide early detection of threats. To maintain a proactive security posture, potential threats should be investigated and targeted attacks detected in advance or addressed as they occur. The objective is to address cybersecurity threats and risks in a timely, disciplined, and structured fashion.

Privacy compliance requirements should be incorporated into the cybersecurity program. In addition, an effective cybersecurity program requires trained personnel to evaluate the security impact of actual and proposed changes to the system, assess security controls, correlate and analyze security-related information, and provide actionable communication of the security status across all levels of the organization.

Administrative, technical, organizational and physical controls help ensure the confidentiality, availability, and integrity of digital assets. Such controls should be carefully determined, implemented, and enforced. NIST has published extensive guidance on the selection of controls for government systems, which can also be useful for private sector organizations.[10]

Many organizations are undertaking some of the required cybersecurity activities, but not others, and some activities may be performed without all the critical inputs. In such cases, the resulting cybersecurity program could have gaps and deficiencies and associated risks that may adversely affect the organization’s operations, financial bottom line, and compliance. To help protect against massive data breaches or loss of confidential/proprietary data, organizations, whether private or public, should continually work to assess and improve their security posture, in light of the most recent guidance and recommendations on cybersecurity programs.

Small Organizations

Recognizing that small businesses, small law firms and solo practitioners have varying financial and human resources available to them, the components of a cybersecurity program should be flexible and their implementation should be practical. Small organizations, including small law firms and solo practitioners, can prioritize key cybersecurity activities and tailor them to address the specific risks that have been identified. For example, NIST has provided guidance on information security for small businesses.[11] Similarly, the U.S. Department of Health and Human Services (HHS) has accorded flexibility in its HIPAA Security Series guidance for the needs of small covered entities.[12]

IV. RISK-BASED ASSESSMENT—AN ACCEPTED BUSINESS PROCESS

Organizational risk can include many types of risk (e.g., management, investment, financial, legal liability, safety, logistics, supply chain, and security risk). Security risks related to the operation and use of information systems are just one of many types of organizational risk. This Resolution focuses on one aspect of a comprehensive enterprise risk management program—operational and IT/cybersecurity risk.

Risk assessments inform decision-makers and support the risk management process by identifying: (i) relevant threats to the organization or threats directed through third party entities; (ii) vulnerabilities both internal and external to the organization; (iii) the impact (i.e., harm) to the organization and individuals that may occur given the potential for threats exploiting vulnerabilities; and (iv) likelihood that harm will occur. The end result is a categorization of risk according to the degree of risk and magnitude of harm to the organization flowing from the threat or vulnerability if it occurred.

Cybersecurity is based on a systematic assessment of risks that are present in a particular operating environment. Ensuring the confidentiality, integrity, and availability of digital assets is fundamental to their protection. Risk assessments are undertaken to identify gaps and deficiencies in a cybersecurity program due to operational changes, new compliance requirements, an altered threat environment, or changes in the system architecture and technologies deployed.

Risk assessments are the basis for the selection of appropriate security controls and the development of remediation plans so that risks and vulnerabilities are reduced to a reasonable and appropriate level. The principal goal of the organization’s risk management process should be to protect the organization and its ability to perform its mission, not just to protect its IT assets.

Risk assessment is not new to most businesses. It is a fundamental business process that many have been following since at least 1977 when Congress enacted the requirement in the Foreign Corrupt Practices Act of 1977 (FCPA), 15 U.S.C. §§ 78dd-1, et seq., that public companies have internal controls. Nearly all rely on the COSO Framework to comply with the internal control reporting requirements under the FCPA and the Sarbanes-Oxley Act of 2002, PL 107-204, 116 Stat 745.[13] The framework, issued in 1992 and updated in 2013, is designed to assist companies in structuring and evaluating controls that address a broad range of risks. It is geared to the achievement of three important objectives—operations (operational and financial reporting goals, and safeguarding assets from loss, the objective of an effective cybersecurity program), reporting (financial and non-financial), and compliance (with laws and regulations).

Risk assessments for publicly-traded companies are addressed in the Securities and Exchange Commission (SEC) guidance on Disclosure by Public Companies Regarding Cybersecurity Risks and Cyber Incidents.[14]

Examples of cybersecurity risk management frameworks and standards include:

  • ISO/IEC 27005:2011: Information Security Risk Management.[15] It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the implementation of information security based on a risk management approach.
  • ISO/IEC 31000:2009: Risk Management–Principles and Guidelines.[16] This document is intended to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards. It can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.
  • Managing Information Security Risk, Organization, Mission, and Information System View, NIST Spec Pub 800-39 (March 2011)[17] and Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, NIST Spec Pub 800-37 Rev. 1 (February 2010).[18] These publications provide guidance for developing an integrated, organization-wide process for managing risk that includes the activities of security categorization; security control selection, implementation, and assessment; information system authorization; and security control monitoring.
  • Critical Sectors—DHS Infrastructure Risk Management Approach.[19] This guidance provides a useful approach to critical infrastructure risk management utilizing a risk management framework enunciated by DHS. It is designed to be applied to all threats and hazards, including cyber incidents, natural disasters, man-made safety hazards, and acts of terrorism, although different information and methodologies may be used to understand each. Risk information allows partners, from facility owners and operators to federal agencies, to prioritize their risk management efforts.
  • DOE Electricity Subsector Cybersecurity Risk Management Process (RPM).[20] The electricity subsector increasingly relies on digital technology to reduce costs, increase efficiency, and maintain reliability during the generation, transmission, and distribution of electric power. Managing cybersecurity risk is critical to achieving their strategic goals and objectives, including reliability, resiliency, security, and safety. Issued by the Department of Energy in conjunction with NIST and NERC, this guidance is designed to help utilities better understand their cybersecurity risks, assess severity, and allocate resources more efficiently to manage those risks.
V. CYBERSECURITY PROGRAM—CYBER RESPONSE PLANS

Incident response is the practice of detecting a problem, determining its cause, minimizing the damage it causes, resolving the problem, and documenting each step of the response for future reference. Fully developed and tested incident response plans and business continuity/disaster recovery (BC/DR) plans are components of a cybersecurity program. Organizations should be prepared if a cyber attack or data breach occurs or if an event interrupts their operations. Response plans, policies, and procedures should be able to accommodate the full array of threats, not just data breaches.

Incident response plans involve stakeholders across an organization, including IT, security, legal, finance, operational units, human resources, and procurement. The individuals should be identified and their roles and responsibilities defined. Communication with and coordination among stakeholders is an important aspect of an incident response plan. This includes the identification of who within an organization should be responsible for communicating with employees, customers, and other key groups (e.g., investors). It would also include plans for appropriate external communications, such as with first responders, forensic investigation experts, Computer Emergency Response Teams (CERTs), Information Sharing and Analysis Centers (ISACs), regulators, communications providers, and outside counsel.

If litigation is anticipated, adequate documentation and evidentiary procedures for incident response can be very important. This advance planning can help to ensure that valuable tracking and tracing data and evidence of what happened within a system are preserved and secured, and that chain of custody is documented.

For many organizations, adequate incident response planning is a compliance requirement. This is the case, for example, for organizations subject to the Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or state data breach laws.

Resources are available to assist organizations in understanding the key components of incident response. NIST, for example, has published an excellent guide, the Computer Security Incident Handling Guide,[21] and Carnegie Mellon has issued the Handbook for Computer Security Incident Response Teams.[22]

Business Continuity Management—The other critical cyber response plan for a cybersecurity program is a business continuity/disaster recovery plan. Although they are commonly lumped together as BC/DR, there are separate processes for business continuity and disaster recovery. A cybersecurity incident that is initially handled under an incident response plan may cause a business interruption that requires implementation of business continuity procedures. Thus, each plan should be drafted and tested for such circumstances to ensure a smooth and efficient response and continuity of operations.

Certain critical infrastructure sectors have BC/DR requirements. NERC, for example, has requirements for BC/DR in its required standards, and it conducts ongoing work regarding continuity of operations and resiliency of electricity grids. These activities help these companies stay abreast of threats and develop, implement, and maintain sophisticated BC/DR plans.[23]

VI. INFORMATION SHARING

Sharing threat information regarding cyber incidents with others, such as law enforcement, Computer Emergency Response Teams (CERTs), Information Sharing and Analysis Centers (ISACs), business partners, and public sector cyber officials who could benefit from the knowledge, helps advance cyber defenses and resiliency in other organizations.[24] An attack on any organization may impact others, or it may be targeted at a particular activity or business process, such as point-of-sale systems or control processes. The sharing of threat information can substantially improve the ability of other organizations to respond to a similar attack. It also expands the knowledge base about threats and effective mitigation measures.

Many organizations have not thought through what external assistance they might need when responding to incidents. Establishing relationships with external organizations, such as FBI InfraGard, ISACs, CERTs, and industry cyber groups, regarding cyber threats can be an important defensive measure for any organization. Such organizations are usually open to receiving information in an anonymized or sanitized form, if the entity providing the information so desires.

It is important that organizations identify what data they might share, determine with whom they would share it and in what form, and consider any legal ramifications associated with the data or sharing it with third parties. Although some have raised concerns that antitrust constraints may arise with information sharing, the U.S. Department of Justice (DOJ) has indicated a willingness to provide letters of exception, if requested, to enable cyber information sharing. On April 14, 2014, DOJ joined with the Federal Trade Commission (FTC) and issued a joint “Antitrust Policy Statement on Sharing of Cybersecurity Information,” which clarifies the issue:

Through this Statement, the Department of Justice’s Antitrust Division (the “Division”) and the Federal Trade Commission (the “Commission” or “FTC”) (collectively, the “Agencies”) explain their analytical framework for information sharing and make it clear that they do not believe that antitrust is–or should be–a roadblock to legitimate cybersecurity information sharing.[25]

VII. EXISTING ABA POLICY

In recent years, the ABA House of Delegates and Board of Governors have adopted several policies regarding cybersecurity and lawyers’ use of technology, and the proposed Resolution is consistent with those existing ABA policies. These ABA policies include the following:

Resolution 118, Adopted by the House of Delegates at the 2013 Annual Meeting in San Francisco (August 2013)

This Resolution condemns intrusions into computer systems and networks utilized by lawyers and law firms, urges federal, state, and other governmental bodies to examine and amend existing laws to fight such intrusions, and makes other related recommendations. The complete Resolution and Report are available at:

http://www.americanbar.org/content/dam/aba/administrative/law_national_security/resolution_118.authcheckdam.pdf

*   *   *

Policy Adopted by the ABA Board of Governors (November 2012)

The ABA’s Board of Governors approved a policy in November 2012 comprised of five cybersecurity principles developed by the ABA Cybersecurity Legal Task Force. The complete Resolution and Report are available at:

http://www.americanbar.org/content/dam/aba/marketing/Cybersecurity/aba_cybersecurity_res_and_report.authcheckdam.pdf

*   *   *

Resolutions 105 A, B and C, Adopted by the House of Delegates at the 2012 Annual Meeting in Chicago (August 2012).

Resolution 105A amends the black letter and Comments to Model Rule 1.0 (Terminology), the Comments to Model Rule 1.1 (Competence) and Model Rule 1.4 (Communication), and the black letter and Comments to Model Rule 1.6 (Confidentiality of Information) and Model Rule 4.4 (Respect for Rights of Third Parties) of the ABA Model Rules of Professional Conduct dated August 2012, to provide guidance regarding lawyers’ use of technology and confidentiality.  Resolution 105B amends the black letter and Comments to Model Rules 1.18 and 7.3, and the Comments to Model Rules 7.1, 7.2 and 5.5 of the ABA Model Rules of Professional Conduct dated August 2012, to provide guidance regarding lawyers’ use of technology and client development.

Resolution 105C amends the Comments to Model Rule 1.1 (Competence) and Model Rule 5.5 (Unauthorized Practice of Law; Multijurisdictional Practice of Law), and the title and Comments to Model Rule 5.3 (Responsibilities Regarding Nonlawyer Assistants) of the ABA Model Rules of Professional Conduct dated August 2012, to provide guidance regarding the ethical implications of retaining lawyers and nonlawyers outside the firm to work on client matters (i.e., outsourcing).

The Resolutions and related Reports are available at:

http://www.americanbar.org/content/dam/aba/directories/policy/2012_hod_annual_meeting_105a.doc

http://www.americanbar.org/content/dam/aba/administrative/law_national_security/resolution_105b.authcheckdam.pdf

http://www.americanbar.org/content/dam/aba/directories/policy/2012_hod_annual_meeting_105c.doc

VIII. CONCLUSION

This Resolution is intended to call attention to the importance of appropriate cybersecurity programs for all organizations. These issues are linked directly to our Nation’s economic and national security.  The principles and concepts discussed in this Resolution and Report can help organizations, including law firms, understand and address cybersecurity threats and risks.

Respectfully Submitted,

Judith Miller

Harvey Rishikof

Co-Chairs, ABA Cybersecurity Legal Task Force”


August 2014

[1] White House, Cyberspace Policy Review, pages 1-2, 17, available at http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf.

[2] For example, a Vietnamese national was indicted recently for allegedly participating in an international scheme to steal and sell hundreds of thousands of Americans’ PII through various websites he operated. United States v. Ngo, No. 13-crm-1116 (D. N.H. 2013), available at http://www.justice.gov/opa/pr/2013/October/13-crn-1116.html.

[3] IRS Criminal Investigation Targets Identity Theft Refund Fraud, February 2013, available at http://www.irs.gov/uac/Newsroom/IRS-Criminal-Investigation-Targets-Identity-Theft-Refund-Fraud-2013.

[4] See Thomson, Lucy L., Data Breach and Encryption Handbook (ABA 2011), chapter 5, pages 57-85.

[5] NIST, Framework for Improving Critical Infrastructure Cybersecurity (February 12, 2014), Executive Summary, available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.

[6] Michael Riley and Sophia Pearson, China-Based Hackers Target Law Firms to Get Secret Deal Data, available at http://www.bloomberg.com/news/2012-01-31/china-based-hackers-target-law-firms.html.

[7] Mike Mintz, “Cyberattacks on Law Firms—A Growing Threat,” Martindale.com, Mar. 19, 2012, http://blog.martindale.com/cyberattacks-on-law-firms-a-growing-threat.

[8] Mandiant Intelligence Center Report, APT1: Exposing One of China’s Cyber Espionage Units, page 20, available at http://www.mandiant.com.

[9] Westby, Jody R., “Cybersecurity and Law Firms: A Business Risk,” Law Practice Magazine, Vol. 39, No. 4, available at http://www.americanbar.org/publications/law_practice_magazine/2013/july-august/cybersecurity-law-firms.html.

[10] See, e.g., Security and Privacy Controls for Federal Information Systems and Organizations, National Institute of Standards & Technology, Special Pub 800-53, Rev. 4, Apr. 2013, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

[11] NIST Interagency Report 7621, Small Business Information Security: The Fundamentals, 2009, was published to assist small business management to understand how to provide basic security for their information, systems, and networks, available at http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf.

[12] See, Security Standards: Implementation for the Small Provider, available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/smallprovider.pdf.

[13] The Committee on Sponsoring Organizations of the Treadway Commission (“COSO”), an initiative of several groups with an interest in effective internal control, available at http://www.coso.org.

[14] http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.

[15] http://www.iso.org/iso/catalogue_detail?csnumber=56742.

[16] http://www.iso.org/iso/catalogue_detail?csnumber=43170.

[17] http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf.

[18] http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf.

[19] U.S. Department of Homeland Security, Supplemental Tool: Executing A Critical Infrastructure Risk Management Approach, http://www.dhs.gov/sites/default/files/publications/NIPP%202013%20Supplement_Executing%20a%20CI%20Risk%20Mgmt%20Approach_508.pdf.

[20] http://energy.gov/oe/downloads/cybersecurity-risk-management-process-rmp-guideline-final-may-2012.

[21] Computer Security Incident Handling Guide, NIST Spec Pub 800-61, Rev. 2 (Aug. 2012), available at http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911736.

[22] Handbook for Computer Security Incident Response Teams, Carnegie Mellon University, Software Engineering Institute, available at http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=6305.

[23] See, e.g., Cyber Attack Task Force, Final Report, accepted by NERC Board of Trustees, May 9, 2012, available at http://www.nerc.com/docs/cip/catf/12-CATF_Final_Report_BOT_clean_Mar_26_2012-Board%20Accepted%200521.pdf; Severe Impact Resilience Task Force, Final Report, accepted by NERC Board of Trustees, May 9, 2012, available at http://www.nerc.com/comm/OC/SIRTF%20Related%20Files%20DL/SIRTF_Final_May_9_2012-Board_Accepted.pdf.

[24] Lawyers, law firms, and organizations and entities authorized to provide legal services should take into consideration any ethical constraints that may apply to client records, and any legal restrictions applicable to records under seal, grand jury information, classified information, etc.

[25] Department of Justice and Federal Trade Commission: Antitrust Policy Statement on Sharing of Cybersecurity Information, available at http://www.ftc.gov/system/files/documents/public_statements/297681/140410ftcdojcyberthreatstmt.pdf.