
Update: What's happening in the cybersecurity world NYPWA January - PDF document



  1. 12/3/2018
     Protecting Our Clients
     A guided discussion on privacy, security, confidentiality and compliance
     NYPWA January 2019

     Update: What’s happening in the cybersecurity world

  2. Internet of Things – IoT
     Connecting any device with a network
     • Cell phones
     • Televisions
     • Amazon Echo/Amazon Dot
     • Heating/cooling systems “Nest”
     • Appliances
     • Nanny cams
     • Pacemakers/implanted medical devices
     • Kids toys
     • Home security systems
     • Cars
     • Voice Queuing Systems

     IoT leads to increased vulnerability
     “The attackers used (the thermometer) to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.” – April, 2018
     https://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4

  3. Cyber Security Breaches
     Not limited to “hackers”
     “When questioned by officials…the boy said he had acted alone and that he was only trying to see what he could do with the apps.” – November, 2018
     http://www.govtech.com/security/Student-Behind-Illinois-High-School-Hack.html

     Recent Cyber Security Breaches
     Yahoo – Update
     “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach.” – April, 2018
     https://www.law.com/therecorder/2018/04/24/sec-wallops-yahoo-with-35m-penalty-over-breach-disclosures-or-lack-thereof/

     Recent Cyber Security Breaches
     Equifax – Update
     Five key factors contributed:
     • Ineffective Identification
     • Poor Detection
     • No Segmentation
     • Poor Data Governance
     • No Query Limits
     – September, 2018
     https://www.bankinfosecurity.com/postmortem-behind-equifax-breach-multiple-failures-a-11480

  4. Security Breaches Impact on Government

     Legal updates

     Recent Legal Cases
     Carpenter v. United States – background
     • Supreme Court heard oral arguments on November 29, 2017
     • Cell phone records connecting phone with towers in vicinity of crime introduced as evidence
     • Defendant convicted and sentenced to 116 years in prison
     • Question raised: is this protected information? Or does the third party doctrine apply?

  5. Recent Legal Cases
     Carpenter v. United States – decision
     https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf
     • Government’s acquisition of Carpenter’s cell-site records was a Fourth Amendment search
       – Fourth Amendment protects certain expectations of privacy in addition to property interests
     • Digital Data – personal location info held by a third party – does not fit in existing precedents
       – Expectation of privacy in physical location and movements
       – Expectation of privacy in information voluntarily turned over to third parties

     Recent Legal Cases
     Carpenter v. United States – decision
     • Court cited Riley v. California – “Cell records hold for many Americans ‘the privacies of life’”
     • Court adopts rule “must take account of more sophisticated systems that are already in use or in development” from Kyllo v. United States
     • However, court stated this is a narrow ruling, and does not address issues not before the Court

     Recent Legal Cases
     Apps making it to the court (not the food variety)
     Knight First Amendment Institute v. Trump
     US District Court – Southern District of NY
     • At issue: President Trump’s Twitter Account in relation to the 1st Amendment
       – Whether a public official can “block” a person from his/her Twitter account in response to the political views the person has expressed
       – Does the analysis differ because the public official is the President of the United States
     • Court held no in both instances

  6. Recent Legal Cases
     Cullinane v. Uber Technologies, Inc. – Conspicuous informing of Terms and Conditions
     • No click box to accept, instead display a notice of deemed acquiescence and link to the terms
     • “If everything on the screen is written with conspicuous features, then nothing is conspicuous.”
     • Transactions on smartphones and websites increasing, evolving law around those transactions

     Recent Legal Cases
     Applebaum v. Lyft
     • Several different types of online consumer contracts
       – Browsewrap, clickwrap, scrollwrap, sign-in-wrap
     • “Whether there was notice of the existence of additional contract terms presented on a webpage depends heavily on whether the design and content of that webpage rendered the existence of terms reasonably conspicuous.”

     Recent Legal Cases
     State of New Hampshire v. Verrill
     • Murder case, Amazon Echo at crime scene owned by the victim
     • Judge signed order for Amazon to provide authorities with recordings during time when crime allegedly occurred
     • Similarities to Bates case – however, that case was not decided by courts because defendant consented to release of information
     • Probable cause and privacy rights at issue

  7. Remember our Ethical Obligations

     NYS Rule 1.1
     http://www.nycourts.gov/rules/jointappellate/ny-rules-prof-conduct-1200.pdf
     A lawyer should provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

     NYS Rule 1.1 Clarification
     Comment 8
     To maintain the requisite knowledge and skill, a lawyer should (i) keep abreast of changes in substantive and procedural law relevant to the lawyer’s practice, (ii) keep abreast of the benefits and risks associated with technology the lawyer uses to provide services to clients or to store or transmit confidential information, and (iii) engage in continuing study and education and comply with all applicable and continuing legal education requirements under 22 N.Y.C.R.R. Part 1500. (emphasis added)
     https://www.nysba.org/DownloadAsset.aspx?id=50671

  8. ABA Model Rule 1.1 mirrors NY
     ABA Commission on Ethics 20/20
     In order to provide competent representation in a digital age attorneys must understand and properly use technology. For example, an attorney should know how to properly use email and create an electronic document and know the benefits and risks associated with technology.
     ABA Commission on Ethics 20/20 Report 105A (Aug. 2012)
     https://www.americanbar.org/content/dam/aba/administrative/ethics_2020/20120808_revised_resolution_105a_as_amended.authcheckdam.pdf

     Legaltech News Article from October, 2018
     • 32 States require technology competence of lawyers
     • Some states adding a CLE requirement around technology
     • Need to work with professionals to assist in becoming competent if not able to understand on own

     Tech Competency
     Asked to Demonstrate Computer Skills, 0 of 9 law firms passed in-house hiring test
     • Corporate counsel for Kia Motors gave a computer skills test to potential law firm hires
     • Audit should have taken one hour, but average pace was five hours
     • Excel, PDF, Bates numbering, Word were all tested
     • Competence can range from using MS Word to complex e-discovery software

  9. Lawyer's e-discovery error led to release of confidential info on thousands of Wells Fargo clients - 2017
     • Vendor conducting e-discovery, attorney oversaw and checked the responsive documents using the vendor’s software
     • View only allowed a limited set of documents, not the entire response, and documents that were supposed to be redacted were not
     • Information turned over to opposing counsel included confidential information of at least 50,000 of the bank’s wealthiest clients
       – Social security numbers
       – Financial details, including size of portfolios
     http://www.abajournal.com/news/article/lawyers_e_discovery_error_led_to_release_of_confidential_wells_fargo_client/

     Guided Discussion: Securing Public Data

     Security, Compliance, and Legal Obligations
     • Security: Protecting the confidentiality, integrity, and availability of the data
     • Compliance: What is required by federal or state laws, rules, regulations, or policy
     • Legal Obligations: What is required by federal, state or local law or regulation

  10. Three Key Principles in Information Security
      • Confidentiality
      • Availability
      • Integrity

      Confidentiality
      • Limiting access to only authorized users
      • Preventing access by unauthorized users
      • Preventing impermissible disclosure, whether accessed by authorized or unauthorized individuals
      • Permitting access only where the specific job responsibilities cannot be accomplished without such access
      • Enforcing a “Need-to-know” basis

      Availability
      • Focusing on ensuring the availability of information resources at all times
      • Working to ensure that hardware and software are protected so that they will not be compromised by viruses or malware, and thus, become unavailable
