In this episode of The Florida Bar Podcast from the 2017 Annual Florida Bar Convention, hosts Christine Bilbrey and Jonathon Israel talk to Lawrence Kunin and Serge Jorgensen about data security breaches and the legal implications of such a breach. They also discuss the ethical obligations of an attorney in regards to data security, as well as signs that reveal when a firm has been breached.
Larry Kunin is a partner in Morris Manning & Martin’s Litigation practice and serves as chair of the firm’s Data Security and Breach practice.
Serge Jorgensen is president and a founding partner of the Sylint Group. He provides strategic guidance and active oversight in computer security.
The Florida Bar Podcast
2017 Annual Florida Bar Convention: Every Firm is a Target for Cyber Security Breaches
Intro: Welcome to The Florida Bar Podcast, where we highlight the latest trends in law office and law practice management to help you run your law firm, brought to you by The Florida Bar’s Practice Resource Institute. You are listening to Legal Talk Network.
Christine Bilbrey: Hello and welcome to The Florida Bar Podcast, brought to you by The Practice Resource Institute on Legal Talk Network. This is Christine Bilbrey recording from the 2017 Annual Florida Bar Convention in Boca Raton, Florida.
Jonathon Israel: And I’m Jonathan Israel, Director of the Florida Bar’s Practice Resource Institute. Thank you for joining us today.
Christine Bilbrey: Our guests for this segment which has a fairly ominous title Every Firm is a Target are Lawrence Kunin and Serge Jorgensen. They are experts in their fields and Serge is the president and founding partner in the Sylint Group spelled S-Y-L-I-N-T. He provides technical development and guidance in the areas of cyber security, counter-cyber warfare, e-Discovery, system design, and incident response. Larry Kunin is a partner in Morris, Manning & Martin’s Litigation, love a good alliteration and serves as Chair of the firm’s Data Security and Breach Practice. He concentrates in commercial technology and intellectual property litigation and consultation.
So both of our guests spoke here in Boca Raton today in our Cyber Technology CLE, so I’m going to start with you, Serge, what did you focus on today?
Serge Jorgensen: Good morning Christine. We went through some ideas on protecting from a breach or from a security incident and then what to do in terms of response. If you do have a security incident, how do you prevent it from becoming a breach and what steps would you choose or what steps should you take in that initial response process.
Christine Bilbrey: And so, this comes up in like when you’re talking insurance to incident versus breach because you can have, it can be internal or external, can you explain to our listeners that don’t understand those terms a little bit what the differences could be?
Serge Jorgensen: I think that’s a legal question and Larry can correctly take the difference between an incident of breach.
Christine Bilbrey: Well, if you lose your laptop, have you been breached?
Serge Jorgensen: I don’t know. Larry, is that –
Lawrence Kunin: That would be a potential data disclosure incident. I don’t know if I define the word “breach” to it, but it is what we’re talking about, which is security of information and disclosure of that information.
Christine Bilbrey: Because there are different reasons they want to get and sometimes it’s ransomware, where they’ve seized all your data and are holding it, and so, is there — what’s the specific insurance that you want to get if you’re — for ransomware, is that different if you’re just protecting your data, so all of your laptops and those kind of things?
Lawrence Kunin: Yeah, and I’d advise Serge to jump in as well. Ransomware is a type of data security incident where your data gets locked up, so you can’t get to it. The bad guys may not necessarily be interested in the data and so much as Serge is interested in getting money from you to give your data back. That is contrasted from what we normally think of a data breach, which is where somebody may hack into your system through some fashion and get financial information, health insurance information, even within a law firm we hold credit cards for people to pay that way. We have information about our employees, if we are involved in a healthcare matter, as a litigation matter on behalf of a client, we may be in possession of HIPAA covered information, and we have attorney-client information. There what we’re concerned about is somebody getting a hold of the information to use the information itself either for personal gain or somehow against us or our clients.
Serge Jorgensen: And that’s a really important point. I think, Larry, you just mentioned that when as a law firm, you have a case that involves healthcare, you may have HIPAA data, and HIPAA actually has a four-part test to see in a ransomware incident if there was a breach, and so they are almost assuming that there was a breach and asking you to prove that it wasn’t, and it was just an incident and that no one else had unauthorized access to information.
That’s what could change between the incident is something happened. I lost access to some data, or I deleted some data, but it’s a security incident but not necessarily a breach, and then the other way is if I lost access to data and somebody else accessed it, now we have a breach.
Christine Bilbrey: Thank you. That’s what I was looking for, trying to clarify it, because we had record turnout today in your CLE, so this is obviously a topic that a lot of attorneys have on the top of their minds, and so Larry, what are some of the points that you wanted to drive home to the people that attended the CLE?
Lawrence Kunin: Well, in the first segment which I spoke was on an attorney’s ethical obligation with regard to data security and we did it first to kind of set the stage of why a lawyer should care. Everybody hears about data incidents every day in the news whether it’s some kind of breach, some kind of ransomware, but lawyers tend to forget about themselves, and as the story that I told was I started thinking about this when we were moving and I had some old computers that my wife wanted to donate and I put the brakes on it realizing that I had the mother lode of attorney-client privileged information on it and started really digging into what are the ethical rules, not only in Florida but in other states as well, and to hit those major points home, under the ethical rules themselves, there is the competence rule that has been interpreted to mean technological competence as well.
There’s the keeping client information confidential rule. There’s the rule about keeping clients informed, and then a rule that gets overlooked a lot, is the obligation of an attorney to make sure that the attorneys staff within the firm is also properly trained and educated because if an assistant, for example, were to be careless and a data disclosure incident occurs as a result, the attorney is responsible for that person who’s not subject to the rules of Florida Bar.
And then trailing off of that, there is a lot of advisory opinions, ethical advisory opinions in Florida and other states that basically talk about the duty of an attorney to make sure that devices are known that store information including copy machines that they’re properly cleaned when they are disposed of that if you’re going to use storage, cloud storage, you need to vet the vendor and understand where is your information being held, is it protected, is it encrypted, and when you sign up with vendors who may provide ESI services or other outsource services for the firm, what is their data security protocol. All of this is put on the attorney and connected through ethical obligation.
Christine Bilbrey: So that’s a lot to think about. So while you’re practicing law, you’ve got to make sure that you are meeting all of these ethical duties and we talked about ransomware, and Serge, I see in your bio that you also have a status, a tracking device, a HIPAA compliant patient location. What is that, I’m curious?
Serge Jorgensen: It was a project that we worked on almost 20 years ago now working on identifying people’s status if they’ve — I’ve fallen and I can’t get up and yet tracking where you are, and if you did fall and then continue to walk, do you need care just based on the motions that you were exhibiting as you continue to move, to walk, and then trying to transmit all that information back to a central location, so it could be monitored and responded to.
Christine Bilbrey: Okay, who knew that there was that much data about you is stored somewhere in the world, that’s a little bit eye-opening.
Serge Jorgensen: When we talk about every firm is a target, and Larry just went through those obligations, I wanted to add there that from an attacker’s perspective, a law firm is a one-stop shop, and then generally you’re seen as rich and have Escrow accounts and you have lot of money even if it’s not the lawyers individually. It’s moving through the law firm. So from an attacker’s perspective, I’m looking at it going, that’s a very attractive target and that there’s a lot of money there, and there’s a lot of information about a lot of different businesses and clients, and you have trust established with all of those clients. So now I can use the firm as a watering hole and jumping-off point that I know is collecting information and communicating with a lot of different other companies. So in one shot, I really get three of my main goals.
Christine Bilbrey: That is unsettling.
Serge Jorgensen: Little bit, yeah, and Larry, you talked about some of the ethical obligations an attorney has, well, what requirements do they have that once they do notice, okay, I have been breached maybe not so much ransomware but I have been breached. What are their obligations then whether to their clients or state?
Lawrence Kunin: Yeah, it depends what the breach is. With regard to clients, first of all there’s the rule that you have to keep clients informed. So you are supposed to tell the client we’ve had this incident, how would you like us to handle it or we’re handling it — it depends upon what the breach is.
With regard to the extent that you might have payment information, for example, credit card information or personally identifiable information, not just the run of the mill like that information about a merger and acquisition that’s going to occur, well that may not be run of the mill, but in other words, it’s not personally identifiable information. But then you may be implicating data breach laws just like any business would. Those data breach laws may say, you have an obligation to give notice to the people whose identities have been disclosed, and depending on the State, you might have an obligation to give State authorities notice.
To be clear on a couple things, what’s personally identifiable information? It’s not a name, address, and a phone number, what I would call white pages information, almost every State defines it as a name in combination with something that could be used to steal an identity, driver’s license number, bank account number, debit card number along with the password, credit card number which you don’t need the password for, Social Security Number, so something in combination with. So, every incident is a little bit different.
Christine Bilbrey: So Larry, the topic of your CLE this morning was that every firm is a target, do you have any kind of statistics on how many firms really have been breached?
Lawrence Kunin: Yeah, there have been studies done that estimate and they are estimates that approximately 80% of the top hundred law firms in this country have been breached at some level, and most of them don’t even know it. Somebody got in scoured around, but that is a percentage that’s high enough to get the alarm of any lawyer that they are a target and people are after information, and when we talk about what is the information they are after, we’ve mentioned healthcare information and credit card information, but think about the firm especially a larger firm that is engaged in an M&A between a public company and either another public company or a private company, and if somebody were to find out about that deal in advance, what kind of benefit or insider trading it could lead to, that would be very, very difficult to catch if it was being disclosed through some type of a hack.
Christine Bilbrey: And so, when you’re talking to another firm, what kind of training can you give your staff because really the human error seems to be the weak link and all of this because you can have all the best software, but what are firms doing to get their staff to get on board with this because of its seriousness?
Lawrence Kunin: When it comes to staff, the biggest exposure points are emails, phishing emails that come in that can be recognized under most circumstances being malicious or at least questionable, and if they are at least questionable, they should know to contact somebody in IT if you have an internal IT department or if you’re using somebody in the outside to check before going into the email, going into attachments, clicking on links. Some of these phishing emails are really convincing, and they’ll spoof a FedEx, a UPS, a bank, Wells Fargo, I know I’ve seen, and they do look real and you just have to have your radar up.
And the other exposure points for staff people because they don’t have the ethical obligations, so I am thinking about it is to remind them we are holding attorney-client information and information is to be delivered to a vendor, how’s it being delivered to the vendor, make sure they ask the attorney, but just make sure the staff is always thinking about the data security to the same level that the attorney should be as well.
Serge Jorgensen: It’s really critical though that firms prepare for the times when the passwords are exposed or somebody has access to the system and is able to track what that person did on the system. Working with firms, let’s say in a document management system or a practice management system, if that credential that’s used to access that system is shared amongst ten people or the passwords are all the same because everyone thinks, well, I have to be sitting in my desk or I need remote access through another system. Once somebody gains access to that system, tracking what a particular person did with that access becomes critical.
The days of thinking that we’re going to stop the attackers at the edge ended 10 years ago, so to think that you can prevent users from clicking on a phish or prevent users from opening an attachment they shouldn’t is over. That’s an attack methodology that’s been so successful and there’s really nothing that you can do to prevent a user from opening that document.
So you have to assume that the attackers are going to get credentials. They’re going to have some level of access to the system, and if the firm is unprepared to deal with the next step, then you end up with an incident that becomes a breach because you can’t definitively say that for that hour or for that week when the password was in the wild and somebody had access to the system that they didn’t go rifling through the practice management tools or the document management database.
Christine Bilbrey: Well, it’s interesting to me because usually the breaches that we hear about are the ransomware because now there’s they want Bitcoin payments, that gets a lot of publicity, are there any signs that you’ve been breached? If all these firms have been breached and don’t know it if it’s not ransomware, it’s short of having your identity stolen. What are some signs?
Serge Jorgensen: So from an attacker’s perspective when we were talking about firm, law firms being an attractive target. Only one of those you would ever notice and that’s the monetization, so if I’m actively asking you for money, then you’re going to notice, but the other is the information collection and the watering hole attacks, it’s in the attacker’s interest to stay below your radar, so you may never know or you may get a call from a client that says, hey, did you send me this email? Why did you send this to me, and all of a sudden, that deeper investigation of, okay, what happened, and I think law firms while they have an ethical obligation to investigate and report, there’s also a lot of pressure to just sweep it under the rug and say, oh, we just sent out that email and it was an accident we’re moving on because if they did a full investigation on it and found that they lost client information, the ramifications to the firm is massive and that’s where ethics comes into play I guess from Larry’s talk this morning.
Lawrence Kunin: And then even backfired on me one time, luckily I made up for it, but I got one of these emails that was delivered overnight, got to my email box at 4 o’clock in the morning. It was somebody in Europe who said I am looking for counsel in Atlanta, who could help with it, that was a trade dress issue, had some attachments to it. I didn’t know who the person was. I really didn’t pay much attention to the email and I very quickly deleted it.
My radar was up, and then I got a voicemail a few hours later. This is so-and-so, I was recommended to you by your client in London who said that you could help us with this issue, I just wanted to make sure you got my email.
Christine Bilbrey: Oh.
Lawrence Kunin: That was being maybe a little overly careful, but the email was not artfully drafted that it didn’t make the particular connection, but it shows how at least a lawyer at least me looks at every single email and really questions, is this really coming from where it’s supposed to be coming from loaded with attachments for me to open up.
Jonathon Israel: Right.
Serge Jorgensen: But then the second time you get that, now you’ve been trained that you should open them because it might be legit, and that gets to the point of if you’re not tracking, what’s going on in the end points then —
Christine Bilbrey: And what if the hacker was the telephone call like I’m paranoid now, like what if they are so smooth that they’ve stepped it up to that level.
Lawrence Kunin: That’s yeah sure.
Serge Jorgensen: This is not a law firm thing but I know when I get a text message from American Express saying we need you, you have some questionable charges, et cetera, please call whatever. I never call that number. I pull out my credit card and I call the number on the back of my credit card just in case.
Christine Bilbrey: Good, good tip.
Serge Jorgensen: All right, it’s just common sense.
Christine Bilbrey: And Larry, can you comment on this for to have safe harbor like we talk about making sure that your laptops have been encrypted and those kind of things, where does that fall into the ethical requirements?
Lawrence Kunin: Well, it doesn’t fall into the ethical requirement, there’s a couple things that raises first with regard to data breach notification laws. If a system has been hacked and the system is encrypted such that the information is meaningless, most data breach laws are going to say, you don’t have an obligation to give notice to anybody because the information is just ones and zeroes, it doesn’t mean anything. There is one state that’s softened that standard recently that said it’s not automatic but it’s still a major factor to determine if you’ve really had a data breach. With regard to ethics, it’s really no different than any other kind of data breach that we’re not subject to the data breach laws themselves which is what are the steps that you’ve taken as far as being reasonable.
And the word “reasonable” in my mind has always been one of the scariest words in the legal community because what’s reasonable to one person is not reasonable to another and what it ultimately means for a client is what the judge says it means on the day of his decision. So the answer really is along the lines of what Serge is talking about. If you show preventative steps, you’ve acted reasonably, you’ve had a keen eye, and when you’ve had an incident, you’ve acted reasonably in response to the incident, hopefully you’ll carry that reasonableness standard and be okay as far as liability.
Christine Bilbrey: Okay, and I want to remind our listeners that this is such a fascinating topic. So if you missed the CLE this morning, these are going to be available later on online, Young Lawyers Division will be promoting them so you’ll be able to take advantage of that, but if our listeners want to reach you or find out more about this, are you on social media, do you have a website, how can they find out more?
Serge Jorgensen: I’m not on a lot of social media, certainly the website www.sylint.com.
Christine Bilbrey: Okay, and Larry.
Lawrence Kunin: Our website Morris, Manning & Martin is www.mmmlaw.com, almost looks like 3M Corporation but with the word “law” in there and through our website, you of course can see my bio Larry Kunin and we offer podcasts, other interviews, articles, as you would expect and we do talk a lot about data security and our information about data security and data security steps are available there as well.
Christine Bilbrey: Okay, excellent. Well, this has been another edition of The Florida Bar Podcast brought to you by The Practice Resource Institute on Legal Talk Network and I want to thank our guests for joining us. If you liked what you heard today, please find and rate us in iTunes. I’m Christine Bilbrey.
Jonathon Israel: And I’m Jonathan Israel. Until next time, thank you for listening.
Outro: Thanks for listening to The Florida Bar Podcast brought to you by The Florida Bar’s Practice Resource Institute and produced by the broadcast professionals at Legal Talk Network.
If you’d like more information about today’s show, please visit legaltalknetwork.com. Subscribe via iTunes and RSS.
Find The Florida Bar, The Florida Bar Practice Resource Institute and Legal Talk Network on Twitter, Facebook, and LinkedIn, or download the free app from Legal Talk Network in Google Play and iTunes.
The views expressed by the participants of this program are their own and do not represent the views of nor are they endorsed by Legal Talk Network, its officers, directors, employees, agents, representatives shareholders, and subsidiaries. None of the content should be considered legal advice. As always consult a lawyer.