
The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals

by Jill D. Rhodes and Robert S. Litt (editors)
  • ISBN13: 9781634259798
  • ISBN10: 1634259793
  • Edition: 2nd
  • Format: Paperback
  • Copyright: 2019-05-07
  • Publisher: American Bar Association


Summary

The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals, Second Edition is published by the ABA Cybersecurity Legal Task Force, which is composed of ABA members with expertise in cybersecurity as well as government, technical, and private-sector representation.

The Second Edition of this top-selling cybersecurity book is a must-read for anyone working in the field, including private-practice attorneys and associates, in-house counsel, non-profit and government attorneys, and others.

Since the release of the first edition in 2013, cybersecurity breaches in law firms have made news headlines, and clients are asking questions about lawyers' and firms' security programs. From the massive Panama Papers breach that led to the dissolution of the Mossack Fonseca law firm in April 2016 to the WannaCry and Petya ransomware attacks, the latter of which led to a several-day work outage at DLA Piper in June 2017, it is imperative that attorneys understand the risk that weak information security practices pose to their practices and their clients. As hackers increase their capability to conduct cyber attacks, law firms must step up their risk management, specifically in cybersecurity, as a fundamental part of sustainable business practice.

Co-edited by cybersecurity leaders, Jill D. Rhodes and Robert S. Litt, former General Counsel of the Director of National Intelligence, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals focuses on many of the issues raised in the first edition, while highlighting the extensive changes in the current cybersecurity environment. Aside from the length of the book (about 30% more extensive than the prior edition), this edition includes a chapter on technology basics for the technologically challenged.

This updated edition will enable you to identify potential cybersecurity risks and prepare you to respond in the event of an attack. It addresses the current overarching threat as well as ethical issues and special considerations for law firms of all sizes. The Handbook also includes the most recent ABA Ethics Opinions and illustrates how you should approach the subject of cybersecurity threats and issues with clients as well as when and how to purchase and use cyber insurance.



Author Biography

Jill Rhodes is Vice President and Chief Information Security Officer for Option Care, Inc. in Bannockburn, Illinois. In this role, she is responsible for building and implementing an information security program for this multibillion-dollar healthcare company. Her work includes all facets of information security governance, education, process development, and technology implementation. Prior to this, she held a similar position for an insurance company, also in Illinois. Before moving to the private sector, Ms. Rhodes spent 20 years working in and with the federal government. She joined the Office of the Director of National Intelligence (ODNI) in February 2007. Ms. Rhodes supported the intelligence community (IC) integration of data and security into their Cloud Environment for the IC Chief Information Office. Prior to this, Ms. Rhodes was on detail to the CIA, where she worked with data management, foreign language, and training matters on behalf of the National Clandestine Service, addressing issues such as data security and exploitation. Ms. Rhodes has held various leadership roles within the intelligence community, including the deputy chief of staff for the ODNI and the assistant deputy director of national intelligence for education and training.

Prior to joining the ODNI, Ms. Rhodes worked on national security–related issues within the Department of Homeland Security Office of the General Counsel and Civil Rights and Civil Liberties Office. Ms. Rhodes is a former Foreign Service Officer with the U.S. Agency for International Development, having worked in Bolivia and Russia and throughout Eastern and Southern Africa on democratic development issues. Prior to joining the Foreign Service, Ms. Rhodes had her own company and traveled globally supporting third-world nations in the rewriting of their constitutions and electoral codes.

Ms. Rhodes has written, published, and speaks regularly about several national security law topics. Ms. Rhodes was the editor of the first edition of this Handbook and also edited the book National Security Law, Fifty Years of Transformation: An Anthology (ABA 2012), sponsored by the ABA Standing Committee on Law and National Security. In addition, she has written on topics such as the development of regional emergency management systems, military use of radio frequency identification, quarantine law, privacy and technology, and consumer data administrators. She is a graduate of the University of Illinois at Urbana-Champaign, the University of Cincinnati, College of Law (JD), and the George Washington University College of Law (LLM). She is also a certified information security manager, certified information privacy professional/IT, and certified project management professional.

Robert S. Litt served as the second General Counsel of the Office of the Director of National Intelligence (ODNI) from June 2009 until January 2017. Before joining the ODNI, Mr. Litt was a partner with the law firm of Arnold and Porter, LLP. He served as a member of the governing body of the American Bar Association's Criminal Justice Section and a member of the Advisory Committee to the Standing Committee on Law and National Security. He previously worked at the Department of Justice, where he served as Deputy Assistant Attorney General in the Criminal Division and as the Principal Associate Deputy Attorney General; as special advisor to the Assistant Secretary of State for European and Canadian Affairs; and as a U.S. Attorney for the Southern District of New York.

Mr. Litt started his legal career as a clerk for Judge Edward Weinfeld of the Southern District of New York and Justice Potter Stewart of the U.S. Supreme Court. He holds a BA from Harvard College and an MA and JD from Yale University.

Table of Contents

Introduction xvii
By Judy Miller and Harvey Rishikof, Immediate Past Chairs

Acknowledgments xxi

Section I: Cybersecurity Background 1

CHAPTER 1
Purpose of This Handbook 3
Jill D. Rhodes and Robert S. Litt

CHAPTER 2
Understanding Cybersecurity Risks 11
Lucy L. Thomson
I. New Technologies Create Unprecedented Challenges for Lawyers 11
  A. Responsibilities to Protect Sensitive and Confidential Data 15
  B. Lawyers and Law Firms Are Prime Targets: The Significant Resulting Damage 16
II. Protecting the Confidentiality, Integrity, and Availability of Data 17
III. Security Breaches on the Rise: Threats and Vulnerabilities Illustrated 20
  A. Hacking and Advanced Persistent Threats 20
  B. Social Engineering and Phishing Attacks 22
  C. Ransomware 25
  D. Business E-mail Compromise 28
  E. Malicious Insiders 29
  F. Mobile Devices 31
  G. Cloud Computing and Wi-Fi Risks 34
  H. Improper Disposal of Personal Information 35
  I. Business Partners Can Be a Weak Link—A Two-Edged Sword for Law Firms 36
IV. Addressing Threats and Risks to Law Firm Security 38
  A. What Is “Information Security”? 38
  B. Why Is Information Security Important? 39
  C. Who Is Responsible? 39
  D. The Need for Risk Assessment 39
  E. Achieving Optimal Network Security through Continuous Monitoring 41
V. Steps to Protect Confidential Law Firm Records and Prevent Data Breaches: Top Considerations

CHAPTER 3
Understanding Technology: What Every Lawyer Needs to Know about the Cyber Network 45
Paul Rosenzweig
I. The Growth of the Cyber Network 46
II. The Structure of the Cyber Network 47
III. Changing Architectures 48
IV. Threats on the Cyber Network 50
V. Defensive Systems and Enterprise Challenges 53
VI. Top Ten Considerations 57

Section II: Lawyers' Legal and Ethical Obligations to Clients 59

CHAPTER 4
Lawyers' Legal Obligations to Provide Data Security 61
Thomas J. Smedinghoff and Ruth Hill Bro
I. Overview 61
  A. What Is Data Security? 61
  B. Security Law: The Basic Security Obligations 64
II. The Duty to Provide Data Security 65
  A. What Is the Duty? 65
  B. To Whom Does the Duty Apply? 65
  C. What Is the Source of the Duty? 67
  D. What Data Is Covered? 70
  E. What Level of Security Is Required? 72
  F. The Legal Requirements for “Reasonable Security” 73
  G. Rules Governing Specific Data Elements and Controls 88
  H. Frameworks for Reasonable Security 89
III. The Duty to Notify of Security Breaches 92
  A. What Is the Source of the Duty? 92
  B. What Is the Statutory Duty? 93
  C. When Does a Contract-Based Duty Arise? 95
IV. Practical Considerations: A Top Ten List 96

CHAPTER 5
International Norms 99
Conor Sullivan, Kelly Russo, and Harvey Rishikof
I. Introduction 99
II. International Norms and International Regulatory Framework 100
  A. Tallinn 101
  B. United Nations 101
  C. International Organization for Standardization (ISO) 103
III. Key Laws in Europe, Latin America, China, Russia 104
  A. European Union 104
  B. Latin America 108
  C. China 108
  D. Russia 110
IV. Notable U.S. Incidents/Cases 111
V. How International Cyber Norms Affect Legal Practice 113

CHAPTER 6
Lawyers' Obligations to Provide Data Security Arising from Ethics Rules and Other Law 115
Peter Geraghty and Lucian T. Pera
I. ABA Formal Opinion 477R 115
II. Lawyer Ethics Rules 118
  A. Confidentiality 118
  B. Competence 123
  C. Supervision of Lawyers and Nonlawyers 125
III. The Law of Lawyering 126
IV. Examples of the Emerging Application of Ethics and Lawyering Law to New Technology 127
  A. E-mail 127
  B. Portable Devices and Other Devices That Retain Data 131
  C. Metadata Leaks 133
  D. Outsourcing 134
  E. Cloud Computing 136
  F. Social Media 138
V. Conclusion 141

CHAPTER 7
Occasions When Counsel Should Consider Initiating a Conversation about Cybersecurity with the Client 145
Roland L. Trope and Lixian Loong Hantover
I. Introduction 145
  A. The Problem: Lawyers and Law Firms Have Become High-Priority Targets for Cyber Attacks 145
  B. Preparations that Lawyers and Law Firms Would Be Wise to Make 149
II. Nine Occasions That Warrant Discussion of Cybersecurity 150
  A. At the Start of a Representation 151
  B. When the Client Enters a Regulated Field of Activity 153
  C. When Cybersecurity Regulations are Issued, Amended, or Judicially Reinterpreted 154
  D. When Litigation, Enforcement Action, or Investigation Is Reasonably Anticipated 156
  E. When the Client Experiences a Cyber Incident 158
  F. When Counsel Experiences a Cyber Incident or When Reports of Cyber Incidents Demonstrate the Law Firm's Need to Enhance Its Safeguards of Client Confidential Information 160
  G. When the Client Anticipates Being the Buyer or Target in a Merger or Acquisition, Particularly If Counsel Anticipates the Need for a Review of the Transaction by CFIUS 162
  H. When the Client Anticipates Providing Goods or Services for New Communications Technologies in a Regulated Sector, Such As Providing IoT Devices for Use in Connected Vehicles 169
  I. For In-House Counsel, When the Client/Organization Embarks on a Major Transition in Its Corporate or Commercial Activities and May Be Tempted to Devise Software to Circumvent Regulatory Obstacles 172
III. Practical Considerations 180

Section III: Understanding Different Legal Practice Settings 185

CHAPTER 8
Large Law Firms 187
Alan Charles Raul and Michaelene E. Hanley
I. Introduction to Cybersecurity for Large Law Firms 187
II. Cybersecurity Issues and Challenges for Large Firms 191
III. How Large Law Firms May Address Cyber Risk 197
  A. Governance and Strategy 198
  B. Cyber Preparedness 200
  C. Administrative, Technical, and Physical Measures 201
  D. Vendor Management 201
  E. Incident Response and Threat Intelligence 202
  F. Data Recovery and Business Continuity 203
  G. Continual Process Improvements 203
IV. Top Ten Considerations for Large Law Firm Lawyers 204


CHAPTER 9
Cybersecurity for the Little Guys 207
Theodore L. Banks

CHAPTER 10
In-House Counsel 219
Angeline G. Chen
I. The Cyber Threat Landscape for In-House Counsel 219
  A. Role Differentiation 220
  B. The In-House Perspective 222
  C. Duties and Responsibilities 224
II. Fundamentals of What In-House Counsel Needs to Know 225
  A. The Basics 225
  B. The Amorphous and Unusual Nature of the Threat Compared to Traditional Risks 226
  C. Establishing Essential Relationships 227
  D. Distinguishing Compliance in Operational Matters from Market-Based Considerations 229
III. Be Prepared 229
  A. Understand as Much as You Can about the Risks 229
  B. Ensure That the Company's Governance Framework Encompasses Cybersecurity, and Develop Cyber Incident and Cyber Breach Plans That Align with That Framework 231
  C. Identify and Establish Key Relationships and Be Part of the Team 234
  D. Identify Legal Issues Associated with a Cyber Incident 235
  E. Cultivate a Cyber-Aware Culture and Community 238
IV. Responding to a Cyber Incident 238
  A. Identify the Attack and Damage 238
  B. Limit the Damage 239
  C. Record and Document 239
  D. Engage and Notify 240
  E. Correct and Close 240
V. In the Aftermath 240
VI. Special Considerations 242
VII. Summary and Tips 242

CHAPTER 11
Considerations for Government Lawyers 245
Sandra Hodgkinson, Clark Walton, and Timothy H. Edgar
I. Government Cyber Lawyers and Their Mission 247
  A. Department of Defense (DoD) 247
  B. Department of Homeland Security (DHS) 248
  C. Department of Justice (DoJ) 249
  D. Department of Treasury 249
  E. Other Agencies 249
II. Government Data: An Increasing Problem of Data Insecurity 250
III. Government Centric Attacks: National Security and Critical Infrastructure 253
IV. Significant U.S. Cyber-Related Laws 256
V. Best Practices for the Government Lawyer for Cybersecurity 259

CHAPTER 12
Public Interest Attorneys 263
Michelle Richardson
I. Introduction: Why Public Interest Attorneys Should Be Concerned 263
II. Issues and Strategies 265
  A. Defining What Information to Protect: Nonprivileged but Sensitive Data 265
  B. Budget Constraints 265
  C. Use of Interns and Volunteers 267
  D. Cultural Hurdles 268
  E. Special-Needs Clientele 268
III. Takeaways and To-Dos 269

CHAPTER 13
Get SMART on Data Protection: Training and How to Create a Culture of Awareness 271
Ruth Hill Bro and Jill D. Rhodes
I. Data Protection Training Basics and Core Principles 271
  A. Why Train on Data Protection? 272
  B. What Does SMART Training Look Like? 275
II. SMART Training in Action 279
  A. Understanding the Basics of Employees: Role and Generational Differences 279
  B. Building an Effective and Diverse Program 280
  C. Measuring Success (Through Phishing Campaigns and Other Means) 283
III. Ten Key Points 284

Section IV: Incident Response and Cyber Insurance Coverage 287

CHAPTER 14
Best Practices for Incident Response: Achieving Preparedness through Alignment with Voluntary Consensus Standards 289
George B. Huff Jr., John A. DiMaria, and Claudia Rast
I. Introduction 289
  A. Business Continuity and Management of the Law Firm's Business Risks 290
II. The Cybersecurity Framework 292
III. ISO 22301, the International Standard for Business Continuity Management Systems 295
  A. Global Benchmark for BCMS Requirements 295
  B. Law Firms: Steps for Establishing Your Firm's Business Continuity Program 296
  C. Information and Communications Technology Readiness for Business Continuity 300
IV. ISO 27001: Challenges for Law Firms of All Types and Sizes 301
  A. Threats, Disruptions, and Trends 302
  B. Impacts of Extended ICT Disruptions—A Common Cyber Incident Scenario 303
V. Best Practices for Cyber Incident Response 304
Conclusion

CHAPTER 15
Cyber Insurance for Law Firms and Legal Organizations 313
Kevin P. Kalinich and James L. Rhyner
I. Insurance as a Cyber Risk Management Tool 313
II. Professional Liability Insurance Policies May Cover Some Cyber Incidents 315
III. Cyber Insurance Coverage Can Mitigate the Costs of an Incident in Several Respects 317
IV. Policy Wording Varies and Often Requires Customization to Match Identified and Quantified Exposures 322
V. Cyber Insurance Market Constraints 330
  A. Regulatory Constraints 330
  B. Capacity Constraints 330
  C. Insurance Placement Constraints 331
VI. How to Respond to a Loss or Claim 331
VII. Top Ten Considerations 332

Conclusion 335
Robert S. Litt and Jill D. Rhodes

CHAPTER 4 APPENDICES: SELECTED SECURITY LAW STATUTES, REGULATIONS, AND CASES
Appendix A. Federal Statutes 339
Appendix B. State Statutes 341
Appendix C. Federal Regulations 349
Appendix D. State Regulations 353
Appendix E. Best Practice Guidelines Issued by Federal Government Agencies 355
Appendix F. Best Practices Guidelines Issued by State Government Agencies 357
Appendix G. Court Decisions re Duty to Provide Data Security 359
Appendix H. CFPB Decision and Consent Decree 361
Appendix I. FTC Decisions and Consent Decrees 363
Appendix J. SEC Decision and Consent Decree 365

CHAPTER 6 APPENDICES: ABA AND STATE BAR ASSOCIATION ETHICS OPINIONS AND OTHER RESOURCES REGARDING LAWYERS' ETHICAL OBLIGATIONS TO PROVIDE DATA SECURITY TO THEIR CLIENTS
Appendix K. 367
  1. ABA Formal Ethics Opinions 367
  2. ABA Treatises and Annotated Model Standards 369
  3. State Bar Ethics Opinions That Have Addressed E-mail Usage (with Links to the Full Text Where Available) 370
  4. State Bar Ethics Opinions That Address Cordless and Cell Phone Usage 383
Appendix L. 385
  1. ABA Ethics Opinions 385
  2. ABA Treatises, Annotated Model Standards, and Other Resources on Metadata 386
  3. Digests of State Bar Ethics Opinions on Metadata 386
Appendix M. 395
  1. ABA Formal Opinion Headnotes 395
  2. ABA Treatises and Annotated Model Standards 396
  3. Bar Association Reports 397
  4. Digests of State Bar Association Ethics Opinions on Outsourcing 397
  5. State Bar Ethics Opinions That Address Issues Similar to Those Addressed in ABA Formal Opinion 95-398 (allowing outside computer maintenance firms access to law firm computer networks) 405
Appendix N. 409
  1. ABA Reference Material and Bar Association Reports on Cloud Computing 409
  2. Digests of State Bar Ethics Opinions on Cloud Computing 410
