Commission on Law & Technology


General Principles of Data Security Planning


Leading Practices | Data Security

Working Group Data Security
Topic General Principles of Data Security Planning
Date of Publication June 20, 2014
Version 2.0
Applicable DLRPC (Rules) 1.1; 1.4, 1.6; 1.9; 1.15, 1.18, 5.1; 5.3
Summary This Leading Practice addresses a lawyer's ethical obligations relating to data security. This Leading Practice is intended to provide a general overview and approach to data security planning. It should be read in light of other Leading Practices that address particular technology applications or issues.

Disclaimer: The purpose of this leading practice is to provide the Delaware Bench & Bar with an understanding of an appropriate manner in which this technology may be used. There may be more appropriate uses; and the leading practice discussed might not be appropriate for a specific purpose. It is up to the individual to use well-reasoned judgment in making that decision. The Commission is not responsible for the consequences of the decision-making process.


General Principles of Data Security Planning


Introduction

Data security is a risk management process undertaken to ensure the confidentiality, integrity and availability of data and information systems. Privacy is an objective of data security, and often a legal and ethical requirement imposed upon lawyers and others who create, transmit and possess confidential or sensitive data.

There is no single, correct way to mitigate cyber risk. As pertinent to these Leading Practices, there are two overarching principles of data security. First, individualized risk assessments should lead to the design of a Data Security Plan that fits each lawyer or legal organization's risk profile, goals, and budget. Second, the Data Security Plan should be used to design a separate Cyber Incident Response Plan before cyber incidents occur.


Data Security Leading Practices 1

A General Approach to Data Security

Lawyers and legal organizations should adopt a general approach to data security centered on the following core risk management steps:

  1. Conducting a risk assessment that includes identifying data to be protected, as well as likely threats and vulnerabilities relating to that data;
  2. Evaluating the likely impact to the lawyer, the legal organization, clients and others if the identified threats materialize;
  3. Developing a Data Security Plan that includes the implementation of security safeguards and user training to protect against identified threats;
  4. Monitoring the use and effectiveness of selected security safeguards;
  5. Preparing an Incident Response Plan for data breaches and other cyber events; and
  6. Making appropriate adjustments in response to changes in the above factors.

Development of a Data Security Plan

Develop a data security plan appropriate to the size and complexity of the legal practice and the nature and scope of its activities. The plan should include reasonable security measures in light of identified risks for computer networks, devices, cloud and other third-party services. There are a variety of generally accepted standards and guidance sources that may be used to develop and implement data security plans appropriate to each lawyer or law practice. 2

  1. Identify individuals responsible for the development and implementation of data security plans, policies and procedures. A senior manager should remain informed and responsive to data security issues. In larger organizations, clearly delineate chains of command and the organizational reporting structure.
  2. Identify the information, communications and processes to be protected.
  3. Identify the information systems involved and their locations.
  4. Map networks, locations and data flows relating to sensitive information.
  5. Identify all laws, regulations, contractual obligations and policies that apply to the creation, transmission and possession of the identified information assets. This includes:
    1. becoming familiar with the federal and state laws and regulations that govern the protection of specific types of data in a lawyer's possession, custody or control. Examples of such types of data include: personally identifiable information, personal health information, financial, educational, export-controlled and national security-related information, as well as other information subject to court order, rule, contract or policy.
    2. reviewing and becoming familiar with the requirements of Title 6, Delaware Code, Chapter 12B, Computer Security Breaches.
  6. Identify and assess potential risks to information assets and systems. This includes both internal and external threats.
  7. Determine the potential harm that would result if each identified threat materialized, and assess the likelihood of each threat occurring.
  8. Based on the information and analysis resulting from Steps 2-5 above, design and implement a written data security plan that includes reasonable security measures to protect data against identified threats. Which security measures any particular lawyer or legal organization employs will vary depending on the totality of the circumstances. Relevant factors include: the type of legal practice and data at issue; the size and location(s) of the lawyer and legal organization; the technical infrastructure, hardware, and software used by the lawyer or legal organization; the available budget and costs associated with data security; and the technical burden of implementing different security measures. See Sample Technical Components of Data Security Plans below.
  9. Maintain written employee policies addressing appropriate use of information technology systems and devices, Internet usage, privacy and property rights of users and the organization, and data security procedures upon termination or separation from employment.
  10. Develop and continually update a computer security awareness training and education program for all network and device users, including coverage of insider and outsider threats.
  11. Develop a written data breach and incident response plan. See Creation of a Data Breach and Incident Response Plan below.
  12. Regularly monitor and assess the effectiveness of the data security plan, including user compliance with the plan. Adjust the plan accordingly.
  13. Oversee the data security practices of third-party service providers retained to assist in the performance of legal services. This may include: (1) exercising due diligence in the selection of third-party service providers; (2) contractually requiring third-party service providers to implement reasonable data security measures; and (3) monitoring the performance of third-party service providers.
  14. Protect against unauthorized disclosure of confidential and sensitive data stored in a "cloud" service. Steps to consider include ensuring that the cloud provider:
    1. explicitly agrees that is has no ownership or security interest in the data stored in the cloud;
    2. has an enforceable obligation to preserve the security of the data;
    3. will notify the lawyer if requested to produce any portion of the data to a third party, and provide the lawyer with the opportunity to respond to that request before the provider takes any action;
    4. has employed reasonable data security measures to prevent and detect infiltration or exfiltration of the data;
    5. employs reasonable access restrictions and monitoring capabilities;
    6. permits the lawyer to audit the provider's security procedures and to obtain copies of such audits;
    7. will host the data only in specified geographical areas; and
    8. provides the ability for the lawyer to obtain all data on demand from the provider's or its agent's servers.
  15. Consider the costs and benefits associated with purchasing data security and cyber-risk insurance policies.

Sample Technical Components of Data Security Plans 3

Which technical components a lawyer or organization may choose to include in a security plan depends on a host of factors, including organizational size and location(s), network infrastructure, number of users, types of hardware and software used, types of practice and data at issue, security budget, and likely effectiveness of any given security measure.

Networks

  1. Inventory authorized devices that connect to the network.
  2. Inventory authorized software used on the network.
  3. Continuously update and patch outdated and insecure software and browsers.
  4. Secure configurations for hardware and software on all networked devices.
  5. Secure configurations for network infrastructure and interconnection devices, such as firewalls, routers, and switches.
  6. Allow only known users and devices to access a network.
  7. Employ wireless device controls to ensure that only authorized devices with approved configurations connect wirelessly to networks.
  8. Employ strong network password policies. Avoid re-use of passwords across multiple networks/websites/accounts. Prohibit the sharing of passwords by network users. Change passwords regularly.
  9. Employ policy disclosure banners at log-in to networks.
  10. Protect confidential and sensitive data with appropriate encryption technology.
  11. Create multi-layered and controlled access to sensitive information on a "need-to-know" basis, including network segmentation where appropriate.
  12. Tightly control the use of network administrative and other broad-access privileges. Control unauthorized escalation of user privileges and lateral movement among network resources.
  13. Limit and control access to network ports, protocols and remote services, such as web servers, email servers, file and print services, virtual private networks, domain name system servers, and cloud services.
  14. Employ appropriate, multi-layered network boundary defenses, including the use of blacklists and/or whitelists for network communications.
  15. Engage in the continuous monitoring of IT systems, networks, security status and risks. Maintain, continuously monitor and analyze network audit logs.
  16. Conduct appropriate account monitoring and control, including the disabling of any unnecessary or unused accounts and monitoring against user account profiles/baselines. In larger organizations, use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit user activity.
  17. Monitor and control remote access from all endpoints, including mobile devices.
  18. Employ and continually update firewalls and anti-virus, anti-spam, anti-spyware, malware and phishing defenses for networks.
  19. Consider use of a Data Loss Prevention (DLP) solution to prevent or detect data breaches. DLPs can detect the location of sensitive data, monitor its use, and protect it from exfiltration.
  20. Consider use of an Intrusion Detection System ( IDS) capable to detecting unusual behaviors, activities or files on a network.
  21. Network design should include an architecture that uses multiple tiers, where Internet accessible systems cannot access sensitive data, or can only do so with appropriate controls (such as through encrypted connections and virtual private networks) if such access is necessary.
  22. To support rapid response and shunning of detected attacks, engineer the network architecture and its corresponding systems for rapid deployment of new access control lists, rules, signatures, blocks, blackholes, and other defensive measures. Segment the enterprise network into multiple, separate trust zones to provide more granular control of system access and additional intranet boundary defenses.
  23. To help ensure a consistent, defensible network, the architecture of each network should be based on a template that describes the network's overall layout and the services it provides. Organizations should prepare diagrams for each of their networks that show network components such as routers, firewalls, and switches, along with significant servers and groups of client machines.
  24. Conduct periodic network vulnerability assessments and remediation.

Devices

  1. Inventory authorized devices and software/apps used on all devices.
  2. Secure configurations for hardware and software on all devices, including smartphones, laptops, tablets, and removable digital media.
  3. Display disclosure banners at password/unlock screens for mobile devices.
  4. Employ strong device password policies. Avoid re-use of passwords across multiple devices/websites/accounts. Prohibit the sharing of passwords by device users. Change passwords regularly.
  5. Employ strong encryption policies for mobile devices, including encryption of all confidential and sensitive data.
  6. Utilize and continually update anti-virus, anti-spam, anti-spyware, malware and phishing defenses for devices.
  7. Require multi-factor authentication for remote network access.
  8. Conduct device vulnerability assessments and remediation.
  9. Implement a removable media policy that prohibits the use of unauthorized removable media devices, such as USB and other external drives and memory cards. The permissible use of any removable device should involve automatic virus scanning upon connection to a network or authorized computer and use of a Data Loss Prevention (DLP) solution to restrict/monitor the copying of confidential client and other sensitive information.
  10. Restrict copying of confidential client or highly sensitive data from network to encrypted and approved USB drives.
  11. Prohibit the sharing of USB and other portable drives, including encrypted ones.
  12. Use Mobile Device Management to allow administrators to remotely manage all mobile devices approved for professional use by personnel.
  13. As part of Mobile Device Management, employ centralized password management and administrative ability to remotely lock, locate and erase data from any mobile device approved for professional use by personnel.
  14. Weigh the risks and benefits associated with the adoption of any "Bring You Own Device" (BYOD) policy for lawyers and other personnel, and disclose that policy to clients where appropriate.
  15. Establish a minimal security profile for any device allowed to access the network through a BYOD program.
  16. Avoid using public Wi-Fi networks, such as airports, hotels, and coffee shops, to access confidential and sensitive client information. Instead, lawyers should use private, encrypted hotspots or virtual private networks to access such information.

Disaster Recovery, Data Retention and Destruction

  1. Develop and test a comprehensive data recovery capability, including complete and frequent backups of critical systems and data, with appropriate encryption employed. Maintain backups of key devices.
  2. Develop data retention and destruction plans that include protocols for the removal and destruction of all confidential and sensitive data prior to disposal of all devices.
  3. Employ remote wiping or deletion capability for lost mobile devices, laptops, tablets and other portable digital media.

Email and Digital Communications

  1. Create email, voicemail, instant message, and social media policies that protect client data and communications from unauthorized disclosure.
  2. Encrypt communications that contain confidential client information.
  3. Employ server-based or cloud-based solutions for encryption.
  4. Do not transmit or "forward" confidential client information to personal electronic communication accounts.
  5. Transmit files containing highly confidential or sensitive client information via secure file transfer protocol (FTP) or online file sharing sites.
  6. Do not transmit confidential client information via mobile devices that are not included in server-based or cloud-based encryption solutions.
  7. Password protect files that are attached to emails or other electronic communications. Transmit passwords for such files by separate communication.
  8. Do not open and access confidential client communications remotely from shared or untrustworthy devices or networks.

Cloud and File Sharing

  1. Evaluate the data ownership, privacy and security characteristics of any cloud computing usage. See NIST Special Publication 800-147, Guidelines for Security and Privacy in Public Cloud Computing, available at http://www.nist.gov/itl/csd/cloud-012412.cfm. Guidelines for Security and Privacy in Public Cloud Computing (NIST SP 800-144, 2011) available at http://www.nist.gov/customcf/get_pdf.cfa?pub_id=909494.
  2. Be mindful that many file hosting programs and applications, such as Dropbox and SkyDrive, are public repositories of data. Confidential and sensitive client information generally should not be stored in such public repositories. If they are, they should be encrypted before being placed there.
  3. Organizations should establish policies on the use of cloud services for the accessing and storage of confidential client information.

Remote Access

  1. Require remote access to confidential client and sensitive organizational data through a Virtual Private Network.
  2. Employ multi-factor authentication for remote VPN access.
  3. Limit remote access privileges by user, network areas and data types available through VPN.

Websites

  1. Maintain controls to secure against Distributed Denial of Service (DDoS) attacks for critical, Internet-facing websites and IP addresses.
  2. Scan your website daily for malware.
  3. Set the secure flag for all session cookies.
  4. Regularly assess your website for vulnerabilities.
  5. Implement Always On SSL for all transactions and client communications.

Creation of a Data Breach and Incident Response Plan 4

  1. Lawyers should plan a response to different types of data security incidents before they occur.
  2. Appoint a cyber-event coordinator or coordinating team appropriate for the size and type of organization. The coordinator/team members should be familiar with the laws and regulations applicable to cyber incidents and cybersecurity, including data breach notification laws. In larger organizations, team members should include representatives from the legal, technical, management and communications departments of an organization.
  3. Define and memorialize scenario-based models of most likely cyber events (lost or stolen devices, spear phishing email attacks, malware introduced to computer networks, website defacements, insider theft of data, and external data exfiltration (identity or intellectual property theft of other confidential or sensitive information by hackers).
  4. Identify and train internal first-responders on responses to the scenario-based models of most likely cyber events. Each responder's role and actions should be clearly defined.
  5. Identify key external parties that may need to be mobilized in the event of a cyber-event. This should include internal/external counsel, computer forensic investigators, public relations and crisis management service providers.
  6. Identify contacts at law enforcement agencies, regulators, clients, customers and other interested outside parties that may be notified of a cyber incident.
  7. Establish thresholds for notification obligations based on particular types of data loss or loss of business functions.
  8. Devise standards for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
  9. Publish information for all personnel, including employees and contractors, regarding the reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.
  10. Develop an event notification and subsequent communications plan that satisfies all legal requirements.
  11. Conduct periodic, scenario-specific incident drills to test and refine the incident response plan and to ensure that all participants understand current threats and risks, as well as their responsibilities.
  12. Monitor current events relating to data breaches and cyber-threats to incorporate "lessons learned"into data security and incident response planning.



1. These leading practices may be used, but are not required to be used, by lawyers and legal organizations of any size as a general approach to data security planning. These are merely suggestions for some leading practices that could be adopted. Neither this document nor any other publication of this Commission should be interpreted to create any standard of care or required practice on the part of Delaware lawyers or legal services organizations.

2. The National Institute of Standards and Technology ("NIST"), the SANS Institute, and the International Organization of Standards are some of organizations that produce such standards and guidelines. See Nat'l Inst. Standards & Tech., Framework for Improving Critical Infrastructure Cybersecurity, available at www.nist.gov; see also Nat'l Inst. Standards & Tech., Special Publication 800-53, Rev. 4, Recommended Security Controls for Federal Information Systems and Organizations (April 2013); SANS Institute, Twenty Critical Security Controls for Effective Cyber Defense, available at www.sans.org; International Organization for Standardization, ISO/IEC 27001 - Information security management, available at www.iso.org. The American Bar Association also has published materials relating to various aspects of data security. See, e.g., The ABA Cybersecurity Handbook (2013). A number of the general principles set forth in this section were adopted from these sources.

3. A number of these suggested practices were incorporated from the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity, available at www.nist.gov; Twenty Critical Security Controls for Effective Cyber Defense, available at www.sans.org; and from The ABA Cybersecurity Handbook (2013).

4. Elements of this suggested approach were adopted from The ABA Cybersecurity Handbook (2013) and the ABA's A Playbook for Cyber Events (2013), which contain more detailed discussions of various aspects of incident response planning.