Introduction xviiBy Judy Miller and Harvey Rishikof, Immediate Past ChairsAcknowledgments Section ICyberseCurity baCkground CHAPTER 1xxi 1 Purpose of This Handbook 3Jill D. Rhodes and Robert S. LittCHAPTER 2Understanding Cybersecurity Risks 11Lucy L. ThomsonI. New TechnologiesCreateUnprecedentedChallengesforLawyers 11A. Responsibilities to Protect Sensitive and Confidential Data 15B. Lawyers and Law Firms Are Prime Targets: TheSignificant Resulting Damage 16II. Protecting theConfidentiality,Integrity,andAvailabilityofData 17III.

Security BreachesontheRise:ThreatsandVulnerabilitiesIllustrated 20A. Hacking and Advanced Persistent Threats 20B. Social Engineering and Phishing Attacks 22C. Ransomware 25D.Business E-mail Compromise 28iiiiv CONTENTS* Malicious Insiders 29* Mobile Devices 31* Cloud Computing and Wi-Fi Risks 34* Improper Disposal of Personal Information 35* Business Partners Can Be a Weak Link--A Two-EdgedSword for Law Firms 36* Addressing Threats and Risks to Law Firm Security 38* What Is "Information Security"? 38* Why Is Information Security Important? 39* Who Is Responsible? 39* The Need for Risk Assessment 39* Achieving Optimal Network Security through Continuous Monitoring 41* Steps to Protect Confidential Law Firm Records and Prevent DataBreaches: Top Considerations CHAPTER 3Understanding Technology: What Every Lawyer Needsto Know about the Cyber Network 45Paul RosenzweigI. The GrowthoftheCyberNetwork 46II. The StructureoftheCyberNetwork 47III. Changing Architectures 48IV.

Threats ontheCyberNetwork 50V. Defensive SystemsandEnterpriseChallenges 53VI. TopTenConsiderations 57Section IILawyers'' LegaL and ethiCaL obLigations to CLients 59CHAPTER 4Lawyers'' Legal Obligations to Provide Data Security 61Thomas J. Smedinghoff and Ruth Hill BroI. Overview 61A. What Is Data Security? 61B. Security Law: The Basic Security Obligations 64CONTENTS v* The Duty to Provide Data Security 65* What Is the Duty? 65* To Whom Does the Duty Apply? 65* What Is the Source of the Duty? 67* What Data Is Covered? 70* What Level of Security Is Required? 72* The Legal Requirements for "Reasonable Security" 73* Rules Governing Specific Data Elements and Controls 88* Frameworks for Reasonable Security 89* The Duty to Notify of Security Breaches 92* What Is the Source of the Duty? 92* What Is the Statutory Duty? 93* When Does a Contract-Based Duty Arise? 95* Practical Considerations: A TopTen List 96 CHAPTER 5International Norms 99Conor Sullivan, Kelly Russo, and Harvey RishikofI. Introduction 99II.

International Norms and International Regulatory Framework 100A. Tallinn 101B. United Nations 101C. International Organization for Standardization (ISO) 103III. Key LawsinEurope,LatinAmerica,China,Russia 104A. European Union 104B. Latin America 108C. China 108D.

Russia 110IV. Notable U.S.Incidents/Cases 111V. How InternationalCyberNormsAffectLegalPractice 113CHAPTER 6Lawyers'' Obligations to Provide Data Security Arisingfrom Ethics Rules and Other Law 115Peter Geraghty and Lucian T. PeraI. ABA Formal Opinion477R 115vi CONTENTSII. Lawyer EthicsRules 118A.

Confidentiality 118B. Competence 123C. Supervision of Lawyers and Nonlawyers 125III. The Law ofLawyering 126IV. Examples oftheEmergingApplicationofEthicsandLawyeringLawto NewTechnology 127A. E-mail 127B. Portable Devices and Other Devices That Retain Data 131C. Metadata Leaks 133D.

Outsourcing 134E. Cloud Computing 136F. Social Media 138V. Conclusion 141CHAPTER 7Occasions When Counsel Should Consider Initiating a Conversation about Cybersecurity with the Client 145Roland L. Trope and Lixian Loong HantoverI. Introduction 145A. The Problem: Lawyers and Law Firms Have BecomeHigh-Priority Targets for Cyber Attacks 145B. Preparations that Lawyers and Law Firms Would BeWise to Make 149II.

Nine OccasionsThatWarrantDiscussionofCybersecurity 150A. At the Start of a Representation 151B. When the Client Enters a Regulated Field of Activity 153C. When Cybersecurity Regulations are Issued, Amended,or Judicially Reinterpreted 154D.When Litigation, Enforcement Action, or InvestigationIs Reasonably Anticipated 156E. When the Client Experiences a Cyber Incident 158CONTENTSvii* When Counsel Experiences a Cyber Incident or When Reports of Cyber Incidents Demonstrate the Law Firm''s Need to Enhance Its Safeguards of Client ConfidentialInformation 160* When the Client Anticipates Being the Buyer or Target in a Merger or Acquisition, Particularly If Counsel Anticipates the Need for a Review of the Transactionby CFIUS 162* When the Client Anticipates Providing Goods or Services for New Communications Technologies in a Regulated Sector, Such As Providing IoT Devices for Use inConnected Vehicles 169* For In-House Counsel, When the Client/Organization Embarks on a Major Transition in Its Corporate or Commercial Activities and May Be Tempted to DeviseSoftware to Circumvent Regulatory Obstacles 172* Practical Considerations 180Section IIIunderstanding different LegaL PraCtiCe settings 185 CHAPTER 8Large Law Firms 187Alan Charles Raul and Michaelene E. HanleyI. Introduction toCybersecurityforLargeLawFirms 187II.

Cybersecurity IssuesandChallengesforLargeFirms 191III. How LargeLawFirmsMayAddressCyberRisk 197A. Governance and Strategy 198B. Cyber Preparedness 200C. Administrative, Technical, and Physical Measures 201D.Vendor Management 201E. Incident Response and Threat Intelligence 202F. Data Recovery and Business Continuity 203G.

Continual Process Improvements 203IV. TopTenConsiderations forLargeLawFirmLawyers 204viii CONTENTSCHAPTER 9Cybersecurity for the Little Guys 207Theodore L. BanksCHAPTER 10In-House Counsel 219Angeline G. Chen* The Cyber Threat Landscape for In-House Counsel 219* Role Differentiation 220* The In-House Perspective 222* Duties and Responsibilities 224* Fundamentals of What In-House Counsel Needs to Know 225* The Basics 225* The Amorphous and Unusual Nature of the ThreatCompared to Traditional Risks 226* Establishing Essential Relationships 227* Distinguishing Compliance in Operational Mattersfrom Market-Based Considerations 229* Be Prepared 229* Understand as Much as You Can about the Risks 229* Ensure That the Company''s Governance Framework Encompasses Cybersecurity, and Develop Cyber Incidentand Cyber Breach Plans That Align with That Framework 231* Identify and Establish Key Relationships and Be Part ofthe Team 234* Identify Legal Issues Associated with a Cyber Incident 235* Cultivate a Cyber-Aware Culture and Community 238* Responding to a Cyber Incident 238* Identify the Attack and Damage 238* Limit the Damage 239* Record and Document 239* Engage and Notify 240* Correct and Close 240* In the Aftermath 240* Special Considerations 242* Summary and Tips 242 CHAPTER 11Considerations for Government Lawyers 245Sandra Hodgkinson, Clark Walton, and Timothy H. Edgar* Government Cyber Lawyers and Their Mission 247* Department of Defense (DoD) 247* Department of Homeland Security (DHS) 248* Department of Justice (DoJ) 249* Department of Treasury 249* Other Agencies 249* Government Data: An Increasing Problem of Data Insecurity 250* Government Centric Attacks: National Security and CriticalInfrastructure 253* Significant U.S. Cyber-Related Laws 256* Best Practices for the Government Lawyer for Cybersecurity 259CHAPTER 12Public Interest Attorneys 263Michelle Richardson* Introduction: Why Public Interest Attorneys ShouldBe Concerned 263* Issues and Strategies 265* Defining What Information to Protect: Nonprivilegedbut Sensitive Data 265* Budget Constraints 265* Use of Interns and Volunteers 267* Cultural Hurdles 268* Special-Needs Clientele 268* Takeaways and To-Dos 269 CHAPTER 13Get SMART on Data Protection:Trainingand How to Create a Culture of Awareness 271Ruth Hill Bro and Jill D. RhodesI.

Data ProtectionTrainingBasicsandCorePrinciples 271A. Why Train on Data Protection? 272B. What Does SMART Training Look Like? 275x CONTENTS* SMART Training in Action 279* Understanding the Basics of Employees: Roleand Generational Differences 279* Building an Effective and Diverse Program 280* Measuring Success (Through Phishing Campaignsand Other Means) 283* TenKey Points 284Section IVinCident resPonse and Cyber insuranCe Coverage 287CHAPTER 14Best Practices for Incident Response: Achieving Preparedness through Alignment with Voluntary Consensus Standards 289George B. Huff Jr., John A. DiMaria, and Claudia Rast* Introduction 289* Business Continuity and Management of the LawFirm''s Business Risks 290* The Cybersecurity Framework 292* ISO 22301, the International Standard for Business ContinuityManagement Systems 295* Global Benchmark for BCMS Requirements 295* Law Firms: Steps for Establishing Your Firm''sBusiness Continuity Program 296* Information and Communications TechnologyReadiness for Business Continuity 300* ISO 27001: Challenges for Law Firms of All Types and Sizes 301* Threats, Disruptions, and Trends 302* Impacts of Extended ICT Disruptions--A CommonCyber Incident Scenario 303* Best Practices for Cyber Incident Response 304Conclusion CHAPTER 15Cyber Insurance for Law Firms and LegalOrganizations 313Kevin P. Kalinich and James L. Rhyner* Insurance as a Cyber Risk Management Tool 313* Professional Liability Insurance Policies May Cover Some CyberIncidents 315* Cyber Insurance Coverage Can Mitigate the Costs of an Incidentin SeveralRespects 317* Policy Wording Varies and Often Requires Customization to MatchIdentified andQuantifiedExposures 322* Cyber Insurance Market Constraints 330* Regulatory Constraints 330* Capacity Constraints 330* Insurance Placement Constraints 331* How to Respond to a Loss or Claim 331* TopTenConsiderations 332Conclusion 335Robert S.

Litt and Jill D. Rhodes CHAPTER 4 APPENDICES: SELECTED SECURITYLAW STATUTES, REGULATIONS, AND CASESAppendix A. FederalStatutes 339Appendix B. StateStatutes 341Appendix C. FederalRegulations 349Appendix D. StateRegulations 353Appendix E. Best Practice Guidelines Issuedby FederalGovernmentAgencies 355Appendix F. Best Practices Guidelines Issuedby Sta.