
Data and Cybersecurity

OUTLINE
● Introduction
● Types of Cyber Threats in the
Legal Industry
● Legal Considerations for Data
and Cybersecurity
● Protecting Sensitive Data and
Information in the Legal Industry
● Incident Response Planning and
Management
● Real World Legal case
Introduction
Definition of Data and Cybersecurity
Definition of Data Security

● Data security refers to the protection of
sensitive or confidential information from
unauthorized access, use, disclosure, or
destruction.

● It involves implementing technical and
administrative measures to ensure the
confidentiality, integrity, and availability of
data.

https://www.flaticon.com/
Definition of Cybersecurity

● Cybersecurity refers to the protection of
internet-connected systems, including
hardware, software, and data, from theft,
damage, or unauthorized access.

● It involves the use of various technologies,
processes, and practices to secure the
digital world from cyber threats such as
hacking, malware, phishing, and data
breaches.

https://www.theforage.com/blog/careers/cybersecurity
Importance for the Legal Industry
Why security?
● The legal industry is vulnerable to cyber attacks, as lawyers and legal
professionals handle sensitive information, confidential data and personal data.
● The legal industry is subject to numerous regulations and laws that require
organizations to protect personal data.

https://www.cisco.com/c/en/us/products/security/what-is-cybersecurity.html
Types of Cyber Threats
Phishing
What is Phishing?

● Phishing and email scams are a type of cyber threat that involves
criminals trying to trick individuals into revealing sensitive information,
such as usernames, passwords, and financial information.
Common Examples

1. Fake email from a client or legal authority
requesting sensitive information.
2. Email with a malicious link or attachment
that downloads malware onto the
recipient's computer.
3. An email from a supposed financial
institution requesting updates to account
information.
4. A fake email from a well-known software
company asking the recipient to download
a critical update.
Ransomware Attacks
What is Ransomware?

Ransomware is a type of malicious software that is used to lock down a
computer or a network of computers and demand payment in exchange
for unlocking the system.
Examples

● BitPaymer: The payment portal included the
title “Bit paymer” along with a reference ID, a
Bitcoin (BTC) wallet, and a contact email
address.
● DoppelPaymer: The ransom note used by
DoppelPaymer is similar to those used by the
original BitPaymer.

https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-examples/
Malware
Definition of Malware

● Malware refers to malicious software that is designed to cause harm
to computer systems and compromise the security of data.
● There are several types of malware, including viruses, Trojans,
spyware, and others, each with its unique mode of operation.
Types of Malware

● Viruses: malicious software programs that attach
themselves to other programs and spread from one
computer to another through shared networks or
removable storage devices.
● Trojans: malicious software programs that appear to
be legitimate but have hidden functionalities that can
compromise the security of computer systems and
data.
● Spyware: software that monitors user activity, collects
personal data, and sends it to unauthorized third
parties.
Insider Threats
Insider Threat?!
● Insider threats refer to the risks and dangers that come from
individuals who have authorized access to an organization's systems,
networks, and data.
● These individuals may misuse their access or inadvertently expose
sensitive information due to a lack of proper training or oversight.

https://www.ekransystem.com/en/blog/insider-threat-definition
Insider Threat Types
● Malicious insiders
● Careless insiders
● Compromised insiders

https://www.ekransystem.com/en/blog/insider-threat-definition
Cyber Espionage
Definition

Cyber espionage is the unauthorized
and often illegal collection of sensitive
and confidential information from
individuals, businesses, and
governments.

https://www.crowdstrike.com/cybersecurity-101/cyberattacks/cyber-espionage/
Examples

● Tracking Cookies: The main role of
tracking cookies is for advertising,
gaining information about what websites
a user visits to present advertisements
suited towards that specific user’s
interests.
● Keylogging: This type of spyware is
dangerous because it records the victim’s
keystrokes, which gives the hacker
access to private information like
passwords or social security numbers.

https://www.avast.com/c-keylogger
Social Engineering
Definition

● Social engineering is a tactic used by cybercriminals to trick
individuals into revealing sensitive information or performing actions
that can compromise the security of their systems and data.
Examples
● Pretexting: It’s the use of an
interesting pretext to capture
someone’s attention.

https://blog.usecure.io/types-of-phishing-attack

● Email hacking and contact
spamming: It’s in our nature to pay
attention to messages from people
we know. And social engineers know
this all too well.

https://etactics.com/blog/phishing-email-examples
IoT Threats
IoT
IoT (Internet of Things) refers to the interconnected network of physical devices,
vehicles, home appliances, and other items that are embedded with software,
sensors, and connectivity which enables them to collect and exchange data.
Examples

● The Mirai Botnet
● The Verkada hack
● The Jeep Hack

https://www.cm-alliance.com/cybersecurity-blog/iot-security-5-cyber-attacks-caused-by-iot-security-vulnerabilities
Legal Considerations for Data and Cybersecurity
Data Privacy Laws
Data Privacy Laws

● Data privacy laws refer to the legal
regulations and standards which govern
the collection, use, and disclosure of
personal data.

● These laws differ from country to country,
but the main aim is to protect the privacy
of individuals by ensuring that their
personal data is not misused or shared
without their knowledge or consent.

https://www.enzuzo.com/learn/how-to-create-a-privacy-policy
Data privacy is not data security

https://dataprivacymanager.net/5-things-you-need-to-know-about-data-privacy/
Electronic Communications Privacy Act (ECPA)
ECPA

● Designed to protect the privacy of
electronic communications, including email,
text messages, and other forms of digital
communication:
○ It is illegal for any person or entity to intercept,
disclose, or use any electronic communication
without the permission of the sender or recipient.
○ The law also regulates the use of electronic
surveillance by law enforcement.

https://blog.ericgoldman.org/archives/2014/05/disclosing-unique-user-ids-in-urls-doesnt-violate-ecpa-in-re-zyngafacebook.htm
Importance of updating

https://www.aclu.org/issues/privacy-technology/internet-privacy/modernizing-electronic-communications-privacy-act-ecpa
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is
a federal law that required the creation of national standards to protect
sensitive patient health information from being disclosed without the
patient's consent or knowledge.
European Union’s General Data Protection Regulation (GDPR)
GDPR
● General Data Protection Regulation (GDPR) is a regulation in EU law
on data protection and privacy for all individuals within the European
Union.
● The GDPR aims to protect the personal data and privacy of
individuals within the EU and regulates the processing of their data. It
also gives individuals the right to access, rectify, and delete their data.
GDPR protection principles

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitations
6. Integrity and confidentiality
7. Accountability
Protecting Sensitive Data and Information
Data Encryption
What is encryption?
Data encryption is a process of converting sensitive data into a secure
code to prevent unauthorized access.

https://medium.com/searchencrypt/what-is-encryption-how-does-it-work-e8f20e340537
Apply Encryption

● Data encryption can be applied in different ways, such as encrypting
files, emails, and data storage devices.
● Law firms and legal professionals can also use encryption software or
hardware encryption devices to secure their data.
● Popular encryption software includes VeraCrypt and AxCrypt.
Encryption types

Examples of popular hardware encryption include AES Hardware
Encryption and Apple FileVault Encryption.
Two-Factor Authentication
Two Factor Authentication

● It involves using two different types of authentication methods, such
as a password and a physical token, to access sensitive information.
● The purpose of two-factor authentication is to add an extra layer of
security to the authentication process.

https://www.merchantfraudjournal.com/two-factor-authentication-work
Example of 2FA

● 2FA with email accounts

https://www.malwarebytes.com/blog/news/2018/09/two-factor-authentication-2fa-secure-seems
Regular Software Updates and Patches
Updates and Patches
● Software updates often include
security fixes and patches that
help protect against vulnerabilities
and new threats.
● Regular software updates and
patches can also help ensure that
systems remain up-to-date with
the latest technology and
capabilities, helping to increase
overall security and reduce the
risk of data breaches and cyber
attacks.

https://blog.grantmcgregor.co.uk/2019/why-are-software-updates-or-patches-so-important
Employee Training and Awareness
Awareness and Training

● Educating employees about the various
types of cyber threats and how to avoid
them.

● Training employees on how to identify
phishing scams, how to protect
passwords and other sensitive
information, and how to report any
suspicious activity.

https://isnews.stir.ac.uk/2020/09/21/information-security-awareness-training-is-here/
Programs

● Examples of employee training
and awareness programs include:
○ Regular email updates and reminders
○ Training sessions
○ Simulations that help employees
understand the dangers of cyber
threats and the importance of
protecting sensitive information.

https://isnews.stir.ac.uk/2020/09/21/information-security-awareness-training-is-here/
Incident Response Planning and Management
Purpose
Why the need for planning?

● The purpose of incident response
planning is to ensure that an
organization is prepared and able to
respond quickly and effectively to a
cybersecurity incident or data breach.

https://www.flaticon.com/
Part of a cycle

● An incident response
plan forms the basis of
your incident response
cycle.

https://www.exabeam.com/incident-response/incident-response-plan/
Defining an Incident
When to consider an event as an incident?

● An incident is any unplanned event or situation that affects an
organization's ability to perform critical business processes and
functions. Some common characteristics of incidents include:
○ Urgency
○ Unpredictability
○ Interruptions
○ Damage
○ Complexity
○ Risk
Incident Response Team
Composition of an Incident Response Team

1. Incident Commander
2. Lead Investigator
3. Technical Lead
4. Communications Lead
5. Legal Counsel
6. Information Security Specialist
7. IT Operations Lead
Communication and Coordination within the Team
The success of incident response planning largely depends on effective
communication and coordination within the incident response team. The
following are the key elements to consider when it comes to communication
and coordination within the team:

1. Chain of Command
2. Communication Plan
3. Joint Information System
4. Contact List
5. Meeting and Briefing Schedule
Developing the plan
Key Components of an Incident Response Plan

1. Objectives
2. Preparation and Training
3. Incident Response Team
4. Communication Plan
5. Data Collection and Analysis
6. Containment and Remediation
7. Post-Incident Review
8. Continuous Improvement
Identifying Critical Business Processes and Data

● Identify the critical business processes and data that must be
protected in the event of a security breach.
● By identifying these critical assets, legal professionals can prioritize
their incident response efforts and ensure that the most critical
information is protected in the event of an attack.
Examples

Examples of critical business processes and data in the legal industry
include:

1. Case files
2. Client information
3. Financial data
4. Confidential communications
Managing an incident
Activating the plan

1. Notification
2. Declaration of an incident
3. Initial Assessment
4. Activating the Plan
5. Coordination with External
Agencies
6. Implementation of Response
Procedures
7. Ongoing Monitoring and
Assessment
Collecting and analyzing data

The data collected should include:

1. Details of the incident
2. Information about the systems and data
that have been impacted
3. Information about the potential threat
actors
4. Information about the systems and
processes that were in place to detect
and respond to the incident
Communicating with stakeholders and the public

1. Establish a communication plan
2. Identify key stakeholders
3. Communicate regularly
4. Be transparent
5. Use clear language
6. Address concerns
7. Evaluate the incident
Containment, Eradication, and Recovery

1. Containment refers to the process of isolating the affected systems,
devices, or networks from the rest of the environment.

2. Eradication involves removing the source of the incident. This may
involve removing malware, cleaning up infected systems, or restoring
systems from backups.

3. Recovery involves restoring normal operations.


Post incident analysis and documentation

After an incident has been contained and eradicated, it is important to
review what happened, what worked well, and what could have been done
better. This information can be used to improve the incident response plan
and to prevent similar incidents in the future.
Real World Case
Zoombombing
Zoom Video Communications, Inc. v. Cyber Security case

● In 2020, Zoom Video Communications, Inc. faced a significant
increase in usage due to the COVID-19 pandemic.
● The company faced a major cybersecurity challenge: Zoombombing.

https://techcrunch.com/2020/03/17/zoombombing/
Zoom Video Communications, Inc. v. Cyber Security case

As a result, the company faced a number of legal challenges and
investigations.
Zoom Video Communications, Inc. v. Cyber Security case

● As a result of these legal challenges, Zoom was forced to take action
to improve its data security practices.

https://support.zoom.us/hc/en-us/articles/360048660871-End-to-end-E2EE-encryption-for-meetings
