Cybersecurity and Data Privacy for Lawyers

Captions
um so first of all welcome thanks for coming to our Technology so our first presentation is going to be on vulnerable vendors hopefully it won't scare you too much it will be all about all the things you should be doing and hopefully are to protect your systems we have two fantastic presenters first we have Jim below jim has spent two decades working in the field of information technology he has worked for global technology pioneers like Digital Equipment Corporation HP and loosened these are companies that use he's used that experience to build and sell to successful technology companies since January of 2015 Jim has been the chief information officer at Esquire where is responsible for information security enterprise architecture infrastructure and product development so welcome Jim first and then we also have with Jim someone is a member of our Senate Committee on technology Haley Peters Haley is a practicing attorney since 2011 in both federal and Florida state court she has significant experience litigating nationwide class actions representing institutional and individual clients collaborating with multinational legal teams to advise global corporate clients and developing consultive litigation strategies by leveraging technology I'll let her explain that to you she clerked at the 3rd District Court of Appeal of Florida and at the Florida Supreme Court for justice Perry she she's an escolar client executive responsible for guiding corporations law firms attorneys and their teams to effectively manage the deposition and discovery process she graduated magna laude from the University of Miami School of Law in 2011 and received two Bachelors of Arts with distinction from the University of Michigan and for those of you not following it jim is actually a Vanderbilt graduate Haley is a Michigan graduate and they will be playing for the College World Series championship tonight so should be interesting discussion with them so with that I give you Jim and Haley thank 
you so much mark I will just highlight a few aspects of Jim that he did not cover jim has been our CIO at Esquire for four and a half years each year we have two groups of clients law firms and corporations our corporate clients which are a lot of the clients that you and your law firm serve conduct audits of our company to make sure that our sedated security is on point and that we are following the best of the breed standards last year alone Jim responded to 37 different audits so and funded up next year 60 he expects more than 60 audits of our cybersecurity so if your law firm has not received these types of audits from your clients they are coming it's definitely something to be on the lookout for and then thank you so much mark I don't really need to say much more about myself again my name is holly Peters I work with that square so why are we here the threat landscape today for data security there are so many times every single day to own work almost 10,000 intrusion attempts hurt on a network per day that means the Wi-Fi here someone is trying to access that hackers from around the world are trying to access it your own personal email 1000 attempts per day on your own personal email some of us have a work email another email like each different email account has that many attempts per day so the threat landscape is the first topic that we're going to cover followed by the attorney responsibilities so we here as attorneys are responsible we're held to a duty of technological competence and we have to understand what is going on 36 states today have adopted this duty and Florida was a number 26 state so we'll cover that next and then at the end how we can all protect ourselves and make sure that we are following the standards in place and making sure that we are protecting our firms and our clients so what can go wrong one breach alone today cost an average on average almost eight million dollars that so you break that down to a granular level that is 114 
dollars per record what do I mean by record a record of information could be confidential information about your client confidential information about your employees confidential information about you and your personal health information that one record and if you think about a transcript or an agreement or any type of confidential and sensitive document that you have with your clients there could be multiple records per document and in one breach accesses how many records in every breach quickly leading up to that 8 million dollar figure and who's being targeted I'm sorry to say it law firms are and wire law firms attacking or bio hackers attacking law firms because we are easy targets unfortunately so and you can be very very astute and on top of everything in your firm 23 hours and 59 minutes a day but that 1 minute that you're not is when the hacker will access your information and if you think that it's not going to happen to you you're the best target for a hacker so why law firms in addition to work very very vigilant but what what is the type of information that clients are giving us it's not just information that you give to your bank or even Target or other large corporations it's highly sensitive information because people are paying very good money to to have an attorney and they're working generally very important issues for them and the attorneys are storing this information and it's just more efficient if you even put the numbers together so if you think about for example JP Morgan JP Morgan spends almost 6 million dollars a year I'm daddy fortune 600 900 million dollars a year thank you Jim on data security and protection how much our law firm spending every year how much is your law firm spending every year do we have the teams and the systems in place to do that possibly no hopefully by the end of this presentation we're going to give you a lot of good guidelines and how to very clear questions to ask yourself the people in your firm and your 
different vendors that you're working with and we cast no aspersions on attorneys or law firms here yeah I'm not just here to flip the slides I'm going to talk to we cast aspersion on attorneys or law firms basically it's math if you have 600 million dollars to spend on security and you are by regulatory bodies forced to do so you're gonna do it law firms a 50-person law firm might have one person doing security scheduling and IT right so if you have a large volume of data that includes you know information about cleaning out the fridge on fridays at you know GE or Bank of America or JP Morgan Chase hackers don't care about that and you've got a million other documents like that but if I give you a contract give you intellectual property information that is key or working on you're working on a settlement you've got all the most valuable and most important documents so you're a high calorie target right whereas there's a lot of there's a lot of low calorie content and a ton of it thousands times more at the client the law firm has all the really valuable content the client has six million six hundred million dollars she handed it to six hundred million dollars to spend on security the law firm doesn't so if you're a hacker who would you go after to go after the law firm with the valuable stuff and less protection or would you go after JP Morgan Chase I know the loud laughter definitely and in addition to that oftentimes attorneys or even staff at your firm sometimes they assume that their their email even their personal email why would someone access my email why me I don't have that much I'm talking about your personal email oftentimes contains very sensitive clues that hackers can use to access your more important access your more important information files and your more important accounts but your bank information your trust account information and by even accessing your personal email which often times it's not nearly as safeguarded as your law firm email and 
your law firm email may not be as safeguarded as JP Morgan's email system but using that hackers use the information that they access and they're able to categorize it it was shocking to me to learn that hacker not only get paid to access the information but they categorize it and they catalog it year after year so if they access it they can see your password progression think of an Excel spreadsheet there with every single your favorite pet your first car your favorite I love to type of chocolate or whatever they can use for the different persecuted questions it is all catalogued and kept year after year so not only is their personal email at risk of course your law firm is and they can use that to easily access your law firms information as well and it's worth noting that this is not just the the geeky fourteen-year-old kid and his mom's basement drinking Mountain Dew right crime has been commercialized so you have nation state actors you have organized crime taking tools that are available readily available online in just your casual criminal somebody who wants to make some money there's a buy side to this and a sell side right on the sell side you go in the dark web you can customize your malware app check I want to use Bitcoin at thorium I want to have the key on my server not on the machine and you check all the boxes and either you have either a link and executable or both pay 500 bucks boom you're in business you start jacking people up and collected money on the sell side if it's not if you're actually collecting data as opposed to just encrypting it and keeping it from people and even blackmail to get them get the data back if you collect the data then there's a sell side so I was at a security conference on Monday see so secure at lanta and they were talking about deploy where they get kids social security numbers two bucks a record right and they use that to establish an account here and there which they don't actually use doesn't send off the alarms 
and then after they accounts been established for well that we will get a BSA loan a small business loan SBA loan for $200,000 right your kid's credit is ruined before there are 10 right that's the sell side this is no longer for fun right this is for profit and they don't care who you are and your password for your email has anybody ever reused the password I'm sure nobody in this room right right give me the password for something else or ten things or god forbid everything and that is why they go after email that's why emails so valuable to hackers to expand on that but the threat landscape has become commercialized it's no longer for fun and with a hacker ethic if we're gonna steal it can be done and so we're gonna see what money we can make off of you in particular with attorneys your clients information make sense and law firms being a main target and for the reasons we just discussed the good news is is that people are starting to pay attention 68% of chief legal officers now view data security and cyber security they're extremely concerned with it because they now understand the risk that it's posed to US attorneys practicing in the field every day and the scary part isn't that - in addition to the concern and your personal information being out there is that law firms have been sued a class action was filed against one law firm in Illinois and happened to others for actual legal malpractice where there wasn't even a breach so think about that for a second there was no breach of data and a class action was formed against a law firm for for failing to safeguard their information so their clients got together and said hey we're not paying just for legal services and you legal services include protecting our information we don't feel like your standards are up to par eventually that class action was settled and an arbitration was allowed to move forward against a law firm but that's just one case and there is case law supporting a claim for legal malpractice 
against law firms so the concern is real the concern is real for all of us here in this room and you should be very happy that you're here today because we will be able to help assess these risks that are you're faced with every single day in the field so specifically the you know the ABA gives common aid to Rho 1 1 2012 established the duty of technical competence right you have to make sure that the measures you're take you've got measures in place that protect your clients data Florida adopted this January 1st 2017 Florida added something Florida said I'd only do you have to have these measures in place you have to understand them enough to know that they're sufficient to protect client data so Florida's even tougher than the rest of the country in many cases and they were they were like the 24 the 26 state to adopt it so they're here for you in this room it's not just corporations worried about their reputation or their livelihood it's your license so the why should you care is a pretty there's a pretty big why should you care on that and the duty the competent representation requiring the protection of client information I won't read through all of this but I will draw your attention to the last section however a lawyer may be sorry however a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of fly information when required by an agreement with the client okay or by law or when the nature of information requires a higher degree of security so what does this mean oftentimes security it should be strapped it should be stratified oftentimes the data may not need that much security but combined with other pieces of information it does require a higher degree of security and that means accessing it so if you think about a law firm that just that means does Susy from HR is she able to access the same information as a managing partner at your firm it's a summer intern allowed to access the same 
information from your firm that's a very clear way to show there should be different different differing levels of access to the different data that you store based on how important and how confidential it should be and that's of course the gray area for US attorneys that we do need to be cognizant of because it's not clear yeah the refrigerator memo about cleaning it out on Fridays it's not gonna be classified the same way as an attorney's eyes only settlement for you know seventeen million dollars just it's just not different they're different things you have to understand that the different things and make sure they're protected appropriate to their content and sensitivity and in addition to that it's organizing your information do you keep all of your client files on one hard drive is that accessible to everyone do different clients weren't a different type of security to access their files are they cleaned up regularly those are all the different levels of security that each should be considering based on the rules that do apply to us here in Florida right and and the ACC the good news is they did publish recently model information protection and security controls this has been adopted almost nationwide as a de facto standard for US attorneys to follow and my lovely colleague Jim here is here to explain the guidelines that apply and that have been adopted to help guide us and protecting our information I'm flattered to be called lovely so essentially there were thirteen controls that they put in place and we're gonna we're gonna run through these really quickly because the last part of this is where we talk about how you make sure that the people you work with follow the same things you do so the first piece is we talked about that information right you have to understand what information you have classify it and then document what you're going to do to protect it pretty simple right the other thing that's really important in here and I'll highlight this 
without turning off the slide hopefully is security review rights so documentation is not some secret sauce it's not special it's not indifferent either it's best practice or it's not and security they're doing a good job and you're following a framework and best practices or you're doing your own thing and good luck Chuck you know who knows what's gonna work so you want to be able to review the document so you have to have a summary document if it's redacted so you can give it to them for how you protect the data it's that simple what you have and how you protect it the next piece you're given information by your clients you keep it for a while to do the job you're supposed to do then either you give it back or you destroy it or both depending on the arrangement that should be documented as well I call this out because this is a separate item a separate security control the ACC calls out which published in January 2017 applies to each and every one of you the other piece is I'm sure you've all heard about encryption right you've probably heard the term encryption at rest and encryption in transit this is basically a way of turning data into meaningless numbers and it would take years to reverse engineer what the original data was so encryption at rest is I have my laptop sitting here usually my laptop is here if I can use it as a prophet I don't have one but my laptop is sitting here and put in the like a like a doofus I put in the back of my car and somebody breaks the window and grabs it out I don't care it's not a breach it's encrypted why because it's meaningless numbers am i upset I have to spend another 1,400 bucks 1,300 bucks to buy a new one yeah but I don't have to report it as a breach and this also applies to your phones and mobile devices so every single phone if you get if it's lost for example if it's encrypted that would not constitute a breach because the encryption as Jim mentioned should apply to the entire phone plus the communications that are 
emitted and received by your device so the the encryption at rest is one aspect of it but also the encryption when information is flowing from mobile device to computer to your laptop to your intern who's vacationing which they should not be this summer they should be in the office but any type of communication that you're having not only with clients but your internal teams that should also be encrypted to protect it from access because that protects you and ensures that you do not have to report a breach because there was no breach because they can't do anything with the information that they accessed yeah and opinion 483 in October of last year said that you're required to report breaches that's also part of which are compelled to do its best practice and duty of technical confidence so if you if somebody gets your information but can't do anything with it it can't read it it's not a breach physical security so if you think about it this is doors this is fences this is cameras signing in with the license getting a badge when you go somewhere you guys are all right here your neck break your neck neck necklace your necklace things with a lanyard lanyard thank you God getting olds miserable so not for the faint of heart but all the things that protect data keep somebody from backing up a truck to your office and taking all the data away that's physical security that's pretty easy the other aspect of that is you take the things you do you segment data into different file boxes you have limitations on where people can go to get access to physical data all that applies in the logical world that's file servers I'm sure you guys familiar with file servers websites you make it create logical controls and make it where people can only access what they're supposed to have you know separation of duties principle of least privilege where they you only have access to the minimum amount of things you're supposed to have access to all these are best practices associated with 
them and as we mentioned in the first item of the ACC you're documented and you have a document available for review for somebody if they want to know what you're doing to protect the data now when I'm in the north giving this presentation I say I mashed several items together on this slide they love that quaint southerner but mash these things together so great now you you know what you have and how you're gonna protect it you know what you're gonna how long you're gonna keep it what you're gonna do with it and when you're gonna give it back and under what circumstances you've protected it by encrypting it you know what you're gonna do if there's a data breach and you have physical and logical control so you've done the five things rights you have to do to make sure that data is secure what do you do now well you monitor you make sure people are doing what you told them to do in that documentation in item one you do vulnerability controls and risk assessments you know and talk about that in a minute as this vendor prepared to protect client data as well as I am vulnerability assessment I look at is my laptop encrypted is there something open so somebody could get into my machine is it patched all those different pieces to make sure that you've done what's done the thing is you set out to do in your controls and your and your policies the other piece is from a system administration of network security if you're if you're part of a firm the most dangerous people in your firm are the people who do IT for you now they're also the most helpful it's just like it's funny in my business of IT and security and we just talked about the submit' ago trust as a commodity right if you can't trust your IT people or you can't trust your attorney you should probably find a different one right probably find somebody different to do that so you've got to make sure that those people go on vacation so somebody else can look at what they've done you got to make sure that there are 
controls in place for review of what the people who have access to everything do and then finally you don't know what you don't know so you buy insurance a fun facts anybody care to yell a guess of how many attorneys law firms in particular have cyber liability insurance just guess yeah 15 anybody else five you guys are a very very skeptical Bunch it's actually 36% right right but to me that's really scary you think about that 8 million-dollar concha costs to breach again that's the average some are much higher there's a 50 million dollar breach that wendy's paid for a couple months ago and some are much lower you know a few hundred thousand but if you think about you know the number of Records you have multiplied by a hundred fourteen dollars that tells you your exposure that tells you what you could potentially be on the hook for so what's interesting to me is that so few law firms take advantage of that ability to limit that exposure anyway interesting stats so you've done a good job you've done all these things you've bought the insurance you created your policies you encrypted your corrupted your laptop you make sure everything is secure start to finish what do you do you prove it it's a law firm you get an industry certification for security ISO or a EU u.s. 
privacy shield for you know GD P R which I believe we have a colleague speaking about later on this afternoon you prove it if you do all the work then take the time to prove it finally and this is where we pivot to our topic they call out the control of making sure that your contractors or subcontractors or third parties are doing at least as good a job as you are and implementing all these controls cloud compliance risk management they're doing all the same things you're doing by the way cloud is just another word for somebody else's computer right it's not yours you don't you don't have to deal with it but it's still somewhere we talked about this earlier too it's just somebody else's computer anyway there are a lot of reasons why we talk about vendors make it basically they constitute a ton of risk for everybody not just the flaw firms but for law firms in particular because 61% of security breaches are linked to third parties and those are the third party vendors law firms are oftentimes considered a third party third party to their clients but within the law firm you're also working with a lot of different vendors every single day this ranges from court reporting companies to document review companies to your janitors to whoever's giving you and forgiving your access when your remote when you're accessing your computer remotely those are all third party vendors and with almost two thirds of breaches being linked to them it's important to start assessing those relationships and doing that and because you will be getting the audits from your clients regarding your interactions with your third party vendors and it's unfortunately many law firms are not evaluating their third party vendors in that light you think okay well my law firm is good everyone has had training you know every single person knows not to click that link download that file open that attachment what about the vendors that you're working with or you do feel as comfortable that they know that 
that they're holding themselves to the same standards that you are at your law firm and hackers are relentless they will find the most vulnerable area in your law firm and that is where they will attack for example phishing emails how many people in this room have received phishing email trying to get you to download something trying to get you to click something so they can oftentimes download malware on your computer or that you get a virus in your computer 91% of hacks start with a phishing scheme so think about that 91% start with a phishing scheme and unfortunately I know a lot of my law firm clients they have definitely been victim to phishing schemes so it's important to have to be laser-focused on that as one area to train your team's on and every single person on your team whether it's an intern whether it's HR whether it's you as the managing partner every single person needs to be sure that they are well aware to spot that type of attack yeah the city of Tallahassee know if you guys heard about this they had payroll that didn't go through because third party was a payroll company was a phishing phishing issue and they had to they lost five hundred five hundred thousand dollars it was a department of city of Tallahassee but this is in the last year yeah this that's February I think March anyway that it's happening all the time a big big big problem and here's the here's a really scary thing you know 61% of attacks are are come against vendors successfully and law firms only you know 60 only 30 people if I can do it either way but six fifty percent of firms do not evaluate third party security right so two-thirds don't evaluate third party security 60 percent of attacks come through vendors and don't have cyber liability insurance and it's eight million dollars an attack so you go the why do you care why are we here you know this is why because you've done a good job with your security it's the third parties that are challenging and there's a reason for 
that I mean like I mentioned there are a wide range of third-party vendors and every business today think about almost 600 average of 583 third-party vendors are interacting with confidential information about their clients about their business about mergers and acquisitions that their clients are making or just confidential information and when you look at how many vendors each law firm or each business is working with it's scary to think that only 34% of respondents said that they even knew how many third parties are working with so that's the first step how are you working with have you vetted them have you even have you asked any questions about them how they're handling the information and I won't read through all of these Jim did you want to highlight a few the this is the one that always blows me away so only 29% thought that a vendor would even tell them that they had a breach so it's crazy you guys were attorneys you know that my agreement you should have it enumerated the timeframe and the circumstances in the contact there's a breach it's part of your contract and this is what surprises me this is the one that surprises made you have a favorite of these of yourself I think also well third party 50% of law firms will be audited as a third party that's what we're seeing with a come with our company that we're being audited by our well by our clients law firms will are being audited by their clients as well and actually a few states I think North Carolina or South Carolina South Carolina recently adopted a law requiring insurance companies to begin auditing every party that they're working with and their law firms included so it's coming might not be in Florida yet but it's definitely a nationwide phenomenon and it is becoming more and more normal and expected that you're auditing your third parties and that you're making sure that you're ready to respond to an audit if and when you receive it and one of those questions is almost always do you evaluate your 
vendors if so how do you do it very common so what's at risk this type of information personal identifiable information often called PII there's confidential documents obviously health records all the transcripts any items that you're using for your trials for your cases but evidence discovery documents responses all of these are the types of information that are at risk but also your firm's reputation and worst case scenario your license and ensuring and to make sure that you are practicing within the scope of the rules that are applying to you but good news don't worry we scared the heck out of you I know but we're here today to allow Jim to go through some guidelines and three very basic questions that anyone anyone here in this room can ask their vendors to make sure that they are protecting themselves and their law firms and their clients right so you're sitting there thinking Jim I'm an attorney I'm not an IT professional and a security professional how can you possibly expect me to do this right so I thought about it how can we help attorneys with this and there are three questions right I'm gonna paraphrase them like where's my stuff how are you gonna protect it and what do you do if something bad happens right so we'll start with the house my data protected now as attorneys you know that the answer to the question is often less important than how the question is answered right so it's like my wife do I look fat in this dress no actually believe me first off I'm not answering that question okay the second looks great immediate answer right how you answer the question is much disinformation the way the way the people answer it the the alacrity with which the answer and the level of detail thought they put into the answer matters as well so let's go through the first question how are you protecting my stuff right now when you ask this question that's open-ended for a reason right you're gonna want to see their policy documents if you remember item 1 in our 
coverage of the ACC security controls it's documentation right so if the answer is well that's proprietary you know you should be on your card because there are best practices and everything in law and security and IT and teaching you name it and best practice and security is transparency if you're doing the right things you should be able to write them down and numerate them and prove that you're doing them so if you ask a vendor how you protected my data they should jump up and say oh here's my security policy here are my security standards well here you go oh this is my instant response plan they should have all that stuff ready to give to you and I'll snap you can't hear it you could hear it like that it should be that quick and that easy data tension and destruction again we're parallel with the controls and the ACC guidelines but they should be able to tell you what they're gonna do with the data how long they're gonna keep it and if they have to keep it for longer than they're gonna use it because they're forgetting regulatory compulsion what that period is is a five years is a seven is a ten I should also be able to tell you how that day is classified and how they manage it well and on the destruction aspect if you think about whoever provides your discovery and like a relative or any types of the discovery holders of the discovery and productions there are actually and Jim enlighten me to this they have actual USB port and hard drive destroyers basically it's like oh it's like a wood chipper for USB drives it's not it's even I mean obviously the papers are drove in it but it's these things do exist and vendors that handle that type of information that's something you can ask them and also you yourself and your firm can also employ but it just it just goes to show you that they're these things and tools do exist to help you but you just have to make sure that you're asking the question how is our data protected to begin with yeah we a company that comes on 
site and will actually take our bins, and we observe them shred them, all the documents that we throw away, like the misprints or anything that's not right gets thrown away in a locked bin. They open it up, they take it down to the truck, lift it up, throw it in the shredder, and we watch the little confetti flying into the truck. And they do have a hard drive chipper. It's awesome, I'm just saying, it's so cool to watch. Yeah, they give us a certificate of destruction saying this is what was destroyed on this date, and we track that. Your vendors should be able to do the same thing. They should be able to prove to you, if they've done with data, what they did with it to get rid of it, and they should have a process written that shows we did a DoD wipe 40 times, you know, with ones and zeros written over it randomly, 40, 42 times, I can't remember the number exactly, but they should have some sort of standard that they adhere to. They should have a written policy and then proof that they did it. It's a great example, and this will also make sure that you're in line with ABA Formal Opinion 477, because under that, the attorney's duty of competence, attorneys may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information. So if you said "okay, I destroyed it, here's my certificate, here's my vendor certificate of when they actually destroyed it," that will protect you in that regard, just in the destruction sense, and also the data loss prevention example. Here's why this is such a good example: it's proof that they're doing what they say they're going to do, and it's really easy to get, because it's a best practice to collect it and it should be very easy to give you a digital copy of that. Another aspect of protecting data is data loss prevention. I mean, how many of you are familiar with Dropbox or Box? There's a couple others out there that I won't bore you with that do the same thing, and they all run over HTTPS,
this is Secure Socket Layer, this is, you know, we talk about encryption in transit, that's what we're talking about, secure HTTP, so you can't see what's inside the packet, so you can't see what people are sending unless you take special measures to do so. So data loss prevention is preventing people from, here's a fun IT security term, exfiltrating data out of your environment, right? Sales leads, settlement agreements, intellectual property, right? You have these measures in place; your vendor should be able to tell you what they're doing to prevent data from sneaking out the back door. Not easy to do, but you're not doing your job if you haven't worked on preventing that. This one's actually my favorite. I know how he loves, hates, our security training, security awareness training. So how many of you have been in a situation where you're really frustrated with somebody, you know, I'll do this with my kids, right, but you've never told them the right thing to do, so they just do what they think is right? So if you set boundaries for people and you tell them the right thing to do, I may be naive, but I believe that the prudent man or woman, the prudent human, will do the right thing, but at least they have a chance to do the right thing and they know what it is. So security awareness training: they should be able to tell you what topics they've covered, you know, encryption, PHI, multi-factor authentication, whatever they've talked about, from social engineering, whatever they've talked about, they should have a list of the topics they've covered in the past and what they're doing now, and a policy around the frequency of how often they do it. They should be able to give that to you and say "yeah, we do this every year, we do 12 courses a year, and we make sure they're certified. I can show you the test scores and how many people passed and how many people didn't and what we did to remediate people who didn't pass." Sounds simple, right? So it has saved a number of companies I know anywhere
between $1,800 and $180,000 a pop, because how many of you are familiar with that phishing scheme, or the phishing scam, where they ask you for $1,800 worth of Apple gift cards? Yeah, right, right. Let's see, the CEO sends you a message out of the blue: "hey, I'm at a client site, I need some help, I need you to go right away." You've never heard from the CEO before, and usually it's "go get 18 gift cards from the Apple Store and rub the numbers off and send them to me," right? That's 1,800 bucks, though, again, like, that goes on. And we actually had this happen to us, and they had the training two days before, which is awesome, and they contacted IT, they told us what's going on, and nobody bought anything, right? But it's kind of flattering, right? The CEO reaches out to you to help take care of a client, and all it is is, you know, take your company credit card, go get this stuff. Well, it's with your law firm as well. I will arguably say that security awareness training is one of the most important aspects in all of this, because not only does your law firm, you're doing it, your vendors should be as well, but internally, I mean, I can speak from experience with one client, what they do to ensure that their security training is actually working and that it's in place, and this is a law firm in Miami, I won't say the name, but their IT department sends out an email, it says "hey, click this link for free Dolphins tickets." You click that link and you have two extra hours of security awareness training. So that makes sure it's working. But this type of training can be very, very easy to implement, not only at your own law firm, but also to just ask and make sure that you're asking about what is happening with your third-party vendors that you're working with. Yeah, 91% of exploits, like she said, are related to phishing, almost 60 percent of email is phishing or spam, so people are trying to do this all the time, and the best way to defeat it is security awareness training.
Encryption: they should be able to tell you what they're doing to protect the data from an encryption perspective. Every vendor on the planet should be encrypting data at rest and in transit, all the time, every time, period. If they're not doing that and can't tell you how they're doing that, you should be very concerned. You should ask "why not? Explain that to me again, why you're not doing this," because that's the simplest, easiest way to not have a reportable breach: if something is stolen, it's just meaningless numbers. So if they don't have it at hand, ready to go, they probably haven't put a lot of thought into it, probably unplanned, right? If you think about it, tribal knowledge and hope and catch-as-catch-can is no kind of strategy, right? If they don't have it set and ready to go immediately, and the way they answer the question is "well, that's proprietary" or "give me a month," they're probably writing it and then giving it to you, as opposed to having it already and having it in practice. Privacy policy: I'm not going to go into this, this is a whole other session, which will be our third session, I think, but they should also have a privacy policy. Honestly, it should be published, it should be public. They may have a back-end version as well, but it should be published on their website, it should be accessible and available as far as how they protect clients' privacy. I'll leave that to another speaker, though. So the encryption piece is super important. It's got to be encrypted at rest, it's got to be encrypted in transit, and if all those pieces are in place, then you know that they've got some good measures in place to protect client data. They care at least as much as you do, especially if they answer with a smile on their face and joy in their heart: "here's my policy, would you like to see more? I've got more." And remember, all you did was ask "how's our data protected?" and they should give you all these things. The trick is to know what to expect. Second, where's my stuff? Where's my stuff? We talked
about the cloud, right? The cloud is somebody else's computer. That's AWS, okay, where is it? Is it in Virginia, is it Portland, is it in Timbuktu? Where is it? Which is it, US East 2? Where is it? They should be able to tell you that, they have it documented, and they should have what I call data flow diagrams. This is spelled out in the GDPR, which we'll hear a little more about later, that tells you, remember we talked about encryption, that tells you all the buckets where things sit at rest, and then all the paths they take between those buckets when they're encrypted in transit. It should talk about the protocols that are used to encrypt them, and it should talk about the path they take and the human beings who access that data at each point in the workflow. Business continuity plan: this is one of my favorites, right? Business continuity plan is, we hope we don't get hit by a hurricane, right? Now, if you're smart and you're in Florida, you're going to have a continuity plan, right? We have a place to go, we can work in it, we can work out of Atlanta, we can work out of Chicago, people can work from home, they can work over VPN, but you've got to have business continuity plans for things like printing, things like the phones. You've got to have specific disaster recovery plans for your different IT pieces to support those business functions to ensure business continuity, and the vendors should be able to give you the business continuity plan, a redacted version of the disaster recovery plans that doesn't include proprietary information, and they should be able to give you a notion of what they're doing to back up and restore data and to test to make sure it works. The key there is testing. You should be able to look at the data flow diagram, walk on site and say "show me. Okay, there's networks, this is continuity. When was your last test? What was the result? More importantly, what did you learn from it? How did you get better for next time? Did you get better next time?" Test, test, test, right? My guys are
driven nuts by me, because I tell them if you didn't document it, it doesn't exist; if you didn't test it, it doesn't work, right? So if they can't give you proof they restored a file in the past year to make sure that it works, they're not actually backing up. They hope they're backing up, they don't know it, right? Hope is not a strategy, hope is a feeling, right? In IT I don't have room for feelings, I have to have strategies, I have to have something that's executable. And the backup aspect of it, I mean, if you think about some of the larger law firm breaches that have happened recently, the reason that they have been able to work through them is because they've had backups, regular backups, by the vendors that are providing their IT, by the vendors that are holding their client files. That is extremely important to ensure. It's not just backing up like one time five years ago, like my mother likes to say about her iPhone. That does not count as a backup, Mother, I think you need to continue backing up. But that goes with your vendors as well, because that will save you if there is a potential breach, a hack, any access to information, or if the network fails, we could have a virus, things of that nature. So the backing up is extremely important, and to make sure that you can get to the information after you restore it. Isn't it amazing how the most important thing in almost any operation tends to be the most boring and least glamorous thing, right? Nobody wants to do backups, nobody wants to look at the logs, but you have to. If you don't, you're in trouble. You know, Library of Alexandria, all human knowledge gone. They could have used some backups. So can you and your vendors, right? They could use the backup, right? So finally, Opinion 483 said in October of last year, it's not if, it's when something bad's going to happen. What are you going to do when something bad happens? So you'd have a plan. This is called an incident response plan. Vendors should be able to show you their
protocols for data breach. They should be able to tell you who they're going to notify and have a matrix. By the way, you should be somewhere on that list, you should be somewhere on that list that they give you of people they're going to notify, and history of breach. And it could be "now, we've never had one," or, more importantly, the answer I like better is "we have no known breaches." It's more honest, right? How do you know? You only know if you know; you won't always know. Now, if a vendor tells you that they have had a breach, that's not grounds for disqualification to use them, especially if they learned something from it and they can tell you what they changed and improved, in writing, not verbally, to make things better and to improve their security program. So it's not if, it's when, not just for you, but your vendors and for your clients. That said, it's super critical that you have a plan, and again, Opinion 483 last year said this has to be part of what the practice of law does, to report those breaches, which means that you need to make sure your vendors have as good of controls as you do in this area. It's interesting that that opinion was issued in October of last year, shortly after the worst breach, Equifax, in which Equifax did none of those things: had no incident response plan, they did not notify people of the breach, and they had histories of breaches but nothing documented. Shortly after, I don't know if there is a connection or not, but this opinion was issued, and it really does require us to ensure that we have these plans in place and that we are following our standards when we do have these plans in place with our vendors. The worst thing you can do after a breach is nothing. You have to tell the right people, especially if you're compelled to do so by agreement, as you know. So finally, if they haven't documented it, this is what I said before, if you haven't documented it, it doesn't exist. If they didn't write it down, think it through, test it, it doesn't work. And if somebody, going back to
the principle of how people answer the question, somebody says "let's get on a phone call and I'll explain it to you," no, send it to me in writing and then we'll talk about it. Demand documentation, because the ACC guidelines say you should have something for security review, and because the duty of technical competence in Florida in particular says you need to understand what measures are taken to protect the data, not just what you do but also what your vendors do. So hopefully this has been helpful to you, given you some natural, normal human language, not geek speak, to be able to talk about this particular topic. We also have, that will be available in the resource materials at the end of the day, I think, a third-party vendor checklist. It's basically a data security checklist. I've answered tens of thousands of questions, my team and I, from large banks, insurance companies, you name it, and spent a lot of time taking, you know, the top four of each area that's included in the data security checklist. So you guys can download that, look at that, use it if you want to as a template, or you can just ask the three questions and see what kind of answers you get. But the whole idea here has been to give you guys a sense of the threat landscape, what your responsibilities are, the duty of technical competence, and what you can do to make sure that your vendors are keeping you secure. So I mean, I think we've got like two or three minutes if anyone has any questions. Any thoughts or questions? We've got a microphone for you, this is being recorded. "So how do you pay for all of this? Do you have a separate line charge for your clients?" Not usually. So the idea is to bake this in, stitched in the fabric that's woven into everything you do. So if you just make some good choices, if, instead of using a Dropbox free account, you use a business or an enterprise account, there are some governance pieces you can put in place. And on that, it speaks to, for example, the class action filed
against a law firm for not protecting their clients', their own information, to the standard that they felt it was worthy. That was not something expected outside of the legal duty of representing those clients, so it is something to budget for and to make sure that you are on top of when you plan your year, and that's why we also give these three questions to you, because that's something that you can ask the vendors that you're working with that should be expected of them, and if they say that they, they should be doing this in their normal practice of how they're managing your clients' data and your information. Yes, so if you have somebody who does IT work for you, you should be able to ask them, you know, these three questions, and they should give you those answers, and you say "well, what can I do to improve my posture? What can I do to make sure everything's encrypted?" And you know, it's not that expensive, really, to encrypt a workstation. It's actually, with Windows 10 and Windows 7, well, Windows 10 now, you don't want to use 7, it goes out of support in January, there's a tool called BitLocker which you can use for free. It's part of the operating system, but you have to turn it on and understand how it works. BitLocker, it's just a component of Windows 10. "I have had my personal data breached by third parties three times in the last two years. Yes, I've done everything I can to protect myself once I found out. I was never notified. What can I do to execute suits against all these people?" You can sue anybody anytime for anything, right? Yeah, but I'm not a litigator, I'm an estate planner. So I'll give you a more practical answer, I think, okay, and what I would suggest is freeze your credit, freeze your kids' credit, always keep your credit frozen. "I had to open it because I purchased real estate, and I haven't been able to close it because I have to open other accounts, so I am fearful, but I have a credit monitoring system." Right, but that's
the only practical advice I could give you. I think we've got time for one more question. "Okay, in all of these discussions my question is, why don't you just unplug from the internet? Why can't they, you know, you've got some clients' sensitive information, put it in one server and pull the plug from the internet?" You can, you can. There are efficiencies that come along with it that most people, I think, would argue make it worth the risk. However, you know, the highest level security certification with NSA is air-gapped, right? You have a cage that prevents magnetic access, and that's a box that sits by itself. But the power of the Internet is the connectivity and the network effect of bringing things together, and the ability, you know, to pull out my phone and search for legal precedent or a cat video, right? So that connectedness gives us power, but it also gives us risk. It's like anything: you can do that, I just don't know if it's worth the risk at the end of the day. But again, you can, I just, most people don't. And the ABA rules, they do, in defining cybersecurity, they make the assumption that this is something you cannot opt out of. So when you can't opt out of the internet or being connected, that is why they adopt these opinions and make sure that people are aware that this is not a matter of if, it's a matter of when. If there are certain clients that you can do that with, like, that's something you definitely do, but the way that the Model Rules are progressing, and state law, and nationwide, it does make it a bit tougher and less convenient for practitioners to do. And the last point I'll make on this, because this is actually a great question, people laugh, it's a really good question, I think in the arms race of technology, discovery being a great example, if you try and do it yourself you're going to be outmaneuvered because of that connectedness and the agility internet-connected services give you. Discovery's
just one example. If you go it alone, or try and build a big enough organization that you can do it on your own, you're never going to be as good, you know, with ten people as the thousand people that do discovery for a living. You're never going to be as good as the other firms that are very specific and connected that you outsource to, these vendors. They're always going to be better at the one thing they do, just like an IP lawyer is going to be different from the standard corporate lawyer, from estate planning, whatever. It's going to be different economies, economies of scale and capabilities, that will make you outgunned and outnumbered if you disconnect. I think I'd say thank you, Jim and Haley. So we're going to move from cybersecurity, and now that you're all terrified, onto another tech topic, onto blockchain and FinTech and how they apply to the law. We have two fantastic panelists, let me introduce them. First, farthest from me, is Anessa Santos. Anessa has 16 years of experience providing trusted business counsel to technology startups and scale-ups on matters of blockchain, FinTech, business development, corporate law and governance, intellectual property, technology and securities. Anessa is a frequent lecturer at universities, conferences, seminars around Florida on varied topics such as the business of startups and the law, blockchain and ethics and data analytics, intellectual property and securities. Recently voted one of Orlando's best lawyers, Anessa mentors Orlando's technology accelerator, the Starter Studio. She's a director of the Florida Blockchain Business Association and is an active member of the Florida Bar's Technology Law Committee and Digital Currency Task Force. Anessa formally studied blockchain strategies and FinTech at the University of Oxford. She received her law degree from the University of Dayton and a bachelor's degree in international diplomacy from Wright State University. Speaking with Anessa is Craig Barnett. Craig's a shareholder in the Fort Lauderdale
office of Stearns Weaver, actually his bio says Greenberg Traurig, he recently moved, where he specializes in complex commercial litigation in state and federal court. Craig's represented national and international clients in contract and business torts litigation, judicial and non-judicial foreclosures, post-judgment collections and proceedings supplementary, and e-discovery matters. Craig currently serves on the Florida Bar's Digital Currency Task Force and served previously on the Florida Bar's Task Force on Proceedings Supplementary. He's been a panelist and lecturer on topics of blockchain, cryptocurrency and smart contracts. His article, "Cyber Lending: Perfecting Security Interests in the New Frontier of Cryptocurrency-Backed Loans," was published in Blockchain Magazine. Craig has a Bachelor of Science degree in policy analysis and management from Cornell and his law degree from the University of Pennsylvania. Craig is certified as an e-discovery specialist by the Association of Certified E-Discovery Specialists, and prior to entering practice Craig clerked for the Honorable Barbara J. Pariente. So I'm going to leave it to Craig and Anessa to tell you all about what's going on in blockchain and FinTech. Okay, so we had this super riveting presentation on data security and privacy before, and I love data security and privacy, it's one of my absolute favorite topics, and if you follow me on LinkedIn or Facebook you'll see that I am often making comments about how frustrating and irritating it is that our four big tech companies here in the U.S.
seem to get away with murder, and how often I wish that our government would hold folks like Mark Zuckerberg accountable for sharing and profiting off of our personal data, similar to what GDPR does in Europe. And that's what's got me so excited about blockchain. Blockchain is a new mechanism for data management at its core. So throughout today in this room you're going to hear all about data, data, data. What is the big deal about data? Well, everything in our lives right now is being represented in a digital form: who we are, our identities, what we purchase, where we shop, what we think about. We've probably all heard that story about that young woman somewhere in the country who received coupons in the mail for pregnancy items. The internet knew that she was pregnant before she did. Why is this? I don't know, maybe she was searching her symptoms, but this is how much information these companies and our government have about us. Blockchain is a new way to store, manage, record, access, analyze data at its absolute core, and it has these really nifty newfangled principles to it. When we think about what the qualities about blockchain are that make it so interesting, why is there so much information about blockchain, why is everybody talking about blockchain, what's super exciting about it is that it is the first data management system that has the opportunity to be completely, 100%, totally decentralized. This is why there's so much excitement about Bitcoin, because decentralized means that if you have enough folks that are participating in the blockchain network by maintaining or managing a system that keeps a copy of the entire history and record of transactions, and you spread those people far apart geographically, and you make sure that they don't all work for the same government, then what you have is a system of data management and replication that has no centralized control. It has no head. So when you think about who controls the internet, right, who's the president of the Internet? Well, we
can identify who the President of the United States is, we can identify who the president of Google is, or Facebook, or any other company that we can think of, but if I ask you who's the president of the internet, well, there isn't one. But there are task forces out there like the Internet Engineering Task Force, the IETF, and it's a body of folks and representatives from big companies and governments and industries and individual folks and engineers that are super interested in the topic, and they all gather together, just like we do here today in this room, and they say, what are the standards and protocols that we as a group think that we want to implement? And that's what Bitcoin is. Bitcoin is a blockchain that has agreed-on standards and protocols for how they're going to transfer value, and the folks that participate worldwide have decided that it's valuable, because they decided, like when I go on eBay and I want to sell, I don't know, my shoes or my handbag, and somebody decides it's valuable and they purchase that, right? So as a community we've decided that Bitcoin has value. It's immutable because it uses a cryptographic hashing method, which is an algorithm of security. Immutability means that it cannot be changed once the information about the transaction, any transaction that you can think of, purchasing shoes, selling a handbag, selling your Bitcoin, any transaction that you can think of, you can record information about that on any blockchain, and once it's recorded, if the blockchain is decentralized, in that it has achieved the status of decentralization, then it cannot be written over, it cannot be changed. And because of this, the history of information that is now recorded, immutable, replicated among thousands of nodes throughout the world, it leaves an audit trail that you can go back and look at, and it's secured, again, because they use cryptography to hash, right, which is a cryptographic method where you take the information about the data that is recorded and
stored and you encode it. And so this is why it's so exciting. And so you're probably thinking, well, that's really great, but why do you have a picture of a DNA helix? And I do that to remind myself to explain to folks that if you have a blockchain like Bitcoin or Ethereum that is sufficiently decentralized, that is magnanimous to the degree to where you cannot identify a head that you can cut off, like the CEO, then the information is so secure that it would require something akin to changing the DNA of all the cells in your body at the one brief moment in time in which none of your cells were in the process of cell replication, an impossibility for us today, and it's an impossibility to record over or change immutable data on a blockchain. So why should you care? You should care because what's really exciting is that blockchain is infiltrating absolutely every industry that you can ever possibly think of. Just like I've provided on this slide, CB Insights records 55 big industries that blockchain is expected to transform, and then of course as many more smaller industries in addition to the 55 that you see here. Why? Again, data. It's all about data. We think about data about our searches, and then we even think about data about data, which is called metadata. So anything that you can ever possibly imagine, any business transaction, could be recorded on a blockchain, and a lot of these industries are working on implementing blockchain into their existing or prospective business processes. And so blockchain is going to infiltrate every single area of our lives, both personally and our clients, the clients that we represent, and I eventually expect it also to infiltrate our court systems. This is why it's really important for us to take a look at it now, understand what it is, how it works, and how it's going to be integrated into our practices shortly in the future. Now, today's course was about blockchain and FinTech and identity, and I recently studied six months at Oxford taking various
FinTech courses, and that's why I was really excited to have this opportunity to talk to you today about what I learned. So here in the United States we have a situation where most of our big banks, well, let's just say they're a little bit resistant to servicing, adopting, or even speaking validly about blockchain and digital currencies like Bitcoin and Ethereum. Again, digital currencies is just one use case, one application for blockchain. It was the very first application. And so our banking system is built upon a legacy infrastructure. It's one of the oldest banking systems that's digitally operated in the world, and most of the infrastructure was programmed in a programming language called COBOL. COBOL is not compatible with today's programming languages. It's not compatible with blockchain, it's not compatible with the code that the Bitcoin blockchain was written in, and it's not compatible with Solidity, which is the Ethereum blockchain language, which is basically our second-generation blockchain. We'll get to that in a moment. And so because of these infrastructure challenges, banks are really reluctant to service it. Additionally, there's a lot of use cases for blockchain that we'll talk about momentarily where folks are able to take their funds, convert it into a digital currency, and use it as a payment rail to send remittances back to their country, to their friends' or their families' Bitcoin or Ethereum or other digital currency account, utilizing their mobile phone and the internet, and then on the other end they can convert it into their local currency. So folks are bypassing the banking system, and the banks are losing out on the transaction fees, so understandably they're not huge fans of Bitcoin. Nonetheless, they're getting on the blockchain bandwagon because they're realizing that if they don't do something about it they're going to be left behind. And so we're seeing a phenomenon in the United Kingdom in particular called challenger banks, and this is something that is
just now starting to gain traction here in the United States. Challenger banks live primarily online. They're wholly digital banking services. Sometimes they unbundle banking services, and they are presenting such a challenge, hence their name, to the incumbent banks in the United Kingdom that the United Kingdom big banks like Barclays had to sit up and take notice and say "hey, you guys are stealing all of our clients and all of our customers, you're providing services faster than we are, and you're providing services that we were unable to service." So they're partnering together and they're figuring out how it is that they can adopt and incorporate some of these new coding possibilities and blockchain into their operations. So some use cases that we're seeing come up here that are really great for the application of blockchain and financial technologies are the payment rails that we talked about, right? But I know there's a lot of conversation about, well, aren't people using blockchain and Ethereum and these digital currencies to commit crime? Well, by that same token, we should also abolish the US dollar, because prior to Bitcoin and Ethereum all the criminals were using the US dollar and other fiat, government-backed currencies to commit the exact same crimes. I know, I was a former public defender, right? So they're using that for payment settlements. Maybe you've heard of the JPMorgan token. The JPMorgan token is an internal blockchain that the bank JPMorgan instituted and built within their own network infrastructure with their own programming language, and what they're doing with it is to quicken settlements, right, of transactions, especially for larger corporate accounts. These transactions would take days to settle, but if you run it through a blockchain programming language and you're sort of converting it to a known internal coin, which is just a tracking ID, a representation of that transaction, it can happen within minutes and then be reconverted on the other end into the currency of that
particular government within minutes rather than within days. Another use case that we're seeing for blockchain is crowdfunding. You can have crowd lending, which is referred to in the industry as peer-to-peer lending. You have crowdfunding, which is where you're going out and you're sourcing folks under Regulation CF of the Securities and Exchange Commission's regulations; you're going out and you're sourcing funds, investment funds, capital for your business from the crowd. And then you can also have a representation of tangible and intangible assets, which is another great use case. So my car: let's say I'm short on cash, I own my car outright and I need a loan, but I want to use my car as an asset, because maybe I rent and I don't have a home and I can't get a mortgage. And so if I can take my automobile and I can convert it into the representation of digital tokens, and then I can sell those tokens to folks out there, then everybody owns a piece of my car, and then I get a digital currency in exchange, and then I can exchange that digital currency for the US dollar, and then I can go out and, I don't know, pay my medical bills or whatever it was that I needed to do with the money, and then I can go and buy back the tokens from my individual lenders. So that's another great use case. Oops, I hit the wrong button. Okay, all right, this is my absolute favorite topic. I get super psyched about this one, and it's the whole reason why I really jumped into the study of blockchain and FinTech to begin with, and that is blockchain for identity management. Now what on earth does this have to do with the practice of law? Oh my gosh, I'm so excited; it has everything to do with the practice of law. So when you think about your identity, maybe you're a Florida state resident, maybe you have a Florida ID, and you think about all of the things that you use that ID for. That identification is your gateway to the modern world, and without it, well, you couldn't be a lawyer, you couldn't have gone to law school, you can't take a
mortgage out on your home, heck, you can't even buy a home, you can't get a driver's license, you might not even be able to order that cocktail at the bar this evening when you're trying to recover from the brain drain that happened in this room today. About 1.1 billion people on the planet have no government-recognized ID, and half of the world is underbanked, which is something that I completely took for granted; I didn't know it was a thing until I began to study it. So what we're seeing is an international push by governments, by the United Nations, the World Bank and other not-for-profit organizations to create a decentralized ID system based on multi-factor biometric authentication to provide everyone on planet Earth an identification that is recognized by their individual government, as part of the United Nations sustainable economic development goals, in particular 16.9. Now this is coming, and there are folks here in the United States, big conglomerate-type corporations like the Rockefeller Foundation through the ID2020 Alliance, that are working on putting this together. We're seeing standards and protocols currently in development through the W3C consortium and the Sovrin Foundation, and this is gaining such traction here in our own government that the Department of Homeland Security put out an Other Transaction solicitation (the deadline was today to respond) for folks in our country to offer up solutions to be funded by the government into development for some of the identity problems we're facing here at home: for immigration, for import traffic and for identity generally. Okay, so smart contracts. Now if I've lost a few of you and I haven't had enough time to really go into the details of what is blockchain, what are smart contracts, how this all is going to impact you, etc., etc., then I really encourage you to go out to LegalFuel and watch last year's presentations, where we dedicated an entire hour to the discussion of blockchain, kind of like at a 30,000-foot level, and then the
second hour was on smart contracts, and you'll see that I took this slide from last year's presentation that I gave on smart contracts. And basically a smart contract is a software program that uses if-this-then-that, IFTTT, rules of programming so that you can execute contracts automatically with identified parties, identified terms, etc., etc., and you run it on top of an existing blockchain program. So Nick Szabo was the original thinker of the idea, the concept, if you will, of smart contracts. He is a contracts attorney and also a computer engineer, and so the vending machine, Nick Szabo theorized, was the very first example of a smart contract in operation: if you insert a dollar and then you punch a code, then the vending machine will spit out the $1 snack that you wanted. And so that's kind of how smart contracts work, and this is the second generation of blockchain. This is what is the big deal and why it exploded so quickly on the scene, because our first generation was this use case, Bitcoin. It was a game; it was supposed to be like Monopoly money. Nobody actually thought this would work or take off; this was fun between engineers. But then Vitalik Buterin, an 18-year-old kid in Canada (well, he's much older now), came along, and he had a problem with a game that he was playing, right, an online digital game, and he said, I want to find a way to make my gaming characters, their characteristics, immutable, so that, you know, the program can't push out an update and then screw up the characteristics of my gaming characters, which was a problem that he apparently was repeatedly having. So he took the Bitcoin programming code, he modified it, created his own brand-new programming language that integrated all of the handy-dandy newfangled properties of the Bitcoin blockchain, and he tacked on Nick Szabo's idea of smart contracts, and he said, I want to be able to create contracts, like actual legal contracts, where I put in the programming language the rules of the contracts, like the identity of
the parties, and, you know, if I paint your house then you have to give me $500, right? And so there would be a way to verify whether or not the house had been painted, and you can program that into the contract, and the whole darn thing, once you set it out there, just automatically executes itself. And that can create some troubles, which Craig here is going to talk to you about shortly. But this is the application that we're seeing that's exploding Bitcoin; this is why our third-generation blockchain, which is IBM's Hyperledger Fabric and other blockchains that are being developed and created and integrated into existing and prospective business processes of every major corporation on the globe, is taking over our lives just like the internet. And now I'm handing it off to Craig. Thank you very much.

If there's any one theme to this morning's program, and you've got all different presentations, it's the idea that one of the functions that we have in the legal industry is we are a data management system, simple and clear. We've done it for centuries. If you watch Game of Thrones, you saw Sam writing in the books what happened; that's data management. If there's one takeaway from our presentation, it's that blockchain is in fact a data management system. If anybody tells you or uses blockchain and cryptocurrency or Bitcoin as synonyms, run, because Bitcoin is a type of blockchain, it works on a blockchain; blockchain is much more than that, and its applications within the practice of law are, as we're going to see, limitless. One of the areas that has been significant in how blockchain is going to impact the law is in the area of real estate. A number of places have started to look at the notion of title. Title is, at its very essence, probably one of our earliest data management systems: how we record ownership and transfers of ownership and encumbrances on property. All of that, because of the immutability of the blockchain, is incredibly
well-suited to adopting this new technology, and in places like Sweden they've already started to implement that. And a little bit closer to home, Vermont has already started the process of allowing for a voluntary system to test the use of blockchain and digitization of property information as a way of moving from the traditional recording system, the traditional very centralized recording system, to a more decentralized system. Among the many benefits that you get from that is that it reduces the potential for either fraud or mistake. By the same token, though, that vending machine that Anessa had mentioned becomes particularly applicable when we talk about the use of blockchain in transactions, especially smart contracts. You can again think of nearly limitless applications for a smart contract within the real estate context: if you hit these certain performance goals, there is an automatic funding; you can peg things such as monthly rents, construction development, to benchmarks that are written into this smart contract, and when something is achieved, that project or that portion of the contract is funded and the next step moves on. By the same token, the notion of being able to use blockchain as a method of funding a transaction, providing for an automatic escrow: no longer would you have to worry about, you know, a human error or issue with respect to funding an escrow or releasing funds from escrow. If the contract is written in such a way, and the code is put in that once X, Y or Z condition is met that escrow is released, that will revolutionize how that is done. Finally, a number of folks have looked at the way to use blockchain and tokenization as a vehicle for real estate and investment. Just here this past spring, in the state of Florida, a company by the name of Inveniam Capital Partners began a process of raising 270 million dollars of investment through the tokenization of four different properties, the first of which was located just down the road in
Miami; it's the WeWork building. And the idea is that investors, instead of, you know, buying smaller portions, can in a sense bid on the investment and acquire it through a blockchain, through a tokenization. In this instance ICP is using the Ethereum network, but you can envision a number of different circumstances where different blockchain networks become the vehicles for different investments. Oh, I think you skipped it. Yeah, there you go. By the same token, the blockchain is available for government use and for law firms and data management. I'm not going to spend a whole lot of time on data management and discovery; there's a full program on that today. But the very interesting thing is, when you think of the use of blockchain for government purposes or law enforcement or the justice system, it's a significant way that can be used to store data and make it immediately accessible while simultaneously making it secure. Here in Florida there have already been some initiatives in that direction. Last year there was legislation proposed which was contemplated as having the Agency for State Technology work with the Department of Highway Safety and Motor Vehicles to look to the provision of digital driver's licenses. By the same token, there was some contemplation that there would be an amendment to the Uniform Electronic Transactions Act that would provide recognition of blockchain transactions as being a valid contract, as well as other provisions relating to the digitization of information. What we have here is a technology that, much like what we had perhaps in the early 90s with the explosion of the internet and everybody sort of scrambling to figure out what to do, you're seeing a similar thing here in the nature of this blockchain: what do we do with it, how do we use it and, significantly, how do we control it? It is a topic that is being discussed at both the state and federal level. 46 different state governments at this moment have something going on with respect to
blockchain, whether it's issuing opinions, enacting legislation, considering legislation; it is virtually everywhere. By the same token, the federal government at the same time is doing much of the same thing. You've got different state agencies, whether it's the SEC, the CFTC, the Federal Trade Commission, the IRS or FinCEN, all looking at this, all determining ways in which to make the use of blockchain technology safer. This is also not simply a domestic or US concept; in fact in many ways, because of a lot of the legacy infrastructure that Anessa mentioned, we are somewhat behind. For example, in Estonia they have embraced the notion of e-residency. Anyone here can actually become an e-resident of Estonia using the blockchain; when you become an e-resident, you can then open bank accounts and investment accounts there, start a company there. The notion is that this blockchain technology, as adopted by governments, is allowing governments in places that you didn't think about doing business in to make a community that becomes extremely business-friendly. Now, with these competing agencies looking at blockchain and looking at cryptocurrency in specifics, you are starting to see what is without question a varying view on what these products are, especially when you talk about cryptocurrency. For example, when you talk about the view of cryptocurrency in the federal government, they look at it in different ways depending on which agency you're talking to: the CFTC sees it as a commodity, the SEC sees it in their wheelhouse as a security, the IRS sees it as property and FinCEN sees it as a tool that you're going to use to try to steal stuff. With this slide, what we're trying to convey is that you've got some different states that are starting to show different ways of dealing with it, for a variety of reasons. Wyoming seems to have fully embraced the notion of accepting blockchain and virtual currencies as a significant factor in how it wants to do business. They've created the FinTech
sandbox, which is a regulatory relief for financial innovators to get through the existing laws as the laws develop. They have said, okay, we're going to allow you to see how this fits in with our current regulatory scheme. It also has authorized a number of new state-chartered depositories that provide banking on a blockchain. Other states have followed suit. New Hampshire recently amended its money transmitter statute to exempt businesses from selling, issuing payments, payment insurers, excuse me, payment instruments on the virtual currency. Nevada has banned local governments from taxing blockchain use. Delaware, which has been very significant about this, is using the blockchain for stock trading; for example, Overstock had done a security through tokenization as opposed to simply stocks. The federal government is also looking at this, and with respect to US congressional action, H.R. 2144, the Token Taxonomy Act, is looking to amend the Securities and Exchange Acts of '33 and '34 to exclude digital tokens from the definition of a security. That's to allow the SEC to then go on and make certain changes to allow for the use of this technology within our various investment mechanisms. A little bit closer to home, Florida has been in many ways a significant player in the notion of accepting and moving through the use of blockchain and cryptocurrencies. Back last year in June, it was announced that we would have a crypto czar to enforce the applicable regulations and to consider how best to protect Florida consumers in the sort of Wild West of cryptocurrencies and virtual currencies. In May of this year, just a few months back, we established a state task force consisting of 13 members which is going to, among other things, look at ways to develop different uses for blockchain and to coordinate the idea that we want a system of blockchain that doesn't bang into each other but actually works together. The Florida Bar here has recognized that this is an issue
that's here to stay and has formed a blockchain and cryptocurrency task force to help guide lawyers to understand these technologies and to work with the legislature to come up with ways in which they are best regulated.

Okay, I've been practicing law for about 16 years, and I remember when I was an undergraduate at Wright State University and they took me down into the basement. It is one of, at the time anyway, three universities in the nation where all the buildings were connected by an underground system, so we had a lot of handicapped folks that were able to attend the university, because during the wintertime you just hit the nearest building, take the elevator down, and you're good for the rest of the day. And they took me down there because that's where all the computer labs were, and that was the first time I had really been introduced to the internet. This was like way back when, when the only people participating in the internet were super engineer geeks and universities. Then I went to law school and I had to use the books, and of course I was introduced to Lexis and Westlaw, but Lexis and Westlaw weren't what they are today. And then I was admitted to the Florida Bar, and there were CLE courses on e-discovery. I had no idea what that was. The only litigation that I did was as a public defender, and you really don't hit e-discovery a lot in criminal defense, except maybe if you're representing Madoff in some sort of big Ponzi scheme where you've got loads and loads of documents being tossed at you. So I never really caught on to e-discovery. That wasn't Craig's problem; in fact he was one of the very first attorneys here in the state of Florida to even try an e-discovery case. And then there were all of these CLEs that were being pushed called IoT, Internet of Things. I thought, what is this, this is crazy, why all of a sudden am I getting all of this, like, wave of IoT stuff? And you know what, it never went away. And then I started
hearing about data security and privacy. This hit me about, I don't know, maybe five years ago, because I represent tech startups. About five years ago I just started seeing a wave of inundation about data security and privacy, and again I thought, all right, you know, the internet didn't go away and e-discovery didn't go away and IoT didn't go away; I thought I should probably pay attention to what they're talking about with data security and privacy. And now here we are with blockchain, and I have decided this is the new normal: every few years I'm going to get slapped with some new technology thing and I have to figure it out, I have to learn about it, I have to eat it, ingest it and make it a part of my knowing so that I have a clue when my clients encounter these kinds of issues, or maybe I even encounter these issues. So here we are, and blockchain is here to stay. It's not going anywhere. It's the new data management system for today and for tomorrow, and what's really crazy is that I'm seeing this consolidation in the industry faster than I've ever seen it before. I've been in the unified communications and collaboration industry for over 20 years, working with a series of successive startups developing proprietary patent portfolios by the hundreds that we licensed and installed in Fortune 500 companies four times over. And so, you know, I'm thinking, gosh, this is a lot to take in, it's overwhelming, it's going to take over the planet and integrate itself into every facet of our lives, and the way that we're managing it here in the United States of America, well, it's crazy. If you can't figure out what's going on with it, if you're googling it and you're seeing all kinds of stuff pop up on LinkedIn and Facebook and Instagram and whatever other social media channels you're on, and you're like, well, this person says this and this person says that and this regulator said this and I don't know who to listen to, you're not going crazy. It really is crazy out there. It's all screwed up right now, but the
industry consolidation that I saw in unified communications and collaboration, the industry consolidation that we all experienced with our cell phone carrier providers, the industry consolidation that we saw with internet service providers, I am now seeing industry consolidation of the blockchain industry at an absolute blurring pace. IBM is in the space, Microsoft is in the space, Facebook is in the space, Google's in the space; the big monster players are in the space, and I think they're going to eat up the little fish a lot faster than we've ever seen. The turnover, the switch, if you will, when we flip from the way that we're managing data now with cloud-based services, it's going to go like this, and in a moment everything in your life is going to be based on blockchain. It doesn't really matter what the state of Florida says in State v. Espinoza, which we're going to talk about, and it doesn't really matter what Wyoming or New York says, because there's going to have to be comprehensive federal legislation that makes sense. It has to, and the reason why is because data doesn't give a flying flat rat about our random, arbitrary state borders that are drawn on a map. Data flies, and it flies around the planet, and that data carries your information, and zoom, there it goes. And so whether it's stored on a blockchain, whether it's stored in Amazon Web Services, in the cloud in some gigantic server farm, I don't know where, Nevada (they have, you know, a great taxation scheme over there in Nevada, similar here in Florida, so I expect there would be a gigantic data center over there), it doesn't really matter how your data is stored. You've got to know what's in it, you've got to know where it's at, and you've got to know the way that it's being handled, for you and for your client. So we had this case here in the state of Florida which is really interesting, and it's interesting because it makes me really mad. I think this is a stupid holding and I don't agree with it in the slightest. I'm going to tell you why.
So in this case we had a guy named Espinoza. He wasn't actually a very good guy; he was kind of doing some stuff flying below the radar where he was going out buying some Bitcoin and then he would turn around and sell it to other people for cash in the hand, right, like actual dollars in your hands, not like a digital transfer. And so they would get together in backdoor places and he would negotiate these deals, and so law enforcement kind of caught on to it, and so they did a little undercover op. LEO means law enforcement officer, in case maybe you didn't know that, so Detective Arias was the LEO in this case. And so he found out about Espinoza and he calls him up, pretending to be somebody else obviously, and he's like, well, you know, I need to make a little transfer, and Espinoza's like, sure, dude, I could totally help you out with that. So they get together and they meet a few times, and Detective Arias, well, you know, it's getting a little chatty, he's like, well, you know, I kind of need to do this, like, under the table, like, you don't really want people to know about it, because I'm going to do some stuff with it that I probably shouldn't be doing. And Espinoza was like, no problem, dude, I got you, right, don't you worry about it, I got you. And so they make multiple transactions, and Detective Arias is pretty clear about what the funds are going to be used for. Espinoza doesn't care, because how he got the funds was a little bit shady as well. And so Detective Arias kind of has all of this on tape; it's all a big undercover sting. They get the guy, they bring him in, they go to trial, and in the trial court the state approves, or, oh yeah, they approve Espinoza's motion to dismiss that says, well, Bitcoin is not currency, so I can't have committed a crime because it's not currency; I'm basically exchanging an asset for an asset. Remember earlier I talked about, I like to talk about shoes and handbags a lot, so we'll stick with that, it works for me. So it would be kind of like if
I'm exchanging shoes for a handbag. And so the trial court agreed, and then the state appealed it up to the Third District Court of Appeal, and the judge didn't agree. And the judge was like, no, it's not, no, it's not; you know, I agree with Detective Arias, dude, you're a bad guy, and because you are exchanging Bitcoin for cash in transactions that you know that you shouldn't be doing, because it's all criminal-like, right, we are going to reverse and remand. And so they did. Now here's why I'm really uncomfortable about this. There are Bitcoin ATM companies out there, and these Bitcoin ATM companies are registered with FinCEN properly, and they're going out and they're purchasing this asset, Bitcoin, for themselves legitimately, and then turning around and selling it to the public, but they're getting the know-your-customer required information. When you go to a bank, they have to verify your identity and the source of the funds and what you're going to be doing with it, you know, and all that good stuff. Any time we want to go and open a bank account, it's different at every bank you go to; there are reasons for that, but it's outside the scope of today's conversation. And so they get all of that information from folks that are utilizing the Bitcoin ATM, and it's all legitimate, it's trackable and it's traceable and all that good stuff, because, remember, Bitcoin transactions are auditable. And so this court is basically saying, no, we don't think that you can do that anymore, and they want to put legitimate businesses out of business. And this makes me mad, because as a public defender I represented a Guatemalan guy who couldn't open a bank account. He was an immigrant and he was working in the fields of Immokalee, and he had to get paid in cash for a thousand pounds of tomatoes he moved every day for $62, and he would have to save up that cash as a wad carried around with him for security purposes until he got enough to where he could go to Western Union and be subject to
robbery. This is a major problem, and I was thinking that if I could just install a Bitcoin ATM at these locations, dude could, like, transmit his cash this way and then remit it back home to his family in Guatemala through their cell phone in a digital wallet. Only now this court doesn't want to see that happen, and I have an issue with that. So I called up the Florida Office of Financial Regulation, who issues and regulates money transmitter, money service businesses, and I said, are you now going to require these kinds of companies that are buying and selling for their own account to have a license? And they said no. And I said, did you read the case? They said, yes we did. Did you all get together in a room and sit down and talk about it? Absolutely, yes we did, and we don't care. I was like, wow, you don't care. They said, no, we don't care, we don't agree with the case. So right here in our own state of Florida we're seeing a major disconnect between our regulatory authorities and our court systems. And so subsequent to that case there were some legislative amendments made, which you can read about later; essentially the definition of monetary instrument was amended to include the term virtual currency. But I really think that a lot of this is probably going to eventually be preempted by the federal legislation that Craig talked about here earlier. Other notable case law that was cited in Espinoza: all of this is going to be available for you all to read later. And so what the state of Florida has done then is that Governor DeSantis signed Senate Bill 1024 recently. He now has less than 90 days to approve the appointment of 13 folks onto the blockchain task force. This is how the appointments work, incidentally. We have Sam Armes to thank for this; he's the executive director of the Florida Blockchain Business Association, and he's also the director of the blockchain development project for the Seminole County Tax Collector. They want to be able to accept Seminole County taxpayer dollars in
Bitcoin. But Sam was unable to be here with us today; you know, he put together a lot of these slides and helped us sort of coalesce all of the different kinds of legislation that are happening around here in the United States. And so one of the things for us to think about is that the United States is incredibly slow to provide cohesive guidance or implement adoption in comparison to what is happening absolutely everywhere on the planet. Wouldn't you say, Craig? Absolutely. What is your perspective on how that works?

And I think that the presentation this morning was really to highlight how expansive and how extensive the use of blockchain is going to be as we practice law, as we work with legal services over the coming years and decades. This thing is going to move faster and faster, from preventing counterfeit products, those shoes and handbags that you're so fond of, to how we record real estate transactions to how we do business, and it's something that will just revolutionize so many areas. But at the same time, as I know you pointed out, it's going to allow banking services and other more essential things to be brought to folks in places that don't currently have them.

Yeah, like we're seeing Singapore, Dubai, the United Kingdom, Indonesia, the Philippines, South Africa, Nigeria. These are all jurisdictions that the Oxford program required me to study extensively about: what does their political, economic and social situation look like there? And where we have the world's bottom billion, those people without an ID, the world's two and a half billion underbanked, their governments are a little bit more streamlined. So that's kind of one of the benefits of having a bit more streamlined government: they're able to implement a lot of these identification solutions. Like Nigeria in particular: they have the world's most advanced smart ID program, so your ID also serves as your passport; it also has five applications that come pre-loaded onto the card,
including a MasterCard application. And so there are a lot of things that you can do with your ID that you can't do here, and they're finding out that with the implementation of blockchain, the faster processing times: this know-your-customer process that banking requires in many countries can take six months to verify an identity, and the reports are that know-your-customer is about fifty percent of the cost of onboarding a client, and it's absolutely substantial. And blockchain is streamlining all of this, making it absolutely financially profitable to bring in the world's bottom billion and the world's two and a half billion underbanked and offering them additional services. It's absolutely revolutionizing the lives of people all over the world. Well, I think we've got about three minutes left for questions, and then of course Craig and I will be available in the back after, and we're going to take a ten-minute break when this session is over.

One of the biggest questions I have is, I always hear how Bitcoin is supposed to be so secure, so it's traceable, trackable, secure, but yet every ransomware attack is done with Bitcoin, and I've never heard of one ransomware attacker ever being indicted or found, who these bad actors are, but yet they use Bitcoin.

Are you talking about BitTorrent-type software, like peer-to-peer?

I'll just stop there: all the ransomware attacks, which I have been a victim of, they always require Bitcoin as a transaction mode, and at first I thought it was, oh, it must be this, you know, underground thing, but then as I studied it a little more, it's supposed to be more secure and more traceable and more trackable. Mm-hmm. How do they not catch them, since they're using Bitcoin?

Okay, so there's a sub-question in there, and somebody's going to ask it, and it's really easy to answer real fast, which is: if blockchain is so secure, then how come I hear about these blockchains being hacked? That's part A of the question, and then part B is your
follow-up question. So we hearken back to the beginning of the presentation, when I talked about this magic idea of decentralization and how a blockchain is going to achieve this grand state of decentralization that the Securities and Exchange Commission has identified Bitcoin and Ethereum as achieving, which means that it's a currency and not a security, right, the coin, the digital token, if you will. So the way to achieve that, and this sort of leads into your question, the way to achieve that is that you've got to have the folks that are maintaining the network with their computer systems, right, either in your back office or their garage or whatever it is, and they've got to be geographically diverse, and there has to be a substantial number of them. So when you talk about these brand-new baby blockchains that are coming on board, and you've got a group of folks that are managing it and you can identify them and there's ten of them, right, to overcome the system and hack it you just need to have 51%. So if there's 10, then you have six of these machines to hack the system, change the record of transactions and overcome it. That can't happen in Bitcoin and Ethereum, because they're too huge, and because to overcome 51% of it you would have to literally go out and buy yourself and install and operate at least 51% of your own hardware in order to overcome it, and it's just too costly; you're not going to make enough money, so nobody bothers to do it. That's why those aren't hacked; that's why the little ones are hacked. Now, to get into your question, one of the leading technologies that's involved in blockchain is BitTorrent, and I talked about this last year in the presentation, and BitTorrent is a peer-to-peer system that maybe we've used with Napster, Kazaa, LimeWire for music file sharing, but that system is distributed, not decentralized, right. And so the reason why they may be asking you to pay in Bitcoin is because Bitcoin utilizes a pseudonymous algorithm for crypt-, well, I was about
to conjugate a word improperly I was trying to take cryptographic and turn it into a verb and I can't do that they convert it using cryptography into an identification that's hard to figure out who is operating on the other end it's difficult to unwind that and figure out okay so this gigantic you know 28 digit code represents Anessa Santos me right on the other and it's hard to do that for this reason the Financial Action Task Force which is a you know dozens of intergovernmental agencies have got together and this is the reason why they're enforcing kyc AML CFT standards for anybody that is opening up a wallet tied to a Bitcoin account so that is all changing to where you will be able to identify the bad actor on the other end [Applause] we're gonna move now from cybersecurity where we started to blockchain and now to to privacy so let me introduce our speaker we're panels are whittling down were down to one speaker in this panel but he's fantastic speaker and introduce you to Joshua marks who is a senior consultant in focal point data risk data privacy consulting practice Joshua focal point has aided multinational corporations in EU general data protection regulation if you don't know what the GD P R is you're gonna learn in those remediation efforts he's assisted with HIPAA compliance program assessments and implementations joshua has also assessed and built readiness plans for companies seeking to address new data privacy legislation such as the California consumer privacy act and Brazil's new data protection regulation before joining focal point Josh was practicing at civil litigation attorney for 10 years he's the incoming vice chair of the Florida Bar Standing Committee on technology where he previously chaired a Subcommittee on data privacy and security laws affecting lawyers in addition josh is the incoming second vice chair of the business law sections computer and technology law committee so josh is going to tell you everything you need to know about 
data privacy. With that, please welcome Joshua Marks. [Applause]

Thank you. Okay, so I'm here to talk about a survey of data privacy laws and the compliance methodologies used to comply with those laws, but before I get started I just wanted to take a quick poll, just by a show of hands. How many people in the audience have addressed privacy laws in their practice with more entrenched laws like HIPAA or GLBA? Okay, we have a few. And how many people have addressed newer data privacy laws, involving more recent laws like GDPR and CCPA, or maybe even addressed DSAR requests? Okay, let's see, we have a few. And how many people just heard a bunch of letters and they're not really sure what they all mean yet? Okay, good, good. All right. So the purpose of this seminar is to conduct an overview of data privacy laws. We won't cover every single one of them, but we'll certainly cover a few major ones and look at the differing approaches that are taken by companies to comply with those laws. So the goal is to sort through this alphabet soup of data privacy legislation and be able to identify where your clients might need to comply with these regulations, and have more knowledge about the changing data privacy landscape, as it does change on a seemingly weekly basis. [Music]

So, quickly, an agenda for this talk: we'll go over an introduction to the data privacy legislative landscape, look at a US sector-specific privacy law, HIPAA, and a few others, take a look at the GDPR and the CCPA, and then talk about considerations for the future and possibly a federal law. So before we get started: data privacy, what is it? Data privacy essentially is the right to control how information is collected and used. When we talk about privacy versus security, if we make a distinction, it's usually around privacy focusing on the use and governance of data, for example policies on sharing personal information, and security around the protection of data, for example protecting it
from attacks and exploitation. So security is absolutely necessary for privacy, but it's not always sufficient for it. Data privacy in the news: last year was a big year, 2018 was huge. We had the GDPR coming into effect, the Cambridge Analytica Facebook scandal, and Mark Zuckerberg's testimony took place. It really brought to the forefront consumer privacy rights and laws and those issues in the public discourse, particularly in the United States, and we saw the enacting of the first comprehensive consumer privacy law at the state level, which was the CCPA, the California Consumer Privacy Act, and that will go into effect January 1. We'll talk about that in more detail. Just a few weeks ago, Nevada passed a consumer privacy act, not as comprehensive, but it is in the news, and more state laws seem to be coming, and state legislatures are considering it. There are also several versions of a proposed federal privacy law in the works; the reason is looking for harmony across different states. As Anessa pointed out in her presentation, data doesn't give a flying flat rat where you are. I like that quote and I decided to use it, thank you, Anessa. So before going any further, I just want to highlight that privacy and security certainly shouldn't be strangers in the legal landscape for attorneys in their practice. As we heard this morning from Haley and Jim, ethics rules have mandated certain safeguards to be in place in the security realm. You have Rule 4-1.1 around competence, requiring safeguarding of confidential information relating to the representation, including electronic communications, and they talked about security controls that should be in place in the law firm to protect that. An additional interesting note: Rule 4-5.3 around non-lawyer assistance mandates that attorneys ensure non-attorney staff are working appropriately and safeguarding confidential information.
There's an ethics opinion, 12-2, that I also wanted to highlight, that states it permits a lawyer to give login credentials to a staff member for the e-portal in order to permit filing at the court level. The opinion also states that lawyers must immediately change the password if the non-lawyer employee leaves the firm. So in essence this is a cybersecurity requirement in an ethics opinion, the de-provisioning of credentials, that could potentially be extrapolated to the rest of the firm. So just a highlight of how that is impacting our profession. And in addition, of course, which was cited, ethics opinion 12-3 emphasizes the lawyer having an ethical obligation to understand the technology they're using and how it impacts the confidentiality of information. And what we'll see in looking at HIPAA is that some attorneys may also have very specific privacy and security obligations around PHI, protected health information, as a result of that rule, so we'll talk about that. And of course knowing the broader data privacy landscape helps you represent your clients better and understand the issues in a business world where data touches really every size of business. So, going back to the difference between US privacy legislation and EU legislation: in the US, historically, at the federal level it's been a very sector-specific approach. We have health covered by HIPAA; finance, for example, the Gramm-Leach-Bliley Act covers that sector; and FERPA, the Family Educational Rights and Privacy Act, covers the educational sector. At the state level, before the CCPA or some other consumer privacy laws we talked about, we've seen states enact data breach notification requirements and requirements around reasonable security measures to be in place. Florida has its own, the Information Protection Act, that addresses that as well. If we compare that to the EU's approach, it's been a cross-sector approach historically, and with
the enactment of the GDPR it sought to harmonize legislation of the EU Member States. It took effect in May 2018. It does have a cross-sector scope, and we'll cover it in some more detail and why it is still important to consider for US companies. So first, taking a look at a US sector-specific law, HIPAA. It's not a female hippopotamus; it's a health privacy and security regulation, the Health Insurance Portability and Accountability Act, one of the older, more entrenched laws that we see, and certainly quite detailed. What is it? It protects sensitive information known as protected health information, and in a nutshell it spells out the privacy and security protections for that information. It also guarantees individuals rights to access health information and how it is used and disclosed. So it's going to apply to what are called covered entities. These include health care providers like doctors and hospitals, health plans, health insurance companies, and health care clearinghouses that are involved in the back-end operations. It also applies to business associates of covered entities; these perform certain functions that involve the use and disclosure of protected health information on behalf of covered entities, or they provide services to covered entities. Some examples could be you all, attorneys. An attorney can be a business associate of a covered entity, certainly if it receives protected health information, or PHI (if you hear me say those three letters, that's what that means), as part of their representation. They could be a business associate, CEOs (catching myself, I was about to say DEA) of the covered entity. It could also be transcription services, IT companies, disposal and shredding companies. So what are some key components of HIPAA? Well, it could be divided up into the Privacy Rule and the Security Rule. The Privacy Rule focuses around protecting the privacy of individually identifiable health information, for example the right to access and amend your PHI, the right
to request restrictions on the use and disclosure of that PHI, rules for using and disclosing PHI collected on individuals, like providing a privacy notice and limiting use and disclosure in certain circumstances around family or law enforcement. So it has quite a few requirements around those different circumstances of what you, as a covered entity, might do with information. And the Security Rule concentrates on the implementation of safeguards that protect electronic PHI. So what aspects is it looking to protect? Well, it's looking to protect the confidentiality, integrity, and availability of that information, otherwise known in information security circles as the CIA triad. When we talk about confidentiality, mainly we're talking about protecting from unauthorized access, for example; integrity, protecting against improper alteration of that data; and availability, keeping that data accessible and usable. So how is it going to protect it? The implementation specifications of HIPAA spell out three general categories of safeguards. These include administrative safeguards, which would be those great information security policies and procedures that you heard talked about earlier today, contingency planning in the event of a disaster, for example, the contracts that you have in place, and of course, very importantly, the security awareness training for covered entities' employees or business associates' employees; physical safeguards, locks on the doors, privacy screens in areas where a screen might be viewed by the public; and technical safeguards, so all those controls that you heard talked about earlier today, those are examples of technical controls that can be used to protect PHI. And another key aspect of HIPAA is breach notification, and that requires covered entities and business associates to provide notification to individuals following a breach of PHI. It outlines specific procedures for identifying and reporting incidents involving PHI, and particularly to the Department
of Health and Human Services Office for Civil Rights, which enforces and administers it. And here's an example of a top health care breach: we have the Anthem Blue Cross breach, which is often cited. It happened not too long ago, January 2015; 7.8 million people affected, and you can see broken out here some of the costs associated with that breach: 31 million just in notification cost, so just the cost to notify the individuals, and that doesn't include the 100 or so million for security improvements and the millions to involve experts, and lawsuits have spawned from it. So it's certainly a very important thing to keep in mind: these breaches of data can be quite costly to any organization, not just large ones like an Anthem Blue Cross. So how does a company, or one of your clients, go about assessing and building HIPAA compliance? First step: conduct a gap assessment for compliance. So we talked about HIPAA having two sections, security and privacy. On the security side of things, do an analysis of the current state of those security safeguards we've talked about in comparison with the HIPAA rule and the implementation specifications for each of those safeguards, so the information security policies in place and your training in place, and see if it's aligning with those requirements. On the privacy side, very similarly, match up your policies, your procedures, and also the practices that are in place, to ensure that those HIPAA privacy policies and procedures are actually being followed by staff, and then note any gaps for each one of the requirements within the Privacy Rule, as we talked about, the right to notice and the right to amend. Next, conducting a periodic risk analysis is a crucial Security Rule requirement. It's an evaluation of the likelihood and impact of threats to the CIA triad of ePHI. So what is the likelihood and impact to the
confidentiality, integrity, and availability of PHI? So OCR provides some guidance on this. First, it's an identification of a threat. What's a threat? Well, a hacker trying to infiltrate your system, or maybe a threat could be a natural disaster like a hurricane coming and wiping out your systems. Then you'd identify the likelihood of that threat occurring and what would be the impact of that threat. So, for example, hurricanes: maybe not that common in Michigan, more common in South Florida, so that goes to likelihood. Impact: something coming and wiping out your servers because they're on site could be an impact. And next, those two aspects, the likelihood and the impact of that threat, can be paired together and give you the inherent risk of that threat. So before we think about all those controls that we talked about, the training, disaster recovery, backups, everything else, we have the inherent risk of that threat. And next we consider all those great controls, and we think about them: now that we have all those controls in place, how does that change the risk? And that's what we call the residual risk, the risk remaining after those security controls. So there's certainly a lot more to address with HIPAA compliance, but the purpose of this is just to give a survey of some of the sector-specific laws, so I'll cover just a few more. We mentioned the GLBA, which protects consumer privacy through the regulation of data sharing between financial institutions and their affiliates, so it's specific to that financial sector. It's governing the use of what it calls non-public personal information, which includes identifiable financial information. Some key features would be a notice requirement, which we all get with our credit cards, a right to opt out of sharing information, and implementing an information security program, similar to how we just discussed. The TCPA provides limits on unwanted telephone solicitations,
essentially unsolicited fax machine advertisements and automated dialing. And FERPA, my favorite law to say, provides rights over education records, specifically to parents and students, the ability to review and correct, and there's an option of consent on disclosure for that one, and we'll go over what that means, and some other regulations, and that's enforced by the Department of Education. So we see how the US has historically taken a sector-specific approach in US laws. Let's take a look at how the EU is doing it now with the General Data Protection Regulation, the GDPR. So as I said before, the GDPR was created to comprehensively harmonize EU privacy law across its member states. It went into full implementation on May 25, 2018, and this is just a timeline of the progression of that regulation. You see it was in the works for a while, and an adaptation of what existed before. So GDPR scope: this is a very big question, sometimes a very divisive issue in circles. It's a complex topic. It's informed by understanding an organization, its data, its processing activities, and we'll explain what that all means in a little detail, but in a nutshell the focus is on the business's activities. So GDPR may cover processing of personal data by businesses established in the EU, and "established" implies some exercise of activities through what it calls stable arrangements with the EU. It's a broad interpretation, and some guidance even suggests that the presence of even one employee or agent of a non-EU company may be sufficient, but again it is a complex analysis. And next, it could apply to non-EU businesses where processing relates to good or service offerings to individuals in the EU, or monitoring of the behavior of those individuals. Again, there's some guidance on this. Recital 23 sets out that it should be apparent that the non-EU established entity envisions offering services to data subjects in the EU. It suggests some intent,
some evidence of it, for example websites: the website should somehow be directed to the GDPR data subjects, those are the people who are subject to the GDPR, and this might include translating the website into the language of a member state country, or using the member state country's currency, or mentioning other users or customers in the EU. Again, this is a complex topic; certainly legal counsel is critical to determining the applicability of the GDPR to the organization, and we'll get into a few aspects of how to evaluate the organization and look at some of its processing activities. So I mentioned personal data, but I didn't define it. Personal data is any information relating to a person who can be identified directly or indirectly: name, location, genetic information, economic data. And who are the data subjects that I was mentioning before? Pretty much anyone: employees, customers, prospects, vendors. It certainly can apply across the board as far as data and data types and data subjects go. And also, when thinking about it, I think in the green bubble in the middle, that might be hard to see, but complying with this regulation really crosses department boundaries within an organization, regardless of its size, and crosses boundaries of systems and types of processing. So I talked a lot about scope in GDPR, but what are some key concepts to understand in that law? Well, first, crucial to it is understanding the controller and processor relationship under the law. Put simply, the controller determines the purposes and means of processing personal data, and in this case processing really means any set of operations on personal data: collecting it, storing it, disclosing it. It's quite broad. And the processor is the entity that processes personal data on behalf of the controller. So there's a relationship there, and sometimes a complex relationship involving multiple controllers or processors. Next is a requirement that
the GDPR requires a basis before a processor can process personal data. We'll go into detail on what some of those bases might be, but just know that that is a threshold under this law. And next, quite large, several articles under the GDPR establish data subject rights. When I said DSARs earlier, that's what some privacy people call it, DSR. That's a right that a person has to their data: accessing it might be one of those rights, taking their data and putting it somewhere else, deleting the data. So when we talk about data subject rights, that is what we mean, and we'll talk about how a company might build out a program to comply with those types of requests. And of course, very importantly, the security of processing information, so there are requirements on security controls if you're going to process covered data. In addition, the company should include records of processing, and controllers maintain these records of processing activities. They describe the purposes of the processing, the affected data subjects, the types of personal data and the data recipients, and any third-country data transfers. So it's accountability; it's a way to describe the processes in your organization, and it's certainly crucial to other aspects of compliance, understanding where your data is and where it's going. And next, data protection impact assessments, Article 35. This is carried out on any high-risk processing activity before it's commenced, and in order to figure out what a high-risk activity might be, usually there's some pre-assessment that's done to determine that, kind of a shortened assessment. Once you get to the assessment stage on data protection impact assessments, you'd want to look at things like providing a description of foreseeable processing operations, the purposes of processing, how necessary and proportional the processing operations are in relation to the purposes, and what safeguards are in place around that
information. Crucially, so we talked about the lawful basis of processing: these are some of the lawful bases and general categories that can be provided in order to process personal data. So this is really key. It's certainly, in many respects, a legal determination, but it can definitely be informed by a discovery process in the organization, so doing your records of processing and understanding what the organization is doing with personal data for each type of its processing activities. So it's collecting information, and maybe it sells that information to someone else, or it collects that information for its own use because it needs to administer payroll to its employees. Think of the many different things that a company might do with data, right? And so we look at the records of processing and it helps inform this. A clear example: consider the lawful basis would be consent, the data subject consents to the processing; or it might be necessary for a contract with the data subject; or there could be some legal obligation for the needed collection; or it could be in a vital interest situation, like an emergency, a medical situation where the data subject is unable to consent; or it could be in the public interest; and lastly, and more complex, is the legitimate interest. So is the processing necessary for the controller's legitimate interest? And this is definitely a balancing test. It's certainly informed, like I said, by an understanding of the organization, how the data flows through it, and why data is being used. Some clear examples: legitimate interest around fraud prevention is fairly clear, or ensuring network and information security, or preventing a criminal act or something like that. Others are possible but probably should be documented: our processing of employee or client data, or administrative transfers between groups of companies. So just some examples, but certainly knowing about the organization and how it
uses data is crucial to establishing a lawful basis for processing. These are some examples of the data subject rights under the GDPR, and what we see are some common themes across data privacy legislation, right? So access: we learned about access in HIPAA, the ability to access your protected health information, or the ability to access your personal data under GDPR. The right to erasure, so the right for you as a data subject to request deletion, and the right to data portability, so the right to take your information and bring it somewhere else in a readable form. And others are self-explanatory: we have the right to amend data, or restrict the processing, or object to processing. But we see common themes across privacy legislation because privacy concepts do have common themes. So we talked a little about the security of processing under Article 32, which requires processes for evaluating the effectiveness of security measures around personal data. So know the security of your data flows, as was mentioned earlier today, and it's just as crucial here. It's a broad standard under the GDPR, but we can seek alignment with certain industry standards like ISO 27001 to help build out what security controls an organization should have in place in order to comply with GDPR, and pair with those industry standards. So as an example, this is just a high-level example of a mapping of some GDPR provisions to more detailed ISO controls. We have some great details: so under 32(1)(b), the security of processing, the ability to ensure the ongoing confidentiality, integrity, availability (sound familiar?) and resilience of processing systems and services, and the ISO breaks out some subcategories of controls that can be used to ensure that we're complying with that article. We have controls around logging and monitoring your systems, malware protections, information security procedures. Again, these are common concepts that are across the cybersecurity realm
So how does a company, or perhaps one of your clients, go about ensuring that they are compliant with GDPR once they determine that they're in scope? Well, first is conducting a gap assessment, as I discussed earlier; it's applicable here as well. So measure the gaps first: assess the system security for each of the systems that process personal data. As discussed, you might want to use an industry standard framework to do that, and then measure gaps with whatever the current privacy program in place is, if there is one, or current practices in place, against the GDPR requirements that I talked about. So what is in place in your privacy program, for example, to provide access, if you even have one? And then, knowing the current state, provide a project plan that maps out, for each one of those requirements in the GDPR, what steps need to be taken to change the organization in order to facilitate alignment with GDPR. We could call it a road map if we'd like, but it's a mapping of particular tasks, and it's certainly customized for whatever entity; it's going to be very unique to any company or organization that's using it. And next is operationalization: so create those governance functions, do your data protection impact assessments, create a data subject rights program, and make sure that people are trained in understanding that these are rights under GDPR that certain individuals have, and recognizing it. And first-line staff is crucial to compliance: if you don't have training in place, you could have the best policies and procedures in the world, but the practices are going to falter. And next, ensure there's ongoing support to mature and manage the program. So of course responding to requests is key, but mature that program at the direction of a data protection officer, which is a position required under GDPR as well. Here are just a few examples of how GDPR can touch even a small
organization, right? So it's a broad scope. It would touch the engineers, the privacy department, security, clearly legal, the customer support and marketing. Every part of the company is going to play a role in ensuring ongoing compliance with the law. So what are some of the key areas that we see organizations focus on in establishing compliance? I won't go through every single one listed here, but just to highlight a few based on experience: obviously implementing encryption policies, and in systems where it's needed, is key; having a system-specific assessment program, so evaluating the systems that handle personal data; and enhancing your breach notification procedures to comply with the very particular requirements under the GDPR. And we have just a few more examples of some key areas for compliance to highlight: vendor risk management. Certainly we learned about it earlier today, and it's just as crucial here. Understanding what vendors have access to data and what they do with it when they have it, and the security in place at those vendors, is crucial to compliance, and GDPR does require controllers to ensure that their processors, in that controller-processor relationship, implement appropriate measures to meet those requirements. And of course we have the DSR program that we discussed, and then training, again very important, in designing training around GDPR and the rights associated with it. And finally, for a company that might feel it's built out compliance with GDPR, what options are available to evaluate that? Well, a company could conduct an audit. It allows measuring the alignment of the GDPR articles with the policies, the procedures, and the practices in place. It could be internal audit that performs it, or legal, or the DPO. Interestingly, a micro-audit could be done, and this would be an area where you break out certain related topics and focus comprehensively on
that area, like they might carry it out on the data subject rights process or the breach response or vendor risk management process, to evaluate how well the organization is doing, but again it depends on what the organization is ready to have audited. Okay, so at a high level that's the European approach, and that was pending, if we talk about legislative history, that was pending and about to be enacted when CCPA was being considered. So we can see some general overlay between the two, but certainly just because there's GDPR compliance does not mean that there's going to be CCPA compliance, and we'll note some differences as we go through here. And again, CCPA is the California Consumer Privacy Act. So it was passed last June; it goes into effect on January 1. 500,000 US companies will need to comply by 2020. It's quite a few; it's going to span different types of companies and sizes of companies. And in a nutshell, it will provide several new rights for California consumers: so the right to request information on the personal information a company has on them, including the source of that information, its purpose, and information on how that is shared. California residents can request deletion of their information, with certain exceptions, and again we see data portability. So we can see this general trend in privacy laws, right, these similar concepts throughout. And then something fairly unique to the CCPA is to request opting out of the quote-unquote sale of personal information. What we'll see is that "sale" is actually an incredibly broad term under that law. Sale includes not just a monetary transfer of information for money; it could include even sharing personal information between companies if it's mutually beneficial in some way. So certainly this is a key analysis, but knowing that those transfers exist certainly is the first place, and we'll talk about that in a minute. So the scope: it's going to be
any business that operates in California that has 25 million in annual revenue or it could be processes the personal information of 50 thousand of consumers households or devices which sounds like a lot but it really could not be or it earns more than 50 percent of its annual revenue from selling consumers personal information it could be more that one could be more focused on like data brokers but certainly you know it has a fairly broad scope the law can definitely attach to companies within this state and other states and you know knowing just kind of general provisions and how companies comply is crucial because as we'll see other states are enacting similar laws so what is personal information under the CCPA some similarities here with GDP are but it's quite broad its any information that identifies or could reasonably be linked to a particular consumer when I say consumer I mean California resident so some companies might think oh it's the it's our customers and that's not the case its consumer or the household so common things like name are included address but then also geolocation biometric data biometric is like your fingerprint or like an iris scan we also see quite a broad approach as far as personal information including consumption histories of people profiles built of consumers or households again this is not technology that the biggest companies in the world are employing this is technology that many companies employ to know more about their customers and consumer browsing behavior online in addition to any information related to a household like utility usage or a car or a VIN so here are some key rights I mentioned a few of these earlier but these are kind of central place to describe them we have the right to know and access the data the right to request deletion certain circumstances opt out of sale and also the right to to notification if there's any financial incentive that the company gives for the sharing of the information and crucially the 
right to bring a private claim or class action for statutory damages, which is a key part of the CCPA, one of the most divisive parts of that law and some other laws that are proposed. What are some of the operational impacts that we see for companies seeking to comply with the law? Certainly privacy notices. There are provisions around ensuring you have the correct language within your privacy notice around these rights, so that's key, ensuring that there's a conspicuous, you know, opt-out for California in-scope individuals. But first, what's really crucial about this is identifying where your collection points are. It sounds simple, but, you know, even for a smaller company, knowing where you're collecting all your information from individuals is incredibly important, because you have to give them the notice at or before collection. And also data mapping. So this is knowing the flows of your data through your organization, and then where does it sit in your organization. Information mapping or data mapping is key to many aspects of this law. Steps include identifying all the systems and applications that process the personal information and then creating the data flows throughout the information lifecycle: so from collection, we've now identified that point, through the use in the organization and then out to any third-party sharing. And when you think about that third-party sharing, that's when, you know, a legal analysis is key to understanding: is that third-party sharing a sale under this law? And next, contracts, and tying in to that, you know, vendor management as well, ensuring that contracts are in place to handle the CCPA provisions around security, around breach, around the consumer rights requests. And finally, listed here, but certainly this isn't a comprehensive list, consumer rights requests program development. So like we saw with the GDPR, you know, training your staff to understand, you know, the new rights that are associated with this law and how to comply and
responding to requests. So only some impacts are listed here, but these are some examples. And, you know, briefly, to cover some key aspects of a consumer rights program: you'd want to design the process, put it in a document, develop what I would call a consumer rights or customer rights playbook, right, so the staff has a single source to go to, to understand the types of data subjects that may make requests, the types of requests that could be made, and then what is the process flow for each one of those requests. Leverage, clearly, your information mappings and inventories to fully address these requests, so know where that information is, and then have opt-out mechanisms that actually work. And the next: update internal policies to address the specific rights that we've talked about, and then finally, again, I'll emphasize it again, training all employees. So generally these are the, you know, key areas you would want to focus on in a consumer request program. It does center around training and making sure the mechanisms are in place, and it's certainly a coordinated effort between various departments. Legal will certainly need to coordinate with IT, to coordinate with, you know, front-line, you know, contact center staff if that's the case, or any, you know, reception staff or anything like that. And finally, so we have, you know, the considerations for a federal law. We talked about the CCPA; it certainly is a controversial law, and it is providing a push toward a federal law. Many states are following the CCPA's approach. We have Nevada, I mentioned a few weeks ago, and that law was passed a few weeks ago; it might actually go into effect this year. Not as comprehensive as the California law, I would say, but it does provide that opt-out for sales, except sale isn't as broad as in the CCPA, and the information around that is centered about what you collect online. So what we'll probably see, if this trend does continue, is a variation in
the different privacy laws across the states. And what the concern at the federal level is, you know, and on both sides of the aisle perhaps, is that this disparate, you know, different legal landscape would render either the most strict law the law of the land or become too cumbersome to comply with. And that is what the push is from major technology companies toward a federal law that would trump state, you know, privacy laws. There's certainly current drafts in the works; we see the FTC as well as a potential enforcement authority, and, you know, the push is to harmonize these laws. We'll see in the coming weeks what happens, and there's been comment from legislators on both sides of the aisle. I think just recently I read in the news, Senator, I believe it was Lindsey Graham, said the privacy horse is out of the barn. I don't know what a privacy horse looks like, maybe because it's private, but nevertheless it's quite, it's a topic that is on the minds of all politicians, and you'll definitely see it in the news in the coming months, and that's why we're here, just to introduce this topic to you. So some key points, some key takeaways here. You know, only the future's gonna tell what happens between state and federal law in the US, but we know that it's in the public's mind, we know that it is certainly a concern of state legislators and in the federal legislature. As it progresses, as these laws come out, the underlying compliance methodologies are going to be fairly similar across these laws, because it's universal: knowing where your data is in the organization is key, knowing the flows of that data, where it's stored, and understanding how to manage that data, right, you know, grapple with it, you know, know how to manage it, and then having reasonable security measures in place. That is something that is going to be, I would venture to say, across the board important. And then finally, architecting your, when I say your, it could be your client's
organization with privacy in mind, and when they do new products, keep that in mind as well. So these are the central, you know, topics around privacy. There's certainly many other privacy laws out there in the landscape, but this is just kind of an overview of them. I think we have a few minutes left, and if there are any, you know, questions, we'll take some; otherwise I will be available afterwards as well. Questions? Hi, like, the GDPR has been kind of a hot topic for discussion, and I think rightly so, for the past year or two, but I'm curious if you have any best practices or things to keep top of mind for US companies that might collect Canadian customers' information. I'm sorry, you say Canadian? Canadian, yes. Yeah, so Canada does have its own privacy law, and there are specific requirements around that as well. Again, you're going to see similar aspects of these laws when you're talking to companies about compliance, so those key points, those key takeaways I said about knowing where your data is and understanding how to manage that data within the organization are going to help comply with a Canadian law or, you know, Japanese law or a Chinese law around data privacy. And these topics around developing a data subject rights program, right, and then, you know, establishing, you know, certain security controls in place around that data are going to be universal. Thank you. Oh yes, yes. Has the California statute been challenged as an undue burden on interstate commerce? Has it been challenged as an undue burden on interstate commerce, like at the federal level, and constitutional? Right, Commerce Clause. Yeah, I don't believe, I mean, it's survived this long; I'd have to check to see if there's actually been a challenge. I know that if it has, it hasn't been successful at this point. I think the push from, you know, lobbyists and other companies is to push for a federal law that would trump it, right. Other questions?
Just to add to that, because there are carve-outs in the CCPA for federal regulations, like HIPAA, for example, or GLBA-covered information. Hi, my question is also on GDPR. So it's been going on for about a year and a half, give or take. Do we know of any sanctions of US companies? It's my understanding that it could be up to four percent of the global revenue for each company. I try to look for case law because I want to know what the scope of the risk is for US companies. Do we know of any cases of companies that have indeed been sanctioned for non-compliance? Yes, yeah, there are companies that have been. Talk to me afterward; I have some material I could provide you on that. You know, there are large technology companies that have received some sanctions related to GDPR. Okay, thank you. Other questions? Now, seeing none, thank you. Thank you, Josh. Thank you. [Applause]
Info
Channel: LegalFuel
Views: 6,441
Rating: 4.7647057 out of 5
Keywords: blockchain, data privacy, cybersecurity
Id: T1NGLsX-_Wk
Length: 160min 4sec (9604 seconds)
Published: Thu Sep 05 2019