How Safe Do You Want to Be?

The scary thing about trying to protect yourself and your law firm from intruders is identifying the possible source of attack. That’s why this infographic from The Guardian caught my eye. Do you know who the bogeyman is? You may be in for an Alfred Hitchcock surprise attack.


Insider Threats vs. Outsider Threats Cybersecurity Infographic

Infographic by Digital Guardian

Acting Competently: Complying with data security laws

Image by Sheila Blackford ©2016

Lawyers have a fiduciary duty to preserve client confidentiality that has long been codified in Oregon under ORPC 1.6, Confidentiality of Information. Over more than a quarter of a century, paper-based client files have become electronic files. The need to protect electronic client records has only become more imperative as lawyers have transmitted and stored their client files on the Internet.

ORPC 1.6 (7) (c):

A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

ABA Model Rule 1.6 Comments 18 and 19:

Acting Competently to Preserve Confidentiality

[18]   Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3.  The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.  Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule.  Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules.  For a lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm, see Rule 5.3, Comments [3]-[4].     

[19]   When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.  Whether a lawyer may be required to take additional steps in order to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules.


The words should fill you with dread. Then you will have the proper mindset to address the necessary protections, so that you can prevent a data breach or at least ensure that, if data is breached, it has been rendered unreadable because it is encrypted.

Be concerned about a “breach of security” involving “personal information.” Both are defined terms in the Oregon Identity Theft Protection Act, ORS §§ 646A.600-646A.628.

What is a breach of security?

ORS §646A.602 (1)(a) “Breach of security” means unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the person. 

What is encryption?

ORS §646A.602 (6) “Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.

What is personal information?

ORS §646A.602 (11) “Personal information”:

(a) Means a consumer’s first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not rendered unusable through encryption, redaction or other methods, or when the data elements are encrypted and the encryption key has also been acquired:

(A) Social Security number;

(B) Driver license number or state identification card number issued by the Department of Transportation;

(C) Passport number or other United States issued identification number; or

(D) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account.

(b) Means any of the data elements or any combination of the data elements described in paragraph (a) of this subsection when not combined with the consumer’s first name or first initial and last name and when the data elements are not rendered unusable through encryption, redaction or other methods, if the information obtained would be sufficient to permit a person to commit identity theft against the consumer whose information was compromised.

(c) Does not include information, other than a Social Security number, in a federal, state or local government record that is lawfully made available to the public.

How do we develop safeguards for this personal information?

Requirement to Develop Safeguards for Personal Information ORS §646A.622

646A.622 Requirement to develop safeguards for personal information; conduct deemed to comply with requirement. (1) Any person that owns, maintains or otherwise possesses data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation or volunteer activities must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including disposal of the data.

(2) The following shall be deemed in compliance with subsection (1) of this section:

(a) A person that complies with a state or federal law providing greater protection to personal information than that provided by this section.

(b) A person that is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as that Act existed on October 1, 2007.

(c) A person that is subject to and complies with regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164) as that Act existed on October 1, 2007.

(d) A person that implements an information security program that includes the following:

(A) Administrative safeguards such as the following, in which the person:

(i) Designates one or more employees to coordinate the security program;

(ii) Identifies reasonably foreseeable internal and external risks;

(iii) Assesses the sufficiency of safeguards in place to control the identified risks;

(iv) Trains and manages employees in the security program practices and procedures;

(v) Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and

(vi) Adjusts the security program in light of business changes or new circumstances;

(B) Technical safeguards such as the following, in which the person:

(i) Assesses risks in network and software design;

(ii) Assesses risks in information processing, transmission and storage;

(iii) Detects, prevents and responds to attacks or system failures; and

(iv) Regularly tests and monitors the effectiveness of key controls, systems and procedures; and

(C) Physical safeguards such as the following, in which the person:

(i) Assesses risks of information storage and disposal;

(ii) Detects, prevents and responds to intrusions;

(iii) Protects against unauthorized access to or use of personal information during or after the collection, transportation and destruction or disposal of the information; and

(iv) Disposes of personal information after it is no longer needed for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.

(3) A person complies with subsection (2)(d)(C)(iv) of this section if the person contracts with another person engaged in the business of record destruction to dispose of personal information in a manner consistent with subsection (2)(d)(C)(iv) of this section.

(4) Notwithstanding subsection (2) of this section, a person that is an owner of a small business as defined in ORS 285B.123 (2) complies with subsection (1) of this section if the person’s information security and disposal program contains administrative, technical and physical safeguards and disposal measures appropriate to the size and complexity of the small business, the nature and scope of its activities, and the sensitivity of the personal information collected from or about consumers. [2007 c.759 §12]

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Patients have federal legal rights to their protected health information. We sign forms about our privacy every time we go to the doctor’s office, treatment clinic, or hospital. It is doubtful that the average lawyer, let alone the average person, has ever read the HIPAA rule, which is nearly 700 pages long. Where this impacts lawyers is when they are a business entity that deals with health care providers; such entities include CPAs, doctors, and lawyers.

HIPAA in Oregon. Oregon acknowledges a number of health care provider/patient privileges that include preventing others from disclosing communications made with the health care provider for the purposes of treatment and diagnosis. See OR. REV. STAT. §§ 40.230, 430.235. Remember that federal privacy regulations under HIPAA will preempt state laws unless the pertinent state law is more stringent. See 65 Fed. Reg. 82,462, 82,464.

Lawyers need to be careful of individually identifiable health information. The best way to protect confidential client data: ENCRYPTION. Encrypting data which is then properly backed up and stored is the easiest way to begin fulfilling your obligations under HIPAA and under ORPC 1.6.

Gramm-Leach-Bliley Act 15 U.S.C. §§ 6801-6809 and §§ 6821-6827, as amended

Under the Gramm-Leach-Bliley Act, financial institutions must protect the privacy of consumers’ personal financial information. This is why your financial institution provides you with annual notice of its privacy policies and why it must give notice and an opportunity to opt out before disclosing any of the consumer’s personal financial information to an unaffiliated party.

For lawyers, consider that your client files contain personal financial information, such as credit card numbers and bank account numbers. There may be a number of reasons that you have copies of your clients’ financial account statements, loan applications, tax returns, and financial documents used in bankruptcies and dissolutions of marriages and business partnerships. How are you protecting the confidentiality of this information? Where are you storing it?

The best way to protect confidential client data: ENCRYPTION. Encrypting data which is then properly backed up and stored is the easiest way to begin fulfilling your obligations under Gramm-Leach-Bliley Act and under ORPC 1.6.   

Watch and Authenticate Email Sender Before Opening an Attachment


Image by Sheila Blackford ©2016

Senders of malware are tricky, but lawyers and their staff are smart enough to thwart the sender’s efforts.

Recently a colleague here at the PLF was contacted by a concerned Oregon lawyer who received an eCourt email notice that turned out to be fake and was trying to deliver an attachment that was a virus. The facts are instructive.

Lawyer had an upcoming hearing in Lawyer’s local county court. Let’s say the date of the court appearance was May 18, 2016. The reminder purported to be from the local county court, Oregon’s 4th Judicial District, providing a court reminder of the upcoming hearing. The date was accurate. The attachment was labelled “Court Notice.” Lawyer’s virus scanner detected this email as being a problem and flagged it as a virus. Although the email ‘said’ it was from the county court, the domain name was completely different. Lawyer did not open that “Court Notice,” which would have launched a virus. Lawyer called to share the lesson.

What is the lesson? You can never be too careful with email attachments and emailed hyperlinks. Spoofers pretend to be legitimate companies. But if you look closely, you can catch the spoof, whether the domain name doesn’t properly match or the email message reads a bit off. It calls for paying closer attention. For example, Multnomah County Circuit Court has a very nice website. A specific judge at Multnomah County Circuit Court would have an email address looking like this: Don’t just rely on the name; look for the actual email address coming from the expected domain name.

My email may show up in your inbox as coming from ‘Sheila M. Blackford’, but by clicking on the name you will see my actual email address domain, which will be SheilaBatOSBdotPLFdotORG. I really don’t like spam or malware in my inbox. That’s why my email address spells out the proper email punctuation in the previous sentence. There are robots that harvest email addresses from the Internet, so I wanted to be careful here.

A lesson about attachments: be careful before opening any attachment. It could be malware, not what you are expecting. Hopefully your malware protection software will flag it. But it may not. Unless you are downloading a program from the internet from a verified trusted site, you should never be opening a document that ends with .exe. CAVEAT: Be certain that you are about to download a safe program from a legitimate website, such as downloading Windows 10 from Microsoft. Word 2016 documents end with .docx. You may notice that your malware protection software provides an option to scan a document before opening it.
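The two checks described above, the real sender domain behind a display name and the attachment extension, as an added example that is not code from the PLF or this post. It assumes placeholder domains (example-court.invalid, example-plf.invalid) and an assumed starting set of risky extensions; the sample message is constructed to mirror the fake court reminder.

```python
import email
from email import policy
from email.utils import parseaddr
from os.path import splitext

# Constructed placeholders: display names the firm expects mail from, mapped to
# the domain each should send from (real court and PLF domains not reproduced).
EXPECTED_DOMAINS = {
    "multnomah county circuit court": "example-court.invalid",
    "sheila m. blackford": "example-plf.invalid",
}

# Attachment types that should never be opened straight from an inbox (an
# assumed starting set; extend it to match your own policy).
RISKY_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".docm"}


def _domain(address):
    """Lower-cased text after the '@', or '' when there is no '@'."""
    return address.rpartition("@")[2].lower()


def check_message(raw_bytes):
    """Return a list of findings for one raw RFC 5322 message (empty = clean)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    actual = _domain(address)

    # 1. The name says "court"; does the real address domain agree?
    expected = EXPECTED_DOMAINS.get(display_name.strip().lower())
    if expected and actual != expected:
        findings.append(f"sender domain mismatch: '{display_name}' should be "
                        f"@{expected}, actual @{actual or '(none)'}")

    # 2. A display name that itself looks like an address fools a glance at
    #    the From line; only the real address after it counts.
    if "@" in display_name and _domain(display_name) != actual:
        findings.append(f"display name '{display_name}' masquerades as an address")

    # 3. Executable or macro-enabled attachments. splitext keeps only the
    #    final extension, so "Court Notice.pdf.exe" is still caught.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if splitext(filename)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {filename}")
    return findings


# Constructed sample modelled on the fake eCourt reminder described above;
# the base64 body is only the text "not a real program".
FAKE_COURT_NOTICE = b"""\
From: "Multnomah County Circuit Court" <notices@mail-blast.invalid>
Subject: Reminder: hearing on May 18, 2016
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your hearing is scheduled for May 18, 2016. See the attached notice.

--b1
Content-Type: application/octet-stream; name="Court Notice.exe"
Content-Disposition: attachment; filename="Court Notice.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBwcm9ncmFt
--b1--
"""
```

Running check_message(FAKE_COURT_NOTICE) reports both the domain mismatch and the .exe attachment; a message from the expected domain with a .docx attached reports nothing.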

I will never forget my own malware experience while in law school at University of the Pacific, McGeorge School of Law. I was about 80% done with the law review article to be submitted for making law review. It was good. Past tense. When I booted up to finish the last 20%, a virus executed and wiped everything out. Everything. Ah! I tried to reconstruct that article which took hours and hours. Sleepless in the Bay Area, my husband volunteered to drive me the 3 hours to get to law school in Sacramento on time to turn it in at the last minute. But it bore a poor resemblance to the article I had lost. I did not make the main law review journal. I did not make the second tier law review journal. I ended up as an editor on the California Initiative Review. Better than nothing but a bummer. Sad story, huh? But a malware virus could have even worse consequences for you lawyers. Seriously, think if your hard work was destroyed. AH! So be careful. You don’t need to learn lessons the hard way.

Be safe.

Ransomware Alert: 7 Prevention Considerations

Image by Sheila Blackford ©2016

It is time to be scared about ransomware, but not paralyzed by fear. The bad news is that there are more cases of ransomware, malware that seizes control of your data, encrypts it, then demands a ransom to turn over the key to decrypt it, and many are finding that paying the ransom is no guarantee of getting the data back. The good news is that there are things you can do proactively to protect your data, and that is empowering.

The FBI requested that the ABA share Private Industry Notification cybersecurity alerts with the legal community.  I want you to read this Ransomware alert then do at least one of its recommendations but I honestly hope you will be scared enough to do them all. To sign up for receiving future alerts, use this link to the ABA.  

“While the FBI normally recommends organizations invest in measures to prevent, detect, and remediate cyber exploitation, the key areas to focus on with ransomware are prevention, business continuity, and remediation.”

7 Prevention Considerations from the FBI:

1.  Focus on awareness and training. Since end users are targeted, employees should be made aware of the threat of ransomware, how it is delivered, and trained on information security principles and techniques.

2.  Patch the operating system, software, and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier through a centralized patch management system.

3.  Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.

4.  Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary; and they should operate with standard user accounts at all other times.

5.  Implement least privilege for file, directory, and network share permissions. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. Configure access controls with least privilege in mind.

6.  Disable macro scripts from office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite applications.

7.  Implement software restriction policies (SRP) or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.



The Gift of Time


Image by Sheila Blackford ©2015

The 2015 holiday season is in full swing. This time of year, many lawyers question if they should leave their law firm and go solo or start up their own multi-attorney firm or just hang it up and retire or switch careers. These are all things that are best to think about. I just question whether this might not be the best time to be making such life changing decisions. It’s a bit like deciding whether to get a divorce. Good to consider but with the stress of the holidays and busy pace of visiting family and friends, this may not be the time when you can do your best thinking. Can you give yourself the gift of time? Why, you ask? To give yourself time to consult with a good lawyer: yourself.

Take the time to think things through.

  • Can you see where this decision leads?
  • Do you need to sit down with a financial advisor to crunch numbers?
  • What about covering health insurance for you and any family members?
  • What practical considerations need to be in place to help you in the first six-month transition period?
  • Do you have the stomach for flying solo or weathering difficult relationship issues involving sharing control and maintaining trust?
  • If employees will be involved, do you have all the human resources areas taken care of before you create a BOLI complaint or lawsuit?
  • Do you need to sit down with a CPA and your tax returns and financial projections to determine your right choice of entity?
  • Should you and your prospective law partners do Myers Briggs, Strengthfinders, or some other psychological testing to determine if you really will bring compatibility and balance to the planning table?

Know your resources.

Oregon State Bar Economic Survey.

Oregon Attorney Assistance Program Attorney Counselors. For assistance with career planning and counseling.  503-226-1057  or 1-800-321-6227

  1. Shari Gregory, LCSW, JD on Ext. 14.
  2. Kyra Hazilla, JD, MSW on Ext. 13.
  3. Mike Long, JD, MSW, CEAP on Ext. 11.
  4. Douglas Querin, JD, LPC, CADCI on Ext. 12.
  5. Bryan Welch, JD counseling intern on Ext. 19.

Oregon State Bar General Counsel’s Office for assistance with ethics questions arising in the practice of  law. 503-620-0222 or 1-800-452-8260

  1. Helen Hierschbiel, General Counsel on Ext. 361. Will become Executive Director of OSB January 2016.
  2. Amber Hollister, Deputy General Counsel on Ext. 312. Will become General Counsel of OSB January 2016.

Oregon State Bar Client Assistance Office for assistance with initial screening of ethics complaints about lawyer conduct. 503-620-0222 or 1-800-452-8260

PLF Attorney Practice Management Advisors for assistance with the business of practicing law, including closing a law practice, departing from a  law firm, retiring or selling a law practice, or opening a new law practice.  503-639-6911 or 1-800-452-1639

  1. Sheila Blackford, JD on Ext. 421.
  2. Hong Dao, JD on Ext. 412.
  3. Jennifer Meisberger, JD on Ext. 411.
  4. Beverly Michaelis, JD on Ext. 415.

PLF Claims Attorneys for assistance with handling situations where there is a concern of a potential malpractice claim. The receptionist will connect you to an available claims attorney.  503-639-6911 or 1-800-452-1639

PLF Practice Aids and Forms