
The Cybersecurity Framework of the National Institute of Standards and Technology provides best practices which are widely followed by security professionals. The first principle listed in the Framework Core is ID.AM-1, "Physical devices and systems within the organization are inventoried". This is analogous to CSC-1 of the Center for Internet Security's Critical Security Controls, entitled "Inventory of Authorized and Unauthorized Devices". CSC-1 is specifically cited as an informative reference for NIST's ID.AM-1.

If a company uses IEEE 802.1X as a standard for network access control, it must have such an inventory so it can distinguish between authorized and unauthorized devices. Naturally this type of inventory is a great resource when performing electronic discovery. CSC 1.4 states: "Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device." With such an inventory you can easily identify and collect the hardware for agreed-upon custodians.
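The following Python script is an added example, not part of the original post or of the NIST or CIS publications: it reconciles an inventory that carries the CSC 1.4 fields (address, machine name, purpose, owner, department) against a list of devices actually seen on the network, flagging devices that are not inventoried, inventoried devices whose address or name has drifted, and inventoried devices that were not seen, and then pulls the hardware belonging to named custodians for a collection. The inventory records, the DHCP/ARP-style export, the hostnames and the MAC addresses are all constructed sample data.

```python
"""Reconcile a CSC 1.4-style asset inventory against devices observed on the network.

Added example with constructed data; the inventory, hosts and addresses are hypothetical.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Asset:
    """One inventory record carrying the fields CSC 1.4 asks for."""
    mac: str
    ip: str
    hostname: str
    purpose: str
    owner: str
    department: str


# Constructed sample inventory for a hypothetical firm.
INVENTORY = [
    Asset("00:11:22:33:44:01", "10.0.1.10", "LAW-WS-001", "attorney workstation", "Jane Doe", "Litigation"),
    Asset("00:11:22:33:44:02", "10.0.1.11", "LAW-WS-002", "paralegal workstation", "John Roe", "Litigation"),
    Asset("00:11:22:33:44:03", "10.0.1.20", "LAW-FS-01", "file server", "IT Ops", "IT"),
    Asset("00:11:22:33:44:04", "10.0.1.5", "LAW-SW-01", "core switch", "IT Ops", "IT"),
]

# Constructed sample of what a DHCP-lease or ARP-table export might look like.
# LAW-WS-002 now has a different address, the file server is absent, and an
# unknown device has appeared.
OBSERVED_CSV = """mac,ip,hostname
00-11-22-33-44-01,10.0.1.10,LAW-WS-001
00-11-22-33-44-02,10.0.1.13,LAW-WS-002
00-11-22-33-44-04,10.0.1.5,LAW-SW-01
AA-BB-CC-DD-EE-FF,10.0.1.99,android-3f2a
"""


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so 00-11-.. and 00:11:.. compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_observed(text: str) -> List[Dict[str, str]]:
    """Parse a mac,ip,hostname CSV export into normalized records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "mac": normalize_mac(row["mac"]),
            "ip": row["ip"].strip(),
            "hostname": row["hostname"].strip(),
        })
    return rows


def reconcile(inventory: Iterable[Asset], observed: Iterable[Dict[str, str]]) -> dict:
    """Classify observed devices as authorized/unauthorized and report drift and absences.

    Devices are matched on MAC address; an observed device with no inventory
    record is unauthorized in the CSC-1 sense. An authorized device whose IP or
    hostname differs from the record is listed under "drift" so the inventory
    can be corrected rather than silently trusted.
    """
    by_mac = {normalize_mac(a.mac): a for a in inventory}
    result = {"authorized": [], "unauthorized": [], "drift": {}, "not_seen": []}
    seen = set()
    for dev in observed:
        asset = by_mac.get(dev["mac"])
        if asset is None:
            result["unauthorized"].append(dev)
            continue
        seen.add(dev["mac"])
        result["authorized"].append(asset.hostname)
        diffs = {}
        if dev["ip"] != asset.ip:
            diffs["ip"] = (asset.ip, dev["ip"])
        if dev["hostname"].lower() != asset.hostname.lower():
            diffs["hostname"] = (asset.hostname, dev["hostname"])
        if diffs:
            result["drift"][asset.hostname] = diffs
    # Inventoried hardware that did not show up: possibly off-site, retired, or moved.
    result["not_seen"] = [a.hostname for mac, a in by_mac.items() if mac not in seen]
    return result


def devices_for_custodians(inventory: Iterable[Asset], custodians: Iterable[str]) -> List[Asset]:
    """Hardware to collect for agreed-upon custodians, the eDiscovery use of the inventory."""
    wanted = {c.strip().lower() for c in custodians}
    return [a for a in inventory if a.owner.lower() in wanted]


if __name__ == "__main__":
    report = reconcile(INVENTORY, parse_observed(OBSERVED_CSV))
    for key, value in report.items():
        print(f"{key}: {value}")
    for asset in devices_for_custodians(INVENTORY, ["Jane Doe"]):
        print(f"collect {asset.hostname} ({asset.mac}) from {asset.owner}, {asset.department}")
```

Matching on MAC address is the usual choice because that is what 802.1X and DHCP logs record, but MACs can be cloned, so the "drift" list is worth reviewing rather than auto-correcting: an inventoried MAC showing up with a different hostname is exactly the kind of discrepancy CSC-1 exists to surface.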



In the Home edition of Windows 7, if you right-click on any folder, select Properties, and then on the General tab click Advanced, you'll see an option 'Encrypt contents to secure data' which is grayed out.

. . . in order to get around this limitation, you can download NCH's MEO file encryption software, which is free. See: http://www.nchsoftware.com/encrypt/

After installing the software, click on Options and select a folder to hold the encrypted files that you'll create with the .meo extension.

. . . then just select the folder you want to encrypt, enter and confirm a password, and an encrypted copy will be created in the output folder with the .meo extension. You'll need to delete the source folder yourself, since the original is left in place.



On March 1, 2017, the cybersecurity regulations of New York State's financial regulatory body, the Department of Financial Services, became effective. Both financial services companies and their law firms will have to comply with rules designed to protect customer data. The regulations are the first of their kind in the nation. See the requirements, under Title 23 of the Codes, Rules, and Regulations of New York State, which are posted here.

The new regs require each covered entity to implement a cybersecurity program and have a written cybersecurity policy. There must be a specific incident response plan. Businesses must designate one person as their Chief Information Security Officer, who has to prepare a report to the board of directors each year, which lists material cybersecurity risks, and "material Cybersecurity Events involving the Covered Entity during the time period addressed by the report."

The cybersecurity program has to include penetration testing that is conducted annually, and systems that provide an audit trail for cybersecurity events, with records kept for at least five years. Access privileges have to be implemented to control access to nonpublic information and the use of specific in-house applications. A risk assessment of information systems has to be performed periodically. Cybersecurity personnel have to receive continuing training in their field, and all users must receive some kind of cybersecurity training.

The policies must address the use of data by Third Party Service Providers, which include law firms. Compliance with this provision is not required until 2018.

Multi-factor authentication is required to access internal networks from external networks. There must be policies in place to dispose of nonpublic information when it is no longer necessary for a business purpose.

The regulations require that nonpublic information be encrypted in some circumstances.

When a cybersecurity event occurs, the Superintendent of the Department of Financial Services has to be notified within 72 hours.

Entities with fewer than 10 employees, or less than $5M in gross revenue, or less than $10M in assets, are exempt from some of the regulations.

Covered entities have to file a Certificate of Compliance with the Department of Financial Services by February 15, 2018.



Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea. Proudly created with Wix.com
