If your firm needs to comply with regulatory standards for retaining your data, the Office 365 Security & Compliance Center provides features to manage the lifecycle of your data in Exchange Online. This includes the ability to retain, audit, search, and export your data. These capabilities are sufficient to meet the needs of most firms.

However, some firms in highly regulated industries are subject to more stringent regulatory requirements. For example, firms that deal with financial institutions such as banks or broker dealers may be subject to Rule 17a-4 issued by the Securities and Exchange Commission (SEC). Rule 17a-4 has specific requirements for electronic data storage, including many aspects of record management, such as the duration, format, quality, availability, and accountability of records retention.

To help these firms better understand how the Security & Compliance Center can be leveraged to meet their regulatory obligations for Exchange Online, specifically in relation to Rule 17a-4 requirements, Microsoft has released an assessment in partnership with Cohasset Associates.

Cohasset validated that when Exchange Online and the Security & Compliance Center are configured as recommended, they meet the relevant storage requirements of CFTC Rule 1.31(c)-(d), FINRA Rule 4511, and SEC Rule 17a-4.

Click below to download the report by Cohasset.

Office 365 Exchange Online Cohasset SEC 17a-4(f) Assessment

Highly regulated industries are often required to store electronic communications to meet the WORM (write once, read many) requirement. The WORM requirement dictates a storage solution in which a record must be:

  • Retained for a required retention period that cannot be shortened, only increased.
  • Immutable, meaning that the record cannot be overwritten, erased, or altered during the required retention period.

In Exchange Online, when a retention policy is applied to a user’s mailbox, all of the user’s content is retained according to the criteria of the policy. If a user attempts to delete or modify an email, a copy of the email as it was before the change is preserved in a secure, hidden location in the user’s mailbox. Retention policies can ensure that an organization retains electronic communications, but those policies themselves can be modified.

By placing a Preservation Lock on a retention policy, an organization ensures that the policy cannot be modified. In fact, after a Preservation Lock is applied to a retention policy, the following actions are restricted:

  • The retention period of the policy can only be increased, not shortened.
  • Users can be added to the policy, but no user can be removed.
  • The retention policy cannot be deleted by an administrator.
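The following Security & Compliance PowerShell session is an added example, not code from the article or from Microsoft's documentation. It creates a retention policy covering all Exchange Online mailboxes, attaches a rule that keeps content for the retention period, and then applies the Preservation Lock described above (the `RestrictiveRetention` setting). The policy name and the retention period are placeholders; the example assumes the ExchangeOnlineManagement module is installed and the account has compliance-administrator rights.

```powershell
# Added example, not from the article or from Microsoft's documentation.
# Assumptions: ExchangeOnlineManagement module installed, compliance-admin account,
# placeholder policy name and retention period replaced with your own values.

$PolicyName    = "WORM - Regulatory Email Retention"   # placeholder name
$RetentionDays = 2555                                   # placeholder: 7 years; set per your obligation

# Connect to Security & Compliance PowerShell.
Connect-IPPSSession

# 1. Create the policy covering every mailbox.
New-RetentionCompliancePolicy -Name $PolicyName -ExchangeLocation All -Enabled $true

# 2. Attach a rule that keeps content for the retention period without deleting it at expiry.
New-RetentionComplianceRule -Name "$PolicyName rule" -Policy $PolicyName `
    -RetentionDuration $RetentionDays -RetentionComplianceAction Keep

# 3. Review the policy before locking it: once locked it cannot be unlocked or deleted,
#    so the locations and the retention period must be correct now.
Get-RetentionCompliancePolicy -Identity $PolicyName -DistributionDetail |
    Format-List Name, Enabled, ExchangeLocation, RestrictiveRetention

# 4. Apply the Preservation Lock. After this the retention period can only be increased,
#    users can only be added, and no administrator can delete the policy.
Set-RetentionCompliancePolicy -Identity $PolicyName -RestrictiveRetention $true

# 5. Confirm the lock is in place.
Get-RetentionCompliancePolicy -Identity $PolicyName |
    Select-Object Name, RestrictiveRetention
```

Step 3 is the important one: the lock is irreversible, so confirm the mailbox scope and retention period are what the regulation requires before running step 4. After step 4 the final `Select-Object` should show `RestrictiveRetention` as `True`, and any later attempt to shorten the retention period or remove a user from the policy is rejected by the service.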

For more information on how the Security & Compliance Center can be leveraged to meet your regulatory obligations for email with Office 365 Exchange Online, contact Legal Computer Consultants at (800) 646-9199.

CYBER SECURITY POLICY
KEEP CONFIDENTIAL INFORMATION SECURE
Our employer is implementing cyber-security policies and best practices to improve security of our computer network and confidential work product. Please review carefully, implement each policy immediately, print and sign this policy statement and return to administration immediately.

The employer provides network, communications systems, equipment, devices and access to cloud services (”technology resources”) to carry out legitimate employer business. By using these technology resources, any user consents to disclosing the contents of any data files, information and communications created on, stored on, transmitted, received or exchanged via its network, communications systems, third party hosted applications, cloud services, equipment or devices.

There is no right to privacy in the use of employer’s technology resources. By using the employer’s technology resources any user consents to monitoring, recording, and reviewing the use of that technology resource.

Users are expected to act lawfully, ethically and professionally, and to exercise good judgment.

Users who are granted access to critical data are responsible for its protection.

Use of technology in violation of this policy is subject to disciplinary action up to and including termination.

1) Password policy
a) Do not use the same password for different sites.
b) Passwords must be strong. Strong passwords should:
i) Contain at least 8 characters; use a passphrase instead of a password.
ii) Include upper and lower case letters, numbers and special characters.
iii) Not use dictionary words (which are easily guessed by brute-force attacks).
iv) Be unique to one person.
v) Not be reused on multiple account logins.
vi) Be changed every 60 to 90 days.
vii) Be required after a period of inactivity (screen saver with password enabled).
viii) Never be shared with anyone else.
c) Appropriate storage of passwords. Do not write down passwords on paper. Do not store passwords on individual laptops, mobile devices or home computers unless they are saved safely in an encrypted application on your mobile device. Example: https://start.1password.com search ‘1password’ in the app store on your device.
d) Never provide security or personal information by email to anyone.
e) Passwords should never be shared.
f) Legal Computer Consultants will never call you to ask for your password over the phone. If you do need to provide other confidential credentials, first ensure that the person has been authorized to receive such credentials by firm administrators or partners.
g) Client Password storage (need to discuss this, do we want CLIENT passwords stored on anything but in OUR system?) DO NOT STORE CLIENT PASSWORDS ON INDIVIDUAL LAPTOPS, DESKTOPS, MOBILE DEVICES OR HOME COMPUTERS.

2) Secure your PC
a) Always lock your computer before leaving your desk: Press the [Windows Key]+[L] to quickly lock your screen.
b) Enable screen savers with a password to be required after a period of inactivity.
c) Discuss this: Do not use USB memory devices on office PCs. Do not save or open files on USB memory media. Do not charge/connect Android devices or ‘Trust’ iPhones in USB ports.

3) Be Careful when you click:
a) Do not click on any link unless you know you can trust the source and you are certain of where the link will send you. If you are unsure about a link, the best thing to do is call the sender prior to clicking on the link. Do not follow links in emails asking to login to existing accounts. Delete the email and go directly to the web site in a web browser to login to an existing account.

4) Do not share confidential information or credentials with anyone by phone or email:
a) Social engineering is a non-technical approach hackers use to get sensitive information. Social engineering techniques include phishing emails, fake phone calls, and physical impersonation.

b) Credit card information must never be sent or received via messaging systems and staff are prohibited from copying, moving or storing of credit/debit card holder information onto local hard drives and removable electronic media when accessing such data via remote-access technologies.

5) Never click on links asking you to update your credentials for any web site. If you think the email may be legitimate, you should go directly to the website to update credentials.

6) Appropriate Use:
a) Report any suspicious activity or security concerns immediately.
b) PCs and the computer network are the property of the employer and should only be used for business purposes.
c) Do not install software (like streaming music) or use personal email.
d) Do not use the computer (including browsing the Internet) for personal use.
e) Internet/Intranet Usage:
i) Usage should be focused on business-related tasks.
ii) There is no right to privacy in an employee’s use of the Internet/Intranet.
iii) Use of the Internet, as with use of all technology resources, should conform to all employer policies and work rules.
iv) Visiting or otherwise accessing sites such as the following are prohibited:

(1) Adult Content
(2) Games
(3) Violence
(4) Personals and Dating
(5) Gambling
(6) Hacking

7) Ownership of Data: The employer owns all employer data, files, information, and communications created on, stored on, transmitted, received or exchanged via its network, communications systems, equipment and devices, such as e-mail, voicemail, text messages and Internet usage logs “digital records” even if such communications reside in the cloud. The employer reserves the right to inspect and monitor any and all such communications at any time, including personal data stored on Employer systems, for any lawful purpose and with or without notice to the user. The employer may conduct random and requested audits of employee accounts (including accounts with commercial or other third party providers if used in the course of conducting Employer business) for any lawful purpose including but not limited to ensuring compliance with policies and requirements, to investigate suspicious activities that could be harmful to the organization, to assist the employer in evaluating performance issues and concerns, and to identify productivity or related issues that need additional educational focus within the employer. Digital records may be subject to public disclosure and the rules of discovery in the event of a lawsuit. The employer’s Internet connection and usage is subject to monitoring at any time with or without notice to the employee.

Agreement to follow cyber-security policy:
I understand and agree to abide by these cyber-security policies.

_______________________________ Dated: ____________

Advanced Threat Protection (ATP) is an external extra layer of protection offered by Microsoft Office 365 (applied before email reaches your office) on top of your current virus and malware protection.
• ATP provides “zero-day” protection, versus the currently scheduled automatic signature updates.
• ATP scrubs attachments before they get to your mailbox.
• Once deployed, you will notice that links in emails are “redirected links” to ensure they are safe. ATP tests all links before forwarding them to your inbox.
• Also, ATP can help us diagnose, trace and report intrusion efforts, which helps us educate specific staff who may be clicking malicious links.

LCC recommends ATP for your firm.
Peter Rabbino
peterr@legalcomputer.com
www.legalcomputer.com
Legal Computer Consultants (LCC) provides comprehensive technology solutions exclusively for South Florida attorneys and their staff.

Law firms are increasingly being targeted: their computer networks are being penetrated, intellectual property is being stolen, and client-privileged data is being compromised.

The “Know the Risk, Raise Your Shield” materials are featured on NCSC’s website at https://www.dni.gov/ncsc/knowtherisk/tools/.

Risks include: social engineering, social media deception, spear-phishing, mobile device safety, and foreign travel risks.

Federal Courts may require your firm to submit PDF files in a PDF/A compliant format. PDF/A is a type of PDF file in which all the elements of the document (fonts, images and other content) are embedded in the file itself rather than linked from outside it. This makes the file suitable for long-term archiving, which is why the courts prefer it.

Here are two ways to convert PDF files to PDF/A-compliant files:
1.  Print PDFs to the PDF printer driver: choose [File][Print] in the PDF and select the PDF printer driver as the printer to create the output. This is fast and simple, but markups and other features such as digital signatures, embedded content and encryption will be removed from the file. This is usually acceptable for legal professionals submitting files to the courts.
2.  Using Adobe Professional, creating PDF/A files requires a few extra steps, but this method preserves the markups and other features. Choose PDF/A-1b for Federal Court Filings:
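Whichever method you use, it is worth confirming that the resulting file actually declares the PDF/A-1b level before it is filed. The PowerShell function below is an added example, not from the article or from Adobe; it reads the PDF/A identification (`pdfaid:part` and `pdfaid:conformance`) that a conforming file carries in its XMP metadata and reports the declared level. It assumes the metadata stream is stored uncompressed, as the PDF/A standard requires; the function name and the report fields are this example's own.

```powershell
# Added example, not from the article or from Adobe. Reports the PDF/A level a file
# declares in its XMP metadata so a converted file can be checked before filing.
# Assumption: the XMP metadata stream is uncompressed (required by PDF/A), so the
# identifiers can be found by scanning the raw file bytes.
function Test-PdfAConformance {
    param([Parameter(Mandatory)][string]$Path)

    # Map each byte to one character so the regexes can scan the whole file.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    # The identifiers appear either as XMP attributes (pdfaid:part="1") or as
    # elements (<pdfaid:part>1</pdfaid:part>); accept both forms.
    $partMatch = [regex]::Match($text,
        'pdfaid:part\s*=\s*"(\d)"|<pdfaid:part>\s*(\d)\s*</pdfaid:part>')
    $confMatch = [regex]::Match($text,
        'pdfaid:conformance\s*=\s*"([ABU])"|<pdfaid:conformance>\s*([ABU])\s*</pdfaid:conformance>',
        'IgnoreCase')

    # Only one of the two capture groups is populated, so concatenating them yields the value.
    $part = if ($partMatch.Success) { $partMatch.Groups[1].Value + $partMatch.Groups[2].Value } else { $null }
    $conf = if ($confMatch.Success) { ($confMatch.Groups[1].Value + $confMatch.Groups[2].Value).ToUpper() } else { $null }

    [pscustomobject]@{
        File         = Split-Path -Leaf $Path
        DeclaresPdfA = [bool]$part
        Level        = if ($part) { "PDF/A-$part$conf" } else { "none" }
        IsPdfA1b     = ($part -eq '1' -and $conf -eq 'B')
    }
}

# Usage: check every PDF in the current folder before a filing.
Get-ChildItem -Filter *.pdf |
    ForEach-Object { Test-PdfAConformance -Path $_.FullName } |
    Format-Table -AutoSize
```

A file produced by the "print to PDF" method in step 1 will typically report `none`, because a plain PDF printer does not write PDF/A identification; a file saved as PDF/A-1b through Adobe Professional should report `IsPdfA1b` as `True`. Note that this only checks what the file declares about itself; full conformance validation (fonts embedded, no encryption, and so on) needs a validator such as Acrobat's Preflight tool or veraPDF.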

Do not hesitate to email or call me to review PDF/A.

Thanks,

Peter Rabbino

Mobile: (954) 937-4528

peterr@legalcomputer.com

www.legalcomputer.com


law firm hurricane preparation

How should a law firm prepare for hurricane season?

Cloud computing changes how your firm can continue to work after an extended loss of power, a natural disaster, denied building access, or experiences other business interruptions.

Disaster Recovery & Business Continuity planning enables your firm to weather the storm and get back to business as quickly as possible.

  • How quickly can your law firm get back to business after a disaster?
  • Can you improve your firm’s security of important client files, minimize damage and get back to business?
  • Does your firm have a plan for denied building access, extended loss of electric power and worst-case scenarios?

The answers depend on emergency planning done today.

When should you begin preparing?

NOW!

The goal of business continuity planning

  • Maintain access to existing client files, case management databases and calendars, and the ability to create new work product,
  • Maintain time and billing and general accounting functionality, and
  • Maintain telephone and email communication.

A comprehensive plan includes

  • Office and staff preparation checklists,
  • Failover systems in place and tested, and
  • Hardware replacement and systems restoration checklists.

Preparation tips before a hurricane strikes

  • Create an Emergency plan. Determine the critical components of your business and make contingency plans for every aspect.
  • Confirm you are properly insured. Consider business interruption insurance that covers you even if your business doesn’t suffer physical damage, but loses income because of a disaster, such as closed roads or loss of power.
  • Protect critical data; test backup systems and store the copies of digital and paper data off-site. Consider a fireproof safe for vital documents, software licenses, and media.
  • Finding reliable technical support after a disaster hits our community may be difficult. Confirm ahead of time that the technical support people most familiar with your systems will be available before and after an emergency strikes.


When a hurricane warning is issued

  • Confirm a recent full back up of the system, including the operating system and e-mail.
  • LCC recommends off-site backup service providers, but if your firm still uses local media, make sure it is stored in a safe place. Duplicate media should be stored in multiple off-site locations.
  • Confirm computer and printer hardware is plugged into an appropriate Uninterruptible Power Supply (U.P.S.). Properly shut down and turn off the server, computers, monitors and printers and unplug sensitive electronic equipment from the wall.
  • Store computer equipment away from the windows and off the floor.
  • Special precautions should be taken with network servers.
  • Safety is the highest priority. Heed official evacuation warnings and find the safest location to ride out the storm.

What to do after a hurricane

  • The electrical supply may be unstable and have unusual surges and flickers. LCC recommends U.P.S. equipment to protect sensitive hardware.
  • Verify the system is completely dry before turning on any hardware.

Relevant web sites