Thank you, Sardin. Thank you everyone for joining and I want to thank Mary Shaughnessy for agreeing to partner with me and, unfortunately, Brian Stemple, who was going to join us. He's a great attorney, does a lot of pro bono work found tech from Kirkland. He was not able to join us today, so you're getting two out of three, which I guess is sixty-six percent, so maybe that's not so bad, but he was going to talk. I'm going to try to cover some of what Brian was going to talk about, but we'll just jump right in. So there's a little bit of background, and Sartre shared out the deck. On Mary, who I've known for I guess quite a few years now, who has been, I think, a real innovator in working with her users, with working across the city of New York. And it's really bringing people along, which is so important with any kind of technology and increasingly important around security, that you know security is a collaborative process, and she has a unique background in auditing and studying sort of compliance, and that's again sort of a really important part of security, and as you can see she's been building sort of a broader experience in other areas such as business process analysis, which is really taking off in the legal aid community. So thank you, Mary, for joining. And just a little bit on Just Tech, and I won't bore you with it, but I'll just share a little bit of my background, having started in legal aid out of law school after spending a number of years in IT, and frankly, security has been, it kind of felt like it was left to me in a number of roles throughout my career in legal aid, and I sort of always felt like it shouldn't be just up to me and it shouldn't just be my concern, and that's gonna be, I think, a theme today. So a little bit of a roadmap. So we're gonna talk a bit about some of the risks and challenges, and we're gonna be talking about policies and practices, and they are not one and the same.
A little update on what's happening in New York City on a pro bono project, and then we're hoping to open it up for discussion to learn from each other. There's a lot of great expertise in the legal aid community nationally, and so we will provide some perspective based on our careers and our work with providers, but we really want to make it richer by including you all, and then just a quick list of resources that we recommend, at least as a starting place or a place to go back to for some of us who may have visited some of these resources in the past but have gotten tied up in a lot of the day to day. So we all heard about the most recent breach and loss of data, the Marriott reservation system, 500 million records including mine, and we've heard about lots of other breaches, and I think Mary and I, and you know certainly, have been worrying about this stuff as many of our counterparts have been around legal aid, and I think the risks and the potential impact sort of are underscored almost every day in the newspaper or online or on TV, and legal aid is no exception, and I don't know, Mary, if you want to talk a little bit about some of your experience and some of what we've seen in the legal aid community in terms of those risks.

One of the risks is just having people out on mobile equipment. We send our staff attorneys out to clinics and they use laptops, Chromebooks, and if information gets downloaded from your case management system, which is how a lot of web-based systems work, you wind up with client documents sitting around on a laptop. They may be encrypted to be able to live in a cache, but there is a risk that if that laptop disappears someone will be able to hold a client document. And that's one thing that we worry about a lot.
And actually, speaking of that laptop, so California has a disclosure law, and so we have to know, and I don't want to pick on California, but one of our sister organizations had 10 laptops stolen in 2013 that had client names and social security numbers on them. Now, I bet if we went across the country, we've had a lot more than 10 laptops stolen, with data, with drives that were not encrypted. I-CAN!, which a lot of us remember from a number of years ago, which was a really innovative project out of Orange County, had data from taxpayers, basically, who had used the system available online and entirely accessible, that they didn't discover until 2016. And again, because of California's law, they had to disclose that. But I'm sure we've all heard of other cloud-based data resources that are basically open to downloading or reviewing or attacking, and so, you know, certainly we're not immune to it, and I think we've all heard, and I know at ITC conferences, or formerly TIG conferences, you know, the number of programs hit by ransomware, who are targeted by phishing attacks, is, you know, growing, or certainly it's been a huge risk. I think people are strengthening their training and their tools to protect against it to some extent. So this was just, you know, sort of, obviously one of the things that I put in sort of small type here: the risks and challenges are constantly changing, and so I think part of what, you know, the takeaway here is that we want to make sure that this is not a sort of a one, you know, do it once and be done with it, but that this is an approach. It's building it into an organization as opposed to addressing some of the current issues and then letting things linger or, you know, sort of continue on in a steady state. So, Mary, maybe could you, you want to talk about the major data risks? Sure.
Case management systems particularly. In all of these, one of the things that we'll talk about a little bit is turnover. If you have pro bono staff, if you have interns, a lot of us use interns on a regular basis to give them job experience, but also they have access to our systems. Well-intentioned people, you know. Don't assume as we talk through this that we're talking about evil people with nefarious intentions. A lot of this is well-intentioned people who are not paying attention to protecting information. So case management systems where, as I said, files get downloaded onto a local drive in the course of your working with them, file servers, SharePoint, Google Drive, data management systems, just stuff is set up for permissive access, which can make people feel like, oh, I can get my job done and I don't have to ask for help from anyone, but you're leaving information exposed. Accounting and HR systems, we're not talking just about our clients' data. We're talking about our staff data. Yeah, your personal, my personal, you know, I-9 information, social security numbers, employment records, raises, that's out there too. Donor management, our donors want to stay private. They love to give us money. They may not want everyone in the world to know that they're giving money. Web presence, apps, and social media, we all know that our pictures and our posts can just go places we didn't intend them to, and particularly if someone puts up a client story, that can lead to all sorts of trouble.

And web presence might include now online intake for an increasing number of programs or some of the portal projects that are underway. So a lot of data, and we have had in the past certainly a lot of programs, or a number of programs, that have had their websites hacked, compromised, as PHP exploits are developed and their applications aren't updated. So there's been a history of compromise certainly online.
But yeah, I think the case management systems for a lot of providers, I mean, that's been a repository of data going back many years. So it's an enormous trove of very personal, privileged, damaging or potentially damaging information in terms of identity theft or prejudicing our clients. So that's a massive one. And of course, I don't know too many programs that are very good at eliminating old documents electronically. So on their file servers or SharePoint, those just tend to grow. So that's, you know, the data risk side. Now the top ten, and I think everybody probably could come up with their own list. This is the one that Mary and I put together. I don't know, Mary, would you take the lead on this? Sure.

The small firms with limited budgets and tech capacity. We all work in a universe of limited resources, and people who say that their computers aren't starting up, the printer is jamming, their passwords need to be changed, are not focusing on what the IT person needs to deal with, the plumbing, which they don't see, which is the security. And it's so tempting once the system is up and running to just let it go. It's there, it runs. We're not going to have to think about it, and addressing each of your systems, because again, it's not just your case management. It's your HR. It's your file sharing. Each of those is going to have a different vulnerability. Mobile work environment, people take their own laptops. People take their cell phones, and sometimes client data is on a user cell phone. I have had conversations with immigration lawyers who have gone on vacation internationally, and what happens if someone takes that attorney's cell phone on the way back from vacation and wants to examine it? You know, I had personally owned devices get lost. I had one attorney lose an iPad in Italy. Fortunately, we'd already had a conversation about what happens if you lose your tablet, and so I was able to wipe it remotely.
But you have to have that conversation with your users. Client owned devices, what happens if a client who is a survivor of domestic violence has traces on her phone of contacting us and then the abuser gets hold of it? And how do you educate the user? How do you educate the client to manage her own phone? As we said before turnover, interns and volunteers, it is really a pain in the neck to manage your user accounts. So you have not just a network account, an email account, an education management system account, and a development system account. Accounts have to be turned off. They have to be disabled and then deleted on a regular basis. What that basis is is up to you, but you have to plan for it. Work data and work collaborations, private and sensitive data, our funders, our partners, researchers want to help us do better work for our clients. So they want to analyze data. They want to produce statistics. How we provide that information after anonymizing it is important. What does that anonymizing look like? For example, giving specific addresses out could be problematic with scarce clients because a single data point could identify a client where a heat map might not. So we think about how we share the data and there are always demands on improving our services. How we do that while there's always a drive to, well, let's find out more about our clients so we can talk about our client's stories. But what does that look like in collecting that data from people who often feel like they don't have any way to say no about sharing something very private to them? And cloud services, spinning them up and using them as one thing, decommissioning them as something else that you have to think about for long term. Right. And I would just add a few points that if you look at this list, I think legal aid has, as compared to sort of private law firm, has sort of a broader range of risks that they need to manage and those risks are heightened. 
I mean, just the turnover in interns and volunteers, certainly law firms have students coming in in the summer, but legal aid, a lot of legal aid programs live on volunteers and interns, and certainly a lot of the volunteer lawyers projects do. But even those that are more traditional staff attorney models, so that turnover presents a much bigger training challenge, a much bigger account management challenge. You know, law firms don't typically turn over lots of data to funders or to partners. So we have, I think, a harder job to manage our security. And I think maybe that's, you know, I remember a number of years ago, one of the executive directors, in a conversation around case management, actually thought that we were not a target for security risks. This was maybe five, six years ago, you know, compared to big banks and large law firms. And I think, you know, in some ways, she was right that it's not the immediate, you know, uncovering of a merger coming up and being able to sort of take advantage of that in the stock market. But it's certainly a trove of information, and a lot of these attacks are not limited now to high value targets, or what's valuable is changing. So that's, I think, you know, something for executive directors, for leaders, I mean, I think everybody within an organization needs to sort of appreciate these risks, and that legal aid is indeed, you know, of significant value, you know, to a range of actors. So potential impacts, I just, you know, maybe we'll share this one. I mean, so one of the things that, Mary, one of the things that I think was really interesting was a recent Pennsylvania Supreme Court decision against the University of Pittsburgh Medical Center. A bunch of employees sued, and it wasn't until they got to the Supreme Court that basically, you know, under state law, they recognized an affirmative obligation for employers to protect employee data against criminal hacking.
And so it's, we're not just talking about notification costs and basic cyber insurance. We're talking about potentially significant tort actions, and that's certainly for employees, it potentially, you know, could happen that our clients could sue us as well for damages beyond the notification requirements. We've, you know, certainly New York, we highlighted New York and California. There are a lot of state laws at this point, but sort of those notification rules and now California, this brand new act that was somewhat similar to the European rules to protect consumer privacy is going to be coming into effect in 2020. And again, the liability is going to get, you know, sort of greater as it comes into effect. A number of legal aid providers are now covered by HIPAA based on some of the work that they're doing. So there's certainly a state and federal law framework that is significant and becoming more so. But apart from that, as Mary, you and I were, you know, we're talking about sort of the, you know, the safety, privacy and the expense of clients and staff. I mean, I think there's this real need to take that into account. Even legal aid attorneys and paralegals and professionals have very limited resources. So if your identity is stolen or you're advocating for clients or causes that are unpopular in your communities, your safety is at risk. And so we have to take that into account and in how we manage the security of our data. And if you want to talk about it, if you are hit with a ransomware, if you lose the ability to run your systems, you are losing the ability to serve your clients. And then your clients worry if they call and say, we need, I need help. And our systems are, you know, we're having some system problems. It's, you know, it doesn't inspire trust in people who desperately need to trust us. And time and cost of recovery. Several years ago, we did have an episode where we had a ransomware attack and it took several days to come back. 
Thank goodness, we had great backups. And we test our backups. So we brought back 98% of our files, but it took time. And it was time that was taken away from serving our clients. I needed my lawyers to look at their files. And some grants and funding sources do ask now about cyber insurance, and they're right to do so. And I pointed out that, you know, with the California disclosure laws, so I found those breaches, you know, online, you know, to the extent that more of this comes out, or maybe more of it should come out, you know, then the reputation of our programs starts to get hurt, and maybe even, you know, sort of legal aid, because there are a lot of people who are not proponents of representing low income folks. So this could be damaging to the general support for access to justice. And then I guess the question is, you know, when does, or where does, malpractice come into play? And there's certainly a lot of articles on the topic in terms of attorney ethics and responsibilities to maintain client confidences, not just of specifically confidential information, but other information that a client provides us. So that's a potential impact and certainly a developing area. And I think the expectations are increasing over time. And it's, you know, what could a reasonable attorney be expected to know about the security of their systems? I think that bar is getting, it's getting lower in that you need, you will be expected to know more because it's out there in the world, as opposed to, oh, it's a specialist. I shouldn't have, why should I have known about that? And now you should have known about it because it's out there. Right. So hopefully at some level, folks have, and for a lot of folks, this is not all new, or maybe much of it isn't new. But everybody needs to have some appreciation of some of the risks and challenges, that they're significant and they need to be addressed.
And frankly, so, you know, one way or the other, we are aggravating or mitigating those risks. And just in thinking about this, and I know in New York, for instance, with the IOLA group, we've done a number of statewide surveys and there are very few programs with any policy, tech policy, or more than sort of very basic user policy. And it's been, you know, there's been some improvement over the years. We did a repeat of that survey this past year. But I was just sort of, you know, in sort of thinking this through, we really all have tech policies. And I think, you know, it's just not what we want them to be. And I think this is where sort of that time and attention is really important. So some IT risk aggravators, and Mary, I don't know if you'd like to start. I mean, I think that there's probably no program out there that has an IT budget, at least among the IT staff that they think is fully adequate. But do you want to talk about maybe some of the particular risks around, you know, the budgeting? At the point of which there's a zero-based budgeting, but zero-based budgeting does not mean you stay at zero when you build your budget. You go up from zero. And there has to be nutrition for the system built in, right? So out of date and unsupported systems over time become not the, oh, it works. We're going to leave it alone. The day comes when Microsoft has sunsetted an operating system in your server or TLS, the Transport Layer Security version 1, has become unsupported. And suddenly a user tries to connect to a server and they come back and say, you know, I can't get to this. And it's this error, T something not supported. And you haven't been upgrading your server 2003 because it seemed like it was working. And suddenly it is not only not supported, it is actively, I mean, it's completely vulnerable because nothing else is going to get patched on it. 
Team resources, as I said before, people want their passwords changed, they want the printer unjammed, they want a Word lesson, which keeps them going day to day, but it's not allowing the IT staff to deal effectively with the plumbing, the unseen security pieces that we need. And as the systems get more and more out of date and slower, people feel like, you know, I bought my kid a computer that's better than this. And so the staff gets depressed, the IT staff get depressed, because we don't want to work with badly out of date stuff. We want our users to have appropriate equipment. And it turns into the just band-aid approach, band-aid, band-aid, band-aid, and then the band-aids fall off. And if IT is isolated from the business, if IT is just, well, I'm going to sit here with these computers, I'm going to sit in my server room, the IT staff is isolated from what is actually happening with the business. What's going on? What kind of work are they doing? Where are the resources needed? And that's also demoralizing. And IT doesn't know what to train ourselves on, and we don't know what our users are going to need for training. That all leads to the inadequate leadership. The job gets too big. The job gets too critical. The critical failures start to overwhelm even the best intentioned staff who have not been trained because there's no budget for training.

So I want to just add, so at this point we've worked with, Just Tech and myself, my colleagues at Just Tech, have worked on assessments with about 30 different programs, and we've learned from lots of other programs that we work with in other ways. And I think to a greater or lesser extent, all these are true in almost every organization we've worked with. And I'm sort of just so impressed, frankly, by how efficient people try to be with systems and budgets that are so limited, how they really want to get everything done.
But they want to work on, let's say, multi-factor authentication, but they just can't get the time to set up a sandbox environment or spin up a VM in Azure for whatever the project is. They're not getting to move forward. And so it starts to feel like I'm just sort of keeping the lights on barely. And I think that IT training, a number of folks we've worked with, they're starving for it, the IT staff, and there's been very limited support for it, either because they can't afford to have them out of the office or they're not going to budget for the training. All these things, we're talking about the context of security here, but also about good technology management. And good technology management, I think, leads to better technology security and leads to that capacity and that looking forward and learning about what's happening because you've got to stay on top of a fairly diverse set of technologies within Legal Aid and certain technologies that are outside of Legal Aid that may impact your ability to keep your data and your system secure. I think we also see and I think we can probably all relate to executive directors, project directors, leaders who are strapped for time because they've got a gazillion projects going on, they've got a lot of threats against their funding, and frankly, not having that time carved out for tech reduces the ability, I think, for their IT team, whether it's staff or outsource, a program in Ohio that outsourced their IT had set up a weekly meeting with the executive director. So they purposely were trying to shift that dynamic so that the ED had that insight, had that communication understood, for instance, they were doing a training program for staff on security awareness and very few people were showing up and so it gives that ED the opportunity to really talk to their colleagues and figure out what the challenges are to getting people into training that's so critical and that they were spending money on. 
Again, I think the staff buy-in, if we're not leading and we're not addressing the needs of our advocates, then we don't have their support, and typically, I think, which we'll see, you end up getting a lot of workaround technology that hasn't been vetted or may not be easily managed or maintained. Another sort of instance, in terms of starvation budgets, I was meeting with a program recently that had an old case management system that would not run on anything, that would not work basically if it was moved to anything past Server 2008, and so they were stuck with the Server 2008 environment, and so that's a challenge with out-of-date software, and the actual case management system itself has some major security flaws. But we need to be able to keep moving our IT forward and managing it well so that we can maintain that basic level of security and also maintain support from staff and maintain the training of our IT teams and also sort of their focus, give them time to work on those projects that move security forward. So risk mitigation, and certainly I think, Mary, in your background around security, I don't know if you want to sort of share some thoughts. These were a few of the areas that we were thinking about.

One of the things that works really well is celebrating people's catches. So when people get emails that look like phishes, they know to send it to me, or they can call me, they can text me, they can send me a separate email and say, I think I have this email that looks weird. I have 35 users, so we are not that big an organization, but it is always better for me to walk over to a desk, look at a phish, explain to the user why it is or is not, and that way they've learned, they feel good because they have been acknowledged as having made a good catch, and they know to keep looking. One CIO of a big law firm said in a conversation, somebody asked him how big is the security team, and he said, my security team is the entire organization.
So if you encourage and celebrate people who, they see something, they say something, and even if they are wrong, which they usually aren't with phishes increasingly, they have done what we need them to do. And the other side of that is the spear-phishing, the email allegedly from an ED saying, hey, please approve this wire transfer. In a small organization the financial manager gets up, walks down the hall and says to the ED, did you really send this? But the finance manager has to feel confident that she can do that and that the ED is not going to brush her off, and when the ED says, no I didn't, and thank you for catching it, everybody is part of the security culture, and that has been really effective here. And telling people when stuff comes out: I send an email out about once a month, here's the latest thing that's happening. My users expect it, they read them, and then they ask questions, and that really builds the culture.

Again, the tech planning, this is not specifically around security, but planning your systems, your technology needs, with your users so that your users aren't using their own systems or their own workarounds is really important, or, to the extent that you even come up with a basic system or service that you're going to use that fits the need, making sure that you're looking at sort of the different use cases. Are people able to do it from a laptop or a tablet or their smartphone? To really kind of dig deeper, and again this goes back to resources, having that time to do that, having that culture that really brings people into the discussion. It's not just that we're going to build a mobile-first online intake system for clients; we spend a lot of time in legal aid typically asking clients to try it out, and we study sort of how they're using it and figuring out sort of where we can do better.
We need to sort of take that same approach to our staff to reduce the workarounds and the failures of that technology, and so they start to think not just of the technology but the security, that this is all there to frustrate them, and obviously that's not our intention. I think, Mary, as you mentioned, I mean, like we have lots of amazing, wonderful people in the community who are really trying to do their best, but they're stressed and they need things to work, and again I see this again and again as we work sort of across the country; we see providers coming up with really cool solutions that work in a lot of instances but not in all the instances that their staff or their volunteers need. So I think that's really important to managing security, because if they're using your systems and you control the system, you control that data, you control access; if they work around that system then it's a much harder thing to manage. And we talked about starvation budgets, but, you know, longer term budgeting so that you can take on those bigger projects and reduce those back burners. I hear that repeatedly, about how many back burner projects people have that sound like they're really important, and a lot of them have to do with security. Mary, anything to add on this one?

I think just the risk and costs of all technology, that can also, one of the places that catches you is, I don't think this is in any of the other slides: your website. You have to register your domain name, you have to have SSL certificates, and those things expire. Domain names expire, and one big risk is that's something you renew. You might renew it every year, you might renew it every three years, but if you have staff turnover, if you have IT turnover, that's not captured any place, and someday someone goes to your website and it's not your website, or you can't connect to your web-based online intake because you haven't kept up that security certificate. That's the kind of stuff that you need to keep in your planning.
So here's some priority policies and practices, associated practices, that we hope folks will consider. This is sort of an updated list of priority policy areas. When we actually first started in New York City on a project that I'm going to talk about in a little bit, we'd come away from working with the large law firms that had, I don't know, it seemed like a couple hundred different IT related policies. We didn't want to so overwhelm folks. I think this list can be overwhelming if you sort of look at standing on the ground, but a lot of these policies sort of relate, and so the idea is to develop policies that capture these ideas, these issues, and I think to the extent that you do, and then we're going to talk about sort of that implementation piece, you'll be able to be more confident in your planning and what you're budgeting for, that you're actually sort of taking care of those things that the organization and its leadership feel are very important. So maybe, Mary, I don't know if you want to start with the personnel related policies, and these are rough categories. I just want everyone to understand it's not, there's no sort of clear demarcation between the personnel and the data. Everybody, they're sort of interrelated for sure.

One thing that we do with onboarding that's very helpful is we have an outsourced IT support organization. Our operations manager submits a new user form, and she tests the account before the user starts. So she makes sure that the password is what we expect the password to be, email, case management system, and it is helpful to the new user who comes on, and their first day, everything works, which is very helpful. As part of that onboarding, once the user arrives there's an orientation. This is what you can do. This is what you can't do. This is why you can't do it. Offboarding is equally important, especially when you have that turnover in interns and volunteers.
One thing that we are constantly asking for is, what's the end date? Well, this is the person's last day, and at 5:30 that day that account password gets changed. One thing people think about the offboarding and end of user cycle is, well, I can't delete the account. No, you don't have to delete the account, but you do have to make it inaccessible, and the easy way to do that is to change the password, so that, if this happens a lot with volunteers, they have saved a file someplace they shouldn't have saved it and their supervisor needs to get it. Deleting the account could do bad things to the user's private folder, but just disabling access means that we can still get it if there's a business need. And that ties into the security awareness training. The first day, this is what to look for. This is the kind of email you may get. This is something you may not see at home. The BYOD and BYOA, particularly also for non-exempt employees, this is a wage and hours thing that you should talk to your HR person about, because non-exempt staff should not be required to check their email outside of hours. There's an employment thing there. Do you want email on your phone? Our policy is it is not required, but if you are going to do this you have to call me as soon as you lose that device so I can wipe it remotely. There's no shame in it. You lost your device. I'm sorry, but we have to protect our client data. Internet, social media and email use. One thing that we hear a lot about just generally is internet filters. If you're a domestic violence organization and you are doing research, sometimes information your advocates are going to type in might be caught up by a filter. A filter that might work in a regular business environment will not work for us.

Just a little anecdote on that one. One of the programs we were visiting with this past year has a designated workstation in their office that they can go to to do those searches.
A number of staff, when we sat down with them, were very like, this is just so frustrating. Sometimes the computer is busy, but it's like I just need to look something up, and so I've got to go to a different floor, to a different part of the office, to get access to that computer so I can do this research for my clients. It's a frustration that rang pretty loudly, but it's also an understandable desire of the organization to put some filtering in place to provide a safe work environment for staff, to potentially reduce the risk of malware from websites that are not legitimate. This goes to the design piece too. If you're going to build these policies, you need to have an implementation strategy that actually brings your users' perspective into account, and you come up with a solution that really fits and makes it easier for people to comply. It makes it understandable why we're doing it, as opposed to you're just trying to make my life that's already more difficult. But yeah, I think having these policies, Mary, you mentioned the onboarding form. I mean, having a policy about who has access to what: an intern is going to be a different classification than a staff attorney or a paralegal, and maybe a grants manager is going to have different access than your basic grant account. So making some sense of this and putting this into policies, obviously these are more generic than the particular form, let's say, but these are the goals for our policy. This is why we have it. The one thing that works for protecting changes to your system is, and this is sort of a standard system administration thing that can work not just with your network but with your fundraising accounts and your grants accounts, any of your systems, it's for privileged users to have two accounts. The one they use to do their day-to-day work which is, you know, that's my Mary account. That's what I do when I'm doing my reports and all that other.
But if I'm changing something to a system, I have to log out and log in again with an admin account specifically so that I'm paying attention to the specific task I'm performing, and then log out again. So that's not just a network admin thing. It can be your case administration, if someone's making configuration changes to your fundraising software or your donor management software. So that's another way to protect the system, protect the data, and get your users to understand the impact of what they're doing. Right. And having, you know, like an incident reporting and response policy, and obviously there's going to need to be other forms and processes and people identified to manage that. But like that's something that, you know, to the extent that you want to know how you're going to respond, because ultimately there's no perfect security. There's no reason to think that your firm is not going to be compromised at some point. But having had that time to prepare, kind of like you're preparing for a disaster if you're living in a hurricane zone or in an earthquake zone or in the wildfire zone, we're preparing for a security disaster. And so part of that is how do we respond? How do we ensure that the damage stops and that the documentation occurs, that, you know, the proper authorities are notified, that the insurance provider, if there is one, is notified, so on and so forth, so that you don't compound that problem or that breach by having to sort of work out sort of what your response is. And typically it's not going to be as good if it's a reactive response. Turning to privacy, I just, sorry, to data and privacy, but having an articulated privacy policy for client and staff data, I mean we probably all have one for our websites, but do we have, I haven't seen many privacy policies for, you know, client data and staff data. Policy is gone, you know, the data we collect and why and how, who makes those decisions to collect that data.
Mary, you've been a big proponent of data destruction, of not keeping everything, you know, long term. And I've got to second and third that, because the less data you have, the less it can be compromised. But having that destroyed properly, you know, as part of that, the policy is critical. We're not just, you know, deleting files on a drive or deleting records out of a database without getting to, let's say, the backups. How do we make sure that we don't have backups of that data somewhere? And with database deletions, you have to be careful about data integrity, referential integrity. If you can't delete a user without deleting your history, and some systems will not let you delete anything, which is one way of dealing with the database architecture. It's not necessarily my favorite. And then users are always afraid that they're going to lose something they need. Sort of e-hoarding is a thing. And no, you really do not need that sample brief that you wrote in 2003. I promise you don't need it, it can go away. So there's an emotional reaction to when you start deleting stuff. So we've got a question here from the audience. And retention, so if you articulate a... Is there a good source to find best practices of policies and procedures that can be adopted for their organization? Where do you go to find this? Yeah. So I'm going to talk a little bit about that when we talk about the New York City project. I think it's a somewhat interesting evolved answer there. There are, you know, tools out there that kind of like HotDocs-lite tools that I played with, one in particular, instantsecuritypolicies.com. And, you know, it's not free. But obviously, these sort of documents come at a cost to the provider to maintain. I think... I'll just sort of leave it there. I want to get to that question when we get to the New York City project, if I may. Is there any other question at this point? Just a quick comment on the data destruction.
There is going to be a major session on data destruction at the MIE conference coming up in January. And it is a huge problem in our industry. Some of the case management systems don't even have the functionality to properly delete things without going through them as admins, which causes a giant transactional cost and means no one is doing it in the industry. This is something that really needs to be addressed. Right. Well, and I think on destruction as well, I mean, I think having... Well, I was going to say one of the things that... Where does it start? It starts at least from the client perspective with retainer. And having sort of these policies identified, you know, developed and identified and shared with the client. Here's how we're going to treat your privacy. Here's how we're going to treat your data. This is what we're going to retain. This is for how long? And in an accessible language. But that was sort of one of the things that a number of years ago, working with one of my board members, we were looking at, so how can we eliminate data sooner? And one of the sticking points became the retainer. And so having a retainer that makes it clear, we will keep your data, you know, obviously through the representation and for another year or another two years, at which point your data, you're entitled to get your data back and will otherwise be destroying it. But the destruction piece, so there are, you know, case management system serious. The document management piece is difficult in part because documents may live in multiple places. But if we can get a handle on this is sort of where the basic technology environment is so critical, if we can get a handle on our documents for knowledge management and production purposes, typically a lot of those more sort of sophisticated tools build in rule sets so that you can identify documents that should be set for archive and then should be set in destruction. 
So you're not spending a ton of staff time doing what we actually used to do in somewhat an easier fashion with paper case files. When I first got into legal aid, we had more significant paper case files. And so things were sort of categorized by year. And then staff would go through it and pull out certain decrees, but then the whole file got shredded. So we need to agree on a simple mechanism. And we're going to sort of get a little bit to that a little bit later. And so the policies are great. It is certainly the next stage is the implementation. I just want to point out that the sanitization and redaction is sort of, Mary sort of, you know, and I were discussing in this, in preparing this presentation. I mean, we have a lot of funders and now an increasing number of partners, medical legal partners certainly, but beyond that, where we're sharing data. And so having a policy in place, so it's not just left to that particular partnership or collaboration. This is how we approach sharing of data. This is the data. Again, these are our privacy policies for clients. So this is what we can and can't share without changing our policies or alerting our clients or alerting our staff. It's really, it's really important that we're, that we have that sort of basic policy in place so that we know how to handle those particular initiatives that we're increasingly involved in. We're going to, I think we should probably sort of, Mary, move fairly quickly through some of these. I mean, so there are a lot of, you know, sort of basic security pieces. We, you know, Mary sort of spent a little time talking about the bring your own device part of this, or bring your own account. And so all these physical security issues also sort of hit on or are of concern with personally owned devices and controlled accounts.
You know, this, you know, onboarding, off-boarding, you know, having that centralized use for authentication, having, you know, with the fact that we have a lot more mobile staff and volunteers out in the field, making sure that we've got sort of the security that they need, that they can authenticate into either cloud services or services that you're hosting in your offices in a way that doesn't negatively affect security. Encryption certainly, you know, it's a lot, you know, sort of easier to do with certain like operating systems now, you know, having it built in. But what needs to be encrypted, you know, how can we communicate going through and deciding all these, you know, pieces at a policy level is that first step. And I'm going to, sorry, move on to sort of that policies into good practice, which is, I think, sort of really a little bit more of what we see as an even bigger challenge, frankly. And I think, you know, so, sorry, the question, you know, in terms of like sort of model policies, if the policies really, if you have a model policy and some programs have actually sort of suggested they just want to adopt that model, what we've been sort of talking about, we'll be talking about two things in New York with this pro bono project that's been going on. And initially what we were thinking was we were going to do just that, develop some legal aid specific model policies that people could just sort of, you know, put their name on and stamp it. And two things sort of, you know, came out of that after some analysis. One was that by establishing these or the model policies were essentially sort of making that the industry standard. And so if organizations don't, a, adopt it and b, follow those policies, implement it, then there's an increased liability to the community. And so that could potentially be a negative. I'm somewhat persuaded by that. 
I certainly, you know, the intention of this project, this pro bono project and I think generally of folks in, in IT and in legal aid is not, not to increase the risk for, for providers. But I think the more, go ahead. That's an interesting one. But do you think the risk is actually higher than what's currently going on, which is no one has policies and they're not doing anything? The idea that if we create best practices and standards and then they don't follow them, that does create risk. What we're doing now is putting our head in the sand and pretending like we don't have to do anything. Right, right. Sorry to push back so hard, but no, no, no, no, please. I appreciate that. I say the status quo, I'd say the status quo is not okay. I think we are at greater risk with the status quo. It's sort of how do we get beyond that? And, and so what's, what's evolved and part of why this project has taken longer is that what we're doing, we're doing two things in this project and Kirkland is sort of taking lead. There are a number of firms, actually why don't I just sort of jump a number of sort of partners on this, on this project. And what we're doing is essentially providing sort of the legal basis for these policies. These are your risks. These are, these are sort of the potential liabilities because it's targeted for legal aid lawyers and law firms. This is what you need to manage these two obligations and then taking more of like a workbook approach. Instead of giving you the text of the policies, giving you these are the considerations for your policies. Now you need to piece this together kind of like these are the Lego blocks, the pieces. You need to piece this together in a way that actually fits your practice, your culture, your firm. And, and I think in so doing, you're building policies that have I think sort of greater resonance within the organization. It makes sense. People get it. It has legitimacy. It's got that input from, from staff. 
You know, why do we have this policy? If I don't believe in that policy, I'm probably a little less likely to be enthusiastically supporting it or helping others comply with it if I don't understand why we got to it. If you just adopted somebody else's policies, I think there's that legitimacy piece. But I think it's certainly the, the priorities. They're, they're, you know, as I mentioned, we, they're, you know, some of these large firms have a couple hundred policies in place. So where, what are the ones we're going to focus in on first and, and certainly we're, the, the workbook that's being developed is not going to have 200 areas. We're, you know, that, that would, that would sort of, we'd drown in all that. But getting people to, to work on those policies and then take that next step, and that this is where the, sorry, the pro bono project is going to sort of move into once this, this book is, is put together, is we're going to work with firms. We're not going to do the, all the work for them, but we're going to sort of be the, the guides and helping them both sort of, you know, tailor policies to their organizations, you know, building on those blocks, and then help them identify those systems that, that need to be adjusted, or that systems that need to be purchased. If, you know, if monitoring is part of it or building an audit trail is part of it or, or a longer term, a lot of these policies are going to take a longer term planning. It's going to require that when we implement a new case management system, you know, the, for instance, that we just talked about is that we need to have the capacity to delete, effectively scrub the database of, of records that are, are, you know, determined that, you know, that it's time to scrub.
And I think, you know, again, what we were, you know, you know, challenged by, and, and I, I certainly have seen this too, is, is that we have, you know, to the extent there are policies, a lot of these policies aren't effectively implemented and, and maintained. And, and so, you know, going into, if you're going to implement these policies, you know, there is this commitment to budget. It's a commitment to staff, has, having like a designated, if, if, you know, for instance, you have a data retention, destruction policy, who's responsible for that. And, and it's not, it's actually in some ways it's, it's, it's probably one of the more expensive pieces of IT, you know, is the management of, of these, of these policies, because it does implicate the systems you use, you know, how you have to maintain them, and the people who need to be trained to comply with that. So it's, it's, it's pretty comprehensive. So I like the approach that you're taking, and I definitely think that it hits on some of the larger challenges that we have in this community with not having strategic IT staff at the kind of management level, because the type of implementation that you're putting forward really takes a dedication, not just from help desk, but from the organization systemically to make that happen. So I like where you're going with it, but there's a lot of need, or there's a lot of barriers to the implementation that we need to work on as a community. And I think that scope is really important. In order to keep your staff from being overwhelmed and keep your executive team from being overwhelmed, you have to pick something, you have to prioritize it. This is the most important, explain it, get buy-in and implement it, then go on to the next and the next and the next, because if you try to do everything at once, people will flee from you. Right, right.
And, and, you know, I think the, I mentioned this, this program in Ohio that, that was, you know, that had the commitment and the leadership to offer security awareness training, you know, in person security awareness training to staff. And, you know, like, but it was sort of outside the context of this sort of broader, you know, policy, that this is a requirement that, that, you know, that your, Mary, as you mentioned, sort of that large law firm where everybody is a member of the security team, you know. I don't know that that, that having that policy would have made the difference, but I certainly think it's going to, it's a cultural change that we need to make. And then, and then that training comes in the context of here's, here's what's expected of us and here's how we're going to help you get there and support you in doing it. Because this is in addition to, you know, continuing to, you know, sort of understand your client needs as they change, as the new populations, you know, new communities are emerging that need our assistance or the law that's evolving or new areas of the law that we're getting into. So, so we have all these massive amounts of, of knowledge that we need to develop and maintain. And I think along with that, we need to not, and frankly, it's not just security, because security, it's security because we're using this technology, but there's that knowledge to use the technology well and maintain security. So it's, it's, it's no small lift. And it's not, I think Mary, as you're sort of pointing out, it's not something you're going to do overnight. So if you can start, you know, somewhere with, you know, pick, pick your policy priorities, I, we haven't sort of gotten to that final version for this, this New York pilot. But I'm hoping that we're going to sort of prioritize, if you haven't done anything, these are the first two policy areas, you know, that you should be looking at building. 
And, and again, here are the considerations and, and, and some of the components of a good policy. So I wanted to, I mean, you know, we've been talking at, at folks. And so I wanted to open it up for, for discussion and, and to, you know, learn from each other and try to, you know, answer any, any questions folks have. So we had a question here from Molly French. LSC, I think requires a period of time, I think she says 10 years here, to have data or hard copies or e-copies. Is, is this the case and also what, how do you deal with data that's needed for conflict checks with regards to data destruction policies? So I had reached out to OCE at LSC a number of years ago about keeping paper versus digital. And they were very much open to keeping digital representations of the paper and not the paper. But that's, I mean, you know, that that's a good question that frankly, we might want to ask as a community or ask NLADA to, to talk with LSC about what's the, you know, we want guidance from them. We want to make sure that, you know, when it comes time to be audited that we've got everything, you know, that they need. I personally have been involved in some LSC audits where I've just provided them, you know, copies of retainers and attestations electronically, and they never went through any of the paper. And, you know, I think the other, you know, question is has, whatever their sort of position was, has it evolved. Certainly LSC is doing more and more of their own work online. So they may have, they may have come along if they've been a little bit more behind the times. I'm sorry, in the second part of the question, Sart was, was there a second part? I don't know if Sart's muted. I think he's muted. Great. I was muted there. I was talking and didn't realize no one could hear me. It was on keeping information with regards to conflict check. 
And one of the things that I'm more of there is that what you need for a conflict check is very different than what you need with their past case filings, their documents. There's a huge amount you can purge, but it's often state rule based. What other thoughts do you have on the conflict checks? Well, Mary, you and I were talking about, for instance, the social security numbers on this project. Right. Because we have, at Her Justice, we've made a conscious decision not to collect social, full social security numbers. So we can use date of birth and the last four digits. We do have lots of clients with similar names, so that that's where our, that's where our unique identifiers come from. Yeah. Yeah. I mean, I think the conflict check, I mean, as far as I know, as long as you have attorneys who had access to that data, whether you keep that data or not, you know, those more senior attorneys, that you're going to still have that conflict. Now, obviously those ethical rules may vary between states. But yeah, we have a long-term need to maintain conflict data. But I think, yeah, Mary and I were just talking about that. You know, if we collect less information that's particularly sensitive, or a fragment of that more sensitive information like the last four of the social security numbers, that certainly helps. And yeah, in purging medical records, purging things that if they get out, it would be potentially damaging or, you know, or even a safety threat. I mean, I think to some extent sort of addresses, names, numbers of relatives, you know, contacts where they might be living. Again, sort of being comprehensive in thinking through what's the data that we need and why do we need it and how quickly can we get rid of it. But conflicts, I haven't heard of a way to sort of just delete all reference to a client or an opposing party. All right. Excellent.
There was a question here with regards to something Mary said earlier, which is what are kind of the tips that you give to a client with regards to protecting their digital security online, especially if you've got a DV survivor or someone who has the potential of being stalked or found by the opposing party? Clear web cache. That is something that if an attorney, if one of our advocates finds that a client has a concern, I am happy to sit with a client. This is tell me what browser you use, I'm going to show you how to do this and I will give you a screenshot. And for a phone, I have sat with clients and show me what you're doing on your phone and I'll show you how to wipe out the information. I think that one thing that I have been very lucky at at Her Justice is that I'm seen as a part of the whole team so that if a client has a technology-related question like that, I do get brought in. And it keeps me feeling like I'm part of the whole organization. It shows the client that we do have resources she may not have thought about and she does get an answer. So absolutely, take five minutes and show a client how to clear her browser because it's something that will help her in her life. The New York City project, one of the concerns that came up was the threat to client safety. Certainly a person who has been trafficked by organized crime. The risks are very significant and so again discussions about this has come up in the context of working with individual programs like our communications with clients via text versus let's say WhatsApp or using Skype. What are the appropriate tools to secure those communications? I don't think I have any great answers here but I think together and Mary being brought in and being part of the broader team and understanding the needs and issues of the clients is so critical. So as she's working and learning more and more about security or technology or risks then she knows what to be looking for as well. 
So it's really it's a what's the what's the cycle, the beneficial cycle. There's a term of art that I'm a virtuous cycle as I think it's the term. So it really helps again part of planning when we're talking about how clients access our services. A migrant worker program that we work with has clients that leave the country at various points during the year and so communications are even more challenging and security maybe even you know of greater importance and so knowing you know and saying you know up to date this let's say this WhatsApp is now this version or there's a vulnerability that hasn't been patched so we should stop using it. One of the things that actually came up again from staff was that a lot of the a lot of clients don't have app stores so if we think that oh well there's this great security application that you can download to your Android or your iPhone well they don't have a credit card so they don't have access to the app store they can't download it or it takes more of an effort to get that software installed. So certainly being in the loop and then figuring out how we sort of cross that challenge together I think really helps. And asking for help from your other partners we have partnered with forensic accounting firms who don't necessarily do pro bono litigation but they will help us with other things and one of the things that comes up is that a client will have a series of threatening messages on her phone and we want to preserve that as evidence that is outside my capacity but a forensic accounting firm knows how to do that and has that kind of tool and so we will bring in a partner like that on occasion. Can you help us preserve this evidence and it's bringing more resources to bear and it's another it's another way to get pro bono assistance from firms that are not legal but who still want to help. 
Again, I think security and privacy, one of the, one of the things that comes up in a lot of our clients in the community across the country use their phones to record evidence, to record documents, and so that's great, there's this recording. It's potentially a risk, as Mary sort of points out, with the residue on their phones, the data on their phones, but how do we get it, which you're sort of pointing to? And if we just connect the phone up to our laptop which is on our network, are we potentially compromising our network security because that phone may be compromised? If we're backing up that phone, are we then taking everything from our client's phone and logging it and recording it and storing it on our network, you know, stuff beyond, you know, the data that we're looking for? And so, you know, having these discussions again, I mean, I think going back to the policies that, you know, this, this is the data that, that we're, you know, getting, there is this business purpose or this representation purpose, this is how we're going to handle it, it's going to remain encrypted, and when it comes time to implementation then we actually sort of test it. Can we do this? How, how will we effectuate sort of that transfer of data from my client's phone to our, our records and not, not go to a staff person's phone, because then we just have the same, same issue, now it's that staff person's phone that we need to get the data from. I think it's sort of another example where, you know, again the planning, there's a, you know, again, I think it could be any of, any of our programs, but, you know, an IT team that was working on, on, on providing SMS messaging to, to their staff because their, their clients increasingly don't want to be talking on the phone, they have limited minutes or, or it's inconvenient because they're working during the day, they need to be able to communicate via text at night, and so clients have been typically communicating with advocates on either their, their individual cell phone numbers that they own or
their personal Google Voice accounts or, or the like, and, and staff know this is just, this is not what they, you know, they're concerned about their clients, they're concerned about their own, you know, time and space away, and, and forget about the exempt, non-exempt issue, but they're very raised, because that's an important one too. But so, so this IT department was about to launch SMS messaging, but, but they, they, you know, there wasn't enough communication, there wasn't enough collaboration to know that part of what's needed is the MMS messaging, because they actually send photos and videos. And so again, we've got to design, you know, sort of the, the solutions to fit the need, and we really need to include staff with that so that we don't get 80% of what's needed and then that remaining 20 necessitates the continuation of that, that Google Voice account or that, you know, use of my personal cell phone. So another quick question here, and this is a pullback to what was being said about the bring your own device policies. A lot of programs have their own devices, and what are some of the things that you would recommend really seriously looking at, and how would you kind of reach out and educate staff over that with regard to the bring your own device policies? One thing that has worked for us is, is our main phone system is voice over IP, and we've upgraded it recently to include an app that essentially takes over the functioning of the staff person's phone so that they can make a call to a client or opposing counsel from their personal device, but it goes through our voice over IP app and it does not expose our staff attorneys' phone numbers. So that's a big project, getting a new phone system, but it has proven to be very helpful in protecting staff data. Everything that travels through this app looks like it came from the staff attorney's office, but there's a learning curve, and you have to open up the app to use it to make the calls that you want to make and protect, protect your own personal
phone number, have the, have the software installed and, and logged in, everything. Yeah, it's, it's, there's a cost to it for sure beyond just getting that technology. I would add, you know, again, that it, going back to the policies, if you have sort of data policies that require, you know, that if you have client data on your phone that the phone be encrypted, for instance, let's say, you know, that, that it be erasable, and, and now we have, you know, again, mobile device management. You know, 10 years ago it was, was really just in the, in the realm of the large private law firm because it was so bloody expensive. I mean, I, I wanted it 10 years ago and we couldn't afford it. But if we, you know, if we have again those policies, some of these, you know, the technologies that evolve are going to fit that policy. You're going to address that policy with less burden to our staff, which is ultimately our goal. We want to do the least to disrupt their advocacy, their service to clients, while maintaining compliance with, with, you know, with basic policies. So MDM is, is now, you know, much more affordable, largely because it's all, what's not all, but it's significantly moved to sort of a cloud offering, and, and even, you know, you know, Microsoft offers it at a discounted rate, and a number of providers will, will give nonprofits a discount on it. So it's certainly, I would, you know, I'd recommend first having the policies, but, but having, as, as Mary said, some ability to mask your phone number, so using essentially, you know, your office phone number, whether it's a VoIP app or otherwise. There are other tools that, if you control a number, you're allowed to actually spoof that number legitimately. There are new phones that now allow you to have multiple, this gets to be a little expensive, but, you know, multiple phone numbers associated with, with the mobile phone. I believe Verizon and T-Mobile have that. I think AT&T may, you know. So there again, that technology evolves. Having that policy is sort of that starting point, and, and then working to
make it more affordable and usable is is sort of the it's job we're we're down to about the last five minutes here our we have went through all of the questions that are here are there any last pieces of advice or places that you really want to send people we will definitely make sure that i copy that new york report gets into the blog oh perfect if you if you would like to talk about these that's great well prepared yeah um little mary i want you if you want to go first your your favorites uh sans is one of my favorites i'm in there all the time ouch oh sorry about that didn't catch that um and it toolbox has a lot of really accessible things for it staff at all levels of security experience and background yeah um yeah the so the the u.s. government u.s. sir their their tip sheet um you know i think you know again very approachable they have a number of these sites both give you a you know sort of examples of of compromises things you know so if you're wanting to share with your staff like send out like a weekly you know reminder of the risks are real and and relevant um i think that can be really useful um i mean we don't want to scare people to the point where they they they are not able to act but i think getting people to sort of understand um sort of their role in security i think is an important thing for us to do in management and it the uh you know i think sort of the um the cis security.org um uh actually was the the founder was a former nsa um uh a person who you know again you know takes an approach of less of less is more like lets we need to do these sort of basic um uh policies or or or address these basic security threats first and so they have a top 20 list um so that's a really good one um uh the uh and some of the some of the sites uh make it security um uh you know again it's the it's it's very approachable um i think it it's um their content you can share with your um your colleagues who may not be um uh sort of familiar with a lot of the 
terminology um and and so making this accessible especially if it's going to be you're going to be building a collaboration um a culture um it can't just be um it alone by any means um and certainly i think getting you know if you can get your executive director to sit down with you and uh and and you know attend an area you know sort of security you know briefing um or or you know go to the itc conference um or watch a webinar and and discuss it and and localize start that conversation i think um it you know we need the leadership involved um i think mary you'd mentioned uh we had talked about sort of the you know the the potential for board members to be involved a lot of our board members are from private law firms that are addressing security issues because they see big liability attached to it um uh so we we should be looking to build more pro bono involvement um from the private bar um and uh to some extent i think from from the academy as well i think you know law schools certainly are concerned about this stuff but but it you know start somewhere you know find the tools um i'm sorry find the sites that that that you know that you can relate to that you think your users um your leaders can um uh can benefit from and start talking about it talk about it and people people will listen because that they see the impact in their daily lives yeah yeah and i think every advocate cares about their client's safety and well-being and and uh and their own records like we you know we're not just talking about clients we're talking about your data we want to protect your social security number your data birth um your personal uh health information um and so we've got to do it together yeah to add my favorite uh resource there um we worked with joshua pesky out of tech roundtable last year um he did a 10 part series on how to become a cyber security ninja um we took that whole series put it up on our youtube channel and it includes uh kind of a test at the end um but they 
each cover different topics like bring your own device policies or social media or working with clients um and it's a good seven or eight hours of free content that's out there um nice to cover over a lunch hour and especially if you can do it with someone else that has different background and then talk to them about it uh and ask them questions if things in there don't make sense either or shoot um aso radella sent up a question and we're happy to help uh because this is one of the most important areas to our clients and we see the biggest potential for harm and the need to really step up the community's game here to protect our clients thank you well thank you everybody for coming out thank you so much john and mary um please uh i'll be sending you guys also directly our rfp but there were so many different topics here several of the things that we covered briefly i would love to see one or two of them as full longer webinars uh next year because there's so much going on in the community can do so much here well and i i'm really i mean i was hoping to have this this workbook done before this uh this webinar and i've i've seen um some drafts and so it's it's making progress but um but i'm certainly it's a not not fright you see this year um but i'm certainly hopeful in the uh in 2019 that we'll be able to share it out i've already been you know talking with uh the city bar and and the partners about you know making this a national uh resource that they can be you know improved upon as as a as a you know shared tool yeah as soon as it's available we're happy to blog about it share it into another webinar kind of highlighting what's there and walking people through it it sounds wonderful okay excellent thank you mary thank you sir thank you everybody for attending thanks everybody bye