Panel discusses cybersecurity in light of Target, Neiman Marcus breaches
Recent losses reported at Target and Neiman Marcus have put the importance of cybersecurity on the front pages of the news. Law firms and government law departments continue to be prime targets because of the valuable client information they hold, said panelists at an American Bar Association Midyear Meeting program on Feb. 8 in Chicago.
“Critical Cyber Issues Affecting You Today” addressed current cyber threats and ethical standards lawyers need to be aware of in this arena.
The assumption is often that “everything you’re doing is safe,” said Jill Rhodes, vice president and chief information security officer, Trustmark Cos.
Yet in 84 percent of cases, data compromise took hours or less, according to a recent Verizon survey.
“The majority of attacks are coming from outside the U.S., but they mimic as if they’re from California or Atlanta,” Rhodes said. “It makes it much harder to contain and to prosecute.”
There are three sources of risk, Rhodes said: internal threats, external threats and unintentional insider threats. Internal threats often come from disgruntled employees. An unintentional insider threat might come from a well-intentioned person making a mistake, such as emailing information to the wrong person, using public WiFi or clicking on malware.
To mitigate the risk, you need to “know what data you have and the regulations behind it,” Rhodes said. “Be mindful of how data is used.”
Also, know your customers and employees, and set standards about what staff can do, she said. She emphasized the importance of staff education: “The more you educate people around you, the greater reduction in issues.”
The panel recommended leaning on ABA resources, such as “The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals.”
“Lawyers and law firms are vulnerable, but we’re not technologists,” said Vince Polley, president of KnowConnect PLLC, and one of the handbook’s editors. “We’re managing client matters. We’re an extremely attractive target because we’re a soft target. Once they have our systems, they can access our clients.”
“The ABA Cybersecurity Handbook” is designed to do issue identification, Polley said. It points out where problems might reside and how you might approach them. It also includes actionable suggestions with checklists.
“It’s a useful tool for any lawyer in practice — small, medium — in any practice setting,” he said.
Evan Sills, an associate at Good Harbor Security Risk Management, suggested that firms also check out the ABA’s “A Playbook for Cyber Events.” “If you are an attorney and have been hacked, it tells you what the right questions are to ask,” Sills said.
“If you prepare yourself, you’re less likely to be hacked,” he added.
The playbook covers incident response plans and reporting and liability issues, among others, Sills said.
“No one is unsinkable when it comes to data security,” said Ruth Hill Bro, chair of the ABA Standing Committee on Technology and Information Systems. “Everyone is vulnerable.”
Lawyers have an ethical obligation to protect client data, Bro said, pointing to the 2012 update to the Model Rules of Professional Conduct. “Lawyers have to take reasonable efforts to avoid unauthorized access to client information,” she said.
There is also reputation risk to consider, Rhodes said. “Target has done a fabulous job with recovery, but how many firms could afford to respond that way?” she asked.
It costs an estimated $197 per exposure to respond to a data breach, not including any fines, Rhodes said.
“Offense is better than defense in this area,” said Harvey Rishikof, moderator of the panel and co-chair of the ABA Cybersecurity Legal Task Force.
Awareness is crucial, Polley said. “Perfect solutions do not exist,” he said. “You have to be aware of the broad risks.”
Rhodes suggested bringing speakers into your firm to discuss cybersecurity issues and conducting a risk assessment to understand what your vulnerability is. “Then you can talk to the appropriate people about how to protect [your firm],” she said.
Ongoing training is a must, Bro said. “Every person should be a security officer,” she said. “There are new threats constantly.”
The panel was sponsored by the ABA Cybersecurity Legal Task Force.
Video highlights from the program are available here.