Attorneys certainly don’t want to hear this, but law firms are increasingly becoming the targets of data thieves. Why bother trying to attack the sophisticated security systems of a government contractor manufacturing a new military weapon?
It’s so much easier to compromise the law firm of the contractor because the firm probably does not have very robust security measures. Essentially, data thieves consider law firms the “soft underbelly” of the system as they attempt to illegally obtain information.
YOUR FIRM HAS BEEN “PWNED”
Younger attorneys may recognize the term pwned as originating from the World of Warcraft game. Urban legend says that’s where hackers picked up the term. It’s probably more accurate that “pwned” is a misspelling for being “owned,” a term used by hackers to signify that they now “own” your computer system, with full access to your data. Not a very comforting thought, is it?
We’ve previously written about securing your data and protecting your computer systems. Unfortunately, most law firms don’t spend the money to protect themselves because they fail to acknowledge that they are highly vulnerable targets. So we address here what you will need to do after a data breach. Ironically, if you have already been compromised, you will spend significantly more money than you would have if you had invested in prevention.
THE UPCHUCK HOUR
You’ve just learned that your network has been compromised. What next? The first hour that a security expert spends with you has been called the “upchuck hour” because he or she will have nothing good to say. That’s certainly not to suggest that you shouldn’t listen very carefully. That hour is essential in identifying any information about the breach. Probably the most important issue is whether the breach is still active. So, if you know unauthorized access is ongoing, should you stop the attack immediately or allow it to continue? As a basic default action, we recommend that you take steps to halt the attack and prevent further leakage of data. After all, as a lawyer, you have ethical considerations with respect to client data. We’ll dig deeper into that issue later, but stop the bleeding for now.
In rare situations, you may want to let the breach continue, for example, when you need to gather more information about the attackers and the methods they used to gain access. Yet monitoring an ongoing attack without being discovered is a very risky business. Highly skilled and specialized experts are needed to accomplish this, with skills well beyond the ability of most law firm personnel. Therefore, simply pulling the network plug can stop the attack and let you take the next necessary steps.
PRESERVATION AND INVESTIGATION
Next you must preserve the appropriate data so you can investigate the breach and gauge the trouble you are in. The firm may have the skilled personnel to properly preserve the data, but you’ll likely need to hire security specialists as well. What should you preserve? That depends on the attack and where you think the compromise may have occurred. It also depends on the type of data you hold.
At a minimum, preserve any logs from the communication devices and server(s). As an example, all router logs should be captured so you can hopefully determine the attack’s origin. The server logs should also be preserved to help determine what data may have been accessed. Unfortunately, most servers are not configured for robust logging; typically, only basic default logging is enabled. Default logs are retained only briefly and don’t capture a significant amount of detailed information.
You may need to acquire forensic images (that is, exact copies with matching digital “fingerprints” or hashes to prove that they are exact copies) of several computers. These could be user computers or the server as well. Many data breaches are accomplished by unauthorized personnel who do not want to be found. They will take steps to delete information and cover their tracks, hence the requirement for forensic images.
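The “digital fingerprint” mentioned above is a cryptographic hash recorded at the moment the image is acquired and re-checked whenever the copy is used. The script below is an added illustration, not code from the article or from any forensic product: it hashes a (constructed) stand-in for a disk image in fixed-size chunks, records size and digests as the acquisition record, and shows that verification succeeds on the untouched copy and fails after a single byte is altered. The file name `laptop01.dd` and the record format are assumptions for the example.

```python
"""
Forensic image integrity check: hash an acquired image once at preservation
time, record the digests, and re-verify later to prove the copy is unchanged.
Added example with constructed sample data; not from the article.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-gigabyte images fit in memory


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Return the hex digest of the file at `path`, computed with a streaming read."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def record_acquisition(image_path: str) -> dict:
    """Build the acquisition record: file name, size, and two independent digests."""
    return {
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "sha256": hash_file(image_path, "sha256"),
        "sha1": hash_file(image_path, "sha1"),  # a second digest is commonly recorded alongside
    }


def verify_acquisition(image_path: str, record: dict) -> bool:
    """True only if the size and every recorded digest still match the file."""
    if os.path.getsize(image_path) != record["size"]:
        return False
    return all(hash_file(image_path, alg) == record[alg] for alg in ("sha256", "sha1"))


def demo() -> tuple:
    """Constructed demo: verify an unchanged copy, then detect a one-byte change."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "laptop01.dd")  # assumed name for a stand-in image
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))  # constructed content, not a real image
        rec = record_acquisition(src)
        ok_before = verify_acquisition(src, rec)
        # Simulate tampering: flip one bit in the middle of the second chunk.
        with open(src, "r+b") as f:
            f.seek(CHUNK + 5)
            original = f.read(1)
            f.seek(CHUNK + 5)
            f.write(bytes([original[0] ^ 0x01]))
        ok_after = verify_acquisition(src, rec)
    return ok_before, ok_after


if __name__ == "__main__":
    before, after = demo()
    print(f"intact copy verifies: {before}; altered copy verifies: {after}")
```

In practice the record is stored separately from the image (and ideally signed or printed into the chain-of-custody paperwork), so that a later re-hash by the firm, opposing counsel, or a regulator can be compared against the value taken at acquisition.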
The investigation is important to determine what data may have been accessed, especially if the firm has data that is subject to any regulatory notifications. Many law firms don’t believe they have important data. But if you practice family law, think of all the personally identifiable information and financial information—bank accounts, credit cards, assets, etc.—you may possess. And if you do estate and trust work—well, need we say more? Also, the investigation may take some time if a large amount of data was preserved and needs to be analyzed. This could impact decisions about data breach notifications, which we cover below.
Once you know what was accessed and how it was done, it’s time to fix the problem. Perhaps the attackers were able to get through to your data because you didn’t have the latest security patches installed, or didn’t have adequate malware protection. You may have a router connected to the Internet that is designed for the consumer market and is not intended for business installations. Higher-end routers have better logging abilities and inspect the contents of the data packets in a much more thorough fashion.
Don’t assume that upgrading hardware and software is the only part of the remediation. Policies and procedures will need to be adjusted too. As an example, perhaps you don’t require periodic password changes or only require a minimum of four characters for a password. A 2010 study by the Georgia Institute of Technology showed that eight-character passwords can be cracked in less than two hours. The new standard is 12-character passwords, which could take more than 100 years to crack with today’s computing technology. If you’re lucky, maybe all you really need to do is change your policies to require 12-character passwords instead of the very weak four-character ones that were likely in effect at the time of the breach.
We hope you’ve been mentally adding up all of the probable costs to this point. The preservation, investigation and remediation are already totaling quite a sum—tens of thousands, even for small firms—and we haven’t even addressed notification requirements.
Depending on the data compromised, you may have legal obligations to notify your clients as well as state and federal authorities. Forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have legislation requiring notification of data breaches. That’s in addition to federal laws or regulations that may apply. Think you’re out of the woods yet? Not so fast. As a lawyer, you also have ethical duties to notify your clients about the data breach even if it isn’t required by law.
Don’t be like the large New York law firm that refused to inform its clients that the FBI had found its data on servers in China. This was recently disclosed to Alan Paller, the director of research for the SANS Institute, which specializes in information security training. He interviewed firm personnel and, when asked what they were going to tell clients, they responded, “Are you crazy? Can you think of a better way to destroy their trust in us than letting them know we had lost every document they gave us under [attorney-client] privilege?” The firm clearly made the wrong ethical and legal decisions, and it likely will be investigated and disciplined by the New York State Bar.
As you can imagine, a data breach can be a public relations nightmare. Just ask the partners at Puckett and Faraj in Alexandria, Va., after the “hacktivist” group Anonymous obtained 3 gigabytes of the firm’s emails. Not all is gloom, though. Some businesses have prepared for potential data breaches and know how to properly handle the press and the potential black eye. For example, the security company RSA was hacked, and its very famous SecurID algorithm may have been compromised. While some feel that RSA handled the situation poorly, most customers and security professionals applauded its quick reaction and “coming clean” by disclosing the lessons learned from the incident.
The old adage was never more apt: An ounce of prevention is worth a pound of cure. So batten down the hatches now.