There was a collective gasp heard around the country the day the press reported that Bank of America Merrill Lynch was auditing the cybersecurity policies at its outside law firms, partly under pressure from government regulators.
Assistant General Counsel Richard Borden stated that Bank of America is “one of the largest targets in the world” for cyberattacks and that law firms are “considered one of the biggest vectors that the hackers, or others, are going to go at to try to get to our information.”
Regulators at the Office of the Comptroller of the Currency, which oversees Bank of America and other financial services companies, “have focused on law firms,” according to Borden. “They are coming down on us about security at law firms. So we have no choice but to check the information security and to audit—to actually audit—the information security of our law firms that have confidential information. We spend a lot of money and use a lot of law firms, so this is casting a very wide net.”
Amid much hand-wringing, the prophecy that law firms would be forced to confront their data security shortcomings has finally come true. Clients, as well as regulators, now want assurance that law firm data is being adequately protected.
PAY NOW OR PAY LATER
Though law firms are not thrilled about opening their data security practices to inspection, this move was inevitable. For far too long, most law firms have paid scant attention to information security. We are hoarse from explaining that it is a “pay now or pay later” proposition: either law firms get serious about guarding their client data and spend the money to do so, or they will pay later, when a data breach forces them to hire digital forensics experts to investigate the breach and outside counsel to advise them of their legal responsibilities. They will also incur the costs of remediating the vulnerabilities that were exploited and the costs of complying with state data breach notification laws. Currently, 47 states have such laws.
The big firms have gotten the word, at least in part, but they are not thrilled. At a time when we are starting to see layoffs as a mirror of the “new normal,” large expenses on security that never existed in the budget before are very unpopular.
Previously, some clients wanted to see law firm security policies. Some have allowed law firms to effectively audit themselves. Today, clients want to see if security policies and plans are actually being followed. And they want independent third-party audits, sometimes including penetration testing.
A SMALL QUESTION OF ETHICS
This whole topic is hot, hot, hot—and it shows on the lecture circuit. Colleague Dave Ries sent a hypothetical currently being used for discussion in a CLE. The bulk of it was developed by the general counsel of Buchanan Ingersoll & Rooney. It goes like this:
Prior to being hired as counsel for Genetics-R-Us (GRU), Dewey, Cheatham & Howe (DCH) must meet certain GRU security requirements. GRU has stringent security requirements for its service providers, including law firms. Lawyer 1 and Lawyer 2 are meeting with DCH’s technology director to discuss GRU’s security requirements and a questionnaire about security that GRU has asked the law firm to complete. The technology director says that the firm meets most of the requirements, but not all of them. It will take weeks, or perhaps months, to comply with all of them. Lawyer 2 tells him, “We have to tell the truth, but put our best foot forward and stretch things a little if you have to. I’d hate to lose this work because you haven’t done your job. Just fill it out so we pass and send it back to GRU. It’s all tech stuff, so Lawyer 1 and I don’t need to review it.”
So what happened to the duty to supervise? Is the lawyer implicitly sanctioning deceit? Can you be competent under the new rules of professionalism when you say “it’s all tech stuff” as though you had no need to investigate and understand it? This has all the makings of an ethics disaster.
HOW DO YOU SURVIVE A CYBER AUDIT?
1. Be prepared for everything, including telling the truth.
2. Review your ethical responsibilities. Better now than when you are before a disciplinary board.
3. Make sure you have a current diagram (a data map) showing where all your data is, including backups, cloud services, and the laptops and mobile devices that leave the office. You cannot protect, or account for in an audit, data you do not know you have.
4. Be especially careful about third parties holding your data—you may need to audit them! At the very least, you need to understand their security precautions and procedures.
5. Do an annual review of all policies and plans that impact data security and update them as needed. These may include but are not limited to
- business continuity plan,
- disaster recovery plan,
- incident response plan,
- remote access policy,
- employee termination policy,
- password policy,
- encryption policy,
- data access policy, including access by guests/vendors/clients,
- physical security plan, and
- bring your own device/bring your own network (BYOD/BYON) policy.
6. At least once a year, get a full-blown security assessment by an independent third-party security company.
(If you are a smaller firm, use a smaller security firm—the prices are much lower.) Remember that these firms are in the business of making assessments; their own credibility is on the line, so their assessments carry more weight. As a bonus, you may get a discount from your insurer on your premiums.
7. Consider whether you need penetration testing: actual attempts by experts to breach your network. Penetration testing can include network attacks, social engineering of your staff, and/or physically attempting to enter your facility to access the computing infrastructure. Agree on the scope and rules of engagement in writing before the testing begins. This may be overkill for a small firm but certainly not for a large firm.
8. Be prepared: make sure you have cyber insurance that will protect you fully in the event of a data breach. Most general liability and professional liability policies will not cover you in a data breach; coverage requires a specific cyber rider or a stand-alone cyber policy, so read the exclusions before you assume you are covered.
9. Stop kowtowing to the demands of lawyers who want a BYOD or BYON policy. This is serious stuff, not a parlor game where willful children should rule.
10. Our advice? And yes, we’re serious: Law firm business should only be conducted on devices issued by the law firm, and no personal business should be allowed on those devices. Not many firms will have the gumption to do this (see the willful children remark above), but this will be a key measure valued by clients and regulators.
11. Encryption is not complicated. Make sure lawyers use it where needed: full-disk encryption on every laptop and mobile device that holds client data, and encryption in transit whenever confidential material is emailed or transferred.
12. If a cloud provider holds a master decryption key (meaning the provider, and anyone who compromises or subpoenas it, can read your files), encrypt sensitive data yourself, with keys you control, before depositing it there (e.g., Dropbox).
13. Install hardware and software that does real-time intrusion detection. If you are a smaller firm that can’t afford this, at least make sure logging is enabled on your firewalls, servers and remote access systems, that the logs are kept somewhere an intruder cannot erase them, and that someone actually reviews them, so there will be a trail to follow.
14. Twice a year, have mandatory security training. Keep employees advised of new security threats and underscore the need for vigilance, including being watchful for suspicious emails, texts, hyperlinks, etc., as well as social engineering ploys.
15. Document all your security measures so you can produce them as part of an audit.
16. Even if you are allowed to self-audit, don’t. The human tendency is to cut corners or say, “I think so,” which translates to “yes” in the audit when you are not really sure “yes” is the full or correct answer.
17. If you’re big enough, have an audit committee with players from IT, compliance, management and security. They will all have a part to play, and it is important to get buy-in across the board.
It is impossible in a short column to describe all of the steps a law firm should take when confronted by an audit; your clients will likely spell them out for you. With a little help from Google, search for “security audits checklist” and you’ll find plenty of reference material.
The time to get started on all this was yesterday. And we predict with a fair amount of confidence that many law firms will sashay into the future as vulnerable as ever unless clients force them to take security seriously.
We have all but throttled audiences in our passion to get them to understand how real the problem of data security is, but in the end, perhaps Matt Hooper (Richard Dreyfuss) said it best when he prophesied in the original Jaws movie, “I am familiar with the fact that you are going to ignore this particular problem until it swims up and bites you on the ass!”