The first half of 2016 is the time when law firm data breaches made the national headlines—big time! Last year’s ABA TECHREPORT on security started with the observation:
“Although they generally don’t make the headlines, there have been numerous law firm data breaches, involving incidents ranging from lost or stolen laptops and portable drives to long-term, deep intrusions, exposing everything in the networks. For example, an FBI speaker in January, 2013, warned, 'We have hundreds of law firms that we see increasingly being targeted by hackers.' Law firm data breaches are continuing. It was recently reported that at least 80% of the largest 100 law firms, by revenue, have been hacked since 2011."
This year, law firm data breaches widely made the headlines. In March, the FBI issued an alert warning that a “financially motivated cybercrime insider trading scheme targets international law firm information used to facilitate business ventures.” The scheme sought “material, non-public information” to be used in stock trading before the information became public. It was widely reported in the print and online press, including reports that hackers had actually broken into the networks of some major law firms.
Following this disclosure, the FBI started providing cyber alerts to the American Bar Association for distribution to members, including alerts on this inside information scheme, ransomware, and keyloggers.
Then, in April 2016, another law firm data breach made the international headlines: Mossack Fonesca in Panama. It has been called the largest volume data breach of all time (in millions of documents and terabytes of data). It resulted in disclosure of the “Panama Papers,” that aired details of offshore financial activities of dozens of global leaders, businesspersons, and celebrities.
These events are too recent to be included in the 2016 ABA Legal Technology Survey Report. It will be interesting to see if they have an impact on the responses next year.
The 2016 Survey explores security incidents and the security measures that reporting attorneys are using. It shows that many attorneys and law firms are employing a number of the safeguards covered in the questions and generally increasing use of the safeguards. However, it also shows that many are not using security measures that are viewed as basic by security professionals and are used more frequently in other businesses and professions.
Some attorneys and law firms may not be devoting more attention and resources to security because they mistakenly believe it won’t happen to them. Significantly, 14% of respondents overall and one in four respondents from firms with 10-49 attorneys and 500+ attorneys reported that their firm had experienced a data breach at some time.
Data security is addressed most directly in Volume I of the 2016 Survey, “Technology Basics & Security.” It is further addressed in Volume IV, “Web and Communications Technology” and Volume VI, “Mobile Lawyers.” This volume on security reviews responses to the security questions this year and discusses them in light of both attorneys’ duty to safeguard information and standard information security practices. Each volume includes a trends section, which breaks down the information by size of firm and compares it to prior years, followed by sections with more detailed information on responses.
The ethics rules require attorneys to take competent and reasonable measures to safeguard information relating to clients (ABA Model Rules 1.1 and 1.6 and Comments). Attorneys also have common law duties to protect client information and often have contractual and regulatory obligations to protect information relating to clients and other personally identifiable information, like health and financial information. These duties present a challenge to attorneys using technology because they are not technologists and often lack training and experience in security. Compliance requires attorneys to understand limitations in their knowledge and to either obtain sufficient information to protect client information or to get qualified assistance if necessary. These obligations are minimum standards—failure to comply with them can constitute unethical or unlawful conduct. Attorneys should aim for security that goes beyond these measures as a matter of sound professional practice and client service.
Recognizing the Risk
Information security starts with a risk assessment to determine what needs to be protected and the threats that it faces. Comment  to Model Rule 1.6 includes a risk assessment approach to determine reasonable measures that attorneys should employ. The first two factors in the analysis are “the sensitivity of the information” and “the likelihood of disclosure if additional safeguards are not employed.” This analysis should include a review of security incidents that an attorney or law firm has experienced and those experienced by others—generally and in the legal profession. The 2016 Survey includes information about threats in its questions about security breaches.
The next factors in the risk analysis cover available safeguards. Comment  to Model Rule 1.6 includes them in the risk analysis for attorneys:
“...the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).”
Comment  uses a standard risk-based approach. The 2016 Survey includes information about the available safeguards that various attorneys and firms are using.
The 2016 Survey shares that about 14% of respondents overall reported that their firms had experienced a security breach at some point. The question is not limited to the past year, it’s “ever.” A breach broadly includes incidents like a lost/stolen computer or smartphone, hacker, break-in, or website exploit. This compares with 15% overall in 2015, 14% in 2014, and 15% in 2013—steady since 2013.
The largest firms (500+ attorneys) most often report experiencing a security breach (26%), compared with 25% in 2015, 10% in 2014, 13% in 2013, and 10% in 2012—a generally upward trend. Firms with 10-49 attorneys are a close second, with 25% reporting breaches, up from 14% in 2014, 19% in 2014, and 24% in 2013. For firms of 10-49 and 500+, that’s one in every four firms. Reports of breaches generally increase with the size of firm: solos (8%), 2-9 attorneys (11%), and 100-499 attorneys (20%).
Larger firms have more people, more technology, and more data, so there is a greater exposure surface. They also should have more resources to protect them. It is difficult to tell the completeness of larger firm’s responses because the percentage of those reporting that they don’t know about breaches (21% overall) directly goes up with firm size—reaching 61% in firms with 100-499 attorneys and 63% in firms of 500+. This makes sense because attorneys in medium and large firms may not learn about lower scale incidents, particularly at remote offices.
The majority of respondents (66%) reported that their firm had not experienced a breach. Hopefully, this does not include many firms that have experienced a security breach and never detected it. A common saying in security today is that there are two kinds of companies: those that know they’ve been breached and those that have been breached but don’t know it. The same is likely true for law firms.
The most serious consequence of a security breach for a law firm would most likely be unauthorized access to sensitive client data. The 2016 Survey shows a very low incidence of this result—about 2% overall, slightly down from last year. The reports of unauthorized access to client data show none for smaller firms (fewer than 49 attorneys) and for firms of 500+. While the percentages are low, any exposure of client data can be a major disaster for a law firm and its clients. Significantly, 25% of respondents from firms with 50-99 attorneys (one in every four) report unauthorized access to client data in security breaches—a very high incidence. For firms with 100-499, 11% report unauthorized access to client data.
The 2016 Survey responses make it difficult to tell how many breaches there have actually been with exposure of client data because almost 6% overall report that they don’t know about the consequences, with “don’t know” responses by 7% in firms of 10-49, 11% in firms of 100-499, and 28% in firms of 500+. The uncertainty is increased by the high percentage of respondents (21%), discussed above, who don’t even know whether their firm experienced a data breach.
Unauthorized access to non-client sensitive data is 7% overall, including 18% for solos, 8% of firms with 2-9, and 11% for firms with 100-499. As with client data, 25% of respondents from firms with 50-99 attorneys report unauthorized access to non-client sensitive data.
The other reported that the consequences of data breaches are significant. Downtime or loss of billable hours was reported by 37% of respondents, consulting fees for repair were reported by 28%, destruction or loss of files by 14%, and replacement of hardware/software reported by 22%. Any of these could be very serious, particularly for solos and small firms. No significant business disruption or loss was reported by 68% overall.
A little over 7% overall responded that they notified a client or clients of the breach. The percentage reporting notice to their clients ranges from 4% for firms with 2-9 attorneys to 25% for firms with 50-99 attorneys, and the others close to the average. This is equal to, or in excess of, the reported incidence of unauthorized access to client data for firms of each size. It is consistent with the view that ethical and common law obligations require notice to clients.
Overall, 10% of respondents reported notice to law enforcement. The responses by firms from 50-99 (25%) and 100-499 (11%) have consistent percentages for unauthorized access to client sensitive data, notice to clients, and notice to law enforcement, which suggests that they notified both clients and law enforcement when client data was accessed.
The 2016 Survey also inquired about infections with viruses/spyware/malware. Overall, 45% reported infections, 34% reported none, and 21% reported that they don’t know. Reported infections were greatest in firms with 10-49 attorneys (63%), 30% in firms with 500+, and approximately 40% in other firms. Infections can cause serious consequences, including compromise of confidentiality and loss of data. With just under half of respondents reporting infections, strong safeguards against them, including up to date security software, are clearly warranted.
Security Programs and Policies
At the ABA Annual Meeting in August 2014, a resolution on cybersecurity was adopted that “encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.” The organizations covered by it include law firms.
Security programs should include measures to prevent breaches, like policies that regulate use of technology. There has been a growing recognition that security includes the full spectrum of measures to identify, protect, detect, respond to, and recover from data breaches and security incidents. Security programs should cover all of these areas.
An important initial step in establishing an information security program is defining responsibility for security. The program should designate an individual or individuals responsible for coordinating security—someone must be in charge. It should also define everyone’s responsibility for security, from the managing partner or CEO to support staff.
While a dedicated, full-time chief information security officer is generally appropriate (and affordable) only for larger law firms, every firm should have someone who is responsible for coordinating security. The larger the firm, the more it is necessary to have a full-time security officer or someone who is to dedicate a large part of their time to security. The 2016 Survey asks who has primary responsibility for security in respondents’ firms. As expected, responses vary by size of firm. The respondent has primary responsibility in solo firms (87%), an external consultant/expert in firms of 2-9 attorneys (30%), a chief information officer in firms of 100-499 attorneys (66%) and firms of 500+ attorneys (59%), and IT staff for firm size 10-49 attorneys (34%). A small percentage (3%) report that nobody has primary responsibility for security.
The 2016 Survey asks respondents about a variety of technology-related policies, rather than about an overall comprehensive information security program. Attorneys and law firms should view these kinds of policies as part of a coordinated program rather than individually.
According to the 2016 Survey, 56% of respondents report that their firms have a document or records management and retention policy, 49% report a policy regarding email use, 41% for internet use, 41% for computer acceptable use, 41% for email retention, 34% for social media, and 26% for employee privacy. The numbers generally increase with firm size. For example, about 37% of solo respondents report having a document/records policy, increasing to 60% in firms with 2-9, 68% in 10-49, 65% in 50-99, 78% in 100-499, and 71% of respondents at firms with 500+ attorneys. 19% of solos report having a computer acceptable use policy, 32% of firms with 2-9 attorneys, 53% with 10-49, 69% with 50-99, and 79% with 100+ attorneys.
Two responses that raise major security concerns are those that report having no policies (21% overall) and those reporting that they don’t know about security policies (7%). There is a clear trend by firm size in the responses of having no policies. There are no respondents in firms of 500+ reporting none. The percentage with no policy decreases by firm size, ranging from 2% of firms with 100-499 attorneys, 4% of firms with 50-99, 5% with 10-49, 25% in firms with 2-9, to 41% of responding solos. While it is understandable that solos and smaller firms may not appreciate the need for policies, all firms should have them, appropriately scaled to the size of the firm and the sensitivity of the data.
Incident response is a critical element of an information security program. A high of 60% of firms with 100-499 attorneys report having an incident response plan to address a security breach, followed by 50% of firms 500+, 50% of 100-499, 21% of firms of 10-49, 9% of 2-9 attorneys, and 5% of solos. As with a security program, all attorneys should have an incident response plan, scaled to the size of the firm. For solos and small firm, it may just be a checklist plus whom to call for what, but they should at least have a basic plan.
Security awareness is essential to effective security. There cannot be effective security if users are not trained or do not understand the issues and the applicable security policies.
In accordance with the ABA resolution on cybersecurity programs (and generally accepted security practices), all attorneys and law firms should have security programs tailored to the size of the firm and the data and systems to be protected. They should include training and security awareness.
Security Assessments and Client Requirements
Clients are increasingly focusing on the information security of law firms representing them and using approaches like required third party security assessments, security requirements, and questionnaires.
The increased use of security assessments conducted by independent third parties has been a growing security practice for businesses and enterprises generally. Law firms have been slow to adopt this security tool, with only 18% of law firms overall reporting that they had a full assessment. Affirmative responses generally increase by size of firm from 11% for solos to 21% for firms of 500+. For firms of 100-499, it’s 35%.
Third party assessments are often conducted for law firms only when a client requests it or requires it. Overall, 6% report that a client or prospective client has requested an audit or other review (down from 12% last year). The percentage of firms reporting a client request gradually goes up by size of firm, from .5% for solos to 26% for firms of 500+.
Overall, 31% of respondents report that they have received a client security requirements document or guidelines. Firms receiving them generally increase by size of firm, from 15% of solos to about 63% with 100+ attorneys.
As the headlines continue to be filled with reports of data breaches, including law firms, there has been a growing recognition of the need for cyber liability insurance. Many general liability and malpractice policies do not cover security incidents or data breaches. The percentage of attorneys reporting that they have cyber coverage is small, 17% overall (up from 11% in 2015). It gradually increases from 16% for solos to about 20% for midsize firms and only 15% for firms of 500+. In addition to cyber liability insurance—covering liability to third parties—there is also coverage available for first party losses to the law firm (like lost productivity and technical and legal expenses). A review of the need for cyber insurance coverage should be a part of the risk assessment process for law firms of all sizes.
Security Standards and Frameworks
A small, but slowly growing, number of law firms are using information security standards and frameworks, like those published by the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS). They provide consensus approaches to a comprehensive information security program. Some firms use them as guidelines for their security programs, while a smaller group of firms seek formal security certification. The 2016 Survey asks whether respondents’ firms have received a security certification. Overall, only 5% report that they have received a certification, with a low for firms with 10-49 attorneys (2%) and a high for firms with 100-499 (15%). It is interesting that 5% of solos and 6% of firms with 2-9% report that they have received a certification.
Authentication and Access Control
Authentication and access controls are the first line of defense. They are the “keys to the kingdom”—controlling access to networks, computers, and mobile devices. The 2016 Survey covers access controls for laptops and smartphones. It would be interesting to see how attorneys fare on networks, desktops, servers, and other computers.
For laptops, a strong majority of responding attorneys—nearly all—report that they use access controls. Overall, 98% report using passwords, with firms of 500+ at 100%. For solos, the figure is 97%. In addition, 14% overall report using other authentication, which would include fingerprint readers and other alternatives. While this might suggest that all attorneys use some form of access control (98% + 14%), that is not the case. About 2% report that they use none of the listed laptop security measures. The response of none includes solos, firms with fewer than 49 attorneys, and firms with 100-499. As noted above, the largest firms report 100% use of passwords.
Use of authentication controls on smartphones is similar to those on laptops. Reported use of passwords is 95% overall (up from slightly from 92% last year)—increasing with firm size from 93% for solos to 97% for firms of 500+. Firms with 100-499 attorneys report 100%. Use of other authentication is 31%, while another 4% use none of the listed measures.
For both laptops and smartphones (as well as other mobile devices), all attorneys should be using passwords or other authentication.
Encryption is a strong security measure that protects data in storage (on computers, laptops, smartphones, tablets, and portable devices) and transmitted data (over wired and wireless networks, including email). Security professionals view encryption as a basic safeguard that should be widely deployed. It is increasingly being required by law for personal information, like health and financial information. The recent battle between the FBI and Apple and the current debate about mandated “backdoors” to encryption for law enforcement and national security show how strong encryption can be for protecting sensitive data. The 2016 Survey shows that use by attorneys of the covered encryption tools is very low.
Full drive encryption provides strong protection for all of the data on a server, desktop, laptop, or portable device. The data is readable only when it is decrypted through use of the correct password or other access control. Respondents report an overall use of full drive encryption of only 15% (down from 20% last year), ranging from 11% for solos to 43% for firms of 500+. File encryption protects individual files rather than all the data on a drive or device. Reported use of file encryption is higher than full disk—38% overall (down from 42% last year), ranging from 32% for solos to 60% in firms of 500+—but still just over one-third overall.
Use of encryption on smartphones appears to be significantly under-reported in the 2016 Survey. Respondents report an overall use of encryption of smartphones by only 16% (up from 14% last year). However, 75% overall report using iPhones and 95% report that they use password protection on their smartphones. On current iPhones, encryption is automatically enabled when a PIN or passcode is set. It appears that many attorneys are using encryption on their smartphones without knowing it. Encryption can be that easy!
Verizon’s 2014 Data Breach Investigation Report concludes that “encryption is as close to a no-brainer solution as it gets” for lost or stolen devices. Attorneys who do not use encryption on laptops, smartphones, and portable devices should consider the question: is failure to employ what many consider to be a no-brainer solution taking competent and reasonable measures?
Email encryption is another security measure with low reported use by responding attorneys. Overall, 26% of respondents reported that they use encryption for email of confidential/privileged communications or documents sent to clients (down from 35% last year). This ranges from 20% for solos to 48% for firms of 500+. There was a gradual trend toward increased use of encryption for email, growing from 23% overall in the 2011 Survey to 35% in 2015, then dropping to 26% this year. The use of email encryption generally increases with the size of firm, from 20% for solos and midsize to about 47% in the largest firms (50+ attorneys). In current versions of Microsoft Office, Adobe Acrobat, and WinZip, simply setting a password for the document encrypts it. While password protection of documents is not as strong as encryption of a complete email and attachments, it is much more secure than no encryption.
Email encryption has now become easy to use and inexpensive with commercial email services. Google and Yahoo, at least in part driven by the disclosures about NSA interception, announced in 2014 that they will be making encryption available for their email services. In its announcement, Google compared unencrypted email to a postcard and encryption as adding an envelope. This postcard analogy has been used by security professionals for years. Hopefully, the percentages of attorneys reporting that they have added the envelopes, where appropriate, will grow in future surveys.
Some Basic Security Tools
In addition to authentication and encryption, the 2016 Survey asks about security tools that are available to responding attorneys. Most, if not all, of these tools are security basics that should be used by all attorneys and law firms.
The most common tool is the spam filter, used by 90% of respondents. This may be under-reported because most email service providers have at least basic spam filters. Spam filters can be a strong first line of defense against phishing (malicious emails that try to steal information or plant malware). Filters are only part of the defense that weeds out some phishing emails, but are an important first step.
Other tools with high reported use include anti-spyware (80%), software-based firewalls (80%), antivirus for desktops/laptops (71%), email (67%), and networks (65%). Use of intrusion detection and prevention systems is reported by 27% of respondents overall. There has been a growing trend for a number of years to use security suites that combine some of these tools like malware protection, software firewalls, and basic intrusion protection in a single tool. Availability of the various security tools is generally stable across firms of all sizes, with increases for a few of them with the size of the firm. There is a general low incidence of “don’t know” responses for these tools, about 7% overall.
Disaster Recovery/Business Continuity
Threats to availability of data can range from failure of a single piece of equipment to a major disaster like a fire or hurricane.
Overall, 13% of respondents report that their firm had experienced a natural or man-made disaster, like a fire or flood (down from 17% last year). The highest incidence was 28% in firms of 50-99, followed by 26% in firms of 500+. The lowest reported incidence was for solos and firms with 2-9, both about 10%. Disasters of this kind can put a firm out of business—temporarily or permanently. These positive responses and the potentially devastating results demonstrate the importance for law firms of all sizes to be prepared to respond and recover.
Despite this clear need, only 38% overall of responding attorneys report that their firms have a disaster recovery/business continuity plan. Firms with a plan generally increase with the size of the firm, from 23% of solos, to about 65% of firms with 100+. In the equipment failure area, 38% of respondents report that their firm experienced a hard drive failure, while 38% reported that they did not. The remainder reported that they do not know, with the “don’t knows” increasing by firm size. In firms of 500+, 75% responded that they don’t know. In firms of 100-499, it was 67%. It is very likely that most large firms have suffered multiple hard drive failures, just not known by the individual responding attorneys. Even limiting the analysis to known hard drive failures, they have impacted over one-third of respondents. That’s a high risk, particularly considering the potential consequences, and all attorneys and law firms should implement backup and recovery measures.
Backup is critical for business continuity, particularly with the current epidemic of ransomware. Fortunately, most firms report that they employ some form of backup. Only 2% report that they don’t back up their computer files. The most frequently reported form of backup is external hard drives (41%), followed by offsite backup (28%), online backup (67%), network attached storage (16%), USB (9%), tape (7%), RAID (6%), CDs (4%), and DVD (4%).
The 2016 Survey responses show that 46% of respondents back up once a day, 23% more than once a day, 13% weekly, and 4% monthly. 9% report that they don’t know, with unknowns increasing with firm size. Attorneys and firms that don’t back up on a daily basis, or more frequently, should reevaluate the risk in light of ransomware and the incidents reported in the 2016 Survey.
The 2016 Survey provides a good overview, with supporting details, of what attorneys and law firms are doing to protect information. Like the last several surveys, it generally shows increasing attention to security and use of safeguards, but also demonstrates that there is still a lot of room for improvement. Those who are behind the reporting attorneys and firms on safeguards should evaluate their security posture to determine whether they need to do more to provide competent and reasonable safeguards. Those who are in the majority, or ahead of the curve, still need to review and update their security, as new technology, threats, and available safeguards evolve over time. Effective security is an ongoing process, not just a “set it and forget it” effort. All attorneys should have appropriate comprehensive security programs that include training, periodic review and updating, and constant security awareness.