©2017. Published in Landslide, Vol. 9, No. 3, January/February 2017, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.
The devices, instruments, and technology we use today are increasingly complex, and the huge amount of data generated is difficult to comprehend—and even more difficult to protect. Cybersecurity is on everyone’s minds, and it’s especially on the minds of lawyers and those we represent.
In the aviation industry, for example, one aircraft generates hundreds of gigabytes of sensor data per day. Global mobile data traffic grew 74 percent in 2015 and reached 3.7 exabytes per month at the end of 2015. Mobile data traffic has grown 4,000-fold over the past 10 years and almost 400 million-fold over the past 15 years.1 To put this in perspective, five exabytes would store all the words ever spoken by human beings, and Tom Landauer estimated that the brain holds about 200 megabytes of information. By that measure, in 2015 we were exchanging more than three times the brain capacity of the world’s population every month, and over the course of a year more than 36 times the total memory of all humans alive.2 Corporations and law firms transmit exabytes of sensitive data worldwide every second, and that data is exposed to misuse and theft by anyone who can access the Internet. The challenge is to use technology for good rather than evil, applying the latest technological developments to protect data from illegal hacking.
In April 2016, an American Bar Association (ABA) meeting and article3 studied the threat to law firms. Over the past few years, law firms have fallen victim to simple, easily preventable data breaches.4 Those of us who have practiced in this area are familiar with terms such as brute-forcing, password hashes, malware, phishing, reverse shells, and SQL injection attacks. Dangers can come from many places, including organized crime, cyber thieves, hackers, malicious insiders, and busy or careless employees. Malicious actors use phishing e-mails, phones, websites, equipment, smart devices, wearable devices, and software.
In order to keep up with these threats, attorneys and all legal professionals must first understand the technology they use and understand the technical standards designed by the IT community to fight cybersecurity threats. Then we should work together, in our organizations and in the legal forums, to team up and fast track laws that will impact our corporations and firms and their ability to prevent “cyber misuse” and hacking.
There are a number of federal agencies working hard to help protect our companies and firms from cyberattacks. Currently, the FBI is responsible for coordinating effective responses in America by investigating high-tech crimes, including cyber-based terrorism, espionage, computer intrusions, and major cyber fraud. The FBI will continue to gather and share information and intelligence with public and private sector partners worldwide as long as it receives effective updates from the firms and corporations.5 The U.S. Securities and Exchange Commission (SEC) adopted Regulation S-ID6 in 2013 to protect individuals’ nonpublic personal information (NPI). The SEC requires consideration of cybersecurity risks. As part of the Cyber Intelligence Sharing and Protection Act of 2013, the Department of Homeland Security (DHS) was designated as the lead civilian federal entity to receive cyber threat information.
Prior to 2013, cybersecurity threats put confidentiality, integrity, and availability of critical services at risk. The DHS, along with its government and private sector partners, was tasked with countering cyber threats while supporting a cyber ecosystem that is open, transparent, and less vulnerable to manipulation. On May 16, 2013, the DHS National Cybersecurity and Communications Integration Center (NCCIC) announced plans to protect critical U.S. infrastructure from cyberattacks by coordinating private sector cyber threat information sharing. The NCCIC continues to provide comprehensive and robust information sharing, incident response, technical assistance, and analysis capabilities to private sector, government, and international partners.7
After 2013 and the formation of the NCCIC, U.S. corporate attorneys became much more aware of the danger cyber theft posed to their organizations. The federal government studied these issues and consolidated responsibility in specific teams reporting directly to top management. A well-protected organization is less likely to be victimized and stands to attract more security-aware customers, because it is better positioned to deliver services with effective and secure technology. The advice of cross-disciplined teams usually includes both corporate attorneys and IT specialists because both legal and technical issues are involved.8
Law Firms Are Targets
One investigation of a Russian cyber theft revealed that 13 of the top 15 most prestigious law firms were on a list of targets. Why did the hackers focus on corporate law firms and not on other groups? One reason is that hackers see corporate lawyers as an easy target: “a back door to the valuable data of their corporate clients.”9
Many Wall Street workers are comfortable with math and science and know a thing or two about technology. Many attorneys went to law school because they are more comfortable working with words than with technology, and they can be susceptible to random phishing e-mails.
A second reason big law firms are at risk is the absence of cybersecurity policies. For years, Wall Street firms have instituted federally required internal controls that help with cyber defense, including preventing lawyers from accessing personal e-mail while at work. Hackers know that these organizations are less vulnerable. The legal industry is the latest gold mine for hackers, whose attacks continue to grow in sophistication, frequency, and motivation. This, together with the fact that so many law firms have branches and associates located around the world, means there are numerous entry points for hackers.10 But increasingly, corporate law firms are asked to show that they are paying more attention to cybersecurity issues in order to give corporations cyber-secure legal resources.
Another source of growing concern is the Chinese-developed system Baidu, which offers many services, including a Chinese search engine for websites. Baidu was adopted by thousands of applications because it was so easily used. However, it has interfaces that potentially expose personal data on any device that has loaded an application developed using the Baidu environment.
An effective cyber-secure system should include the development of a basic plan to protect, detect, respond, and recover that includes educating all concerned to support a climate of security. Continually update tools, systems, and processes, and use audit systems and processes managed by a dedicated internal group reporting to the board, or an external partner.
It is important to review and update cybersecurity policies annually and to test systems and processes for aberrant behavior as well as weaknesses, feedback, and failures. A cyber checklist11 will help, and at a minimum should include:
- Prioritization of data in order to apply a hierarchical security approach;
- Strong IT and password policies for all networked devices;
- Education, including trade secret and e-mail awareness training;
- Relationships with employees, contractors, and vendors;
- A breach response plan that takes into account the corporate cybersecurity insurance policies and other related outside resources that will help with recovery; and
- Cybersecurity insurance.
A few critical areas can be implemented immediately, including password control, encrypting communications, and controlling and auditing suppliers, vendors, and partners, together with identifying which data is the most sensitive, valuable, and vulnerable and therefore needs the most protection. It is also possible to layer the protection levels so that the strongest protection is applied to the assets in the most sensitive and vulnerable class.
The techniques to protect trade secrets may be similar to what one’s company has been doing in the past but may need to be tailored to put more emphasis on the most important trade secrets that would be the target of most cyberattacks in order to efficiently direct scarce resources. There will need to be a team, with at least one member responsible for keeping up with the best source of cybersecurity information. In addition to the myriad reports from public and private sources, there are corporate surveys such as the Association of Corporate Counsel’s (ACC’s) State of Cybersecurity Report.12
Statistics and reports are one thing—taking action is another. By relying on the wisdom of others around the world, corporations and law firms will be in a much better position to deal with this new and growing threat to our economy. Working together, we will be stronger and better prepared when, not if, a cybersecurity-related event touches us.
1. Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2015–2020 White Paper, Cisco (Feb. 3, 2016), http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/mobile-white-paper-c11-520862.html.
2. Iqbal.latif, Data Storage Capacity by the 21st Century . . . and Still Rising!, Newsvine (Dec. 17, 2014), http://iqballatif.newsvine.com/_news/2014/12/17/27541918-data-storage-capacity-by-the-21st-centuryand-still-rising. Note that one exabyte is equivalent to one billion gigabytes.
3. Ivan Hemmans & Dave Ries, Cybersecurity: Ethically Protecting Your Confidential Data in a Breach-A-Day World (ABA 2016), available at http://www.americanbar.org/content/dam/aba/multimedia/cle/materials/2016/04/ce1604lpi.authcheckdam.pdf.
4. Michael A. Riley & Sophia Pearson, China-Based Hackers Target Law Firms to Get Secret Deal Data, Bloomberg (Jan. 31, 2012), http://www.bloomberg.com/news/2012-01-31/china-based-hackers-target-law-firms.html.
6. Regulation S-ID requires, among other things, that financial institutions adopt written identity theft prevention policies and procedures that (1) implement reasonable policies and procedures to detect, prevent, and mitigate the risk of identity theft; (2) are updated periodically to reflect different types of changes in identity theft–related risks; (3) senior management reviews and approves; (4) provide training on relevant risks and program implementation; and (5) allow for oversight of service providers. Identity Theft Red Flags Rules, Release No. 34-69359, 78 Fed. Reg. 23,638 (Apr. 19, 2013), available at https://www.sec.gov/rules/final/2013/34-69359.pdf.
7. Facilitating Cyber Threat Information Sharing and Partnering with the Private Sector to Protect Critical Infrastructure: An Assessment of DHS Capabilities: Hearing Before the Subcomm. on Cybersecurity, Infrastructure Prot. & Sec. Techs. of the H. Comm. on Homeland Sec., 113th Cong. (2013) (written testimony of Roberta Stempfley, Acting Assistant Secretary, National Protection and Programs Directorate Office of Cybersecurity and Communications, and Larry Zelvin, Director, National Cybersecurity and Communications Integration Center), https://www.dhs.gov/news/2013/05/16/written-testimony-nppd-house-homeland-security-subcommittee-cybersecurity-hearing. Other resources available include the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework), https://www.nist.gov/cyberframework. The NIST Framework is a voluntary, risk-based set of industry standards and best practices to help organizations manage cybersecurity. The NIST Framework addresses core cybersecurity activities, implementation tiers based on risk, and a profile that measures “current” versus “target” for specific cybersecurity activities.
8. Gary Owen, The Evolving Governance Model for Cybersecurity Risk, 2 Banking Persp., no. 2, 2014, https://www.theclearinghouse.org/publications/2014/banking-perspective-q2-2014/the-evolving-governance-model-for-cybersecurity-risk. Some of the typical publications these teams use to keep up with the changing threats, in addition to the normal corporate legal references, are cybersecurity blogs. They are a great way to stay safe and up to date on the latest industry happenings.
9. David Lat, Beware of Big Hacking in Biglaw, Above the L. (Mar. 30, 2016), http://abovethelaw.com/2016/03/beware-of-big-hacking-in-biglaw/.
10. A Brief History of Law Firm Cyberattacks, Law360 (June 2, 2016), http://www.law360.com/articles/800579/a-brief-history-of-law-firm-cyberattacks.
11. One example of a cybersecurity checklist is available from the American Institute of CPAs (AICPA). Roman H. Kepczyk, “Top 20” Cybersecurity Checklist, AICPA (July 7, 2015), http://www.aicpa.org/interestareas/privatecompaniespracticesection/qualityservicesdelivery/informationtechnology/pages/cybersecurity-checklist.aspx.