November 01, 2014

Cybersecurity for Lawyers and Law Firms

By Vincent I. Polley

On November 18, 2009, law firms awoke to a new reality—the Federal Bureau of Investigation (FBI) issued a formal advisory that firms were the active targets of systematic, sophisticated cyberattacks. It’s likely these attacks predated 2009; it’s certain that they continue.

Law firms are tempting targets for two reasons:

1. They hold troves of commercially valuable client-confidential information (M&A transactions, patent applications, contract negotiation strategies, etc.).

2. They are soft targets because lawyers generally are unsophisticated computer users and are loath to dedicate the time and money necessary to harden their systems.

Even small firms have been attacked through “ransom-ware”—viruses that can lock the lawyer out of her own computer files until a ransom is paid. And the attack doesn’t end with the law firm: malware on law firm computers can easily jump to clients’ systems (there’s some evidence that clients are the ultimate target, while the law firms are chosen simply as an easy route to reach the clients).

Some computer attacks come from criminals who surreptitiously try to hack into the firms’ computers (e.g., through a misconfigured website, exploiting obscure software vulnerabilities). But most successful attacks exploit employee day-to-day activities:

  • an e-mail apparently from a client, friend, or family member that carries a hidden malware payload (once the attachment or link is clicked, the infection is almost impossible to detect);
  • a thumb-sized flash drive inserted into a laptop;
  • unprotected use of public WiFi at a coffee shop.

Traveling overseas with a smartphone or a laptop raises a series of additional significant risks.

Cybersecurity risks don’t just afflict lawyers, of course. We know this because most states have breach notification laws that require notification to affected individuals when their personal information has been improperly accessed (the U.S. Securities and Exchange Commission (SEC) also advises companies to consider disclosure of other cyberattacks if they might have a “material” effect). Other U.S. laws reach data security activities in various sectors: medical records (by HIPAA), financial systems (by Gramm-Leach-Bliley), and so on. Another layer of complexity is added by the mosaic of international laws that may apply if the company has foreign operations, employees, or customers.

Almost all of these laws are equally applicable to law firms. But lawyers and law firms are subject to additional obligations imposed by ethics rules. In 2012, the American Bar Association updated the model ethics rules to require lawyers to keep abreast of the benefits and risks associated with new technology and to maintain basic competency in the use of computer technologies. A blizzard of ABA and state ethics opinions address lawyers’ duties to protect confidential client information and to keep clients informed (e.g., about losses of confidential information).

Awareness is the first step—you can’t prevent a problem you don’t see coming. This problem has been with us long enough that there are some very useful resources. Start with The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals (ABA, 2013). The Handbook provides detailed threat information, guidance, and strategies to lawyers and law firms of all sizes and explores the relationship and legal obligations between lawyers and clients when a cyberattack occurs. Some key steps:

1. Give a specific person responsibility for security planning. While “security is everybody’s business,” if someone doesn’t own the issue, it won’t be systematically addressed. If your firm is quite small, develop a relationship with a good, local technology security expert to help you.

2. Schedule periodic training/discussion sessions with everyone (all lawyers, staff, employees, and independent contractors—anyone who touches your computer system, ideally even family members).

3. Use encryption as much as possible for stored data. Password protect all computers, use codes to lock smartphones, and avoid using public WiFi. (Using encrypted e-mail may be appropriate for some client matters but is far from being a de facto best practice.)

4. Double-check the security practices of all third-party providers you use—cleaning staff, payroll and medical insurance companies, any “cloud” storage providers, etc.

5. Talk with your insurance provider about their expectations and recommendations.

6. Talk with some of your key clients about recommended best practices—depending on their size, you may help them to address the issue, and they may help you.

Of course, there are many more things you can do. The ABA Handbook has several checklists and a “Top-10” list of recommendations at the end of each chapter. There’s no magic bullet to achieve perfect security. The level of security you attain will be dictated by facts and circumstances specific to you and your firm. And because your circumstances (and the underlying technology) will always be changing, information security issues require a degree of constant attention, just like billables, marketing, and other client-service activities.