
The Next Big Hacking Target: Law Firms

A guide to the precautions lawyers and law firms should take to protect against cyberattacks.

By Steven S. McNew and Preston Fischer – December 8, 2016

Cyberattacks have evolved from a rare occurrence to a daily risk. Moreover, these incidents tend to come in waves: when one breach is disclosed, a rash of similar incidents follows. Attackers also migrate from one "target" industry to the next, and a new wave follows there. Faced with the near-certainty that cyberattacks will only increase, the private sector would do well to ask, "Who's next?"

“Law firms are the next big cycle target,” said Bob Anderson, former national security executive with the Federal Bureau of Investigation and leader of Navigant’s Information Security practice. “The Panama Papers were not the beginning and not close to the end. Breaches across the legal industry will continue to interrupt deals, litigation, and, most concerning for them, reputation.”

Law Firms: Huge Cybersecurity Risk
In the wake of the mounting number of high-profile cyberattacks in retail, financial services, government, health care, and other sectors, more and more industries have invested in cybersecurity solutions and programs. Companies can no longer claim to be unaware of the risk while everyone around them bulks up internal cybersecurity efforts; that spending drove 235 percent growth in the cybersecurity industry from 2011 to 2015.

Yet preventive security investment is typically underprioritized in organizations of every kind. A 2015 survey by the Institute of Information Security Professionals found that cybersecurity budgets are rising but still lag behind a threat that is constantly evolving. Overall, companies are being reactive rather than proactive and may find themselves falling farther behind the readiness curve.

Cybersecurity issues are certainly evident in the legal profession. The American Bar Association found that one in four law firms with at least 100 attorneys has experienced a data breach. American Bar Association, Legal Technology Survey Report (2015).

Indeed, the lure of hacking law firms is clear: they are privy to their clients' most sensitive data, from personally identifiable information, protected health information, and proprietary information to confidential documents and discussions regarding pending mergers and acquisitions, litigation, investments, and other business transactions. Many parties stand to gain by obtaining that information illegally, including litigation opponents seeking evidence to win a case and activist groups angered by a firm's representation of a particular client.

Given these dangers, law firms should be in the vanguard of preventive cybersecurity. And yet, although "[l]aw firms have some of the world's most sensitive information," said Anderson, they also have some of the "most porous cybersecurity defenses." A 2015 internal report by Citigroup's cyberintelligence center found that law firms tend to be particularly far behind the curve in cyberattack readiness compared with other industries.

Assessment of Vendors’ Cybersecurity Readiness
Furthermore, according to the Citigroup report, law firms tend to keep cybersecurity incidents under the radar, meaning that when a breach does occur, it is rarely disclosed to the public. Because the legal sector is not subject to the stringent security and breach-disclosure rules that govern highly regulated industries, clients have few external signals by which to gauge their firm's cybersecurity readiness.

Given the increased use of outsourced vendor services and technologies by multiple departments within an organization, general counsel must be vigilant in ensuring that the law firms they retain proactively manage their cybersecurity risk.

Asking five crucial questions can help confirm that your vendor firms are protecting their own intellectual property and that of their clients:

1. Have the vendor firms allocated sufficient funding for the implementation of cybersecurity best practices? Two-factor authentication, widespread adoption of encryption, and multitier backup and testing schedules are not new. However, these safeguards are often viewed as nonessential and are thus underfunded within law firms. Ask specifically which systems enforce two-factor authentication (at a minimum, remote access and email), whether client data is encrypted both in transit and at rest, and when backups were last restored in a test rather than merely taken. By maintaining an ongoing dialogue, you can confirm that your firms are, and remain, up-to-date on cybersecurity best practices.

2. Do vendor firms have appropriate training in place? It is often said that people are the weakest link in the cyberchain. Ensure that your firms offer routine training on social engineering to prevent incidents such as phishing, spear phishing, and business email compromise. A solid training program should also cover physical and device risks: removable media such as USB drives, phones, sensors, and any other device with an IP address. Asking for copies of training programs, participation levels, and online materials will help you evaluate how complete the training is.

3. Who has physical and electronic access to the company's information? Vendor management should be most stringent with those who have access to sensitive information, and a law firm is, of course, in that category. Access controls should extend to subcontractors as well as third-party software integrators. Companies should validate lists of personnel with access to company information, confirm that password requirements are appropriate, and understand which companies and systems will handle their data so that the relevant security controls can be checked. Law firms should also run routine vulnerability scans and provide the results, together with evidence that the findings were remediated.

4. How will law firms respond to the company's needs, both in prevention and in the event of a breach? Law firms should assume the role of strategic partner in aligning preventive preparations from the outset. In the event of a breach, they should be transparent and should coordinate with the company's counsel, insurers, and IT teams. Companies should openly discuss and review, in advance, the protocol to be followed if company data may have been compromised.

5. Do the law firms have an up-to-date incident-response plan? Verifying that a law firm has a well-developed incident-response plan is just the first step. To confirm that the firm has kept pace with industry and technology developments, its plan should be reviewed by an independent party at least annually and accompanied by facilitated tabletop exercises, that is, group sessions that walk through responses to various breach scenarios in order to identify gaps in preparedness.

Vendor law firms routinely access and store their clients' most sensitive data. As such, corporations that retain a law firm without properly verifying its cybersecurity capabilities are putting themselves, and their own clients, at enormous risk. According to former ABA President Laurel Bellows, "We live in a world where our national security is threatened by cyberterrorists, and where private enterprise is forced to respond to cybertheft of intellectual property on a daily basis." ABA Cybersecurity Legal Task Force, American Bar Association (2016). While the challenges of cybersecurity continue to escalate for law firms, preventive measures and full disclosure about capabilities and breaches can deliver remarkable gains in security, risk mitigation, and peace of mind.

Keywords: litigation, corporate counsel, hacking, law firms, breach, cybersecurity, cyber attacks, best practices

Steve McNew is a managing director and Preston Fischer is a director in Navigant’s Global Legal Technology Solutions practice.

Navigant Consulting is the Litigation Advisory Services Sponsor of the ABA Section of Litigation. This article should not be construed as an endorsement by the ABA or ABA Entities.