December 11, 2017

Updated cybersecurity handbook a must to protect firms from hackers

When it comes to law firms dealing with the threat of a cybersecurity breach, it’s no longer a question of if, but when, according to Jill Rhodes, a co-editor of the newly released “ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Second Edition.” Co-editors Rhodes and Robert Litt discussed the newly available second edition of the handbook at a luncheon sponsored by the ABA Standing Committee on Law and National Security. It was moderated by Judge James E. Baker, chair of the committee and former chief judge of the United States Court of Appeals for the Armed Forces, who said the book offers crucial advice and practical tips on protecting law firms from cyber intrusions.

Jill Rhodes, Judge James Baker and Robert Litt listen as a question is posed at Friday’s luncheon, sponsored by the ABA Standing Committee on Law and National Security.


The book advises lawyers and law firms to incorporate encryption to protect the valuable client data they keep. They should also develop plans for the management and disposal of personal information data, and adopt a cyber-risk management and incident-response plan to be prepared for a data breach.

Rhodes, a member of the ABA Cybersecurity Task Force, spent 20 years working in various capacities with the intelligence and national security communities of the federal government. Litt, a member of the Standing Committee on Law and National Security, is the former general counsel of the Office of the Director of National Intelligence.

The new edition was written as a kind of bridge to help move the legal community from the wake-up call of 2013, when the first edition was released, to regular and ongoing cybersecurity risk analysis, Rhodes said. Litt called the updated handbook “very readable,” adding that it addresses the changing threat landscape over the past several years and the increased role and responsibility for lawyers in helping businesses and organizations prepare for and respond to cyber breaches.

The book includes chapters on understanding cybersecurity risks, technology, and the legal and ethical obligations to clients. Other chapters focus on specific practice recommendations, such as small firms, large firms, government lawyers, nongovernment lawyers, in-house counsel and nonprofit organizations. Chapter 3, written by Paul Rosenzweig, former deputy assistant secretary for policy in the Department of Homeland Security, addresses the technology aspect of cyber intrusions, which is often a stumbling block for lawyers, Rhodes said.

“So many times lawyers are afraid to engage in technology issues or cyber issues because there’s a feeling that it’s all about technology and I don’t understand technology,” she said. “Paul opens the door to that, and says, ‘let me tell you what you need to know.’”

Each chapter ends with a helpful top 10 list of practical considerations, sort of a Cliff’s Notes of issues covered in each chapter, Rhodes added.

Litt said most cyber intrusions are caused by employee error, usually after clicking on links that contain viruses or malware of some kind. “The great majority of cyber incidents involve some sort of human frailty,” he said.

Rhodes said training employees on preventing cyber intrusions is one of the most important steps an organization can take, because knowing what to look for and how to respond to hacking attempts is the first line of defense. The weakest link, whether you work for a government agency or in the private sector, is always the “person who is sitting there at that computer clicking on things or doing things that they maybe shouldn’t be doing,” she said.

The book also addresses international norms, the role of insurance and the ethics and statutory requirements related to data security.

The first edition of the handbook was developed by the ABA Cybersecurity Legal Task Force in response to what the task force saw as general unawareness about the cyber risks faced by law firms, and the benefits of sharing information about data-breach incidents with law enforcement and other businesses.

“In the past four years, there have also been significant cybersecurity disclosures related to law practices,” according to the new edition of the handbook, which is available online at the ABA store, at a discount for ABA members.