Data breaches are an everyday event, and legal professionals have a specific obligation to protect themselves and their clients from exposure to these threats. The webinar “Darkest Hour? Shining a Light on Cyber Ethical Obligations,” is one in a five-part series sponsored by the ABA Cybersecurity Task Force and supported by “The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Second Edition.”
The first thing lawyers must know is that it’s not usually obvious when a firm has been hacked. “The vast majority of the time, (hackers) are using your stolen credentials, as opposed to breaking through technical walls,” said panelist Arlan McMillan, chief security officer at Kirkland & Ellis in Chicago. “Then they act like you in the firm’s network, accessing all the files you have access to.”
Another common threat is phishing: malware delivered by email, where an individual is asked to click on a link or open an attachment that has been weaponized so that the attacker gains access to the computer. Nation-state attackers target private businesses in 21 percent of breaches to steal data to advance their espionage activities or interests. Firm employees often don’t realize they’ve been hacked for weeks or months, and they usually find out only after being contacted by the FBI.
Hackers may insert themselves into an email conversation related to a wire transfer, then redirect the funds to accounts they control. “This is a growing type of attack,” McMillan said. “This is real, and this is happening every day.” Traditional security measures – build big walls to keep out the bad guys – don’t work anymore. Now, firms must rely on good industry-standard frameworks, regulatory requirements and tactical responses to guard against common threats.
“This is not an IT issue,” McMillan said. “This is a risk management issue about how you protect your data.” He recommends five steps to improve a firm’s security posture:
- Aggressively patch your computer systems (laptops, servers, etc.). Microsoft releases patches every month, and other software vendors release patches regularly. “If you’re patching, it makes it much harder for hackers to take advantage of your computer systems.” On average, an unpatched computer exposed to the internet will be hacked within 90 minutes.
- Be a regular user, not an administrator. “Administrator” and “user” are designations that define how much authority you have to make changes on a computer system. Logging in as an “admin” exposes the computer to hacking; it’s more secure to log in as a “user.”
- Use strong passwords. McMillan recommends using pass phrases instead of passwords.
- Invest in email message and attachment scanning tools. This will help protect from phishing attacks.
- Invest in web-filtering tools. This will help you guard against malicious websites.
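Two of these five steps can be checked directly on a Windows workstation. The script below is an added example, not material from the webinar or the handbook; it reports whether the current PowerShell session holds administrator rights and how many days have passed since the last Windows update was installed. The 45-day threshold is an assumption derived from Microsoft’s monthly patch cadence.

```powershell
# Added example: self-check two of the five steps on a Windows workstation.
# Run from an ordinary (non-elevated) PowerShell window.

function Test-RunningAsAdministrator {
    # Step "Be a regular user, not an administrator": does this session's
    # token carry the built-in Administrator role (i.e. is it elevated)?
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DaysSinceLastPatch {
    # Step "Aggressively patch": days since the most recent installed update.
    # Get-HotFix lists installed updates; InstalledOn is blank for some entries.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) { return $null }
    return [int]((Get-Date) - $latest.InstalledOn).TotalDays
}

# Assumed threshold: Microsoft patches monthly, so more than ~45 days with
# no installed update suggests patching has stalled on this machine.
$maxDays = 45

if (Test-RunningAsAdministrator) {
    Write-Warning "Session has administrator rights; do day-to-day work as a standard user."
} else {
    Write-Output "OK: running as a standard user."
}

$days = Get-DaysSinceLastPatch
if ($null -eq $days) {
    Write-Warning "No installed updates found in the hotfix history; check Windows Update."
} elseif ($days -gt $maxDays) {
    Write-Warning "Last update installed $days days ago (threshold $maxDays); patch this machine."
} else {
    Write-Output "OK: last update installed $days days ago."
}
```

Because of User Account Control, an administrator account running a non-elevated window also reports as a standard user here; the check describes the session, not group membership.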
McMillan also advises designating a chief information security officer (CISO), a step that decreases both the cost and the likelihood of a breach. “Hire somebody that is specialized in this field.” Define the role in your firm’s leadership and make sure the CISO reports to your general counsel.
Moderator Lucian T. Pera, a partner at Adams and Reese in Memphis, said the ABA Ethics 20/20 Commission proposed updates to the Model Rules involving the use of technology, which were passed in 2017. Most of the changes involve elements of competency (Rule 1.1), and confidentiality (Rule 1.6).
The changes are mostly common sense, but Pera warns that all lawyers run the risk of facing disciplinary measures if they are not familiar with the updates involving a lawyer’s duty to make “reasonable efforts” to secure client information, including email encryption. “If you’re only going to read one thing as a lawyer on cybersecurity, this is it … because it lays out a framework for how you should think about cybersecurity and your obligation to make reasonable efforts.”
In a nutshell, ABA Formal Opinion 477R offers the following considerations as guidance:
- Understand the nature of the threat.
- Understand how client confidential information is transmitted and where it is stored.
- Understand and use reasonable electronic security measures.
- Determine how electronic communications about client matters should be protected.
- Label client confidential information.
- Train lawyers and nonlawyer assistants in technology and information security.
- Conduct due diligence on vendors providing communication technology.
Panelist Karen Painter Randall, a partner and chair of the cybersecurity and data privacy practice at Connell Foley in Roseland, N.J., said law firms are rich targets for hackers because of the concentration of sensitive data they hold. “It’s not a matter of if, but when,” she said.
What do you do when you discover a breach? “If you’re not prepared, it can be difficult to respond within a reasonable time period,” she said, especially the critical first 72 hours. Once a breach has been detected and verified, activate the data breach response team (representatives from firm leadership, IT, communications and human resources). The team will evaluate the severity of the breach and decide on next steps, including notification of law enforcement and clients.
Panelist Catherine Sanders Reach, director of Law Practice Management & Technology at the Chicago Bar Association, said many firms store information in the cloud. You should assume at least some of your information is stored in the cloud, and is therefore vulnerable, even in a private cloud. Check the terms of service and privacy policies on free services, and you’ll discover a surprising lack of privacy. “Generally, you get what you pay for,” Reach said.
You should assess the data security standards a cloud-computing vendor must comply with. Is data stored on servers owned by the provider? Where is the data stored, physically? And the backups? Is any data stored outside of the United States? Will the service notify the firm before providing access to government or law enforcement?
Firms must keep an updated list of the third-party vendors they use. They should make sure all contracts are up to date and include terms to protect the firm in the event of a breach. Reach added that access to the firm’s data may need to be limited; employees taking documents home on personal laptops is a security risk.
The bottom line is that all firms – big and small – need to be careful with data to protect themselves and clients, McMillan said. Practice good cyber hygiene and make sure your providers and vendors follow suit. “You can never outsource accountability.”