We all see the headlines about law firm data breaches, which can inflict far-reaching damage. Companies are making cybersecurity demands on their business partners – law firms, vendors and so on – and frequently these demands take people by surprise.
In the webinar, “What Clients Want: Cybersecurity Requirements You Never Dreamed Of,” the fifth and final installment from the Wake Up Wednesday Cybersecurity Series hosted by the ABA Cybersecurity Legal Task Force, a panel of experts discusses cybersecurity requirements all lawyers must consider.
Moderator Jill Rhodes, vice president and CISO (chief information security officer) for Option Care in Bannockburn, Ill., presented a fictional scenario to panelists Kevin Kalinich, Andy Sawyer and Lei Shen. Kalinich is managing director at Aon in Chicago. Sawyer is director of security for Locke Lord LLP in Dallas. Shen is a partner in the Cybersecurity & Data Privacy and Technology Transactions practice at Mayer Brown in Chicago. The three discussed the scope of lawyers’ duties under ABA Formal Ethics Opinions 477 and 483.
Rhodes said lawyers cannot afford to be intimidated by cybersecurity simply because they don’t understand the technology. Instead, they must realize that the focus on cybersecurity is fourfold and involves using skills they are already comfortable with: governance, people, process and technology.
“We need to take a step back from the fear of technology” and take responsibility to protect our clients and their sensitive information, Rhodes said. She recommends reading “ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Second Edition,” which includes a chapter on technology basics for lawyers. Clients expect you to protect their information, no matter the size of your practice or firm.
Lawyers should look at cybersecurity from a holistic standpoint, asking these questions:
- Governance: What are our cybersecurity policies? What are our standards and practices?
- People: How are we educating staff and others around us to protect client data and company data?
- Process: Do we have an incident response process in place? What processes do we have to protect sensitive information?
- Technology: Whatever our level of technological know-how, we can ask the questions related to governance, people and process to protect our clients and firm.
Here is the scenario:
A partner at a Chicago firm gets a call from a client, the CEO of a billion-dollar high-tech company, who says the company has just been breached and proprietary data stolen. Patents and designs of their most recent Internet of Things (IoT) devices, employee information, financials and customer data – customers include a data broker, financial institutions and an EU-based company – may have been compromised. The CEO requests an immediate meeting. What should the partner be thinking about going into this meeting?
Shen said the partner should first get a handle on what types of data were stolen and which laws and contracts might apply, such as with the personal data that IoT devices collect. One customer in particular, the data broker, has likely already adopted stringent security requirements. Financial institutions also have specific state and federal privacy and security laws that apply. Data from the EU company would be subject to the General Data Protection Regulation (GDPR), Europe’s new data protection law. Data breach notification requirements also would come into play.
From a technical perspective, Sawyer said the partner should ask the CEO whether the breach has been contained and how it was detected to determine what policies and processes worked or didn’t work. Kalinich said the partner should also look at the firm’s existing insurance policies to see if there is coverage under the professional liability and malpractice policy and whether the cooperation clause – which requires engaging legal representation and performing technical forensics in the event of a breach – was followed.
The team later discovers that a spear phishing attack on a human resources employee led to the breach. The employee clicked on a link embedded in an email, which immediately compromised the company. Going forward, the firm should hire a hacker to “break in” to clients’ systems to determine vulnerabilities.
Post-incident, the firm should make sure the intruder has been expelled and the client has regained control of its assets, including bringing in law enforcement or the Department of Homeland Security. The client should identify deficiencies both in the execution of its incident response plan and in the plan itself, including providing employees with education and training about cyber risk and conducting third-party assessments to ensure any third party accessing or storing its information is secure.
This program is the fifth and final installment in a series that also includes: Darkest Hour? Shining a Light on Cyber Ethical Obligations; Bumps in the Night: Cybersecurity Legal Requirements, Government Enforcement, and Litigation; While You Were Sleeping: Ever-Changing Cybersecurity Threats and What You Need to Know Now; and Cybersecurity Is Not One Size Fits All: Addressing Night and Day Differences for Solos/Small Firms, Megafirms, Companies, Government, and Nonprofits.