Law firms not immune to cybersecurity risks
Jill D. Rhodes
Vincent I. Polley
There are two types of firms: those that know they’ve been attacked and those that don’t, said Jill D. Rhodes, co-author of "The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals."
"It’s very easy for anyone to be attacked, with all the ways that a firm can be hit by cybersecurity issues," Rhodes said. "The question is, what are they going to do when it happens?"
The new book, co-written with Vincent I. Polley, aims to help law firms prepare for and react to cybersecurity threats. It provides practical threat information, guidance and strategies to lawyers and law firms of all sizes and explores the relationship and legal obligations between lawyers and clients when a cyberattack occurs.
Rhodes is vice president and chief information security officer for Trustmark Cos. in Lake Forest, Ill., and Polley is president of KnowConnect PLLC, which provides consulting services on information policy and knowledge management processes.
YourABA recently spoke with Rhodes and Polley about the issues of cyber and data security and the new book.
Why should law firms be concerned with cybersecurity?
Rhodes: First, we have to stop calling it cybersecurity. We need to call it information security. With cybersecurity, we think, "Is the line going from my computer to wherever secure?" We need to think of it more broadly. The fact is that lawyers work with personal data, and they need to maintain attorney-client privilege. The question is, how secure is that data?
Polley: Lawyers and law firms are at risk of losing client confidential information from both intentional hacking as well as accidental losses, such as lost laptops or misdirected emails. Governments, commercial entities and organized criminal actors actively pursue law firms’ data for financial gain. Many large law firms have been hacked; the FBI has warned that law firms are being targeted. In addition, some clients, especially in the financial services and insurance areas, are beginning to investigate the security profile of their existing and prospective outside law firms.
What are some of the ways that firms can address their overall risk?
Rhodes: They need to define the risk. Is the risk from external threats or from insider ignorance — people who just don’t know better — for example, sending attorney-client-privileged information over a WiFi network at Starbucks? Firms need to consider where and how technology is being leveraged and what their vulnerabilities are.
Polley: At a minimum, firms should routinely employ encryption to protect data at rest — in storage on computers, smartphones, etc. This is becoming a standard practice, and failure to do this is increasingly unacceptable and unjustified. Larger firms should designate a chief information officer to oversee the adequacy of firm policies and practices.
Many of the root causes of accidental data loss can be ameliorated by employee awareness and training. Law firms should foster this awareness by making sure that data security becomes everyone’s business and that all employees become aware of the risks.
What are some of the challenges that new technology creates for lawyers?
Polley: Lawyers aren’t computer scientists and generally aren’t very technologically adept. When new technologies arise, lawyers may spot the opportunities, such as cost savings, but may lack an instinct to appreciate the accompanying vulnerabilities. As recognized by the work of the ABA Commission on Ethics 20/20, lawyers have a duty to keep abreast of technology developments and the accompanying risks.
Rhodes: One of the biggest challenges is BYOD (bring your own device). I do a lot of my business on an iPad, for example. What else do I have on that iPad? With all of my thousands of apps, how do I know what the security is of each of those apps?
What do law firms need to know about BYOD?
Rhodes: They have to have a BYOD program because basically their employees are going to start to do it whether they like it or not. There has been a lot of discussion about what’s permitted versus what’s not permitted. What kind of controls does a firm have over those devices? Can they require that I have a password on my device? What is the relationship going to be between the employee and the law firm?
Every firm needs a BYOD-specific policy. If you don’t monitor or regulate how those devices are used, you have absolutely no control over them.
Why are law firms prime targets for data breaches?
Rhodes: They have a lot of very private information — it could be anything from trademark to patent information to personal information to case information. I think law firms are as much at risk as other types of corporations.
What are some of the causes of data breaches?
Rhodes: I look at this a few different ways. First, there are external threats. These are competing organizations or an opposing side trying to get information, weakening the ability of the firm to do its work. Second, there is insider threat, which is generally a disgruntled employee or someone internally who wants to bring harm to the organization. And third — this is where the majority of the risk comes — is insider ignorance, or people doing silly things, and they don’t realize the risk they’re causing the firm. It could be sending information over the Internet that’s not encrypted, taking a laptop with a ton of data home and leaving it in a car and someone breaks in and takes the laptop, or not locking up a computer when you walk away from it. Training and policies can help prevent these types of problems.
Polley: In the last two years, there has been a marked progression toward intentional, purposeful hacking, as bad actors have come to appreciate the value of firms’ secrets. Many think that such purposeful hacking now causes the majority of law firm breaches.
What are the key steps a firm should take to protect confidential data?
Rhodes: They need to get their policies in place. They need to define what kind of data they want protected and who has the responsibility for protecting it. They should lay out data retention policies, a social media policy and a BYOD policy, among others. This is covered in the book.
Do lawyers have an ethical obligation to protect data and warn of breaches?
Rhodes: The short answer is yes. Chapter 3 of the book covers this. In August of last year, the ABA cast a new model rule that talks about an attorney being required to protect data. Ignorance is not an excuse.
What is the importance of cyber liability insurance? What type of coverage should a firm obtain?
Rhodes: I personally think that all firms should look into it. An incident costs $200 per individual to remedy the breach, not including any additional fines. So, a laptop gets stolen with names and Social Security numbers of a firm’s clients and there are 300 clients — that’s $60,000 right there for that one breach. Each firm should reach out to someone who focuses on this area. The risk is great and the cost of breaches is great.
Anything else you’d like to add about your book?
Rhodes: It has a top 10 list at the end of each chapter. What are the top things you should be thinking about with ethics, with respect to disaster recovery and other areas?
Polley: Lawyers are well trained in issue spotting. The book will serve to help lawyers appreciate the scope of the problem and will surface many of the important issues. As in most other cases, we’re best able to address problems after we’ve parsed them and begun intelligent, broad discussion of them.