Cybersecurity & Law Firms: A Business Risk

Volume 39 Number 4


About the Author

Jody R. Westby is CEO of Global Cyber Risk LLC and the coauthor of four books on privacy, cybersecurity programs, cybercrime and ESPs. She chairs the Privacy and Computer Crime Committee in the ABA Section of Science and Technology Law and is leading the critical infrastructure working group of the ABA Cybersecurity Legal Task Force. 

Law Practice Magazine | July/August 2013 | The Big Ideas Issue

Law firms have never been very good with technology, and now they are struggling, as breaches in firms have made headlines and clients increasingly are asking questions about their security programs. The FBI has issued warnings to firms and held a meeting in early 2012 with about 200 firms in New York to discuss the risk of breaches and theft of client data. Around the same time, Alan Paller, director of research for the SANS Institute, a cyber training organization, revealed an amazing conversation that he had with partners from a New York firm who had been told—and shown—by the FBI that all their client files had been stolen. These warnings and many other instances of law firm data breaches have come squarely in the crosshairs of the ABA. Laurel Bellows, president of the ABA, has raised awareness within the legal community about cyber risks by launching a special Cybersecurity Legal Task Force to analyze a wide range of issues, including risks to law firms.


Many firms are now asking, “What do we do to keep our systems and data safe? How can we keep this from happening to us?” There is a simple answer to this question: Hire a chief information security officer, give him or her a budget to hire the staff needed to build and maintain an enterprise security program (ESP), and exercise appropriate governance over the firm’s digital assets.

Law firms are basically the same as any other company when it comes to countering cyber attacks and protecting their confidential and proprietary data. The only difference is that law firms have ethical rules that require confidentiality of attorney-client and work product data. That does not make them special, however, because accounting firms, engineers and medical providers also have privileged data. All companies—irrespective of whether they are engaged in expensive research and development, processing financial transactions, providing electricity or practicing law—must have a security program that comports with internationally accepted best practices and standards. (See “Cybersecurity Best Practices and Standards” box.)

This is usually where attorneys’ eyes glaze over and they want to call in their “IT guy” and go back to work. Not so fast. Security is an enterprise issue, and that means that attorneys, firm management and support personnel need to be involved.

Some basic activities must be undertaken to establish a security program, no matter which best practice a firm decides to follow. (Note that they are all harmonized and can be adjusted for small firms.) Technical staff will manage most of these activities, but firm partners and staff need to provide critical input. Firm management must define security roles and responsibilities, develop top-level policies and exercise oversight. This means reviewing findings from critical activities; receiving regular reports on intrusions, system usage and compliance with policies and procedures; and reviewing the security plans and budget.

The basics of an ESP, including the roles and responsibilities of all personnel, are provided in a security program guide developed by Carnegie Mellon University’s Software Engineering Institute. A simplified listing of the activities required to establish and maintain an ESP that has been tailored toward law firms is provided below:

  • Establish a cross-organizational team comprised of practice chairs, procurement (they buy copiers, faxes and printers, which have servers inside), finance, human relations, communications, office management, IT and security personnel. Meet quarterly.
  • Set the “tone from the top” and issue high-level policies regarding the privacy and security of firm data. This includes the use of encryption, remote access, mobile devices, thumb drives, laptops, Wi-Fi “hotspots,” clouds, Web email accounts and social networking sites.
  • Inventory the firm’s software systems and data, and assign ownership and categorizations of risk. Client data may need to be compartmentalized; not all clients are equal. Extremely sensitive matters have the highest risk and could cause the greatest magnitude of harm if breached. Firms may want to keep this data on a separate server with stronger security protections and stronger access controls.
  • Identify points of contact with law enforcement, Internet service providers and the communications companies that service the firm, and cyber forensic experts. If the firm has multiple offices, this should be done for each, with particular attention to foreign offices.
  • Conduct third-party vulnerability scans, penetration tests and malware scans. Antivirus software is essential, but it detects only a small percentage of new malware. Specialized services that detect sophisticated attacks may be required.
  • Perform software code reviews on Web applications and custom code to detect vulnerabilities.
  • Enough data is now gathered to develop a security strategic plan (a two- to five-year plan) and security program plan (the firm’s 12-month plan for security activities, which will include remediation activities identified in scans and penetration testing).
  • Deploy needed security technologies for encryption, intrusion prevention and detection, monitoring, security event management, etc.
  • Identify and document security controls.
  • Establish security configuration settings, access controls and logging.
  • Develop security policies and procedures to support the security plan and technologies.
  • Conduct training (general awareness, governance, operational and technical).
  • Develop incident response, business continuity or disaster recovery plans and communications plans. Test them.
  • Develop contractual security requirements for outsourcing vendors, cloud providers or other entities that connect to the firm’s network, including notification in the event of a breach.
  • Conduct regular reviews of the security program and update as necessary.

Some attorneys may fall into the trap of believing that the less they know about security threats to their system, the better. Security will never be bulletproof, but security fools are not treated kindly. Law firms, like any other business, are subject to breach notification laws, and many of them have pre-breach security program requirements. A firm will be in a far superior position with its clients, its state bar and any regulators that may become involved if it can show that (1) its security program is aligned with best practices, (2) its management is engaged, (3) it is complying with its policies and procedures, and (4) tools are deployed to detect malware and criminal behavior.


Having a well-rehearsed incident response plan is critical. It must specify who will be notified, within what time frame, what documentation must be kept, who is designated to speak about the incident and who has authority to make certain decisions about the investigation. Serious incidents require specialized assistance from cyber forensic experts and careful documentation to preserve evidence. This is no time to learn on the fly.

While law firms need ESPs just like all businesses, special considerations arise at the time of an incident. With any breach, an almost instinctive reaction is to cover up the event and keep it secret. Paller’s previously mentioned conversation with the New York attorneys revealed, in stark terms, their intention to tell no one about the breach: “Are you crazy? Can you think of a better way to destroy their trust in us than letting them know we had lost every document they gave us under [attorney-client] privilege?”

Even if the event did not trigger a breach law, a law firm’s decision to cover up an incident can be a dangerous strategy. Some of the attacks against firms are suspected of having been sponsored by nation-states, and pushing these incidents under the rug may result in even further infestation of malware or exfiltration of data. Even large communication providers do not have the capabilities to ward off a nation-state without government assistance; to think that a law firm could is laughable. If investigated, some might consider this negligent behavior.


Firms must also consider that ethics rules already have provisions addressing metadata and email, so if either of these were disclosed, an ethics issue is already in play. Whether a firm is ethically obligated to report a security breach of attorney-client documents to its clients is a question that many security professionals have bandied about.

New commentary to Rule 1.1 of the Model Rules of Professional Conduct requires attorneys to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” So the days of attorneys being technology troglodytes are over. Model Rule 1.6(c), on the confidentiality of client communications, acknowledges that disclosures can happen by providing:

“(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Commentary on the Rule notes that:

“[18] Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure.”

Thus, Rules 1.1 and 1.6 may allow a law firm to avoid an ethics violation stemming from a breach if it has acted in a competent manner (e.g., having a strong security program) to protect its client data from disclosure.

Rule 1.6(c), however, does not address whether attorneys have to tell their clients about such an event. Law professor Benjamin Cooper’s Baylor Law Review piece, “The Lawyer’s Duty to Inform His Client of His Own Malpractice,” raises some very interesting points about self-reporting of negligence. In addition to discussing Rule 1.4 (communications with the client) and the fiduciary law governing the lawyer-client relationship, he explains that the Restatement (Third) of the Law Governing Lawyers states: “If the lawyer’s conduct of the matter gives the client a substantial malpractice claim against the lawyer, the lawyer must disclose that to the client.”

When I recently spoke with Professor Cooper, he observed that “firms have a duty under Rules 1.1 and 1.6 to effectively protect their clients’ information. If a firm is negligent in carrying out that duty because it has been lax with its security, and that resulted in client files being disclosed, it is potentially a problem.” Even if a firm has a very good security system, he observes that “the attorney absolutely has a duty to inform clients under 1.4 that their confidential information has been compromised.”

Accordingly, a strong security program may help shield a firm from an ethics violation caused by not appropriately protecting client data, and it may help the firm defend against a negligence charge, but it has no impact on the Rule’s requirement to inform clients of security incidents. A good security program does, however, reduce the likelihood that such a painful conversation will have to take place. Altogether, it is clear that an up-to-date security program is the best defense that a law firm can have. Whether large or small, taking measures to establish a strong security posture is not only the right thing to do, it’s the ethical thing to do. It may help save the firm cases, clients and its reputation.

“We live in a world where our national security is threatened by cyberterrorists, and where private enterprise is forced to respond to cybertheft of intellectual property on a daily basis. The ABA Cybersecurity Legal Task Force is examining risks posed by criminals, terrorists and nations that seek to steal personal and financial information, disrupt critical infrastructure and wage cyberwar. When our national security and economy are threatened, lawyers will not stand on the sidelines.”

–Laurel Bellows
2012-2013 President of the American Bar Association


Cybersecurity Best Practices and Standards


A number of organizations and entities have wrestled with the issue of what steps are required to construct and implement a viable ESP, thus keeping client information protected. The cybersecurity best practices and standards that have been developed by these organizations and entities are listed below.


Mission Statement of the Cybersecurity Legal Task Force


The ABA Cybersecurity Legal Task Force will identify and compile resources within the ABA that pertain to cybersecurity, and will focus and coordinate the ABA’s legal and policy analyses and assessments of proposals relating to cybersecurity.


Composed of ABA members with expertise in cybersecurity as well as government, technical and private sector representation, the Task Force will

  1. facilitate collaboration and information exchange among constituent ABA entities and with relevant public agencies and private organizations;
  2. serve as a clearinghouse among ABA entities regarding cybersecurity activities, policy proposals, advocacy, publications and resources;
  3. study and analyze executive and legislative branch cybersecurity proposals;
  4. identify cyber-related issues for appropriate action by the ABA, including filling gaps in policy, encouraging ABA entities to develop new policy as appropriate, and sharing best practices with members and their law firms; and
  5. advise and assist the ABA Governmental Affairs Office on cybersecurity advocacy and responses to government actions.

The Cybersecurity Legal Task Force Update

By Sharon D. Nelson


The ABA Cybersecurity Legal Task Force, chaired by Judy Miller and Harvey Rishikof, is hard at work on the Cyber and Data Security Handbook. The Cyber Incident Response Handbook, which originated with the Task Force, is expected to be completed and published by the ABA Section of Science and Technology Law in spring 2014. The Task Force plans to keep the books to a reasonable length, to include graphics and checklists, and, of course, to write them in plain English as much as possible.


The Task Force is looking at how China and other nations are breaking into law firms. What security measures are reasonable, and at what point do you tell clients about a breach? Does it make sense to draft a resolution of some sort? Have ethical obligations changed with technology and the nature of the threat? Are there different obligations for small and large firms and, if so, how should we determine them? One suggested solution is to let the client host the data in the matter you are working on for them. Then it would be up to the client to make sure that privilege is not broken by unauthorized people having access.


The government has divided critical infrastructure into 16 sectors—and legal isn’t one of them. Should there be a legal information-sharing environment technology system? There are a lot of questions—more questions than answers at the moment. And the Task Force has a short life span. Its work, which began in August 2012, is slated to be completed by this August.


More information about the Cybersecurity Legal Task Force may be found at