This appeared in the October issue of YourABA
Law firms are increasingly attractive targets of cyberattacks, said Vincent I. Polley, moderator of the recent webinar Surviving a Cyber Attack on Your Law Practice. Firms of every size are exposed, and all of them should expect to be targeted by hackers, he said. The webinar is the first in a series called the Cybersecurity Core Curriculum, sponsored by the Center for Professional Development.
Polley and panelist Jill D. Rhodes are co-authors of The ABA Cybersecurity Handbook. They were joined by Lucy L. Thomson and Randy V. Sabett, who co-wrote the chapter in the handbook called “Understanding Cyber and Data Security Risks and Best Practices.”
Clients are starting to press firms on their cybersecurity awareness, planning and programs before they give them their business. Hence, it’s important for firms to be proactive, not reactive. Don’t wait until a breach has occurred to start your planning, the panelists agreed.
Sabett talked about the risks to law firms. Whereas in the past cybercriminals focused on financial institutions and merchants, more recently they have been targeting entire vertical sectors, including law firms. Attacks can come either externally (for instance through open ports or phishing) or internally (from those in trusted relationships, or from “smart people doing silly things”).
Attacks are more frequent and more severe than before. “Risk, both personally and corporately, continues to rise as technology makes it easier for information to be used in a variety of ways and, as a result, attacked, stolen or lost,” Sabett said. In one attack, the hackers took advantage of three different vulnerabilities. Hackers are taking their time, being careful and learning the company’s firmware, Sabett said.
A breach can happen in minutes and not be detected for months, leaving the hackers loads of time to wreak havoc.
Thomson talked about the black market for “vulnerabilities” (software bugs). She told of the underground world where an attacker can exploit a company’s vulnerability before it’s known to the community and sell the documentation for hundreds of thousands of dollars. She said this is a “dire threat” for law firms and clients. The hackers sell vulnerabilities as well as strategies and techniques to exploit them. More and more law firm information is available on the black market.
Rhodes said companies can survive fines levied for breaches of personal data (although those are substantial and can be in the millions) and investigations, but the biggest potential damage due to a cybersecurity attack is to reputation. “No matter how great your law firm is, one incident can set you back significantly with respect to losing/earning your clients’ trust,” she said.
Speaking on law firm data breaches, Thomson said one-third of them come from a combination of hacker attacks, lost or stolen mobile devices and malicious insiders. The other two-thirds come from inadvertent data disclosures and attacks on third parties that expose the firm’s data.
“Almost 75 percent of data disclosures and other cyber incidents are caused by employees creating a vector or exposing data in a way that increases their company’s vulnerability,” said Rhodes, who used as examples an employee clicking on a link (that launched malware) or leaving their device somewhere and creating a risk for the firm.
Law firms are particularly at risk because employees like to work at all hours of the day, on multiple devices and from multiple locations. Using Wi-Fi in a Starbucks or other public setting is not secure enough, and too often employees lack an understanding of the security risks. At the same time, law firms have a proliferation of data (think of the information surrounding mergers and acquisitions and patents, to name just two practice areas) that has true value to outsiders. Finally, too many firms lack policies to protect the information and mechanisms to enforce those policies.
The ABA’s Model Rules of Professional Conduct require that law firms and lawyers take the necessary steps to protect client information. Sabett noted that increasingly states are passing laws that go beyond just notifying clients about a breach to requiring information security procedures.
Creating a cybersecurity program in your firm is a daunting task, Polley said, but less so if broken into small tasks and approached that way.
Rhodes spelled out how to address cyberattack risks:
- Develop an appropriate security program
- Know your data
- Conduct a risk assessment; understand the level of risk
- Assess your technical controls
- Put pragmatic policies in place (e.g., don’t attempt to ban mobile devices)
- Educate your employees
- Create an incident response plan, and test it
Law offices need to protect a staggering array of sensitive and confidential data, including from clients, lawyer work product and e-discovery.
Risk assessment is something that may be new to law firms, but companies have been doing it for years. A very practical tool, it is used to identify:
- Relevant threats to the organization or threats directed through third party entities
- Vulnerabilities both internal and external to the organization
- The harm that may occur given the potential for threats exploiting vulnerabilities
- The likelihood that harm will occur
Risk assessments determine where the weaknesses exist in the current framework. The good news is that you don’t need to hire a consulting firm to do a risk assessment – there are helpful tools and guidance available.
Work with your IT department to identify current controls and determine whether more are needed (e.g., encryption, mobile device management). Prioritize the risks and future requirements.
Rhodes spoke about how her company educated employees about cybersecurity:
- They identified top risks and educated employees about them.
- They made it fun: the company designed a superhero that adorns cybersecurity communications and company walls. They also had contests related to information security throughout the organization.
- They published newsletters to emphasize that security is everyone’s business.
- They used tools like sending fake phishing e-mails to increase awareness and see who was still clicking on them.
Advance planning is critical for effectively responding to a data breach, and that includes an incident response plan. The plan should include contact information for IT, legal and other incident response team members, initial data breach investigation/response procedures, and the steps to take after the breach response is complete. The plan should also specify whether breach notification is necessary, whom to notify, and the notification procedures and language for the relevant audiences. Finally, in terms of media relations, prepare statements for company officials and train employees and call center representatives to answer questions about the breach.
Upcoming webinars will cover Data Security for Lawyers: The Ethical Obligation to Clients and Moving Target: Cybersecurity Legal Requirements and Liabilities, among others.