[BreachExchange] Prepare, practice, protect: A strategy for defeating cyberthreats to lawyers

[Audrey McNeil]

http://www.abajournal.com/magazine/article/prepare_
practice_protect_cyberthreats_lawyers

Corporate litigator Jane Doe sat down at her desk Monday morning and logged
on to her computer. She opened an email appearing to be from a client that
read: “Hi. Could you please take a look at this document? It’s urgent.” Doe
clicked on the attachment. Two weeks later, a hacker website published
confidential documents that one of her most important clients had given the
firm in connection with a lawsuit alleging environmental violations. Doe’s
client called, furious, to inform her that she was discharged, and that the
client was considering a lawsuit against her firm.

Every week brings news of major new cyberattacks—the stealing of personal
information from Equifax and the federal Office of Personnel Management,
the Petya and WannaCry ransomware worms, the Russian hacking of the
Democratic National Committee’s emails, to name a few. Indeed, the
cyberthreat from criminals, hacktivists and state actors is growing. The
costs associated with these malicious activities are staggering: Last year,
the Commission on the Theft of American Intellectual Property estimated
that the annual cost of IP theft in three major categories may be as high
as $600 billion and that the low-end total exceeds $225 billion, or 1.25
percent of the U.S. economy.

Law firms have not been immune. In fact, they have been a ripe target:

- Several major New York City law firms working on public mergers and
acquisitions were hacked in 2014 and 2015 as part of a sophisticated
insider-trading scheme.

- In 2012, hackers believed to be linked to the Chinese government obtained
confidential documents related to solar panel designs by hacking into a
prominent Washington, D.C., firm.

- A Panama-based law firm was the target of the largest data theft ever by
volume: A hacktivist website obtained 11.5 million individual documents
stolen from the firm (2.6 terabytes of data), which contained confidential
financial information about the firm’s clients.

- Among the many entities victimized by the Petya ransomware attack this
past year was a BigLaw firm that was forced to take some of its email
servers offline for an extended period.

The nature of their work and the resulting sensitive data make law firms
enticing targets. Law firms conduct due diligence and internal
investigations, negotiate settlements, provide advice on regulatory issues,
and handle important contractual negotiations and litigations. In the
course of their representations, they often have access to a wide range of
confidential client information, including trade secrets and other
intellectual property, financial data, business strategies and national
security information. All of this can be valuable to criminals seeking
monetary gain, to businesses seeking a competitive edge or to foreign
intelligence services.

Technology enhances the risk. Records that a law firm once kept on physical
pieces of paper in file cabinets now reside on data servers or in the
cloud. Lawyers increasingly communicate using mobile devices or email.
Firms’ use of a growing number of devices that are connected to the
internet—the “internet of things”—creates new vectors of vulnerability.
While these developments may have made the logistics of legal practice
easier, they have also introduced additional opportunities for illicit
access.

FIRMS OFTEN LAG BEHIND

Robert Litt

As in-house counsels heighten their focus on cybersecurity, they are
increasingly trained to ensure that any outside law firm has practices at
least as secure as the client. To date, the opposite is more often the
case: Law firms may have weaker cyberdefenses and less robust
breach-response plans than clients, many of which have long operated in
regulated industries that impose specific cybersecurity requirements.
Partly for cultural reasons and partly for economic reasons, law firms have
been slow to invest in and adopt strong cybersecurity measures. In
particular, a small law firm may find it difficult and seemingly
cost-prohibitive to keep abreast of the latest threats and defenses. And
large firms that rely extensively on international electronic
communications may be vulnerable—especially if they operate in countries
like Russia and China, where hacking is commonplace. Indeed, while in
government, we saw foreign adversaries deliberately target law firms and
sought to warn firms of the dangers.

Finally, law firms may be victimized by cyberattacks even if they are not
specifically targeted, as happened with the Petya ransomware. Phishing and
other attacks often operate indiscriminately, infecting anyone who happens
to open a link containing malware. The 2016 Mirai botnet attack shows how
the use of internet-enabled devices can increase risk. In that case,
malware infected internet of things devices such as printers, webcams and
copy machines and used them as the basis for a denial of service attack.

The consequences of a cyberattack for a law firm can be devastating. Most
obvious are the immediate financial costs flowing from the attack. A firm
may need to hire a forensic investigator to determine the scope of the
breach and ensure it is remediated. Valuable time that could have been
spent on client matters might be dedicated to a prolonged breach response.
Attorneys and other staff may leave, requiring resources to be spent
finding and training replacements. The damage to a law firm’s reputation
and business can be equally serious: If clients do not have faith in a law
firm’s ability to protect their confidences, they are likely to take their
business elsewhere.

LAYERS OF REGULATIONS

Beyond the financial costs, law firms have both legal and ethical
obligations to safeguard the confidential information of their clients, and
the failure to comply with these obligations can have serious consequences.
At the federal level, Congress and agencies have imposed a number of
sector-specific data-security obligations. Regulations promulgated under
the Gramm-Leach-Bliley Act, for example, require all banks to establish
written information-security programs describing how they will protect
clients’ nonpublic information. And the Health Insurance Portability and
Accountability Act of 1996 requires covered entities to take steps to
ensure the integrity and confidentiality of protected health information.
Businesses subject to these data-protection obligations often require that
they be observed by contractors such as their law firms. As a result, a law
firm that obtains protected information from its client may be required to
protect that information as well.

In addition to federal laws and regulations, many state laws require the
protection of various kinds of information. Some states, including
California, impose a general duty to implement “reasonable” security
procedures and practices. Others, like Massachusetts, are more specific,
requiring businesses to implement minimum safeguards, including malware and
firewall protection, encryption on laptops and portable devices, and
various user-authentication procedures to protect certain types of data.
The ABA Cybersecurity Handbook, which was recently published, lists the
relevant state and federal laws as of the date of publication, but lawyers
should be sure to check for more recent legislation or regulation in this
rapidly changing field.

International data-protection rules vary widely from country to country. At
present, there are over 100 national data-protection regimes around the
world. The European Union is preparing to implement its General Data
Protection Regulation, which goes into effect in May. It provides a strong
privacy framework for entities doing business in member states or
processing personal information obtained from people within the EU. It is
enforceable by potentially substantial fines. National laws not only vary
widely in their scope and substance but also are changing rapidly, and
lawyers must stay up to date.

Apart from legal rules, however, a lawyer’s ethical duty to protect
information obtained from a client imposes obligations to act prudently and
with discretion in the digital world as well as the physical one. Rule 1.6
of the ABA Model Rules of Professional Conduct requires a lawyer to make
“reasonable efforts to prevent the inadvertent or unauthorized disclosure
of, or unauthorized access to, information relating to the representation
of a client,” and a comment to Rule 1.1 makes clear that “a lawyer should
keep abreast of changes in the law and its practice, including the benefits
and risks associated with relevant technology.” This rule applies across a
variety of contexts; for example, in May 2017 the ABA Standing Committee on
Ethics and Professional Responsibility issued Formal Ethics Opinion 477R,
which modified an earlier opinion to make clear that it is not always
permissible for a lawyer to conduct confidential client communications

ACTION PLAN

So what should lawyers do to protect themselves against financial and
reputational loss and to comply with legal and ethical requirements? Firms
should focus on risk management and incident response planning, both of
which serve to prevent breaches and minimize their potential consequences.
As part of the risk management process, firms should take a number of steps:

1. Education and training. Many breaches begin with some sort of human
error, such as an insecure password like “Password123,” a lost laptop or an
unthinking response to a phishing email. Law firms should ensure that each
employee—lawyer and nonlawyer alike—understands that he or she has an
individual responsibility to protect confidential information and knows how
to do so. This training should be provided as soon as an individual joins
an institution and should be repeated throughout their employment.

2. Inventory. As part of the risk management process, law firms should
identify what their most valuable data assets are, where they are located
and who should have access to them. If a firm does not know what
information it maintains, it cannot expect to properly protect it. In a
world of finite resources, allocating security based on which data needs it
the most is prudent.

3. Access controls. Too often, a firm’s users and systems are connected by
default, with no consideration of the attendant risks or of employees’
actual access needs. But over-connectedness can enable a breach that might
otherwise have been relatively confined to inflict far greater damage. A
firm’s management should view access as a business decision and evaluate
whether the efficiencies gained by connection outweigh the risks.
Additional controls such as multifactor authentication, network
segmentation and encryption should also be implemented.

4. Monitoring. Mitigating the potential consequences of a breach requires
that it be detected quickly. Real-time monitoring is critical to swift
detection and response. Firms should install a system that monitors the
network and immediately identifies and corrects anomalies. Incidents may be
detected in a variety of other ways as well. An employee may report a lost
or stolen device or misdirected email. Law enforcement or clients may
contact the firm directly. A story may run in the press. Each firm should
therefore ensure it has a method by which all employees can report
incidents, such as a dedicated and routinely monitored email account or
help-desk phone number, and by which all such reports are followed up.
Being alert to all potential breach indicators will limit the time an
intruder can spend wreaking havoc on the firm’s systems.

5. Contractors. Law firms are increasingly making use of third-party
vendors, such as cloud service providers. They must make certain that those
third parties adequately protect data they obtain or have access to. If a
third-party contractor is hacked and the law firm’s data disclosed, the law
firm may well be held responsible. Firms should know the details of their
vendor contracts, especially which party has responsibility for which
aspects of security.

6. Incident response plan. But the strongest and most effective risk
management cannot prevent all cyberattacks. Former FBI Director Robert
Mueller made famous the aphorism that “there are only two types of
companies: those that have been hacked and those that will be.” This,
obviously, applies equally to law firms. Incident response plans are the
cornerstone of any organization’s preparedness and response related to
cyberthreats. They serve a variety of functions, including enhancing
communication within the firm, identifying and eliminating the source of
the incident, minimizing the damage where possible, and restoring normal
operations as quickly as possible.

An IRP sets out the concrete steps a firm should take in responding to an
incident, from assembling an incident response team and investigating a
potential breach to informing firm management and assessing notification
obligations. It should contain a list of key contacts and contact
information, as well as checklists (to ensure no step is left out in the
midst of a breach) and sample notice letters (to facilitate compliance with
data-breach notification laws, many of which require notice to relevant
individuals and state regulators mere days after a breach is discovered).
The plan should be printed in hard copy, in the event a breach takes down
the firm’s electronic systems, and it should be updated regularly based on
the current threat environment (typically at least once per year).

7. Practice, practice, practice. Creating an IRP forces a firm to consider
ahead of time the multitude of issues it will face during a breach. Because
the plan is written before it is needed, it fosters better decisions and
clearer communication than might occur during a crisis. It also enables the
firm to practice its response. Best practices include conducting tabletop
exercises based on the IRP to establish clear working relationships and
decision-making paths, such as who will make the crucial decisions, who
must be consulted, and who in the firm will handle crisis communications.
Tabletops thus serve as training vehicles and allow the core members of the
response team to practice working together.

Creating and practicing an IRP will do more than help protect a law firm
from the loss of data or access to systems resulting from a data breach. It
will also demonstrate to regulators and to the triers of fact, in the event
of lawsuits, that the firm’s preparation before the incident was
reasonable. Failure to have an IRP puts both a firm and its clients at risk.

8. Relationships with law enforcement. Finally, as part of their
preparation for a cyberattack incident, law firms should invest in building
relationships with law enforcement beforehand. These relationships can help
a firm to obtain the most up-to-date threat information, keeping it current
and in a position to maintain the strongest defenses possible. Moreover,
knowing exactly who in the government to call, and having a trusted
relationship with that individual, is important to ensuring a fast and
well-coordinated response. Law firms, like companies, are often reluctant
to involve the government in a breach; while law enforcement and regulators
encourage entities to voluntarily report incidents, they are also eager to
make examples of entities that, in their view, were not adequately prepared
for an incident or did not adequately respond to one. Law firms face the
unique issue of balancing the desire to inform clients and law enforcement
of a breach with the obligations of the attorney-client privilege. The
benefits of reporting an incident generally outweigh the potential harm,
but the report should ideally be made to a trusted individual within the
government. Firms should identify, in advance, who in law enforcement and
regulatory agencies they will contact and what they will tell them, as
advance planning and outreach may enhance the response and service they
receive.

Cybersecurity is a process, not an event. A plan that is reasonable in 2018
may not be reasonable in 2020. Law firms must recognize, and keep abreast
of, the threats they face, as well as their duty to protect their clients
and themselves. A plan built on preparedness, risk management and
resiliency will enable them to do just that. With current technology, there
is no way to reduce the risk of a breach to zero, but with the proper plan
and proper training, law firms can recover from an incident and get back to
the business of serving clients.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171228/5b00ac9c/attachment.html>