Get a (Law) Firm Grip on Data Breaches

By David Ray and Reggie Pool
June 02, 2015

Law firms are as much at risk for cyber attacks as any other industry, a point emphasized in a recent internal report at a major bank that warned employees about the threat of attacks on the networks and websites of big law firms, according to the New York Times. See “Citigroup Report Chides Law Firms for Silence on Hackings.” Because of the lack of reporting requirements in the industry, it is unclear how many breaches have actually occurred. Law firms have been relatively unwilling to share information about security breaches because of concerns about how that information would affect their credibility. In fact, digital security at many law firms, despite improvements, generally remains below the standards set for other industries. Fortunately, law firms are now recognizing the risk and beginning to take preventive action. This article describes some of the reasons law firms are cyber-attack targets, steps they can take to reduce their risk, and what clients are doing to encourage law firms in those efforts.

Law Firms As Targets

It should not be a surprise that law firms are ripe targets for data breaches. Their data and document repositories may contain a variety of sensitive information: not only traditionally privileged information, but also competitive information related to their clients' business strategies and other forms of private data held in connection with client work. For example, a law firm may not accept credit cards, but it may have payment card information as part of a matter it is handling. Similarly, while a law firm may not be a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), it might be considered a “business associate” under the Health Information Technology for Economic and Clinical Health Act (HITECH) because of the services it provides to HIPAA-covered entities.

How law firms manage and control information also contributes to the risk. Traditionally, law firms have implemented information management controls to their hardcopy records, but have not applied the same rigor to their electronic environment. In addition, some law firms have been relatively slow to adopt technology that would allow greater management and control of their electronic content. While many larger firms have started to address information management through the appointment of positions like chief information officer (CIO), chief privacy officer (CPO), and chief information security officer (CISO), a more comprehensive focus on information governance requires a shift in attitude and practice. This attitude shift will likely occur as millennials who were “born digital” become new lawyers, but it will be some time before they gain the seniority to influence firm culture and processes.

Understanding the Threat

To better address cybersecurity threats, firms need to understand the source of the risks. Hacking is often at the forefront of cybersecurity breaches, so it is assumed that the biggest risk is technology related; however, the greatest risks (and the largest breaches) today are due to individual people, either through their own misconduct or as the innocent entry targets of cyber attackers. For example, stolen or lost mobile devices and misuse of corporate data assets by employees are regular sources of organizational data breaches. Cybercriminals, often nation-state sponsored, commonly use social engineering to trick people into breaking normal security behaviors, and phishing attacks to steal account credentials. These fraudulently obtained credentials are then used to gain a foothold in corporate networks in order to steal intellectual property, trade secrets, or other valuable information. Law firms should bear these considerations in mind, especially as they expand their presence into markets where cyber threats are prevalent.

What Can Firms Do?

There are a number of steps law firms can take that will help minimize the risk.

Implement an Effective Information Governance Plan

Information governance is a coordinated, inter-disciplinary approach to managing information as assets in order to achieve compliance with legal and regulatory requirements, mitigate risks, reduce unnecessary costs, and optimize information value. Privacy and security considerations are integral to an information governance program. By following standard processes and procedures for data access, control, and retention (including policies related to mobile devices, social media, and other common threat areas), and ensuring that content is effectively managed and not kept longer than necessary, law firms can understand the data that may be at risk and minimize the amount of data potentially subject to attack. A law firm's information governance plan should address both the firm's own information and how it deals with client data.

Track and Map Data

Law firms should carefully track client data from its entry into the firm until its ultimate disposition. There should be detailed procedures regarding how to treat data when a matter closes or when a client, partner, or someone with primary access to client data departs the firm. A law firm should have specific, well-documented disposition plans, including clearly delineated, safe standards for the destruction of client information.

Law firms also need to understand how client content is managed by outside vendors, such as discovery providers. Those providers' processes should go beyond standard care, custody, and control of client content and include assurances that information is returned to the client or effectively destroyed once an engagement has ended. Measures such as issuing a vendor survey regarding vendors' internal processes and performing vendor audits on a regular basis to ensure appropriate controls remain in place will help law firms ensure that their vendors adequately secure client content.

Implement Appropriate Protective Technology

Many law firms still lag behind their corporate peers when it comes to the appropriate measures for storage and management of information. As an example, many firms have been slow to adopt technologies like data loss prevention (DLP), which can help reduce information leakage outside of the firm's systems. DLP tools flag and block sensitive information as it is sent outside the firm or moved to devices and external systems. While effective, DLP can draw the ire of impatient attorneys working late at night should their activities be blocked based on a potential violation of data policy.
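The following is an added example, not code from the article or from any DLP product, of the kind of check a DLP tool applies to outbound content: it looks for payment card numbers (the article notes firms may hold them as part of a matter), validates candidates with the Luhn checksum so that invoice numbers and phone numbers are not flagged, and then decides per destination whether to allow, log, or block. The domains, sample messages, and the allow/flag/block policy are constructed for illustration; the point of the approved-counterparty tier is to keep legitimate late-night workflows moving while still leaving an audit trail.

```python
"""
Minimal outbound-content DLP check for payment card numbers.
Added example; all domains and messages below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects most random digit strings (invoice IDs, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the Luhn-valid card-number candidates in text, digits only."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits so the DLP log itself does not leak the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Verdict:
    action: str                 # "allow", "flag" or "block"
    reason: str
    matches: list = field(default_factory=list)   # masked card numbers


# Constructed policy: the firm's own domain, and counterparties approved to receive
# card data through an agreed channel (e.g. a client's secure portal).
INTERNAL_DOMAINS = {"examplefirm.test"}
APPROVED_DOMAINS = {"client-portal.example.test"}


def evaluate_outbound(sender: str, recipient: str, body: str) -> Verdict:
    """Decide what to do with one outbound message based on content and destination."""
    pans = find_card_numbers(body)
    if not pans:
        return Verdict("allow", "no sensitive content detected")
    masked = [mask(p) for p in pans]
    rdomain = recipient.rsplit("@", 1)[-1].lower()
    if rdomain in INTERNAL_DOMAINS:
        return Verdict("allow", "card data staying inside the firm", masked)
    if rdomain in APPROVED_DOMAINS:
        # Expected business flow: record for audit, do not interrupt the user.
        return Verdict("flag", "card data to an approved counterparty; logged", masked)
    return Verdict("block", "card data to an unapproved external recipient", masked)


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("a@examplefirm.test", "b@examplefirm.test", "Client PAN 4111 1111 1111 1111 attached."),
        ("a@examplefirm.test", "p@client-portal.example.test", "PAN 4111-1111-1111-1111"),
        ("a@examplefirm.test", "x@mail.example.test", "PAN 4111111111111111 for the hearing"),
        ("a@examplefirm.test", "x@mail.example.test", "Invoice 1234 5678 9012 3456, tel 555-867-5309"),
    ]
    for s, r, body in samples:
        v = evaluate_outbound(s, r, body)
        print(f"{r:32} {v.action:5} {v.reason} {v.matches}")
```

The last sample shows why the Luhn step matters: a 16-digit invoice reference that fails the checksum is not flagged, which is exactly the kind of false positive that turns attorneys against the tool.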

Fortunately, a number of law firms have started addressing data risks with the use of specific technologies such as data encryption, secure file transfer services, mobile device management systems, secure remote access, and active monitoring of their networks. Some firms are even submitting themselves to external security audits and threat assessments in order to provide their clients assurances that they are doing their best to protect client content.

Screen and Train Employees

Screening any staff with physical access, including custodial staff, may seem like common sense but can be overlooked. Similarly, law firms should screen their vendors and application or service providers who may have access to their premises. (The well-known Target breach apparently came about via an HVAC repairperson.)

There are also simple practices that can help prevent some forms of security breach. For example, a clean desk policy keeps sensitive information from being easily accessible to prying eyes. Similarly, locked files make it more difficult for wrongdoers to gain access.

Law firms can help limit the potential for insider threats by establishing an ongoing employee training program covering their information governance policies, the ways wrongdoers can gain access, and related preventive measures. However, firms will need to recognize that training alone is not enough; it is important to verify compliance with the training by auditing employee behavior. While these activities may be normal in the corporate environment, they may be new to many firms, and an appropriate support environment may need to be developed.

Plan for Breach Response

Although the above measures focus on proactive steps that a firm can take to avoid cyber attacks, it is nonetheless fair to say that it is not a question of “if” but “when” a breach will occur. In the event a law firm suffers a data breach, a breach response plan is critical. The breach response plan should include specific procedures for the following, at a minimum:

  • Assessment of the size and scope of the breach;
  • Evaluation of location and entry points to determine the source of attack;
  • Identification of an internal breach response team;
  • Notification of third parties if necessary; and
  • Proper communication with law enforcement.

Unlike other industries such as financial services and healthcare, the legal industry generally does not have specific requirements to report a breach. A law firm may be reluctant to report for fear of “looking bad.” While understandable, not reporting a breach may put client information at continued risk and can ultimately make a firm look worse. Reporting a breach allows potentially affected clients and others to take remedial action, and also helps to identify sources of potential threat that may impact others. A recent Executive Order on cybersecurity encourages organizations to share information about threats in order to prevent them from happening to their peers. Law firms are now starting to work together to address the privacy and security risks faced by the legal sector. An alliance of leading firms in New York and London has announced that they share information about threats and develop best practices for the legal industry.

What Can Clients Do To Protect Their Information?

Clients should also take action to protect the data they entrust to law firms. One way to do this is to adopt metrics-based assessments of law firms, service providers and software companies. Clients are moving from subjective measurement of law firms and other legal service providers to objective measurements, using scorecards to assess their security and privacy capabilities (as they already assess non-legal vendors). With this objective information, clients can better assess the level of risk involved in transferring data to the law firm or other service provider against the privacy/security capabilities of the entity that will be receiving it. Thus, a client might choose a lower cost firm or provider for low risk matters even if that provider has a lower security standard, but would insist on the highest standards for providers who will handle high-risk matters. Interestingly, law firms and other providers are not pushing back on being rated in this way, as might be expected, because the high risk matters are also likely to be the high dollar, high profile matters in which they are most interested.

Adapting To the New Reality

Data breaches are the new reality. Fortunately, law firms are client service organizations and tend to respond to client demands, particularly when those demands can affect the bottom line. Clients are now beginning to treat law firms like any other vendor with access to sensitive company data. They are asking for greater protection and getting it: Law firms are beginning to take privacy and security seriously.


David Ray is a technologist turned attorney with experience in privacy, information security, records and information management, and e-discovery. Currently a director in Huron Consulting's Information Governance and Compliance group, he can be reached at [email protected]. Reggie Pool is a director in Huron Consulting's Information Governance and Compliance. He helps organizations address the rapidly changing requirements of data privacy, security and content control. He can be reached at [email protected].
