Cybersecurity Data Sharing Now Available To Law Firms

By Christine Simmons
September 02, 2015

Law firms now have access to a platform that allows them to share data on cybersecurity threats anonymously.

The Legal Services Information Sharing and Analysis Organization (LS-ISAO) announced its launch last month and will alert firms to potential cyber threats and vulnerabilities.

The Financial Services Information Sharing and Analysis Center (FS-ISAC), the financial industry's forum for cyber threat discussion, is providing guidance and support to the law firm service.

Cindy Donaldson, FS-ISAC's vice president of products and services, says the center has been communicating with more than 180 law firms.

Davis Polk & Wardwell is among the firms that have applied. “Today, law firms are working pretty independently on fighting off the different attacks that are coming toward us,” says John Kapp, Davis Polk's global director of information technology. He says the new cyber group “is a force multiplier when we can share information amongst ourselves anonymously and we can be aware of what attacks are happening against other law firms. We protect our law firm and vice versa.”

Although law firms receive threat data through trade groups and the FBI, Donaldson and law firm security directors say the legal information sharing office is the first of its kind to provide a centralized platform to share cyber threat information anonymously.

“It is the first formal attempt to pull law firms” into the threat information sharing environment, says Lisa Sotto, a Hunton & Williams partner who focuses on privacy and cybersecurity.

To become a member of the law firm forum, firms must submit an application, pay an $8,000 membership fee and meet eligibility criteria. The primary criterion is that a firm have the majority of its lawyers in the U.S., Canada or the United Kingdom, Donaldson says, adding that could change over time. Firms of any size are eligible.

The forum was created after the financial services industry advocated for law firms to establish a platform.

Law firm members within the International Legal Technology Association (ILTA) and its cybersecurity-focused component, LegalSEC, also played a significant role in working with FS-ISAC to establish the service.

Law firm members of the service will receive e-mail alerts and advisories on cyber threats and vulnerabilities, as well as physical threats such as weather events, for actionable intelligence in the hopes of preventing an attack. Firms will be able to submit information anonymously.

“The overall goal is to share information about cyber and physical threats and vulnerabilities to mitigate risks,” Donaldson says, noting that law firms handle some of their clients' most sensitive business data.

Legaltech News, an e-Commerce Law & Strategy ALM sibling, reported last month that Mandiant, a division of FireEye, found that 80 of the 100 biggest law firms in the U.S. have been hacked since 2011. See, “Heightened Risk of Cyberattacks Puts Pressure on Law Firms to Bolster Defenses.”

Winston & Strawn is among the interested firms. David Cunningham, Winston's chief information officer, says data protection is a security issue as well as a matter of meeting business expectations.

Like other firms, Winston hires security companies to test the firm's strengths and weaknesses and spends hundreds of thousands of dollars each year to prevent and detect intrusions, Cunningham says. “It's a big area of investment for us.”

Cunningham praised the establishment of a legal services information sharing organization. “Law firms don't really have that kind of forum to find what happened and why one firm had a breach and another didn't.”

But he and others have expressed some reservations.

Cunningham says if the firm experienced a data breach and told other firms about it, “we lose control about what people say about it” and it may not be clear whether a client would want that breach further advertised. Keeping the information anonymous may not completely eliminate the risk, he says, if other members can infer who was targeted.

Christopher Ward, director of information security at Vinson & Elkins, says he is cautious about joining, noting the pool of cyber threat data he is seeking comes not only from other law firms but also from clients.

Firms face a risk in having access to an incredible volume of threat information but not being able to respond, says R. Jason Straight, a senior vice president for cyber risk solutions and chief privacy officer at UnitedLex Corp., which provides security consulting services to law firms and other businesses.

Straight says few firms realize the resources required to take action. “I'm a big fan of threat information sharing, but there's an underemphasis on orchestrating all the threat intelligence and doing something useful about it.”


Christine Simmons is the Business of Law Reporter at the New York Law Journal, an ALM sibling of this newsletter in which this article originally appeared. She can be reached via e-mail at [email protected] or on Twitter @chlsimmons. The American Lawyer's Nell Gluckman contributed to this report.
