The top recommendation I always make when it comes to protecting against top cybersecurity attacks, like ransomware, is to back up your data and test your backups. And while this advice holds true, it's important to recognize that you can back up your data, but you can't back up your brand.
Restoring IT assets is simple in comparison with re-establishing a tarnished or dented reputation. As Benjamin Franklin said: “It takes many good deeds to build a good reputation, and only one bad one to lose it.”
Sadly, the legal industry is still lulled into a false sense of security, mistakenly assuming that it is immune to a significant IT business outage, and that those unfortunate firms affected by cybercriminals were somehow lacking in adequate cybersecurity practices. That's simply not true. Even Achilles had a weak spot.
Law firms, like any other homogeneous industry segment, depend upon a core profile of infrastructure services. This technical foundation is considered as critical to business as electricity and an Internet connection. When we flick the switch, we expect the lights to come on, and we trust the utility company to deliver a ubiquitous flow of power.
But when you flick a light switch, do you ever consider how the utility provider protects you from external risks? Most likely not. Why? Because we take electricity for granted, and we've come to rely on our legal services with the same trust and dependence. Consider document management, billing, or e-discovery services. Once a service is established, it assumes a level of implied trust, and we turn our suspicions and cynicism to newer services, like artificial intelligence-based systems.
So why does this matter? Ask DLA Piper, a global law firm that was disrupted by NotPetya. This is less about DLA Piper (which, by the way, was an incidental victim of the attack) and more about the unwitting accomplice in the attack, called MeDoc. Cybercriminals infiltrated this little-known financial software company and weaponized its software updates, which they then used to distribute their malware through MeDoc's infrastructure.
Subsequent investigations allege that the company's central servers used to distribute software updates relied on outdated FTP (file transfer protocol) with a known vulnerability that was easily exploited with a publicly available tool, ProFTPD Mod_Copy.
This scenario represents an industry-wide risk. Criminals know about economies of scale and leverage the best practices seen in Fortune 500 companies. They improve efficiencies to reduce costs, increase revenue, and improve profits. Criminals are targeting law firms. And what better way to scale than to target a trusted industry vendor using this unwitting accomplice to simultaneously attack multiple law firms en masse? That's what happened with MeDoc.
Industry-specific attacks are not new. Two years ago, hedge funds were targeted by a low-and-slow campaign that spread through targeted phishing attacks. Once one fund was compromised, its email accounts were used to spread to the next funds, and so on down the line until multiple funds were compromised. While the attack was detected and stopped before any negative consequences occurred (or were discovered), what we came to know as FIN4 shook the Securities and Exchange Commission (SEC) with a systemic attack that set the foundation for industry-wide market manipulation.
More recently, the hedge fund Tillage Commodities Fund filed a lawsuit against a fund administration service called SS&C Technologies, in response to SS&C allegedly transferring almost $6 million in fraudulent redemptions to cybercriminals.
Did MeDoc clients take security for granted and consider the core service provider a trusted partner in the business? Consider your reliance on established services, such as document management, billing, or e-discovery services. Are you blindly trusting? In the event of a cyber incident, can you answer the following questions?
Identifying Risks and Conducting Due Diligence
The American Bar Association Cybersecurity Handbook provides guidelines you can use to conduct vendor risk assessments:
The handbook also provides measures to clearly outline vendor responsibilities in the event of a cybersecurity incident. This includes reporting, publication, and making affected parties whole.
You can leverage SSAE certification, which establishes standards for auditing the security policies, procedures and operations of your third-party vendor. These Service Organization Controls (SOC) reports establish “Trusted Service Principles” used to test and report on controls at a point in time (Type I) and to report on the operating effectiveness of controls over a period as they relate to the security, availability, processing integrity, confidentiality and privacy of a system (Type II).
Establishing Contractual Obligations
There are no industry standards when it comes to contractual obligations as they relate to cybersecurity; however, a contract with a third-party vendor should:
In New York, the Department of Financial Services released the New York Cybersecurity Requirements for Financial Services (referred to as 23 NYCRR 500). Regardless of whether your firm does business with governed New York financial institutions, the NYCRR recommendations provide a reasonable framework for contracts.
The first component covers notification obligations resulting from a third-party cybersecurity event that directly impacts the non-public information or information systems of a law firm. There are two questions to consider: What constitutes an event? What are the timing expectations when it comes to reporting an event?
I highly recommend that an event include any cyber activity that leads to an intentional or unintentional violation of a security policy, such as unauthorized access to privileged or non-public information. In the event of a breach, almost every state has notification laws that govern reporting and notification to clients or consumers. While there are no standards in legal services for notification timing, several highly regulated industries, such as healthcare under HIPAA, require notification within 72 hours from the initial indication of a cybersecurity event.
The second component covers representations and warranties addressing the third-party service provider's cybersecurity policies and procedures that relate to the security of a law firm's information systems or non-public information. In these cases, consider rebates, waived fees, and refunds to cover service fees, but also consider the cost of breach investigation and of notification to your clients.
While this is good practice, remember that you are indemnifying your firm against incident costs, but in no way protecting your reputation from damage. No amount of warranties or insurance can provide such coverage.
*****
Mark Sangster is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations. In addition to Mark's role as VP and industry security strategist with managed cybersecurity services provider eSentire, he also serves as a member of the LegalSec Council with the International Legal Technology Association (ILTA) and is a member of the Board of Editors of this newsletter. He can be reached at [email protected].