
Law Firm Security Q&A

By Adam Schlagman
February 01, 2018

With the Appleby data breach still top of mind of many law firm and legal department professionals, cybersecurity has become a major area of concern. To learn more about how law firms can protect themselves against cyber attacks and data breaches, I sat down with Laurie Fischer, managing director at HBR Consulting. Fischer leads the Information Governance practice at HBR, where she helps address the increasingly complex and demanding regulatory and technological challenges of today's information management environment. She has over 25 years of consulting experience partnering with clients of all industries and sizes to help them achieve their enterprise-wide and governance objectives.

Law firms are now regularly targeted by cyber criminals, most recently Appleby. Are these attacks designed to obtain specific types of information? What and why?

By their very nature, law firms maintain a higher percentage of sensitive, confidential and personal data than other industries. Most of their data also falls under attorney-client privilege, which allows clients to share highly confidential information with their attorneys without fear of it being disclosed. Law firms maintain confidential data and often sensitive information on everything from litigation case files to merger and acquisition due diligence and negotiations — and even high-profile divorce cases. This may include client Social Security numbers, medical records, intellectual property, sensitive tax and financial information, such as information on offshore transactions, as demonstrated in the Appleby case. The data maintained by a law firm is a cyber-criminal's dream! And, having access to this data can result in extortion, ransoms and exposure of highly personal and reputation-damaging information.

What are the most important steps firms should be undertaking to deter or eliminate these attacks?

It is no longer enough for a firm to simply state that their security program is ISO compliant. To help mitigate today's risks, firms must have a dedicated and active program that addresses the ever-evolving cyber risks.

Unfortunately, many firms are still taking the “wait-and-see” approach. As a result, security is not always at the top of every firm's risk management agenda. To avoid data breaches, law firms must establish the appropriate policies and procedures. For instance, firms should audit their internal processes, train employees on best practices on identifying cyber risks and set aside budget for security efforts.

That said, firms that recognize the high level of risk they face are proactive in addressing security challenges by providing the right level of funding and expertise and by implementing firm-wide privacy programs. They also have established committees with representation from various departments across the firm, including IT, security, privacy, finance and HR, along with executive leadership. Firm leaders should play an integral role in establishing the correct standards and ensuring that employees are aware of and trained on the risks and potential damages a cyberattack can cause. Firms must also ensure that systems are regularly updated and audit their existing programs annually, including the security practices of their third-party vendors.

To determine the maturity level of their privacy and information security practices, firms should consider a comprehensive third-party assessment of their current information security and privacy program — including its strategy, tools, technologies, processes, roles and responsibilities. After this is accomplished, the next step should be an analysis of the firm's current state against industry standards and best practices — such as ISO 27001 or the NIST Cybersecurity Framework — which will result in a gap analysis. Firms should then prioritize the cybersecurity delinquencies and develop a comprehensive action plan to close gaps in security to bolster protection. Also, firms should consider scheduling consistent testing of their security controls to ensure constant cybersecurity maintenance.

Does it make sense to prioritize certain types of clients or certain types of cases or should the same level of security be applied across the board?

Although there are certain types of cases and clients that may be more sensitive, no client would accept a substandard level of security and protection. Security measures should be consistently applied to all data and processes — no matter the client or case. This includes the implementation of measures that go beyond security-focused activities, to the appropriate management of sensitive data, through adopting policies such as Privacy-By-Design and data governance.

What are a few less obvious solutions that firms may not have heard or considered?

Firms may consider options that remove data from their networks — and even from their data centers. Solutions such as “air-gapping,” where older, infrequently accessed data is archived to an off-network solution (and even a separate location), decrease the risk of a hacker even being able to access certain data. Other options include leveraging highly secure environments provided by platforms such as Microsoft Azure and Office 365, or true infrastructure-as-a-service solutions such as Amazon Web Services. Both managed services offerings provide security options, such as MYOK (Manage Your Own Key) or BYOK (Bring Your Own Key), where the firm's data may reside on Microsoft or AWS, but the ability to access the data is controlled via encryption, and the firm manages its own encryption keys. The firm benefits from the secure infrastructure but ultimately controls who can see its data.

Should law firms be conducting preparedness exercises and unannounced tests to ensure both lawyers and staff are complying with security protocols?

Unfortunately, breaches are often the fault of uninformed attorneys and staff members who have not been adequately trained on firms' security measures and privacy protocols. Before conducting preparedness exercises and tests, an important first step to ensure all employees are complying with security protocols is to roll out a comprehensive training program for all staff, with regular refreshers. This training should also be included during the new employee onboarding process. That being said, preparedness exercises and unannounced tests should still be conducted regularly as well, as they are an effective way to measure staff's understanding of all aspects of firms' security policies and procedures. Firms should also conduct tabletop exercises of their breach response plans, including response drills to emulate cyber breaches to evaluate the effectiveness of the incident response plan.

If a cyber breach is detected, what are the actions that should be undertaken in the first hour, the first day and the first week?

Breach response actions and timelines should be clearly spelled out in firms' privacy and security policies. It is important for firms to have a pre-established and well-documented breach response process that addresses the steps the firm should take in the event of a data breach.

  • Within the first hour, firms should focus their attention on identifying the source of the attack, initiating the breach response protocol, determining the nature of the breach and stopping additional data loss. These activities will involve action from the firm's breach coordinator, their incident response team, internal IT and security personnel, and possibly the use of third-party cybersecurity and forensics experts.
  • During the first day, firms should establish appropriate communication channels, determine the nature of the breach — including its origin and target of the attack — and take the necessary steps to prevent any additional data loss. Firms also need to determine all obligations for notification of the breach, including legal, contractual and insurance requirements.
  • Within the first week, firms' breach response team will need to assess the breach's overall damage to the organization, both financially and in terms of its reputation. The firm will also need to determine the best course of action moving forward, including interviewing all employees and third-party vendors with knowledge of the breach, determining notification and remediation activities, and taking necessary steps to prevent it from happening again.

*****
Adam Schlagman is the Editor-in-Chief of Cybersecurity Law & Strategy.

