
Raising The Bar On Cybersecurity


Earl Duby

CISO | Trusted Advisor | Board Member | Change Agent | FBI CISO Academy

The Growing Cybersecurity Concerns in the Legal Industry

The need for solid cybersecurity controls came into clear focus for the legal industry during January and February of this year. Several law firms suffered from data breaches during those two months, including 10 attacks that targeted six different law firms, according to security news site Dark Reading. In a separate attack, the law firm for ride-share giant Uber suffered a data breach that exposed the data of an undisclosed number of Uber drivers. In that instance, the attackers gained access to the systems of Genova Burns LLC and stole sensitive driver information such as names and Social Security Numbers.

Understanding the Threat Landscape

Why Law Firms are Targeted by Cybercriminals

Such events raise several issues for law firms, including loss of revenue, reputational damage, and potential legal consequences arising from contractual and ethical obligations to protect client data. To assist law firms in thinking about data security in a rational and holistic manner, the American Bar Association (ABA) published Formal Opinion 477 (revised as 477R) in May 2017. In tandem with ABA Rule 1.6, Formal Opinion 477R sets the foundation for how law firms should approach building a reasonable security program for protecting firm systems and client data. As the Opinion points out, “Law firms are targets for two general reasons: (1) they obtain, store, and use highly sensitive information about their clients while utilizing safeguards to shield that information that may be inferior to those deployed by the client, and (2) the information in their possession is more likely to be of interest to a hacker and likely less voluminous than that held by the client.”

The Need for Modern Security Controls

Essentially, attackers target law firms because they hold a concentrated bucket of highly sensitive client data while maintaining security controls that have not kept up with the pace of adversarial innovation. The attackers are going after the weakest link in the supply chain, and they are finding that law firms are that link. What should law firms be doing to better protect their clients’ data? The ABA provides a seven-step risk management process that all law firms, regardless of size, should implement. As explained in The ABA Cybersecurity Handbook, this process “adopts a fact-specific approach” that “rejects requirements for specific security measures,” but requires a process to “assess risk, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.” In essence, the ABA is recognizing that the adversary is creative and that attacks will get more aggressive and innovative over time, so mandating specific technologies or approaches is counterproductive (yesterday’s control may become tomorrow’s vulnerability). Instead, firms need to conduct continuous risk assessments and have a process for continuous improvement related to securing their systems and data. More specifically, Formal Opinion 477R recommends the following seven steps to implementing a reasonable security program:

The ABA’s Seven-Step Risk Management Process

1. Understand the Nature of the Threat

This is no different than understanding opposing counsel in a legal case. If you know the tactics and approach that your opponent is taking, it becomes much easier to build your defenses and win the case.

2. Understand How Client Confidential Information is Transmitted and Where it is Stored

In the Genova Burns LLC incident, there are several questions as to why the firm was even holding sensitive Uber driver information. Law firms need to understand what data they are holding, where they are storing that data, and how it is being protected. In many cases, cybercriminals know more about the law firm’s systems and data than the firm does.

3. Understand and Use Reasonable Electronic Security Measures

Based on items 1 and 2 above, the firm needs to implement the proper technical controls to protect systems and data from the adversary. It’s a constant analysis, like a coach preparing for each individual game during a long season. As risks change, the approach to mitigating those risks needs to evolve.

4. Determine How Electronic Communications About Clients Matters Should be Protected

As the Opinion states, “Different communications require different levels of protection.” Firms need to understand how the data is flowing inside and outside of the organizational IT networks. Highly sensitive data should be more thoroughly protected than the coordination of a lunch meeting.

5. Label Client Confidential Information

Not all data is created equal. Some data, such as health records, merger and acquisition plans, and financial information, is more sensitive than other types of data. Firms need to understand the differences so they can store and transmit sensitive data in a secure manner.

6. Train Lawyers and Nonlawyer Assistants in Technology and Information Security

This is an absolute necessity, as it is with any other business venture. The firm’s employees are both the last line of defense and one of its biggest sources of risk. It is imperative to train lawyers and support staff, so they are better defensive players while posing less and less cybersecurity risk. Investment in robust security awareness and education is one of the biggest security ROI items.

7. Conduct Due Diligence on Vendors Providing Communications Technology

Just as Uber should have vetted their law firm more thoroughly, law firms need to understand the risk that their vendors are adding. This is known as supply chain risk, and it is becoming critical for every company to understand how secure its vendors are before sharing data and integrating systems.

Overcoming Challenges

The Importance of Competency and Consulting

Following this process may be challenging for many law firms. Where a firm does not have sufficient competency to execute these seven steps effectively, it should consider bringing in a competent consultant or advisor to help assess the risk and prioritize the remediation steps. The ABA recognizes this and addresses it in the Opinion: “Any lack of individual competence by a lawyer to evaluate and employ safeguards to protect client confidences may be addressed through association with another lawyer or expert, or by education.”

The Urgency of Taking Action

If you have any doubts about the significance of cybersecurity risk, just insert your law firm’s name into the headlines described above and think about the reaction of your clients, shareholders, and business partners. The world is changing rapidly, risks are increasing exponentially with technology, and standing still is falling behind. Act now to improve your controls, not after a security incident when costs and scrutiny will be much higher. Future blogs will cover each of the seven steps above in more detail, so stay tuned for more guidance and advice.

Author

  • Earl Duby

    Earl Duby is a proven cyber security leader with over 25 years of experience leading security teams in multiple industries, ranging from large financial services companies to Fortune 150 manufacturers. Recently, Earl spent 6½ years as the Chief Information Security Officer (CISO) for Lear Corporation in Southfield, Michigan. Before that, he was Vice President of Security Architecture for Synchrony Financial as it spun off from General Electric. Earl has held several other security leadership roles and has earned Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Fraud Examiner (CFE), Certificate of Cloud Security Knowledge (CCSK), SABSA Certified Foundation and Certified Information Systems Auditor (CISA) certifications.
