Auxiom Logo Outsmart Chaos Gold

Raising The Bar On Cybersecurity

Picture of Earl Duby

Earl Duby

CISO | Trusted Advisor | Board Member | Change Agent | FBI CISO Academy

The Growing Cybersecurity Concerns in the Legal Industry

The need for solid cybersecurity controls came into clear focus for the legal industry during January and February of this year. Several law firms suffered from data breaches during those two months, including 10 attacks that targeted six different law firms, according to security news site Dark Reading. In a separate attack, the law firm for ride-share giant Uber suffered a data breach that exposed the data of an undisclosed number of Uber drivers. In that instance, the attackers gained access to the systems of Genova Burns LLC and stole sensitive driver information such as names and Social Security Numbers.

Understanding the Threat Landscape

Why Law Firms are Targeted by Cybercriminals

Such events raise several issues for law firms, including loss of revenue, reputational damage, and potential legal consequences related to contractual and ethical obligations related to protecting client data. To assist law firms in thinking about data security in a rational and holistic manner, the American Bar Association (ABA) published Formal Opinion 477 (revised as 477R) in May 2017. In tandem with ABA Rule 1.6, Formal Opinion 477R sets the foundation for how law firms should approach building a reasonable security program for protecting firm systems and client data. As the Opinion points out, “Law firms are targets for two general reasons: (1) they obtain, store, and use highly sensitive information about their clients while utilizing safeguards to shield that information that may be inferior to those deployed by the client, and (2) the information in their possession is more likely to be of interest to a hacker and likely less voluminous than that held by the client.”

The Need for Modern Security Controls

Essentially, attackers target law firms because they have a concentrated bucket of highly sensitive client data while maintaining security controls that have not been keeping up with the pace of adversarial innovation. The attackers are going after the weakest link of the supply chain, and they are finding that the law firms are that target point. What should law firms be doing to better protect their client’s data? The ABA provides a seven-step risk management process that all law firms, regardless of size, should implement. As explained in The ABA Cybersecurity Handbook, this process “adopts a fact-specific approach” that “rejects requirements for specific security measures,” but requires a process to “assess risk, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.” In essence, the ABA is recognizing that the adversary is creative, attacks will get more aggressive and innovative over time, so mandating specific technologies or approaches is counterproductive (yesterday’s control may become tomorrow’s vulnerability). Instead, firms need to conduct continuous risk assessments and have a process for continuous improvement related to securing their systems and data. More specifically, Formal Opinion 477R recommends the following seven steps to implementing a reasonable security program:

The ABA’s Seven-Step Risk Management Process

1. Understand the Nature of the Threat

This is no different than understanding opposing counsel in a legal case. If you know the tactics and approach that your opponent is taking, it becomes much easier to build your defenses and win the case.

2. Understand How Client Confidential Information is Transmitted and Where it is Stored

In the Genova Burns LLC incident, there are several questions as to why the firm was even holding Uber driver sensitive information. Law firms need to understand what data they are holding, where they are storing that data, and how it is being protected. In many cases, cybercriminals know more about the law firm’s systems and data than the firm does.

3. Understand and Use Reasonable Electronic Security Measures

Based on items 1 and 2 above, the firm needs to implement the proper technical controls to protect systems and data from the adversary. It’s a constant analysis, like a coach preparing for each individual game during a long season. As risks change, the approach to mitigating those risks needs to evolve.

4. Determine How Electronic Communications About Clients Matters Should be Protected

As the Opinion states, “Different communications require different levels of protection.” Firms need to understand how the data is flowing inside and outside of the organizational IT networks. Highly sensitive data should be more thoroughly protected than the coordination of a lunch meeting.

5. Label Client Confidential Information

Not all data is created equal. Some data, such as health records, merger and acquisition plans, and financial information is more highly sensitive than other types of data. Firms need to understand the differences so they can store and transmit sensitive data in a secure manner.

6. Train Lawyers and Nonlawyer Assistants in Technology and Information Security

This is an absolute necessity, as it is with any other business venture. The firm’s employees are both the last line of defense and one of its biggest sources of risk. It is imperative to train lawyers and support staff, so they are better defensive players while posing less and less cybersecurity risk. Investment in robust security awareness and education is one of the biggest security ROI items.

7. Conduct Due Diligence on Vendors Providing Communications Technology

Just as Uber should have vetted their law firm more thoroughly, law firms need to understand the risk that their vendors are adding. This is known as supply chain risk, and it is becoming critical that any company understands how secure their vendors are before sharing data and integrating systems.

Overcoming Challenges

The Importance of Competency and Consulting

Following this process may be challenging to many law firms. In those cases where a firm does not have sufficient competency to execute these seven steps effectively, they should consider bringing in a competent consultant or advisor to help assess the risk and prioritize the remediation steps. The ABA recognizes this and addresses it in the Opinion: “Any lack of individual competence by a lawyer to evaluate and employ safeguards to protect client confidences may be addressed through association with another lawyer or expert, or by education.”

The Urgency of Taking Action

If you have any doubts about the significance of cybersecurity risk, just insert your law firm’s name into the headlines described above and think about the reaction of your clients, shareholders, and business partners. The world is changing rapidly, risks are increasing exponentially with technology, and standing still is falling behind. Act now to improve your controls, not after a security incident when costs and scrutiny will be much higher. Future blogs will cover each of the seven steps above in more detail, so stay tuned for more guidance and advice.


  • Earl Duby

    Earl Duby is a proven cyber security leader with over 25 years of experience leading security teams in multiple industries, ranging from large financial services companies to Fortune 150 manufacturers. Recently, Earl spent 6½ years as the Chief Information Security Officer (CISO) for Lear Corporation in Southfield, Michigan. Before that, he was Vice President of Security Architecture for Synchrony Financial as it spun off from General Electric. Earl has held several other security leadership roles and has earned Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Fraud Examiner (CFE), Certificate of Cloud Security Knowledge (CCSK), SABSA Certified Foundation and Certified Information Systems Auditor (CISA) certifications.

Related Posts