Law Firm Data Security: Guardians of the Information Galaxy
Let's start with what we know: attorneys must protect the information entrusted to them, and yet it may be impossible to prevent a data breach - even in the most controlled environments. We are all familiar with the phrases "it's not a matter of if, but when, you will be breached ..." and "there are firms that have been breached, and firms that don't yet know they’ve been breached." These maxims should provide a certain call to action. The dangers in our digital environment cannot be denied, and attorneys who use the digital environment to facilitate the practice of law are obligated to navigate the risk in a manner that protects the information entrusted to them.
Some basic goals for the good guys.
Cybersecurity consumes precious time, energy and money. For lawyers, it may affect time that could be used actually practicing law. Unfortunately, a lack of familiarity with certain cybersecurity laws could pose serious problems to attorneys and law firms who are charged with complying with those laws.
Here are some basic goals:
- Satisfy ethical duties. Ethical rules require lawyers to safeguard sensitive client information. This is typically perceived to be the information covered by the attorney-client privilege, and requires attorneys to take appropriate care to ensure that the information will remain confidential and that the information is secure against risk of loss. Other data types, like client financial or medical information and intellectual property, must also be protected. Ethical rules also generally require attorneys to keep abreast of changes in the law and its practice – and not only with the risks associated with technology but also with how to use it to secure data and deliver cost effective services.
- Comply with the law. This may mean, for example, that if a law firm has a client subject to 23 NYCRR § 500, which sets forth cybersecurity requirements for entities engaged in banking, insurance or financial services in New York, the law firm must not only be familiar with the law to guide its client in compliance, but is likely also required to comply with the law itself. Depending on the source of data, federal standards, like those imposed by the final omnibus rule issued pursuant to HIPAA, may affect a law firm’s obligations to keep data secure. It may also mean, for example, that if a law firm is subject to Kan. Stat. § 50-6,139b, which sets forth information security standards for businesses that collect, maintain or possess information of Kansas residents (like laws in 17 other states), it must implement and maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect the personal information from unauthorized access, use, modification or disclosure.
- Do the next right thing. Who knows what the next moment will bring, and every type of law practice has its own dynamic for what the immediate future might hold. In our digital environment, however, the dynamics constantly change, and it is incumbent upon attorneys, whether technologically savvy or not, to recognize what the next right thing might be – or have resources available to guide them. Many law firms have a treasure trove of sensitive information. Those law firms should ensure that they have the internal or external resources to take appropriate measures to ensure the security of that information. Even those law firms with little or no sensitive client-related information in their possession have confidential information about their employees which must be protected. So, law firms, like any business, must be prepared to respond to a data security event – and to comply with the myriad laws that pertain to data security.
The exploits of the bad guys.
Law firms are frequently targeted with "spear-phishing" attacks. The bad guys are more patient and persistent than ever before. They do their homework and identify attorneys working on sensitive deals or cases, or who have responsibilities that likely involve the possession of highly sensitive information. The bad guys then engage in substantial reconnaissance to determine the most effective attack vector. They may then send their target a carefully crafted email that is a convincing forgery of a legitimate request. That email may contain a link or an attachment containing malicious code that provides the bad guys access to the law firm's sensitive information. The bad guys then exfiltrate the information they need to turn a financial profit through insider trading, by blackmailing the client or the firm, or by monetizing stolen data on the dark web.
The malicious arsenal of the bad guys is continually changing and always adapting to the best defenses. The good guys are on notice, however, that the bad guys are constantly attempting to access sensitive information. The good guys must therefore do all they can to prepare to respond to the growing number of exploits and dangerous vulnerabilities:
- Social engineering. A caller pretends to be a vendor who needs employee information or an executive who forgot a password. The staff member is convinced that the caller is legitimate and gives the caller sensitive data or the information they need to access the sensitive data.
- Phishing – and counterfeit checks. Like spear-phishing, but not targeted to a specific individual. Think of that Nigerian prince who contacted you asking for account information to park a substantial sum of money. Law firms often get requests from foreign businesses supposedly seeking representation in the United States. Sometimes the domain name in the email link even looks like the real firm's domain: "I23lawfirm.com" instead of "123lawfirm.com", for example. Once they “hook” an employee, they may arrange for a “retainer check” to be sent, which inevitably is more than the retainer requested. After the law firm returns the “over payment,” it learns that the counterfeit check did not clear the bank, and the firm now owes the bank for the entire amount of the counterfeit check.
- Ransomware. Often the result of a successful phishing attack, the attackers encrypt the network share associated with the compromised device or system. They then offer to return the data – provide the decryption key – for a price. Unfortunately, a new trend involves the bad guys using an encryption attack to cover their tracks – from a prior system compromise – rather than a “conventional” ransomware attack. Or, as is increasingly common, the ransom may be required to avoid the bad guys publishing the data they exfiltrated. This variation allows the bad guys to collect ransom even if the target has secure, duplicate copies of the data accessed by those demanding ransom. This can be particularly problematic for law firms, which have a fiduciary duty to prevent disclosure of client confidences. It points up the utility of having a cyber insurance policy which includes coverage for extortion and the utility of having sensitive data encrypted while at rest as well as when it is in transit.
- Network intrusions. This is what most people think of when they hear the term "hacking." Unfortunately, it is often not the result of sophisticated reconnaissance or the deployment of a zero day exploit, but may include access to an unsecured guest network that provides a gateway to the document management system, or the existence of a default password on network-connected hardware. The profusion of access points to networks or endpoints, which makes lawyers nimble and able to respond to client needs anywhere, anytime, not only improves the quality of service but also may increase the attack surface and security obligations. Who knew that printers, fax machines or even automated HVAC controls could be such a menace? Having access to someone who understands the network architecture and an incident response plan has never been more important.
- The danger within. Insider threats, unauthorized access of management information, disgruntled employees, employees working around security features for convenience, and innocent employees losing unencrypted devices - all pose serious threats to a law firm's data security. Fortunately, with guidance from a data security team, an appropriate mix of training, good policies and technology can mitigate these exposures.
- Data loss. Business continuity and disaster recovery planning have never been more important. Whether it's electronic or physical, a host of disasters can destroy data essential to clients or firms. Input from experienced professionals can help eliminate weaknesses in continuity and recovery plans, like storing the backup data in the same location. A fire or flood taking down the network would also take out the backups.
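The phishing item above mentions a sender domain that differs from the real one by a single look-alike character ("I23lawfirm.com" for "123lawfirm.com"). As an added example, not part of the original article, here is one way a mail filter could flag such domains; the trusted list, the confusable-character map and the function names are assumptions made for illustration.

```python
# Added example: flag sender domains that imitate a trusted domain.
# TRUSTED, CONFUSABLE and DIGRAPHS are illustrative assumptions, not a standard.
from email.utils import parseaddr

TRUSTED = {"123lawfirm.com"}  # constructed; list the firm's real domains here

# Characters that render alike in many fonts, folded to one representative.
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o"})
DIGRAPHS = (("rn", "m"), ("vv", "w"))  # letter pairs that read as one letter


def skeleton(domain: str) -> str:
    """Reduce a domain to a form in which look-alike spellings collide."""
    s = domain.strip().rstrip(".").lower()
    for pair, single in DIGRAPHS:
        s = s.replace(pair, single)
    return s.translate(CONFUSABLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one added, dropped or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'unparseable'."""
    addr = parseaddr(from_header)[1]
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # Same skeleton but different spelling: visually confusable.
        # Distance 1: a single typo-style change to the real name.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in ('"Billing" <ap@I23lawfirm.com>', "partner@123lawfirm.com",
                "intake@123lawfirrn.com", "newclient@example.org"):
        print(f"{classify(hdr):10} {hdr}")
```

A "lookalike" verdict is a reason to quarantine or banner the message for review, not proof of fraud; a distance threshold of 1 can also match unrelated short domains, so the trusted list should hold full domain names only.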
And these are just some of the issues that should be addressed as quickly as is feasible. Other issues should also be on the radar of law firm management. What about the more complicated risks associated with data access and ownership in cloud storage? What about due diligence and management of other third party technology providers? What about vendors entrusted with confidential information, e.g., consultants and experts, duplication services, contract attorneys and technology service providers? Because cybersecurity issues are challenging, law firms should educate themselves and allocate resources appropriate for the exposures each has and address them expeditiously in light of the circumstances. Taking on all these issues at one time may not be practical or affordable, but law firm management should be identifying the exposures, evaluating the magnitude of the threat posed, and developing a plan to address them. Unfortunately, the threat environment is dynamic and growing as are the potential solutions; so, the plan, which may operate as a roadmap on the data security journey, should be updated regularly.
Preparation – the most important tool of the trade.
Cybersecurity is just one aspect of enterprise risk management – but it is an essential part of the plan. Whether the resources are internal or external, law firms must identify and properly secure all sensitive data they receive, store or transmit. A managing partner, a management committee, or even a chief information security officer, cannot be solely responsible for a law firm's data security. Instead, throughout the enterprise, individuals and business units must do their part to secure the data.
Adopt an information security framework: For many law firms, an information security framework begins with the procedures and protocols developed when paper was king and data was stored on shelves in a file room. This provides a foundation that can support a cybersecurity framework – a defined set of critical security controls for electronic data. This does not require a law firm to create controls out of whole cloth. Fortunately, a number of well developed templates exist, like those managed by the Center for Internet Security. A broad consensus recognizes these controls involve administrative, physical and technical protocols and practices to secure information systems. Often the cybersecurity framework may be selected or developed by information technology professionals, like a chief information security officer or a third party technology provider. Experience teaches that for these frameworks to be effective, firm management must be apprised of the cybersecurity plan. Firm management should know, at least generally, of the applicable security controls for their information system and how the system is being upgraded to meet the evolving threats, whether identified or anticipated.
Develop an incident response plan: A review of the many security controls is beyond the scope of this blog and will be addressed in those that follow. One of the first administrative controls firm management should consider, understand and complete is an incident response plan. A number of guides are available. One law firms should consider is the National Institute of Standards and Technology Computer Security Incident Handling Guide, Special Publication 800-61 Rev. 2. In the course of developing an incident response plan, a law firm should consider identification and involvement of key stakeholders, the acquisition of cyber liability insurance, the facilitation and execution of Master Service Agreements with breach response service providers (digital forensics services, a cybersecurity lawyer to serve as a breach coach, consumer notification/call center services, credit monitoring/identity protection services, etc.), and introductions to appropriate law enforcement personnel. Experience shows preparation is a critical phase in the incident response life cycle, and law firms are well advised to identify and engage appropriate resources to prepare for the inevitable security incident. Studies comparing outcomes between those who prepared for breaches and those who responded ad hoc show those who prepared have superior outcomes both in terms of lower cost and less reputational injury.
Test the incident response plan: Once an incident response plan is in place, the law firm should test the plan on at least an annual basis with a “table top” exercise, which simulates a data security event. The exercise should be enterprise wide – data security is not simply an information technology issue, it is an enterprise risk management issue. The exercise should involve key stakeholders and assist them to identify and experience their roles and responsibilities in responding to a data security incident before an actual crisis occurs. “Experiencing” a data security incident before it actually occurs accelerates an organization’s ability to effectively contain and remediate an incident. Benefits from a well run table top exercise include identifying and resolving gaps in incident response plans and enhancing a law firm’s enterprise security posture.
Secure sensitive data: The incident response planning process should help a firm to identify: (1) the type of sensitive data it creates, receives, transmits, stores, and destroys; (2) where the data is located; and (3) how it is secured. Answers to these three questions are essential. This can be facilitated through an information system risk assessment. Knowing what type of data is handled, and where it resides, greatly improves the prospects for cost effectively allocating resources to secure it. The firm must recognize that protected health information (PHI), personal information (PI), and payment card industry (PCI) data may be subject to certain legal protection and may obligate the firm to take certain specific measures to secure the data through encryption or other means. If the firm fails to take appropriate measures to secure the data and the lack of security is a contributing factor to subsequent unauthorized access, the firm risks not just reputational damage, but expensive scrutiny from regulators, and substantial third party liability. Furthermore, a security compromise could expose the clients providing the data to the firm to regulatory action or litigation because entities outsourcing protected data often have obligations to make sure those receiving it will protect it to the same degree to which they are required.
Enable foundational security controls: Foundational security controls generally include inventorying hardware, inventorying software, securely configuring hardware and software on devices, continuous assessment of vulnerabilities, continuous remediation of vulnerabilities, controlled use of administrative privileges, enabling and monitoring of audit logs, and adequate protection of email and web browsers. Depending on the circumstances, there may be additional controls that should be in place, and law firm management should either take an active role in allocating appropriate resources to enable the appropriate controls and stay engaged in the process of information security, or delegate the responsibility and the authority necessary to exercise it to qualified persons either within or outside the firm.
Information security is a critical ongoing process – do the next right thing. Information security is more important than ever before, and it is a continuous journey, not a destination. Measures to secure data will continue to evolve and adapt to the malicious exploits that are developed to defeat them. As well resourced as the bad guys appear to be, the good guys have few options other than to step up their game, prepare well, and be vigilant to detect and thwart the next incident. Law firms must take at least as much care as the parties providing them with data to assess whether the appropriate security controls are enabled within their information systems. Appropriate protection of attorney client communications may require additional measures. When weighing whether to add or turn on a control, it is important to recognize why controls exist, the purposes they serve and the risks they mitigate. Any control that is not activated or deployed may be the next attack vector – and the cost to enable it would likely be a fraction of the cost to respond to a data security incident, and will undoubtedly be less than the cost of responding to an actual breach, the associated reputational harm, and the likely third party liability. The cost of any security stratagem should be measured against the incremental improvement in security likely to be achieved. The bottom line - do the next right thing for your information security.