Cybersecurity is triggering migraines for litigation and transaction lawyers, CIOs, risk management officers, information governance teams, and scores of other legal professionals. The headaches increased this February, when former National Security Agency contractor Edward Snowden released documents revealing an American law firm's confidential client communication may have been viewed by an NSA-ally foreign country.
Speculation swirled that it was Mayer Brown; the firm has rebuffed but not denied the assumption. Meanwhile, government spying on law firms (and sharing intelligence with other agencies) even hit prime time—it was a plot line on March episodes of the television legal drama "The Good Wife."
The concept of client confidentiality is straightforward. The American Bar Association's Model Rules of Professional Conduct, adopted in whole or in part by all states except California, include Rule 1.6(c): "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." California's Business and Professions Code §6068, on the duty to protect confidentiality, "is one of the strongest such protections in the nation. Virtually no exceptions," says Santa Clara County Superior Court Judge James Towery, who previously was chief trial counsel overseeing attorney discipline at the California State Bar.
The command to protect data may have been relatively easy to execute in the days of paper and lockable file cabinets, but technology has shattered such simplicity. With the rise of sophisticated mobile devices and services (smartphones, laptops, tablets to Wi-Fi and jump drives) and Web-based work platforms, where lawyers can meet, collaborate, research, and draft and store documents, protecting confidential client data becomes more difficult by the day.
Lawyers and law firms that stumble can face disciplinary charges from regulatory agencies and lawsuits from clients. Before 2011, there weren't many reported breaches involving lawyers, probably because of the nature of attorney-client relationships and to avoid media attention, wrote Matthew Mead, shareholder at Buchanan Ingersoll & Rooney, in "The Computer & Internet Law" (a Wolters Kluwer publication).
The damage could be fatal. If a firm gains a reputation for being unable to protect confidential data, particularly client data, it can be "devastating to its image, its ability to retain and attract clients, and its standing in the legal community," Mead warned.
The 2013 Am Law Tech Survey found that 85 percent of responding CIOs/CTOs say they are more concerned about security threats than two years ago.
Incidents involving lawyers have definitely escalated. For example, banks are starting to push back if they find that law firms did not follow reasonable security protocols to protect their accounts. At last summer's International Legal Technology Association annual meeting, Dominic Jaar, a partner at KPMG Canada, reportedcyberthieves robbed Charlotte-based Wallace & Pittman of $300,000 by capturing passwords. Two banks are suing the firm to recover money they had originally refunded the firm.
TARGET
"Law firms have big bull's-eye status because they are viewed as vulnerable and are known to maintain material that hackers would consider to be of high value," says attorney Gabriela Baron (pictured left; click image to enlarge), senior vice president at Xerox Litigation Services.
Major law firms get media coverage when they are involved in investigations and litigations, she explains. With sophisticated Internet search tools, it's easy to identify which firms are representing which corporations, she says.
Big firms have repositories of some of the most sensitive data across industry sectors, making them "targets for cyberspies and thieves, ranging from lone-wolf criminals to nation-state actors," says Edward McAndrew, leader of the Delaware Supreme Court Commission's Data Security Working Group and the cybercrime coordinator in the U.S. Attorney's Office for the District of Delaware. "Every lawyer in every firm needs to understand the particular threat landscape in which they operate and take reasonable measures to protect their clients and themselves from computer-facilitated crimes."
Sanjay Naik, senior managing consultant at IBM Security Services, says the most serious vulnerability is "the improper planning and design of mobility and cloud services without a well-orchestrated security strategy and enterprise architecture framework." Key issues, he says, include:
Mobility: Increased risk due to immature "bring your own device" policies, lost and stolen devices, mobile malware and lack of security controls on mobile devices.
Cloud services: Firms rush to adopt cloud services without proper understanding of risk and cross-border data privacy concerns.
Malware, phishing, social engineering and targeted attacks that can expose confidential data.
Lack of well-defined and enforced policies to restrict use of personal emails and free file-sharing services.
Cybersecurity and advanced persistent threat attacks from national governments, hacktivists, hackers and others.
ADVICE • Develop and drive a well-defined security framework, organizational policies and security strategy for data protection. • Enforce a security awareness program; develop governance and risk management practices. • Develop and enforce a culture of data classification. —Sanjay Naik
Ultimately, "the biggest threat is not knowing what you don't know," says Michael Lombardi (pictured left, click image to enlarge), president of Vertigrate Inc. "Firms must understand the plumbing of their data technology." By evaluating questions such as "What do we have?" "Where do we keep it?" and "How is it accessed?" can they begin to not only prioritize security initiatives, but fold better security tools into other technology projects, he says.
"Firms are starting to sober up from the consumerization of IT," Lombardi says. They are beginning to better understand the ramifications of the infiltration of mobile devices and cloud services into the firm's infrastructure.
THIRD-PARTY ATTACKS
"Some of the most pernicious of third-party attacks are drive-by download attacks [that] install viruses and spyware, and otherwise take control of unsuspecting users' computers," says Reed Smith CIO Gary Becker . "These are particularly dangerous because they're so stealthy and have the ability to automatically install malware on the personnel's computers without them knowing," he says.
ADVICE • Hold annual security awareness training for all personnel, addressing physical and electronic security of all data. • Follow security "best practices" for data, including encryption, strong passwords, two-factor authentication. • Conduct regular assessments of physical and electronic vulnerabilities; address all risks quickly. —Gary Becker
In the course of their work, Big Law lawyers regularly browse the Web, and can easily happen upon a site that downloads malware onto their computers—including legitimate websites that cybercriminals have compromised through existing vulnerabilities, explains Becker.
KPMG's Jaar cited other recent cyberhits on law firms. In Toronto, sensitive data was stolen and destroyed at four prestigious firms. And Puckett & Faraj, which practices military law, had its website "decorated" by hacktivists, who also posted firm emails on Pastebin.com.
Traveling overseas presents a raft of data security problems, says Washington, D.C., consultant Joel Brenner, former senior counsel at NSA. He warns lawyers traveling to China and Russia about "the risks that bubble beneath the surface of smiling negotiations." Large, international law firms, he says, are key targets for systemic attacks, including hacking and phishing—which are viewed by the perpetrators as routine research business practices. Lawyers should expect that their computers will be "imaged" by the time they get to their hotel.
One U.S.-based company lost $1 billion of intellectual property, representing 20 years of work, all stolen electronically by an adversary, Brenner notes. With Wi-Fi and high capacity jump drives, "anybody can walk out of a room with 65 gigabytes of info on her key chain."
"Internal and external threats are equally likely," says David Cunningham (pictured left, click image to enlarge), CIO of Winston & Strawn, "but external threats are generally significantly higher in terms of impact."
His approach: "Trust nobody and work to address the question, 'How will I know if we have compromised the confidentiality of our data?'" More than the type of practice group, the nature of the client and its international footprint determine the likelihood of a risk event, he says. "Who would want to know what you know?" Firms shouldn't be looking to identify specific practice groups to prioritize, he asserts. "It is easy to imagine or even argue that one particular practice group may be more vulnerable to breaches or attacks over another, but to adopt an approach to security based on practice group would be naïve, given the value of all data, especially because we now live in a Big Data world."
CLOUDY WEATHER
McAfee Labs' "2014 Threats Predictions " cites seven key cybersecurity worries: mobile malware, virtual currencies, cybercrime and cyberwarfare, social attacks, PC and server attacks, Big Data, and attacks on the cloud. Cybercriminals will focus on cloud-based applications and data repositories, "because that's where the data is, or will be soon enough," McAfee says.
Business applications that have not been assessed by IT for conformity to corporate security policies are especially vulnerable—more than 80 percent of business users use cloud applications without the knowledge or support of corporate IT, it says. Cloud applications offer benefits but expose firms to a "new family" of attackers. "This loss of direct control of the enterprise security perimeter puts tremendous pressure on security leaders and administrators to make sure that the cloud provider's user agreement and operating procedures ensure security measures are both in place and constantly upgraded to meet the evolving threats landscape," warns McAfee.
Peter Vogel, a partner at Gardere Wynne Sewell, chairs the firm's e-discovery group and its Internet, e-commerce and technology industry team. All practice areas are vulnerable, he says, because lawyers regularly share information with clients—not just by email, or sharing thumb drives and DVDs, but also by remote cloud services like Dropbox, he says.
ADVICE • Rely on IT leaders or outside IT consultants to help identify technology weaknesses and vulnerabilities. • Engage outside consultants to validate and test (and repair) IT and cloud security. • Continually test for new cyberattacks, viruses, system weakness. Move quickly to change IT/cloud when malware or cyberattacks occur. —Peter Vogel
Lawyers who practice remotely are likely not to be protected by firm firewalls, whether using a firm or a personal device, he says. Bring Your Own Device policies can be a weak area for firms when personnel control so much of the technology, but firms have a duty to protect the firm and client data, whether using containerized technology or other methods, warns Vogel.
Firms must do their homework when hiring cloud services, and know where the firm's data will reside, he says. "What if the data is not in the U.S., but in Russia? China? Or the EU? Clearly different laws would apply to data privacy," he warns.
Many countries belong to the Mutual Legal Assistance Treaties, which allow a number of governments access to cloud data. MLAT includes the U.S., Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain and the United Kingdom. Lawyers' reliance on cloud providers must depend on strict compliance with terms and conditions, which must include location of cloud data, cybersecurity protection, insurance, and related protection, advises Vogel.
INSIDE THE FIRMS
John Tomaszewski (pictured left; click image to enlarge), senior counsel at Seyfarth Shaw, says installation of technology must include security protocols. "You can't just buy, plug in and play. You have to understand how to manage the entire network fabric that is the IT backbone of the firm. Often businesses (not just law firms) will deploy technological tools without really understanding how the technology can 'open doors' to the network," he says. "Case in point, wireless routers come with default administrator passwords. If you don't change those when you deploy them, you are leaving the network open to anyone who comes by with a laptop," says Tomaszewski.
As for the most vulnerable practice groups, or types of practice, "large multi-party litigation or contract negotiations have a fairly complex interactive structure—and the more complex the interaction, the more there is to go wrong," he observed. Patent and trade-secret practices are "at risk simply because of the financial incentives present to break into those systems," he says. "Any time you have a well-funded adverse party who has a lot of money at stake, the risk goes up—they have incentive to try to compromise your networks," notes Tomaszewski.
"The trick with technology is that with increased ease of collaboration and interconnectedness comes the increase in ways the 'wrong' person can get to client data. It isn't just email. It's the entire IT infrastructure," he says.
But sometimes, says Adam Losey , an associate at Foley & Lardner and president of IT-Lex, good old-fashioned email causes a lot of havoc. "Poor email practices continue to be a major and easily fixable issue," he says.
"It is very common to see inadvertently sent emails containing privileged or confidential information—clicking the wrong button, using a workplace email account for personal privileged communications, forwarding an email to a friend, or entering the wrong email address is easy to do and can have serious consequences. The fix is simple: Use a strong password, and think before you click," Losey says.
PEOPLE
The weakest line is people, says Jason Thomas, manager of innovation, government segment, for Thomson Reuters—those who either work with the data or are responsible for managing the systems where data resides, he says. Law firms must monitor and audit everyone who comes in contact with those systems and data, including outside contractors, Thomas advises.
If you're skeptical, just remember the nightmare faced by Jones Day Reavis & Pogue in 2003. The firm hired a copying company to help with discovery in litigation between DirecTV and a security vendor. Igor Serebryany, 19, plead guilty in the first federal case in Los Angeles under the 1996 Economic Espionage Act. He confessed to copying and distributing to hackers (he wasn't paid) data about a DirecTV access card.
"Firms must continue to educate personnel on how not to fall prey to outsider schemes, such as launching a virus via malicious websites, virus-infected email attachments, how to protect all the confidential data they encounter," says Reed Smith's Becker.
"Risk is unavoidable in large-scale, data-intensive litigation," says Baron. "It is so commonplace these days to see everyone working away on their laptops, on planes, trains and in public spaces," but few use security screens, she observes. "People seem to assume that a passersby can't see their screens or are disinterested, which is not a safe assumption."
Stakes are high for Big Law, and higher still for their employers. "Clients should understand the cyber risks that they are facing, whether it is regulatory or competitive, and convey those risks to their counsel," says Lombardi. "They should demand a level of protection of their data that is commensurate with the fees they are paying, and firms should be able to articulate those protections to their clients."
"Clients should know how their sensitive data is being used by the firm, who has access to it (including contractors and vendors), and how the data is being stored—including the physical location of data centers where the data resides," advises Thomas. Clients should ask 1) whether data centers are owned by the firm or a third-party vendor; and 2) what data management protocols are in place (e.g., if their data is commingled with other law firm client data), he says. "And they should demand an accounting of all security processes and protocols to ensure that their data is safe."
Then there's cybercrime insurance, a relatively new option. Judy Selby, partner at Baker & Hostetler, reports that "standardized industry policy forms have not yet been adopted, and policies often contain manuscripted provisions arising from negotiations between the insurer and the insured." But they provide important first-party coverage, she says, "which can mitigate the 'What do I do now?' reaction organizations can feel after learning that they've been the victim of a cyberattack." Coverages include forensic analysis to determine the nature and extent of the breach, notification costs, crisis management, data restoration, and business interruption expenses, she says. Cyberpolicies also can provide liability coverage for regulatory defense costs, including fines and penalties, regulatory fines, and defense and indemnity costs for lawsuits.
ON NOTICE
"The Snowden events have put us all on notice that our networks are being probed, if not outright compromised," says Tomaszewski. "Consequently, as a profession, we must take active steps to protect the confidences of our clients—and those steps are a combination of technical, procedural and administrative safeguards which are implemented pursuant to a comprehensive and holistic information security plan."
But for some clients, confidence in their outside lawyers may be eroding. "Corporate clients are starting to treat law firms like regular vendors," observes D. Casey Flaherty , corporate counsel for Kia Motors America. "For a long time, law firms were afforded a special status that included a favorable presumption of competence. No more, especially in areas like cybersecurity. Scrutiny is increasing. Clients are finding that many of the cobbler's children have no shoes (i.e., law firms do not abide by their own advice re: securing confidential data)."
But Flaherty realizes that it's a two-way street. "To be fair, it is easier for inside counsel to beat up on outside counsel than get their own house in order. Just because a corporate client is throwing stones does not mean that the client has vacated their glass house."
Flaherty compares cybersecurity's learning curve to e-discovery's. "Most lawyers know just enough to be scared. It is a dark cloud, ominously looming on the horizon. No one knows when it will rain. But you have a sense that the storm is coming and we are ill-prepared."
Monica Bay is the editor-in-chief of Law Technology News and a member of the California bar. Twitter: @LTNMonicaBay.
"Law firms have big bull's-eye status because they are viewed as vulnerable and are known to maintain material that hackers would consider to be of high value," says attorney Gabriela Baron (pictured left; click image to enlarge), senior vice president at Xerox Litigation Services.
ADVICE
Ultimately, "the biggest threat is not knowing what you don't know," says Michael Lombardi (pictured left, click image to enlarge), president of Vertigrate Inc. "Firms must understand the plumbing of their data technology." By evaluating questions such as "What do we have?" "Where do we keep it?" and "How is it accessed?" can they begin to not only prioritize security initiatives, but fold better security tools into other technology projects, he says.
ADVICE
"Internal and external threats are equally likely," says David Cunningham (pictured left, click image to enlarge), CIO of Winston & Strawn, "but external threats are generally significantly higher in terms of impact."
ADVICE
John Tomaszewski (pictured left; click image to enlarge), senior counsel at Seyfarth Shaw, says installation of technology must include security protocols. "You can't just buy, plug in and play. You have to understand how to manage the entire network fabric that is the IT backbone of the firm. Often businesses (not just law firms) will deploy technological tools without really understanding how the technology can 'open doors' to the network," he says. "Case in point, wireless routers come with default administrator passwords. If you don't change those when you deploy them, you are leaving the network open to anyone who comes by with a laptop," says Tomaszewski.
"Law firms have big bull's-eye status because they are viewed as vulnerable and are known to maintain material that hackers would consider to be of high value," says attorney Gabriela Baron (pictured left; click image to enlarge), senior vice president at Xerox Litigation Services.
ADVICE
Ultimately, "the biggest threat is not knowing what you don't know," says Michael Lombardi (pictured left, click image to enlarge), president of Vertigrate Inc. "Firms must understand the plumbing of their data technology." By evaluating questions such as "What do we have?" "Where do we keep it?" and "How is it accessed?" can they begin to not only prioritize security initiatives, but fold better security tools into other technology projects, he says.
ADVICE
"Internal and external threats are equally likely," says David Cunningham (pictured left, click image to enlarge), CIO of Winston & Strawn, "but external threats are generally significantly higher in terms of impact."
ADVICE
John Tomaszewski (pictured left; click image to enlarge), senior counsel at Seyfarth Shaw, says installation of technology must include security protocols. "You can't just buy, plug in and play. You have to understand how to manage the entire network fabric that is the IT backbone of the firm. Often businesses (not just law firms) will deploy technological tools without really understanding how the technology can 'open doors' to the network," he says. "Case in point, wireless routers come with default administrator passwords. If you don't change those when you deploy them, you are leaving the network open to anyone who comes by with a laptop," says Tomaszewski.
No comments:
Post a Comment