Web of trust: Five steps to protect your law firm from cyber attacks
Law firms are increasingly at risk of cyber security breaches by staff, vendors and hackers. Elizabeth A. Ferrell, Shari L. Klevens and Alanna Clair suggest five steps to protect your business
Five things you will learn from this Masterclass:
- How to implement a cyber security programme
- How to adopt a robust incident response plan
- How to test whether your firm’s systems are secure
- How to protect your firm’s breach assessments
- How to deal with client guidelines on data security
There is evidence to suggest that law firms are the next big target for cyber attacks. In 2009, the FBI warned US law firms that hackers had orchestrated an email scam that was aimed at stealing sensitive data within a law firm network. In 2011, the FBI met with 200 large law firms in New York City to emphasise the importance of cyber security policies and improving their systems.
As reported by the ABA Cybersecurity Legal Task Force, it is estimated that 80 per cent of the 100 largest US law firms were subject to successful data breaches by malicious intruders in 2011. Examples of high-profile breaches are in the news.
In late 2012, a law firm’s trust account was hacked and a six-figure amount was stolen. It was reported early in 2013 that hackers from China targeted specific Canadian law firms seeking information about a US$40 billion corporate deal.
Law firms also face internal cyber threats from employees who intentionally access systems for improper purposes or inadvertently serve as a conduit for unauthorised access (such as via a lost laptop) or installation of malware (such as via a phishing email). Given the wealth of information available to many levels of employees in a law firm, a culture of convenience in accessing information across different systems, and, at times, less cyber security oversight than employed by corporate clients, law firms are becoming increasingly vulnerable to these types of cyber security risks.
Law firms should strive to be as secure as their corporate or technology clients. There are five key steps to address and defend against cyber breaches before they occur.
1. Implement a cyber security programme
To minimise the threat of data breaches or compromise of data from cyber incidents, recognise the magnitude of cyber security risks facing your firm.
A common mistake made by law firms is to think of cyber security as purely an IT issue rather than a risk management issue. The best defence against a cyber breach is to prevent attacks from happening by having a robust cyber security programme. Developing a plan to prevent, identify and respond to cyber attacks requires a serious look at your firm’s particular needs, exposures, vulnerabilities and client base.
A primary consideration is the type of client information held by your firm’s information systems. For example, law firms that have records of individual health information or personal information may require a higher level of protection than others. Even firms that do not regularly store personally-identifiable information may have social security numbers or other personal or health-related information in documents produced in litigation. Likewise, firms with valuable confidential business information from corporate clients may determine that enhanced protections are necessary in light of the attractiveness of the data to hackers.
Your firm should develop policies and procedures on:
- the encryption of sensitive data;
- the trend of bring your own device (BYOD);
- the protection of data on laptops and mobile devices when personnel are travelling overseas to areas (such as China or Russia) that have a heightened risk of cyber attacks; and
- security scanning of CDs, thumb drives and external drives before connecting them to your computer systems.
For example, you might adopt policies requiring the segregation and encryption of sensitive technical, business and personal data. Or, you could require that, before overseas travel, laptops are scrubbed of confidential information that could be compromised and require that the laptops are inspected again upon return to ensure that data has not been accessed and no spyware or malware has been installed. Other basic security elements include updated anti-virus protections, secure connections and firewalls.
Another best practice is continuous monitoring for anomalous activity on your firm’s system and regularly reviewing logs. Sometimes firms rely on automatically-generated activity logs, but no one reviews them until there has been a breach. Activity logs should be monitored for real-time information so that a potential issue can be addressed as soon as it happens. When your firm is familiar with ‘normal activity’ on its systems, anomalous patterns can be identified before a breach even happens.
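The paragraph above describes the idea behind log monitoring: learn what ‘normal activity’ looks like, then flag deviations as they happen rather than after a breach. The following is an added example, not code from the article or its authors, showing that approach in miniature over constructed authentication log lines in an invented `auth user=… src=… result=…` format (the format, user names, addresses and thresholds are all assumptions for illustration). It builds a per-user baseline of known source addresses and login hours from historical lines, then scans new lines for logins from unseen sources, logins at unusual hours, bursts of failures and a success following such a burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format for this example (not a real product's format):
# 2013-03-04T09:02:11 auth user=alice src=10.20.30.5 result=success
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed historical lines used to learn each user's normal behaviour.
BASELINE_LOGS = """
2013-03-04T09:02:11 auth user=alice src=10.20.30.5 result=success
2013-03-04T14:15:40 auth user=alice src=10.20.30.5 result=success
2013-03-05T09:10:03 auth user=alice src=10.20.30.5 result=success
2013-03-05T17:45:22 auth user=alice src=10.20.30.5 result=success
2013-03-04T08:30:00 auth user=bob src=10.20.30.7 result=success
2013-03-05T12:05:59 auth user=bob src=10.20.30.7 result=success
2013-03-05T12:20:00 auth user=bob src=10.20.30.7 result=failure
"""

# Constructed new lines to be checked against the baseline.
NEW_LOGS = """
2013-03-06T09:05:12 auth user=alice src=10.20.30.5 result=success
2013-03-06T03:12:44 auth user=alice src=203.0.113.9 result=success
2013-03-06T22:00:01 auth user=bob src=10.20.30.7 result=failure
2013-03-06T22:00:05 auth user=bob src=10.20.30.7 result=failure
2013-03-06T22:00:09 auth user=bob src=10.20.30.7 result=failure
2013-03-06T22:00:13 auth user=bob src=10.20.30.7 result=failure
2013-03-06T22:00:17 auth user=bob src=10.20.30.7 result=failure
2013-03-06T22:00:21 auth user=bob src=10.20.30.7 result=success
2013-03-06T10:00:00 auth user=contractor1 src=10.20.30.9 result=success
"""


def parse(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "result": m["result"],
        })
    return events


def build_baseline(events):
    """Per user: the source addresses and hours of day seen on successful logins."""
    baseline = defaultdict(lambda: {"sources": set(), "hours": set()})
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]]["sources"].add(e["src"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return baseline


def detect_anomalies(baseline, events, fail_threshold=5, window_seconds=300):
    """Return (timestamp, user, kind, detail) findings for events that deviate from the baseline."""
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of failures inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user, src = e["ts"], e["user"], e["src"]
        # Keep only failures that fall inside the sliding window.
        recent_failures[user] = [t for t in recent_failures[user]
                                 if (ts - t).total_seconds() <= window_seconds]
        if e["result"] == "failure":
            recent_failures[user].append(ts)
            # Alert once, when the burst first reaches the threshold.
            if len(recent_failures[user]) == fail_threshold:
                findings.append((ts.isoformat(), user, "failure_burst",
                                 f"{fail_threshold} failures within {window_seconds}s from {src}"))
            continue
        profile = baseline.get(user)
        if profile is None:
            findings.append((ts.isoformat(), user, "unknown_user", f"no baseline; login from {src}"))
            continue
        if src not in profile["sources"]:
            findings.append((ts.isoformat(), user, "new_source", f"login from unseen address {src}"))
        if ts.hour not in profile["hours"]:
            findings.append((ts.isoformat(), user, "unusual_hour", f"login at hour {ts.hour:02d}"))
        if len(recent_failures[user]) >= fail_threshold:
            findings.append((ts.isoformat(), user, "success_after_failures",
                             f"success following {len(recent_failures[user])} failures"))
        recent_failures[user] = []
    return findings


def run_example():
    baseline = build_baseline(parse(BASELINE_LOGS))
    return detect_anomalies(baseline, parse(NEW_LOGS))


if __name__ == "__main__":
    for ts, user, kind, detail in run_example():
        print(f"{ts} {user:<12} {kind:<24} {detail}")
```

Real deployments would read from a log pipeline rather than a string, and the baseline would be refreshed as staff and working patterns change; the point the example makes is that each check here is only possible because a baseline of normal activity was built first.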
Also consider what constitutes a breach that will trigger an investigation and require reporting to appropriate federal and state authorities, clients or individuals whose personal information may have been improperly accessed. This determination will require an assessment of federal and state breach notification laws, along with any requirements imposed by clients. For some firms, an unsanctioned presence in their system will be a code red; others may not ring the alarm until there is evidence that confidential data has been improperly accessed or even exfiltrated.
A cyber security plan should also address physical security issues. Many law firms have mechanisms in place to restrict physical access to the buildings and floors in which they have offices, but fail to lock the rooms where their servers are located. Your facilities housing servers and data centres should be secured and protected and your cyber security plan should identify who has access to keys to these locations.
A critical part of breach prevention is the training and education of staff on cyber security risks, the firm’s cyber security policies and breach responses. Training is not a one-time thing, but should be repeated to guarantee awareness and update staff on new cyber threats and changes to firm policies. Also consider limiting which employees have access to confidential information to avoid inadvertent disclosure and minimise the potential for an internal attack.
Further, vendors should not be given access to your firm’s networks or data without safeguards in place. Contracts with vendors should specify their agreement to and compliance with your firm’s security requirements before they can access your network or confidential information. Consider including indemnity or holding harmless provisions in your vendor contracts. Also, identify which obligations a third-party vendor has to your firm upon a breach of its own system: is it contractually obliged to notify your firm and assist with recovery? Can it be liable for reckless maintenance of data or other treatment of confidential information?
2. Adopt a robust incident response plan
Too often, law firms believe that cyber attacks should be reported to the head of IT and that the IT team will then handle the incidents as they deem appropriate. However, given the significant ramifications of a cyber security breach, your firm should develop a written plan that addresses contingencies and ensures that established protocols are followed. Having a plan in place helps to avoid panic after a cyber attack; it may also provide a defence against lawsuits alleging negligent investigation and breach response.
First, your plan should address to whom a potential incident should first be reported and designate a preliminary incident response team. There should be a data breach ‘owner’ who can run triage on security breaches and oversee efforts by the response team. The response plan should include an organisational flow chart delineating a clear command structure for an incident response, who will make the ultimate decisions on reporting obligations and the next steps.
The plan should also contain information on the firm’s computer networks and servers, including their physical locations and the types of information stored on them to facilitate immediate implementation of an appropriate internal investigation.
The obvious objective of the internal investigation is to determine whether the breach is limited to a single incident or has been ongoing, whether one server or an entire information network has been compromised, whether information has been accessed, corrupted or exfiltrated, how the breach occurred and the appropriate remedial steps.
To that end, the internal investigation portion of the incident response plan should take into consideration the possibility of insider involvement and consider the use of outside technical experts for forensic examination. The plan should ensure that investigations are conducted in a manner that will preserve evidence (such as computers, networks, files, emails, log files, metadata and backups), and include a policy for deciding whether to involve law enforcement to assist in the investigation or to pursue criminal charges against the hackers.
An incident response plan should also have notification and reporting policies for disclosing the incident to affected staff, clients and other individuals whose personal information was accessed, as well as to state and federal regulators. The policies should also outline a public relations and media strategy for incidents likely to generate media attention.
Notification obligations often will depend upon the type of data at issue and the type of incident (suspected improper access? corruption of data? actual information breach?). Sometimes, whether and when a disclosure must be made is governed by statute.
Forty-seven US states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have legislation that requires private entities or the government to notify individuals of security breaches involving personally-identifiable information. At least 16 states require entities that experience a breach of security resulting in the unauthorised acquisition of electronic data to also notify a state regulator (such as the state attorney-general) simultaneously with notifying affected citizens. States’ notice provisions vary based on the type of information at issue and the type of cyber incident.
Your firm may have disclosure and reporting obligations imposed by state law depending on where the breach occurred or where those affected by the breach live; your incident response plan must take these varying obligations into account. Cyber incidents can also trigger other notification and disclosure obligations under federal US law. For example, law firms that store or possess health records and information from their ‘covered entity’ clients may be deemed to be ‘business associates’ who are subject to HIPAA and the HITECH Act, which impose information security requirements.
Your firm’s incident response plan should also document who should make executive decisions as to whether an investigation into a breach is done internally, by outside experts, or at the direction of outside counsel.
3. Test if your systems are secure
A cyber security audit can confirm compliance with relevant statutory and regulatory requirements, best practices and other requirements imposed by clients.
Some firms use ethical computer hackers (sometimes called white hat hackers or red teams) to stress-test the effectiveness of their systems, including through penetration testing.
This type of rigorous testing can expose flaws or weaknesses in security procedures, security tools and internal controls. If the security programme prevents the white hat hackers from penetrating the system or from obtaining confidential data, the test was a success. If the testing exposes vulnerabilities, the firm can undertake remedial measures to eliminate or minimise weaknesses.
4. Protect your breach assessments
The maxim of a self-representing lawyer having a fool for a client is true. A law firm experiencing a cyber security breach is like toppling dominoes. There are numerous issues happening at once, each of which is critical to containing the breach and preserving the firm’s reputation.
In addition to enveloping the process in privilege, outside counsel can address a law firm’s risks and exposures and draft protocols to prevent, detect and address cyber attacks. This process, through which outside counsel engages security experts and other vendors, ensures that vendors report to the attorney and preserve the privilege.
Some states recognise other privileges, such as the seven states that recognise the self-critical analysis privilege, to protect communications relating to a voluntary self-assessment. The risk, however, is that this privilege is not as well defined or litigated as frequently as the attorney-client privilege and the work product doctrine.
In order to protect pre- and post-breach assessments of cyber security systems and protocols, involvement of a lawyer to maintain the privilege is critical. Your firm’s general counsel may serve this role, but it is increasingly difficult for courts to delineate between an in-house counsel’s business and legal advisory roles; many times, this results in a finding of no privilege due to the mixed role. An engagement letter with outside counsel can help to define the representation and protect the privilege.
This area of law is expanding and changing. In the wake of high-profile cyber attacks on clients, law firms will be expected to maintain a high standard of data protection.
5. Deal with client guidelines on data security
Many clients want law firms to provide guarantees that their systems are cyber secure before they will trust them with sensitive and confidential data. These range from a simple cyber security questionnaire for the law firm about the existence of a written information security plan to hundreds of pages of detailed substantive cyber security guidelines issued by clients.
Law firms may find that, not only are they asked by clients to use a particular system to guard against cyber security attacks, but also that their lawyers must ‘certify’ compliance with clients’ guidelines. Some clients may even want demonstrations or other access to written security plans to ensure compliance with their guidelines. There are certain steps that your firm should take to deal with these requirements.
New matter intake for any representation that requires adoption of client cyber security guidelines must include a thorough review of those guidelines by your firm’s head of IT and cyber security ‘owner’ before the new matter is opened. They should then give an honest and accurate assessment of your firm’s current compliance or ability to comply with the client’s guidelines.
If your firm does not currently comply with the client’s guidelines, or is unable (or unwilling) to upgrade its systems or procedures to reflect those guidelines, you should make a disclosure to the prospective client. Under no circumstances should your firm accept a representation premised on its ability to provide cyber security that it cannot provide.
A law firm that fails to abide by client guidelines (or best practices) for cyber security and then experiences a breach that involves loss of or improper access to client data may face breach of contract, misrepresentation and negligence claims, in addition to a traditional legal malpractice claim. Further, there could be an issue with whether your professional liability insurance policy would cover what could be considered intentionally reckless or dishonest behaviour in promising a specific level of security that your firm never intended (or was unable) to provide.
Competitive practices
Until the recent past, very few clients were concerned about a law firm’s ability to protect their data from disclosure as a result of a cyber breach. Now, nearly every client has confidential information that is attractive to hackers. They recognise that best practice dictates that this information not be entrusted to outside vendors, including law firms, that have inadequate cyber security measures in place. Law firms that fail to have a well-developed cyber security programme may find themselves no longer competitive in the legal marketplace.
Elizabeth Ferrell is co-chair of McKenna Long & Aldridge’s cyber security practice, Shari L. Klevens is deputy general counsel and chair of the firm’s law firm defence and risk management practice, and Alanna Clair is an associate at the firm and co-author of The Lawyer’s Handbook: Ethics Compliance and Claim Avoidance.