The need for better cybersecurity, along with the responsibility to safeguard client and firm information from the risk of loss from cyberattack, has been the focus of considerable discussion by law firms for the past four years. While some law firms have recently awakened to this key issue, significant further work needs to be undertaken. Let’s look at the progress (or lack thereof) of law firm security over this four-year period — and four ways firms could improve both the speed and effectiveness of their cybersecurity going forward.
The Treasure Trove
When asked why he robbed banks, Willie Sutton reportedly replied: “Because that’s where the money is.” From the perspective of today’s cyber-criminal, law firms may not have much cash lying around, but they have a treasure trove of valuable information—the universal currency of the 21st century.
Almost all law firms of any size or legal specialization have in their custody and control sensitive client and firm-business information. Right this minute, law firms have all or some combination of the following:
- case and/or litigation strategy information, including settlement parameters and argument weak points;
- confidential client business information (this information may be either retrospective information about the circumstances of the matter at hand, or prospective information about future plans and initiatives – or both);
- attorney-client privileged communications and other legally privileged information (such as attorney work product);
- client intellectual property, such as patent, copyright and trade secret information;
- a range of personally identifiable information (PII) of all kinds for employees, clients and third parties, such as personal health information and various account and account-access information that include customers’ name and address information; and
- payment card information, including card numbers and PIN numbers.
In short, firm confidential information includes much information for which the firm has a legal, ethical or business requirement to protect from disclosure or compromise.
The ethical standards to ensure that attorneys and firms maintain the confidentiality of all information relating to the representation of a client are well-known. ABA Model Rule 1.6(c) requires that “[a]lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Most states have similar ethical provisions. In addition to the ethical rules, bar-governing authorities have issued a number of opinions interpreting their respective rules regarding confidentiality in the context of digital information.
In a 2011 opinion, the ABA considered Rule 1.6 in the context of the duty to protect client email communications between a lawyer and the client. The ABA opinion noted that:
“a lawyer must act competently to protect the confidentiality of clients’ information. This duty, which is implicit in the obligation of Rule 1.1 to ‘provide competent representation to a client,’ is recognized in two Comments to Rule 1.6. Comment  observes that a lawyer must ‘act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.’”
In 2010, the State Bar of California considered whether the duty of confidentiality was violated by the use of technology to transmit and store confidential information when the technology was susceptible to unauthorized access by others. Specifically, the California Bar reviewed a matter in which an attorney used his personal laptop to work on a client’s information from home; access a public Wi-Fi network to conduct legal research for the client’s matter; and communicate via email with the client while away from his office. The California Bar analyzed this issue by reference to the attorney’s duty of competence. The opinion concluded that: “An attorney’s duties of confidentiality and competence require the attorney to take appropriate steps to ensure that his or her use of technology in conjunction with a client’s representation does not subject confidential client information to an undue risk of unauthorized disclosure. Because of the evolving nature of technology and differences in security features that are available, the attorney must ensure the steps are sufficient for each form of technology being used and must continue to monitor the efficacy of such steps.” (Emphasis added.)
In addition to these ethical requirements, some of the information stored and used by law firms on behalf of their clients, as well as in management of the firm itself, is subject to statutory, regulatory and contractual requirements regarding the use and protection of the information. Well-known examples of this type of data protection are the HIPAA Data Security Regulations and the HIPAA Privacy Regulations (see here and here).The January 2013 amendments to the regulations expanded the definition of “business associate” in a manner that encompasses law firms performing legal services for a “covered entity,” such as a doctor, hospital or other healthcare entity. Law firms that possess and use protected health information (PHI) are required to handle that information in conformance with the HIPAA data security and privacy regulations.
The data security regulation requires that covered entities and business associates have a data security plan setting out reasonable steps to be taken to ensure the security of PHI. The regulation borrows heavily from the longstanding guidelines of the Gramm-Leach-Bliley–inspired “Safeguards” rule. Law firms with such information must “protect against “reasonably anticipated uses or disclosures of the protected information,” but are given the leeway to do so in ways that take into account the probability and criticality of potential risks to the protected health information, the complexity and capabilities of the business and the costs of security measures. Finally, a business associate has to periodically review and modify implemented security measures.
A number of states have enacted statutes that protect the personally identifiable information (PII) of their citizens and specifically require individuals and any business that does business in the state to encrypt, under certain circumstances, PII used by the business. In 2008 and 2009, Nevada and Massachusetts , became the first states to pass such provisions. The Massachusetts data security regulation requires encryption of PII that is transmitted over the Internet. Law firms having offices in or otherwise doing business in Massachusetts must comply with this regulation or face potential civil and/or criminal penalties.
Similarly, law firms with offices in countries that are members of the European Union (EU), or who handle and store protected personal information pertaining to citizens of the EU that they have received from or on behalf of their clients, are under similar requirements to take measures to ensure the security of that information. Currently, this is an indirect result of the EU’s broad data privacy regulations (see here and here). However, the EU is now considering new and very specific data security regulations that would more specifically and comprehensively cover the protection of this information.
Lawyers are under both ethical and legal requirements to safeguard a large range of the information that flows into and out of their firms. However, too many firms have been either unaware of the risks of compromising this sensitive information or have not taken those risks seriously.
Asleep at the Switch
In 2009, the FBI issued an “alert” advising law firms that they were being specifically targeted by organized cybercriminals through the use of email phishing campaigns. This was only the beginning.
The cybercriminals discussed in the FBI’s alert and those behind subsequent law firm breaches are just one of the groups within a vast network of sophisticated, highly organized and well-funded criminal organizations. These groups are often, but not primarily or exclusively, foreign-based. They are sometimes state-funded, and like Willie Sutton, their motivations for breaching law firm security and stealing confidential information are primarily economic.
Given the sophistication and economic power of these organizations, one might think their methods would be equally sophisticated. They are. The techniques used to steal from law firms and other high-value targets are stealthy, persistent and challenging to detect. Because of these characteristics, they are sometimes referred to as advanced persistent threats (APT). In addition to the methods used to effectuate these attacks, APT attacks are known for their use of sophisticated targeting techniques that are aimed at high-level individuals within the law firm or corporation being attacked, and which often feature meticulously crafted email messages designed to fool even careful readers.
In 2010, several news stories revealed law firm data breaches and chided firms on their absence of security and attention to what appeared to be a growing problem. A good example is a March 2010 article in the National Law Journal titled “Firms Slow to Awaken to Cybersecurity Threat,”which included comments by Mandiant (a digital forensics firm that would later become famous for its data breach work for the New York Times, the State of North Carolina and in other high-profile cybersecurity incidents) that it had been involved in the investigation of over 50 law firm data breaches.
The same year, a Los Angeles-based law firm, Gipson, Hoffman & Pancione, publicly revealed that it had been the subject of a sophisticated phishing attack, which the firm and its forensic experts believed originated from China. A week before the attack, Gipson had filed a $2.2 billion copyright infringement suit against the People’s Republic of China on behalf of its client. At the time, this attack was widely covered by the press, including the Wall Street Journal and others. The Journal quoted a member of the firm as stating: “They were e-mails targeted at individuals in our law firm that were made to appear as if they were coming from other individuals at our law firm,” he said. “They attempted to get the target to click on a link or attachment.”
Also in 2010, at least seven Toronto, Canada–based law firms were attacked in an effort to derail a $40 billion acquisition of the world’s largest potash producer by an Australian mining company that was a principal competitor of the second-largest producer, a Chinese company. These attacks did not come to light until two years later.
A year later, in November 2011, the FBI invited 200 of the largest law firms to a meeting in New York to discuss the agency’s concern that sophisticated cyberattacks targeting the gold mine of information that law firms hold were increasing, and its expectation was that they would continue to do so. In a January 2012 Bloomberg article that later discussed this meeting and law firm data breaches in general, FBI Special Agent Mary Galligan summed up the meeting this way: “Some were really well prepared; others didn’t know what we were talking about.”
In March 2012, Jeffrey Brandt, a well-known law firm IT professional and blogger, wrote an article titled “When Good Enough – Isn’t,” in which he lamented the extremely “abysmal” state of law firm security. Among other things, Brandt discussed the then-most recent (October 2011) International Legal Technology Association (ILTA) study. Some key findings from that survey were:
- 86 percent of firms do not use or require two-factor authentication.
- 78 percent of firms do not issue encrypted USB drives.
- 76 percent of firms do not automatically encrypt content-based email.
- 58 percent of firms do not encrypt laptops.
- 87 percent of firms do not use any laptop tracking technology.
- 61 percent of firms do not have intrusion detection tools.
- 64 percent of firms do not have intrusion prevention tools.
Law Firm Reactions
The 2011 ILTA study covered a time (between October 2010 and October 2011) before some of the public disclosures and discussion described earlier (notably the FBI meeting in New York), and when law firms may not have really been “awakened” to the issue. However, by late 2013, law firms should have taken cybersecurity and the protection of confidential information to heart—and firms should have made significant improvements to their security postures. Yet as late as November 2013, Joe Patrice, a law firm IT specialist wrote a blog post blasting the lack of attention and interest by lawyers in security issues and terming law firms the “soft underbelly of American cybersecurity.”
Not everyone involved in law firm security would agree that such a grim assessment. In July 2014, Judith Flournoy—a respected law firm CIO and chairwoman of ILTA’s legal security working group—responded to Patrice’s characterization, contending that law firms have received the message and are addressing security concerns through the use of, among other measures, client security questionnaires and audits and, perhaps most importantly, the pursuit of ISO 27001 certification.
If the concept of law firms receiving the message and actively addressing cybersecurity concerns was real and not a mirage, this would be great news, and it would perhaps signal a key turnaround in law firm thinking and action. However, ample evidence seems to indicate that such a change in attitude and action regarding cybersecurity has not yet occurred. Most firms are still not really serious about cybersecurity.
For example, the 2013 ABA Legal Technology Survey (a product of the Legal Technology Resource Center) found that no more than half of the firms responding presently had written or implemented essential cybersecurity policies, such as those covering privacy, email retention, Internet use, email use, computer use and document records management. More precisely, the survey showed that 50 percent of the firms responding had document management policies. In every other policy-related category, less than 50 percent of the firms responding had the specified policies.
Most concerning is the most recent ILTA Tech Survey. This survey reveals that while law firms arguably may have awakened recently to the substantial risks posed to their confidential information, and despite any movement toward ISO certification, what is actually being done to address these risks is far from satisfactory. Law firm reaction is perhaps best characterized as slow and tepid.
The most recent ILTA survey was released in November 2013 and encompasses the year between October 2012 and October 2013. This is a period in which firms should have been aware of the serious security risks they faced and moved to address them. The chart below compares the results of the surveys in the same seven areas discussed almost two years earlier in Jeffrey Brandt’s blog.
|% in 2011||Security Measure||% in 2013|
|86||Do not use or require two factor identification||76|
|78||Do not issue encrypted USB drives||72|
|76||Do not automatically encrypt content-based emails||64|
|58||Do not encrypt laptops||56|
|87||Do not employ any laptop tracking technology||90|
|61||Have no intrusion detection tools||no change|
|64||Have no intrusion prevention tools||no change|
While minimal improvement was reported in some areas, the overall result is essentially the same as was described by Mr. Brandt over two years ago: abysmal. In the four years since this issue became publicly known on a wide scale, lawyers and law firms appear to have failed to make obvious yet essential changes that could make a difference in their security posture.
“Compliance Is Not Security”
This is a well-known saying by those who work in the information security field. It is why the mere fact that large law firms now may be making progress toward becoming ISO 27001 certified provides little comfort regarding the actual readiness and ability of firms to protect the confidential information entrusted to them.
ISO 27001 is a risk management standard. It describes what ends should be achieved, but not how to achieve them. Moreover, ISO 27001 is neither mandatory nor does it have a method of enforcement that can ensure that the requirements of the standard are being followed and kept up-to-date. Unfortunately, the history of the information security industry reveals that security standards are more often than not used as a checklist item (or a checklist of items) merely to attain the goal of certification, and then put aside to gather dust (if and) until the next occasion to be “certified” occurs.
Pursuit of industry standards is a useful step toward achieving organizational security objectives. However, it is not a key step, and it should not be the first step taken by law firms to meet their obligation to protect confidential information. ISO 27001 certification will likely be a trump card to play when firms are pressured to respond to security questionnaires and audit requests from their clients., It may ultimately help with the firm’s security posture when fully and finally implemented. However, it will do little to reduce the risks firms face in the immediate and short term. It has been at least four years since the first publicly revealed attacks, and two years since the great awakening. Yet the most recent ILTA survey reflects that at present, only 2 percent (the lowest percentage for any category on the survey besides “other” at 1 percent) of firms indicate that they are ISO certified.
When law firms place emphasis on attaining ISO or any other certification, it may complicate, delay and distract firm management from well-defined steps that can and should be taken in the short term.
Toward a Better Response
By almost any objective measure, the collective actions taken by attorneys and law firms to deal with the risk of exposure of their confidential information have been anemic at best. While a minority of firms and attorneys have taken real steps and measures, most firms have done little to effectively address the risk. The actions taken seem to be focused on the wrong problems or at least on problems unrelated to the most common and most serious security risks. To have real progress and impact on the security of a firm’s confidential information, two vital areas should be quickly and resolutely addressed.
“I have seen the enemy and he is us.” A principal cause of the lackadaisical manner in which a security risk has been handled is cultural. While firm CIOs and their staffs have awakened to the seriousness of the problem and are augmenting existing security efforts, the same cannot be said of lawyers. The bad and outdated attitudes that many attorneys have toward information security measures (and therefore necessarily, if unknowingly, their responsibility to protect confidential information) must be overcome. Many of these attitudes reflect one of the general characteristics of the legal profession: conservative by nature and slow to change habits and behavior. Lawyers, curiously enough given their profession, often dislike and are reluctant to abide by mandated rules or proscriptions. This is especially so if they do not adequately understand the particular proscriptions and the reasons behind them.
A successful information security initiative requires the cooperation of a law firm’s technical (the CIO and IT staff) and non-technical (attorneys and executive staff) personnel to address this issue. This requires consensus regarding (1) the information that requires protection; (2) the nature and extent of the risks to that information; (3) the firm’s risk appetite, including an understanding of the risk level to confidential information that the firm is willing and legally permitted to tolerate; and (4) the amount of resources the firm is willing and able to commit to insure that level of risk. Information risk management is not a responsibility that can or should be handled solely or primarily by the IT staff and then handed down like sacred tablets to the firm’s lawyers and staff.
Failure to win the hearts and minds of the firm’s attorneys (and staff) is a recipe for lethargic and/or ineffective attention to cybersecurity. To get serious about law firm cybersecurity, attorneys have to awaken to the reality of cybersecurity risk, and begin to embrace and cooperatively implement solutions.
Confidential law firm information faces two primary forms of risk: theft of data and leakage of data. As discussed above, awareness of and most public discussions about law firm cybersecurity risk primarily have been driven by and focused almost exclusively on high-profile theft of data. This has had the unfortunate effect of distracting and perhaps hindering firm leadership from recognizing and fully comprehending the imminent peril posed by more prevalent but equally dire risks. To get serious about cybersecurity, firms must better understand the threat landscape, and adopt measures that can reduce the risk in these two most-pressing areas of concern for law firms.
This form of risk has been and will remain a significant threat to law firms. As noted previously, the cybercriminals perpetuating these attacks are extremely sophisticated, and their attacks are highly targeted. Their efforts at espionage and theft are not simple-minded, poorly written “spam” email attacks, but rather, well-researched “phishing” efforts directed almost exclusively at selected individuals (very often of a high level) and law firms or other companies. Email phishing, however well done, is not the only means employed by these attackers to gain entrance to high-value systems. Last year, one of the largest and most prominent Barrister houses in Britain with very strong ties to the energy industry was the subject of a “waterhole” attack. In the simplest terms, these attacks succeed by implanting malware on legitimate (and usually highly reputable) websites likely to be visited by the target. Once the target interacts with the poisoned site, the target’s computer is infected and the first stage of the attack begins.
Regardless of the means used to initially gain entry into a law firm’s system, these attacks fall within in the category of APT. They are so named because having once entered a system, they are designed to remain undetected while they acquire knowledge about the operation and data layout of the system. This malware will first look for information of interest. This may be specific pre-identified information or more general categories of information of potential interest. The malware will next collect and store the identified information within the system. Finally, the collected information is exfiltrated to computers owned or controlled by the authors of the malware. In some instances, the APT malware will attempt to hide evidence of it ever having been in the system and then erase itself. In other instances, it may continue to lurk indefinitely in the system, or until it is detected and removed.
Apart from the targeted and specialized theft described above, other less sophisticated, but more frequently encountered, problems may compromise confidential law firm information . The leakage of a firm’s confidential information may occur through many means, including insider misuse; loss of an unsecured laptop or other mobile device; communication over public or other unsecured networks; visiting questionable websites; and downloading unapproved software onto the firm’s computer network or onto a mobile device, which connects to a repository of confidential firm information. Let’s briefly look at two examples.
A key form of data leakage involves law firm “insiders.” “The greater hazard to private enterprises may come from insiders who have ready access to sensitive information and either misuse or mishandle it,” wrote Michael McNerney and Emilian Papadopoulosin a 2012 article titled “Hacker’s Delight: Law Firm Risk and Liability in the Cyber Age.”
The 2014 Verizon Data Breach Investigations Report found that 19 percent of the breaches reported were the result of insider misuse. “Misuse” encompasses any intentional, non-intentional, legal or illegal activity undertaken by an insider that results in the loss or exposure of confidential data. It occurs when someone uses data in a manner counter to an organization’s policies (e.g., an employee sending intellectual property to his or her personal email account is an example of email misuse).
Law firm insiders include attorneys, staff and third-party partners. While Edward Snowden may be the poster child for the risks related to the disclosure of confidential information from insider abuse, such intentional criminal behavior is an aberrational, though not unheard of, concern for law firms. Recently, a former employee of Simpson Thacher & Bartlett LLP was accused of stealing client information and passing it on to accomplices as part of an insider-trading scheme. In 2011, an employee who had been fired from a Pittsburgh-based law firm used his old and unretired computer credentials to give members of the protest group “Anonymous” access to the firm’s systems. Once access was obtained, the group copied various files and then erased all of the firm’s files and backup files.
The communication of unsecured confidential information also poses a very high risk for data leakage. Lawyers use email each day to transmit confidential information in the normal course of performing their legal responsibilities. Only a small portion of this information is encrypted during transmission. Moreover, when encryption is used, it is often based on an ad hoc, individually determined decision and is not the result of policy requirements. A 2014 LexisNexis Report found that almost 90 percent of the respondents (a mix of attorneys from all size firms) communicated with their clients, or with privileged third parties, by email. However, only 22 percent encrypted these emails. Yet, 77 percent included a confidentiality statement in the body of the email. Another 21 percent included a confidentiality statement in the email header. Confidentiality statements provide little help for the risks of data leakage. As the report notes: “The use of the confidentiality statement conflates the duties to maintain client-attorney privilege, and the duty to protect client confidential information. … [C]onfidences, once let into an unsafe ether, are put at risk, and no ‘confidentiality statement’ can mitigate that.”
Cloud-based file sharing services, such as Dropbox™, Box, and others, are another way confidential information leaks out of a firm. The LexisNexis survey found that 52 percent of the lawyers surveyed used such services to transmit and share client-privileged information. Typically, the cloud service is being used through the attorney’s personal account, and the firm may not even be aware that files are being transmitted and stored in this fashion! To address these issues, many large firms prohibit, as a matter of policy, the use of such services for these purposes. Some firms also block access to such services from the firm’s desktop computers. Unfortunately, many firms do not.
The risk posed to the firm’s confidentially held information from this form of stealth data transmission and storage was illustrated earlier this year when a firm experienced the release of a client’s confidential tax and real estate information. The unencrypted information had been stored on a cloud service but was, without the knowledge of the firm, made publicly available over the Internet as the apparent result of the attorney’s failure to properly configure the “sharing” function of the service.
The perilous drip of confidential information out of law firms through means like those described above is because many law firms have not implemented and adhered to specific, basic, but highly effective security controls. In short, the compromise, actual or potential, of confidential information in this fashion is a self-inflicted, but self-correctable wound.
What Can Be Done Now
Each firm or solo practitioner’s situation is somewhat different, and the particular risk-management policies, processes and security controls employed will also be different. The development, configuration and actual implementation of a law firm’s final, fully-formed risk management plan is best accomplished through a risk management platform like ISO 27001 or the NIST Framework.
Several cybersecurity components are essential to a law firm’s cybersecurity risk management plan. They are applicable to almost any business, but are particularly vital for law firms because of the breadth, volume and sensitivity of the confidential information handled by attorneys. The absence of, or failure to implement, one or more of these essential components significantly reduces the likelihood that a law firm would be able to successfully argue that it had employed reasonable security measures. These cybersecurity components can be implemented without having to wait on the development of a comprehensive cybersecurity risk-management program. After implementation, they can be later integrated into any well-designed plan. Highlighted below are four components that are listed in their relative (not absolute) order of priority.
Encryption. Encryption is the acid test of seriousness. As a matter of policy, it must be used to protect the firm’s confidential information. It’s that simple. If a firm is not encrypting its confidential information, then it is not being serious about the risk of potential compromise of that information. Confidential information should be encrypted every time it is transmitted into or outside of the firm. Further, consideration should be given to encrypting specified categories, or all confidential information at rest (stored) within the firm.
The manner and nature of the encryption employed may vary depending on the specific threats involved, but will nearly always provide for the encryption of laptops, cell phones and other mobile devices; and the encryption of email and file transfer related communications.
Intrusion Detection and Prevention. As discussed in this article, the likelihood of attack by sophisticated APT malware and other methods continues to pose a serious threat to the ability of law firms to maintain the security of their confidential information. This form of threat cannot be effectively addressed, let alone defeated, without using the appropriate intrusion detection and prevention tools. The early detection of this malware and the timely prevention of information loss from these forms of attack mandate appropriate use of well-trained forensic specialists; deployment of sophisticated counter espionage software; and development and maintenance of specialized threat detection and prevention hardware and software. Use of these measures will carry a greater cost. Nonetheless, it is essential to countering this threat. The widespread practice of having IT personnel review firewall and other system logs, and relying only on yearly (or greater) penetration testing/auditing is insufficient. For this menace, these practices most often are too little, too late.
Meaningful User Education. Law firms, much like other businesses, have neither viewed nor effectively employed user education as an essential part of good cybersecurity. Yet it is apparent that the users of law firm computing systems may constitute the most critical component of the security protecting the firm’s confidential information. Whether analyzing the theft of information via the most sophisticated APT, or the leakage of information through transmission of unencrypted email, a common denominator defining successful attacks has been the actions that a system’s user took (or failed to take) in initiating or propagating the attack.
Risky user behavior and a reluctance to embrace security protocols and procedures are often directly related to not understanding the nature of the threats to the firm’s confidential information, the reasons why a particular security protocol needs to be followed or the real-life consequences of failing to do so. Firm IT “training” often does a good job at explaining the “how” of any technology or practice, but it can be far less adept at explaining the “why.”
Law firms may want to begin approaching cybersecurity education as an opportunity to make each user a willing and enthusiastic protector of the firm’s confidential information.
Written Policies. Law firms must have up-to-date written policies addressing key cybersecurity topics. Firms should have a breach response policy that spells out precisely, and in reasonable detail, who, what and how the firm will respond to a breach, leak or other actual or potential compromise of its confidential information. Firms also should have a computer use policy in place. This policy should describe the rights and responsibilities of the users of the firm’s computers (desktop or mobile) and any other computers used to access or hold the firm’s confidential information.
While most firms may now be more aware of the risks to their information, there is all the difference in the world between knowing that you live in a high-crime neighborhood and actually putting locks on the doors and buying an alarm system. To date, most law firms of any size have not sufficiently addressed the threats to the security of their confidential information. In addition to any damage attendant to the compromise of their information, firms also risk the potential economic and reputational fallout from being found to have violated their ethical or legal duties.
The four key measures proposed here can help firms potentially avoid this outcome by considerably diminishing the most common and recurring cybersecurity threats. They can be implemented immediately (or in fairly short order). Prompt adoption and implementation will not interfere with or delay development of more comprehensive plans and measures. Most notably, if implemented, they can significantly reduce the risk of compromise to a firm’s confidential information. When implemented, they will represent a serious response to law firm insecurity.
About the Author
Joseph M. Burton (@JMBurton88) a partner in the San Francisco office of Duane Morris LLP (@DuaneMorrisLLP). He can be reached at 415-957-3014 or JMBurton@duanemorris.com.