The revelation that some of the country’s most prestigious law firms were hacked in an attempt to uncover confidential information, coupled with the “Panama Papers” scandal, has put an uncomfortable spotlight on law firms and their data security programs.
This may be the much needed wake-up call to law firms—big and small—to conduct an audit of their information security systems and protocols, and be more proactive in their efforts to prevent data breaches that could potentially have significant ramifications, both for their clients and their livelihood. In this month’s roundtable, law firm leaders and cybersecurity experts discuss why law firms are vulnerable to hackers, and what needs to be done to prevent a consequential data breach.
This is the first of a two-part roundtable. Read Part II of “Law Firm Data Hack Attack.”
Our Moderator
Nicholas Gaffney (NG) is a veteran public relations practitioner in San Francisco and is a member of the Law Practice Today Editorial Board.
Our Panelists
| Françoise Gilbert (FG) Françoise is a partner at Greenberg Traurig LLP. She advises public companies, emerging technology businesses and non-profit organizations, on the entire spectrum of domestic and international privacy and cyber security legal issues. | |
| Kevin Murphy (KM) Kevin is the Co-Founder of Wingman LegalTech and CFO. | |
| Yong-Gon Chon (YC) Yong-Gon is the CEO of Cyber Risk Management with more than 20 years of experience building and leading global security teams. | |
| Robert Owen (RO) Robert is Partner in Charge of Sutherland Asbill & Brennan’s New York office, has decades of commercial litigation experience in New York and around the country. | |
| Braden Perry (BP) Braden is a litigation, regulatory and government investigations attorney with Kennyhertz Perry, LLC. | |
| Alvin Tedjamulia (AT) Alvin is the Chief Technology Officer with NetDocuments and frequently speaks on security topics. | |
| Angela Hickey (AH), Angela is the Executive Director of Levenfeld Pearlstein, LLC overseeing the firm’s financial and operational functions. | |
| Sharon D. Nelson (SN), Sharon is the President of Sensei Enterprises, Inc., a digital forensics, information security and information technology. | |
| John W. Simek (JWS) John is the Vice President of Sensei Enterprises, Inc. Mr. Simek has a national reputation as a digital forensics technologist and has testified as an expert witness throughout the United States. | |
| Joshua Stein (JS) Joshua is the sole principal of Joshua Stein PLLC, a boutique commercial real estate law firm. | |
| Peter Zver (PZ) Peter is the President of Tikit North America and has been serving the legal technology market for over two decades. | |
| Marco Maggio (MM) Marco is the U.S. Director of All Covered’s Legal Practice and is responsible for the strategy, marketing, and education of the national Legal Practice. |
NG: What was your response to the revelation that recently a number of law firms had been hacked?
FG: Breaches of security are not new. They have happened for at least 30 years. In the past, companies did not have to report them. Thus the public was left out of it. Now numerous laws require the disclosure of certain categories of security breaches. As a result, the public has a better understanding of the issue.
There is no such thing as 100% effective security anywhere. Many entities have been hacked. This has happened to the US government, the top banks, major insurance companies, major hospitals, and many others. It is not surprising that law firms would be hacked as well. Statistically, this has to happen.
KM: It is a sign of the times, and now more than ever law firms need to be diligent about their information security, not just protection through technology, but training their staff on what to look for. It’s always been important to protect yourself and make sure the law firm is doing its best to manage its security, but something law firms should also consider is what happens if data is compromised.
YC: This is a call to action, but not at all surprising. Legal, accounting, consulting and other firms are increasingly targeted by adversaries due to the concentration of crown-jewel types of data they are often entrusted with. These organizations are often perceived as trusted advisors to large companies or high net worth individuals who have access to closely held secrets.
RO: My response was a complete lack of surprise. Law firms have always operated inside a bubble of their own making, in which information security will take care of itself because “we’re all good people” and “we’ve been careful in hiring and training.” A moment’s reflection reveals the vacuity of those attitudes when put up against determined, full-time, state-supported hackers.
BP: It’s not surprising that some 50 law firms have been hacked, and I suspect many more, some who may know, and some who may not know that they have been the victim of intrusion. Most large law firms have likely had level of intrusion. There’s no requirement or that a law firm inform the public they have been hacked, so the number is likely much higher.
AT: This is very unfortunate, but it is just a premonition of what will come in a much grander scale in the future.
AH: This is not surprising. Law firms possess highly sensitive and confidential information and also have access to large amounts of money.
SN+JWS: Nearly 50 law firms were targeted by a Russian cybercriminal who posted on a cybercriminal forum seeking a hacker to collaborate with him. He hoped to hire a black-hat hacker to handle the technical part of breaking into the law firms, offering to pay $100,000, plus another 45,000 rubles (about $564). He offered to split the proceeds of any insider trading 50-50 after the first $1 million. Sporting of him. The list of law firms reads like a “Who’s Who Among Top Law Firms.” But it is important to note that many folks got confused—these firms were targets, not actually hacked. Though we know that two of them were hacked last summer by someone else, as numerous press sources have reported. Heck, we believe most of them have been breached. Just keeping mum—which has been the response for some time—no one wants to acknowledge a breach, the data breach notification laws and ethical duties notwithstanding.
PZ: This did not come as a surprise as the nature of law firm data is of very high value and the content can easily be linked to financial gain for hackers or their clients. In addition, by nature, law firm data exhibits very appealing properties like “multi-organizational sources” and “confidential by nature,” both of which are attractive to criminals. This is equivalent to a thief gaining access to a high-end department store vs. a single retail outlet. And lastly, as most security breaches arise out of human error/negligence, the organizational structure of a law firm (partnership) makes it difficult to impose rigorous compliance and mitigate this type of risk.
MM: I was not at all surprised. I think that number is vastly understated based on what I experience firsthand throughout my travels and conversations with firm leaders across the country. The fact that firms are typically not required to report unwanted network intrusions lulls other firms and the public into a blurred sense of reality in regards to what is really happening in the marketplace. When I’m in a group setting, I still don’t see many people raise their hands to discuss a recent breach, but almost all of them have some type of incident to share that occurred at their firm when we are behind closed doors.
NG: How seriously do most firms take the issue of data security?
FG: I do not have access to statistics regarding this information. Most large law firms have an in-house staff of information technology and information security specialists, or outsource their needs to competent service providers.
KM: This seems to be top of mind for the majority of law firms we work with. They have an ethical obligation to protect their client’s information. It is just difficult for law firms of all sizes to stay up to date with the latest security standards.
YC: There is greater awareness of cybersecurity across the board in the legal industry, but awareness is not necessarily commensurate with budget to effectively minimize risk unless they’ve already experienced a breach and got religion. Firms most often operate as partnerships, which means every data security investment is viewed as a cost of doing business, which takes profits right out of the partnership’s pockets. The bar association doesn’t regulate cyber risks like attorney client privilege, which is why the financial services, health care and federal sectors lead in data security investments and budget, due to heavy regulation.
RO: They are only now beginning to wake up. The Cravath hack, although said to be ultimately harmless, should have stunned many firms into wakefulness. Smaller firms are perhaps less inviting targets (for now) but I suspect that they are also very easy targets. How many firms, even in 2016, don’t have dual factor authentication? I would not be surprised to learn that fewer than half are so equipped.
BP: Overall, most law firms understand the danger and have implemented practices to prevent such intrusions, but the number of attempts keep rising. But most don’t take it as seriously as many of their regulated clients, who may have a regulator reviewing their practices, i.e. the SEC/Finra, CFTC, CFPB, FTC, etc.
AT: International Legal Technology Association technology surveys indicate that security is one of the top technology concerns for law firms. In practice, however, law firms are woefully sub-standard on security best practices.
AH: This is a very significant concern for law firms of all sizes. Law firms are held to a strict standard and have a duty to protect the confidentiality of clients and client information.
SN+JWS: The Am Law 200 now take cybersecurity very seriously, spending an average of 1.9% of gross revenues on keeping their confidential data secure. And they have now, appropriately, accepted the notion that they can’t keep hackers with sophisticated tools and adequate funding out—they are focusing on detecting breaches, then responding to and recovering from them.
PZ: Firms absolutely take security seriously, especially in light of outside counsel guidelines and security audits they need to adhere to. However, once compliant at this level (aka the sigh of relief) it’s unclear how well the security message becomes top of mind, day-to-day, at the attorney level, in order to mitigate the breaches caused by human behaviors, which have been quoted as accounting for 50% of all breaches and even 90% according to some sources. A lot of this has to do with firms’ commitment to the level of monitoring and communication, keeping security top of mind.
MM: At Konica Minolta we are seeing some larger firms taking cybersecurity and compliance extremely seriously, and others that feel that they’re not big enough to generate any interest from a cybercriminal. Some don’t understand that it is not the size of the firm, but the sensitivity and value of the data that they maintain that determines if they will or will not be targeted. These firms have data security pushed down on their budgets and their list of firm priorities. I’m relieved to see many larger firms mapping to controls such as the NIST framework and/or ISO 27001, but I think the industry still has a long way to go to truly understand what “reasonable efforts” they should maintain to protect their clientele.
NG: Are law firms particularly susceptible to hacking/data breaches? Why?
FG: Any entity that holds data is susceptible to hacking and breaches of security. Hackers are usually interested in money, confidential information, or sometimes revenge. Thus, a hacker will look for places or people that have money or confidential information. Law firms fall in the category of “holding confidential information”.
KM: Law Firms are healthy targets for hackers because of the type of data they deal with, from personal information to business transactions.
Most of the breaches we’ve seen have been related to the cryptolocker virus which uses email attachments to infect a user’s network by encrypting data and holding it for ransom. This type of maliciousness is not industry specific. They are preying on human error.
YC: Law firms face regular external attack as well as insider threats, no different than other vertical markets. It’s the impact of a breach that makes them a target-rich environment. Like many other companies, law firms have shared services functions (Finance, HR, Facilities, etc.) that are often not as technically or cyber-savvy, which makes these departments more vulnerable to phishing attacks cybercriminals can use to obtain unauthorized access to systems and data. Once an attack establishes the right foothold, it can cascade via malware to compromise an entire department or organization.
RO: As I said, law firms have always operated inside a trust bubble, which could also be characterized as a “close our eyes” bubble. Historically, law firm security amounted to keeping strangers out of your office’s sensitive areas, which was relatively easy to do, so firms don’t bring a tradition of suspicion and watchfulness to information security. That is changing, but slowly.
BP: Law firms are an attractive target, especially large firms with diverse practices that may include sensitive corporate or government information.
AT: According to the FBI, law firms are high-value targets because a single firm can give the hacker access to numerous corporate data. However, law firms in general are much more lax on security than the corporations they represent.
Here’s an evaluation of how firms measure up against four major areas of data security:
- Perimeter defense on the physical facilities and electronic network to stop outsiders from accessing data, to prevent denial of service, and to enforce encryption in transit.
Law firms in general have average network security with firewalls, but tend to have low technology for web application firewalls, intrusion detection/prevention, usually no denial of service protection, and low best practices on security, enabling experienced hackers to penetrate the perimeter defense.
- Data encryption with entropic cryptography and customer custody over cipher keys, for encryption at rest, encryption in use, prevention against internal collusion and subpoenas, and nation state attacks.
There is almost complete major vulnerability across all law firms in this area as cryptography, at best, only exists at the hardware level (which has low security value).
- Application security to ensure that each user is bound to the access control and ethical walls of each document, each container, and each profile metadata, which establishes a pessimistic security model, enforced via two-factor authentication.
Very few firms enforce best practices on a pessimistic security model, and only a limited number of firms enforce two-factor authentication.
- End user security training to teach, monitor, and encourage best security practices for every lawyer, secretary, and staff.
There is a great deal of variability across firms in managing a regular method of training and enforcing end-user security best practices. Some firms have implemented regular, ongoing security training, while others have not done any security education with their employees, with most firms somewhere in the middle.
SN+JWS: They are. Many are not well protected, but they are a particularly attractive honey pot because they hold the data of so many clients. Those who hold intellectual property and merger and acquisition data are phenomenally attractive. As Willy Sutton used to say, he robbed banks because that’s where the money was. Breaching law firms is a great way to make money.
JS: Yes. Lawyers tend to be very unruly and disobedient as a group, which is odd for a group focused on understanding and applying legal principles that define how things are supposed to be. Lawyers tend to want to do things their own way. They tend to be smart. They tend to think they can do things better than other people. So they’re not very good at just following the rules when it comes to administrative matters.
PZ: Absolutely. Law firm data is perfectly packaged, sensitive, confidential, high value, easily convertible and under the custody of an organization whose governance is highly susceptible to security breaches originating from human behavior.
MM: The term “treasure trove” is being used quite often in the press these days, and I think it’s an accurate depiction of law firms as a cyber target. Small and medium sized law firms typically operate with a minimal IT staff that are tasked with everything from end user technology support to keeping email operational and when they have time, instituting security measures. Even when IT leaders in these firms clearly understand the threats, they struggle to convince firm leadership to reprioritize efforts and establish needed budgets. It has become abundantly clear to hackers that it’s much easier to get data from a third party, like a law firm, than it is to attack an enterprise account or major financial institution. The cybercriminals no longer need to break through a sophisticated enterprise security team if the same data resides on virtually unprotected servers.
This roundtable is continued in Part II. Read Part II of “Law Firm Data Hack Attack.”