Law Firm Data Hack Attack, Part II

This is Part II of “Law Firm Data Hack Attack.” Click here to read Part I.

The revelation that some of the country’s most prestigious law firms were hacked in an attempt to uncover confidential information, coupled with the “Panama Papers” scandal, has put an uncomfortable spotlight on law firms and their data security programs.

This may be the much needed wake-up call to law firms—big and small—to conduct an audit of their information security systems and protocols, and be more proactive in their efforts to prevent data breaches that could potentially have significant ramifications, both for their clients and their livelihood. In this month’s roundtable, law firm leaders and cybersecurity experts discuss why law firms are vulnerable to hackers, and what needs to be done to prevent a consequential data breach.

Our Moderator

Nicholas Gaffney (NG) is a veteran public relations practitioner in San Francisco and is a member of the Law Practice Today Editorial Board.

Our Panelists

Françoise Gilbert (FG) Françoise is a partner at Greenberg Traurig LLP. She advises public companies, emerging technology businesses and non-profit organizations on the entire spectrum of domestic and international privacy and cyber security legal issues.
Kevin Murphy (KM) Kevin is the Co-Founder and CFO of Wingman LegalTech.
Yong-Gon Chon (YC) Yong-Gon is the CEO of Cyber Risk Management with more than 20 years of experience building and leading global security teams.
Robert Owen (RO) Robert is Partner in Charge of Sutherland Asbill & Brennan’s New York office and has decades of commercial litigation experience in New York and around the country.
Braden Perry (BP) Braden is a litigation, regulatory and government investigations attorney with Kennyhertz Perry, LLC.
Alvin Tedjamulia (AT) Alvin is the Chief Technology Officer with NetDocuments and frequently speaks on security topics.
Angela Hickey (AH) Angela is the Executive Director of Levenfeld Pearlstein, LLC, overseeing the firm’s financial and operational functions.
Sharon D. Nelson (SN) Sharon is the President of Sensei Enterprises, Inc., a digital forensics, information security and information technology firm.
John W. Simek (JWS) John is the Vice President of Sensei Enterprises, Inc. Mr. Simek has a national reputation as a digital forensics technologist and has testified as an expert witness throughout the United States.
Joshua Stein (JS) Joshua is the sole principal of Joshua Stein PLLC, a boutique commercial real estate law firm.
Peter Zver (PZ) Peter is the President of Tikit North America and has been serving the legal technology market for over two decades.
Marco Maggio (MM) Marco is the U.S. Director of All Covered’s Legal Practice and is responsible for the strategy, marketing, and education of the national Legal Practice.
NG: What can/should the typical law firm do—that it is not currently doing—to better protect client information?

FG: I don’t know what law firms are not doing. However, when I advise clients on these issues, I provide a variety of suggestions that are based on the numerous laws, standards, guidelines and best practices currently available. Since many security breaches are caused by human error—for example, victims of social engineering—I also usually recommend intensive training of the personnel on information security issues.  

KM: We always think it is important to get a security audit done by an information security company like Tevora. This will point out your vulnerabilities and help you understand how to fill those gaps.

YC: Firms can take many actions including:

  • Create a cyber aware culture across your entire organization, including your vendors/supply chain.
  • Rely on multiple layers of data protection that involve pervasive use of encryption and strong authentication.
  • Run breach readiness assessments and drills to see how your organization would react when something inevitably happens.
  • Determine the relative value of breach impacts, so you can prepare in advance. For example, a nuisance intrusion into non-core systems, if caught and contained in time, may not bring the repercussions of attorney-client data being stolen.
  • Obtain cyber risk insurance for the value of risk (damage, disruption, etc.) that cannot be mitigated.

RO: First, at a bare minimum, law firms should require dual-factor authentication when staff are working outside of the office. Second, they should require passwords to be changed frequently. Third, they should train email users to stay alert for scams and periodically remind them of them. Finally, they should transition to device-level security, as Google announced just today, and abandon the moat concept. People are far too mobile for the moat (aka, the firewall) to protect information when they are out of the office unless a firm has made this transition.

BP: Law firms should understand the risk and have strong policies and procedures in place both for prevention/detection and mitigation of the information. If some client information is sensitive, measures should be taken to avoid storage where it is easy to obtain. Similar to the old practice of keeping paper files under lock and key, partitioning of especially sensitive data should be practiced. Law firms should have a data storage policy that only keeps documents on their main systems if necessary, and then transfers them to a more secure storage vehicle.

AT: Based on our vast experience in working with law firms on client information security, the following standards and best practices should be evaluated and, ideally, implemented:

  • Make information security a commitment from the partners and executive committee, down to the IT group and other departments, to every user.
  • Engage in conversations with cloud vendors where security could be built into the software and infrastructure.
  • As appropriate, consider engaging reputable third-party security consultants for best practices.
  • Make a serious effort to implement all appropriate control requirements major banks and other financial service organizations impose on their outside counsels.
  • Implement best practices for data protection.
  • Adopt a multi-factor authentication and pessimistic security model.
  • Obtain SSAE SOC-2 Level 2 and ISO 27001 certification.
  • Implement Hardware Security Module (HSM) cryptography, hopefully compliant with FIPS 140-2 Level 3.
  • Encrypt every document and every email, possibly with a unique cipher key for each file.
  • Deploy entropic strong cryptography not based on pseudo-random generators.
  • Adopt segregation of duties where no single person, or even no two persons can unilaterally disclose data.
  • Ensure that all logs generated by software, network, and hardware devices are managed by a third party so there is no tampering of access history.
  • Make sure every defective electronic media is degaussed and destroyed, and never recycled.
  • Perform regular certified penetration tests, vulnerability tests, and ensure all software vendors to the firm follow static source code security tests.
  • Implement best practices in user security and education:
    • Perform annual background checks on every employee.
    • Conduct effective quarterly training on security.
    • Log attendance on quarterly training and offer make-up classes.
    • Conduct targeted end user vulnerability tests.
  • Adopt a cloud infrastructure to simplify the adoption of the above intense security requirements.

AH: It is standard industry practice to request all employees to annually sign confidentiality agreements and also to require non-disclosure agreements from all external vendors. It is also standard for law firm technology infrastructure to include security monitoring systems, firewalls, blocking the ability to upload files to external devices, frequent password changes, etc. Our firm also has regularly scheduled penetration tests as part of an annual security audit performed by an outside technology company. Despite every recommended precaution, the largest risk of a cyber breach is through the people who work in the law firm. It is important to find ways to heighten the awareness levels and to train law firm employees on their role in preventing cyber breaches.

SN+JWS: They need to buy or appropriately configure data loss prevention and intrusion detection systems (they come in many names) that will alert them to the “touching” of sensitive files or an unusual number of files, among many other things. And they need to train their employees, ALL the time, to reduce the ongoing click-happy folks who let malware in by clicking on links in or attachments to suspicious e-mails, or sending out sensitive data at the apparent request of a partner, CEO, etc. without checking to see that the request is valid.

JS: I really don’t have enough information to say, but as an overall matter I think the key is to set reasonable procedures that don’t get in the way too much; communicate them; and then make sure people follow them. Ideally, you should build those procedures into the software and interfaces your lawyers and staff use every day. The more you can do that, the better, because then people don’t have to remember things, and you don’t have to educate them and keep reminding them.

PZ: Law firms need to seriously consider outsourcing security and moving their data to an environment (i.e. cloud) which exhibits state-of-the-art security but, more importantly, an ever-evolving security model (i.e. hourly) that keeps pace with the hacker community. If law firm data is under the custodianship of such organizations, most likely they have “hacker” talent on board, which is reassuring for law firms.

MM: Firms should start by understanding what their clients expect of them. Mapping to a security framework is always recommended, or take a step further and get ISO 27001 certified. They should get regular penetration tests and vulnerability assessments from a third party. Firms should encrypt data, test their backups, partition and limit data to only those who need access. They should develop and implement the right policies for their practice areas and continually educate the entire staff about potential threats and ensure they understand their responsibility for protecting data. Lastly, and most importantly, if you need help… get help. There are many qualified vendors in the industry that can share numerous industry best practices and help a firm develop a plan before they really need one.
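As an added illustration, not code from the panel or the article, of the alerting SN+JWS describe (a “touch” of sensitive files, or an unusual number of files) combined with the partitioned, need-to-know access BP and MM recommend: a small Python checker run over constructed file-access log lines. The log format, account names, paths and the access list are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-access log lines: "<ISO timestamp> <user> <action> <path>".
# The tgreen and mlee rows are the constructed "bad" cases.
SAMPLE_LOG = """\
2016-05-02T09:01:10 jdoe READ /matters/acme-merger/term-sheet.docx
2016-05-02T09:01:12 jdoe READ /matters/acme-merger/draft-v3.docx
2016-05-02T09:05:44 tgreen READ /matters/acme-merger/term-sheet.docx
2016-05-02T09:10:00 mlee READ /matters/general/lease-01.pdf
2016-05-02T09:10:05 mlee READ /matters/general/lease-02.pdf
2016-05-02T09:10:09 mlee READ /matters/general/lease-03.pdf
2016-05-02T09:10:14 mlee READ /matters/general/lease-04.pdf
2016-05-02T09:10:20 mlee READ /matters/general/lease-05.pdf
2016-05-02T09:10:25 mlee READ /matters/general/lease-06.pdf
"""

# Constructed access list: a partitioned matter folder (the electronic
# "lock and key") and the only accounts that may touch anything under it.
SENSITIVE_AREAS = {
    "/matters/acme-merger/": {"jdoe", "rsmith"},
}


def parse_line(line):
    """Split one log line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def detect(lines, max_files=5, window=timedelta(minutes=10)):
    """Return alerts for (1) a touch of a partitioned area by an account not
    on its list and (2) an account touching more than max_files distinct
    files inside any sliding window of the given length."""
    alerts = []
    per_user = defaultdict(list)  # user -> [(timestamp, path)]
    for line in lines:
        if not line.strip():
            continue
        ts, user, _action, path = parse_line(line)
        for prefix, allowed in SENSITIVE_AREAS.items():
            if path.startswith(prefix) and user not in allowed:
                alerts.append(("SENSITIVE_ACCESS", user, path))
        per_user[user].append((ts, path))
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            touched = {p for t, p in events[i:] if t - start <= window}
            if len(touched) > max_files:
                alerts.append(("BULK_ACCESS", user, len(touched)))
                break  # one alert per account is enough to page someone
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The thresholds are deliberately low so the constructed sample trips both rules; in production they would be tuned per practice group from a baseline of normal document activity.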

NG: Do you think clients are aware of the risk they run when sharing confidential information with lawyers?

FG: The question should not focus on law firms in particular. The issue is the same for all types of companies. There is a risk in entrusting anyone, whether your doctor, your banker, your insurance company, or your lawyer with sensitive information.

KM: Yes, because data breaches are always in the news. I imagine they are thinking if it can happen to Target or another large corporation, that it could happen to any size business.

YC: I think clients are very aware of what is at stake with the confidentiality of their data anytime information is entrusted to an attorney. Clients expect that attorneys will have equivalent – or greater – security controls than they do. The data security expectations for law firms keep rising, regardless of their size or resources.

RO: Some of our major clients have been issuing audit requests concerning our cybersecurity for the past 15-18 months, and including cybersecurity questions in their RFPs to us. This is not the case with most clients, however.

BP: Clients are counseled by their lawyers to be open and honest, as the lawyer-client relationship is one of the oldest and most powerful privileges there is. I don’t think many understand that their sensitive information can be exposed by intrusion and that many law firms have had intrusions at some level.

AT: The expectations of the corporate customer are that their outside counsel has as good a security standard as the corporation has internally.

AH: Unless they have worked in a law firm, I don’t think clients know “how the sausage is made” and many would probably be surprised at how fluid information-sharing is within a law firm. Clients should ask to see a firm’s business continuity plan, or at the very least have a conversation with their law firm about the precautions in place to guard against the risk of a cyber breach.

SN+JWS: They are now! Law firm clients are increasingly demanding that law firms have third-party security audits performed. They were once “hands off” and accepted what the law firms told them. Those days are over, never to return.

JS: Clients expect lawyers to maintain confidentiality. Lawyers almost universally live up to that expectation. Even with the occasional data breach – just like you have with any big organization – I don’t think clients have much to worry about.

PZ: I think we are starting to witness (recent breaches) the law firm as a primary target for the reasons already mentioned, and as such this will elevate the awareness of GCs, which will translate to more rigorous diligence as part of initial engagements, but also requests from GCs for evidence of ongoing monitoring (more audits).

MM: I think that many clients are very aware of the risk. With that stated, I think that too often they are put at ease by simply instituting contractual obligations with their outside counsel. The terms and conditions are a much needed step to adequately communicate expectations, but I’m seeing a frequent trend where the conversation stops there without any inspection. Many firms’ clients are not taking the next step to actually audit or obtain proof that the firms are implementing the right controls to protect their data.

NG: What does the future hold for law firm data security?

KM: The future is in leveraging resources by taking advantage of the cloud/hybrid-cloud solutions and educating staff on how to detect potential breaches. The technology industry is always coming out with security tools that adapt to the new working environment. As an example, there’s a solution called Vera that secures files no matter where they are located, including internet-based storage.

The key is to keep adapting and be aware of security vulnerabilities.

YC: This is an interesting time, where we are seeing age-old legal industry norms like attorney-client privilege and cross-practice collaboration collide headlong with irreversible trends like mobile devices, cloud computing and borderless networks. The current wave of incidents could have a cascading effect on rates, as firms look to increase investments in data protection that their clients may begin to question. If the impact of incidents continues to grow, you may see eventual regulations and/or standards emerge, which could create a conundrum of protected attorney-client privileged data against breach notification requirements and information sharing.

RO: There will be more hacking attempts and more successes, more awareness of the problem at firms and clients, a transition of business away from firms that don’t adapt to the new client requirements, and tighter controls (both in terms of hardware, software and policies) at the firms.

BP: Like most cyber environments, there will be a strong market for security experts to monitor, prevent, detect, and mitigate the increasing numbers of attempted breaches. The market will only get stronger as the publicity of the intrusions and the sophistication of the hackers increases.

AT: Here are five law firm data security musings:

  • Entropic cryptography and digital rights management will be required in the future.
  • Security is a journey and never a destination, and it is much more efficiently prescribed if it is a service, instead of an arduous never-ending internal task.
  • Clients will impose more security requirements on law firms.
  • Law firms that do not engage in third-party security services will lose in the marketplace against those who engage in software-as-a-service based security and cryptography.
  • Law firms are realizing that a competent cloud infrastructure vendor can offer much more security than their internal infrastructure.

AH: More layers of security for access to information. It’s interesting to consider that many law firms have responded to client pressure for cost reduction by outsourcing seemingly low level tasks such as document review and production. Outsourcing and offshoring arrangements may lower the personnel cost of a law firm but they also increase risk and may just shift the cost to other areas, namely IT and security. It is also interesting to consider that as clients demand faster response times, law firms may actually need to slow things down in order to reduce risk of cyber breach. This can be frustrating for clients and also adversely impact outcomes because so many transactions are time sensitive.

SN+JWS: Encryption has surged. As they say, “Dance like no one is watching. Encrypt like everyone is.” Because they are. Defense-in-depth is a rapid trend, as is staying abreast of the latest threats and the ways to defend against them. Multi-factor authentication is surging too. The list of security measures being taken now is nearly endless. Each day, the threat/defense landscape changes. Information security means eternal vigilance.

JS: Greater emphasis. More use of the cloud. A move away from passwords to something else. More data breaches. But overall we’ll be OK.

PZ: With big data and the ability to synthesize and convert data to valuable information, the threat will increase as law firms have been identified as primary targets. The bigger issue is how quickly security can become top of mind in the course of daily work by professionals. It is easy for shareholders/stakeholders to sit in and offer support on firm security discussions but changing individual behavior to be more security conscious and compliant is another thing.

MM: I think that one of the challenges we’ll continue to see in this area is that there isn’t an end goal, and it’s too often thought of as too large of a problem to adequately address. It needs to be commonly understood that although there is no amount of money, insurance, employee policies, or security measures that will guarantee 100% protection from a hacker, firms still need to put forth “reasonable effort” to protect clients’ data. That will certainly continue in the coming years. Data security has slowly been and will continue to get prioritized throughout the legal industry, but we’ll also see much more sophisticated attacks widely publicized in the near future. Trends such as third-party attestation will continue to grow and be enforced by several industries. The push towards cloud storage for law firms will also change the landscape as the focus shifts to accessibility to data rather than where it physically resides. I also think that we’re going to see much more cybersecurity legislation created and enforced and the requirements for meaningful attestation will become standard in the legal industry.
