Jack M. Vaughan and Eben Kaplan 2015-10-26 12:05:29
Cyber Breach
Getting ready for your worst tech nightmare.

In the past decade, cybersecurity has evolved from a niche information technology worry to a top concern for corporate leaders. Organizations of all types and sizes have been breached, and the problem has become so rampant that cyber professionals often quip that there are two types of organizations: those that know they’ve been hacked and those that don’t. Law firms are no exception. The cybersecurity threat to the legal sector is real, persistent, sophisticated, and potentially very, very harmful to your firm, your firm’s people, and especially to your clients. Consider the following:

• As early as 2009, the FBI issued an alert advising law firms that they were being specifically targeted by organized cybercriminals through the use of email phishing campaigns.
• By 2011, a well-known security firm reported evidence that 80 of the 100 largest U.S. law firms had been hacked. Law firms remain in hackers’ crosshairs, with the most sophisticated attackers homing in on information about contract negotiations, patent applications, trade secrets, and military systems.
• More recent statistics suggest that the median breach goes undetected for 205 days. In 69 percent of cases, the organization that was attacked learned about it from an outside source (e.g., security researchers or law enforcement).
• Four out of every five law firms indicated in a recent survey that cybersecurity is one of the top 10 risks they face. Yet, nearly three quarters have failed to assess what the impact of a data breach would be.¹

Law firms are repositories of huge troves of sensitive, privileged, confidential, and proprietary client and employee information. This is what makes them such attractive targets.
Firms have an obligation, both ethically and professionally, to make all reasonable efforts to protect the information they hold.² Some clients, especially public companies and financial institutions, are increasingly requesting that their law firms demonstrate their cybersecurity programs and safeguards.³ Law firms are facing on-site technology audits by bank clients, and requests for proposals now include inquiries about cybersecurity efforts.

Many firms have answered the call for better security by hardening the perimeter defenses of their networks. They use firewalls, email safeguards, encryption, and password management to protect their information. Some, recognizing that humans are often the weakest link in the security chain, emphasize training in good cyber hygiene. These are important measures, but they are increasingly proving insufficient.

The most successful organizations take a holistic approach to their cybersecurity. This begins with evaluating the information that a firm holds and the potential consequences if that information were accessed by outsiders. It continues with a threat assessment tailored to the individual firm. This should identify who would want to target information on your network and how they would do it. Any additional defenses should be informed by the threat assessment and designed to address the specific risks the firm faces. Often these include inward-facing measures that concentrate on detecting a breach before the intruders can do any damage. They also include limiting access to highly sensitive matters, such as merger or acquisition matters and high-profile litigation disputes. Only the attorneys working on these matters should be given access to the documents and data. Some firms implement this policy for all matters. Each organization is unique and must find an approach tailored to its circumstances.
Several existing standards can serve as a guide, but these increasingly emphasize process rather than specific defensive measures. That process typically involves understanding the risks, taking steps to mitigate them, and preparing in case those mitigations fail. Almost invariably, this requires attention at the executive committee level to ensure that these risks receive the focus and resources that they merit. Some firms have even begun to run exercises with their management to help illustrate the nature of the risks and highlight areas where their planning could improve.

Despite a firm’s best efforts, breaches do go undetected. When they do, a firm’s response can considerably mitigate the consequences. Firms should craft a response plan in advance and ensure that all response team members understand the plan and their responsibilities. Decisions will have to be made regarding notification of clients and, perhaps, firm employees. This can be an arduous process, as there are 47 different breach notification laws at the state level and several more at the federal level.⁴ There may also be hard decisions about technical response measures; some can have repercussions for business operations.

There is no shortage of resources for firms that want to step up their cybersecurity efforts. The American Bar Association’s Cybersecurity Legal Task Force has published the ABA Cybersecurity Handbook, a 300-page roadmap for lawyers and law firms. And, there may soon be a forum for firms to share information about the kinds of threats they’re seeing. Firms should also have measures in place to ensure that their systems are kept up to date. Some law firms work with consultants to guide them in this, as well as to perform forensic analysis and secure a system in the wake of a breach.
Organizations are increasingly realizing that cutting-edge technology is less important than having the right organizational framework in place to help a firm do the following:

• Identify the firm’s most important assets. Determining what matters most will inform decisions about where to prioritize defenses.
• Understand the risk. Not all organizations face the same threats. A firm that recognizes the specific threats it faces will be able to make smarter decisions.
• Recognize the business context. Heightened defenses can at times limit efficiency or convenience, ultimately affecting the bottom line. Firms must decide how much risk they’re willing to take and strike the appropriate balance.
• Plan ahead. Breaches are inevitable. How a firm responds can make all the difference in the eventual outcome.

Of course, none of this is feasible without buy-in from senior management. These serious risks to your firm must be addressed at the strategic level. Doing so sends a message to your firm and ultimately to your clients: Your firm will do everything reasonably possible to prevent, detect, and respond quickly to a breach in the security of the firm’s information systems. Time is of the essence.

Notes

1) According to a survey of law firms by Marsh, USA, in August 2014, cyber threats feature prominently on most law firms’ risk radar ... and yet many lack in their preparedness against a single event. https://www.marsh.com/us/insights/more-cyber-preparedness-needed-2014-law-firm-cyber-survey.html.
2) ABA Model Rule 1.6(c) requires that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Most states have similar ethical provisions.
3) Jennifer Smith and Emily Glazer, Banks Demand that Law Firms Harden Cyberattack Defenses, Wall Street Journal (Oct. 26, 2014).
4) Almost all states, Texas included, now have security breach notification laws, as do several federal agencies (HIPAA, banking agencies, the IRS, etc.).

JACK M. VAUGHAN was the administrative partner in Fulbright & Jaworski (now Norton Rose Fulbright) for 27 years. He currently consults with law firms on risk management issues and is an adviser to Control Risks, an international risk consultancy.

EBEN KAPLAN is a senior consultant at Control Risks, where he focuses on cybersecurity. He previously worked as an analyst for the Department of Homeland Security.
Published by State Bar of Texas.
This page can be found at http://mydigimag.rrd.com/article/Technology/2306031/278019/article.html.