Ready or not, as the hacking community continues to evolve, law firms have become a definitive target. The legal industry has typically struggled to stay in front of the technology curve, and many firms still do not have formal controls in place to adequately address the rapidly growing demands of cybersecurity. Security is usually at the top of the list of concerns for a firm’s IT staff; however, many are still challenged to get the necessary budgets approved within their firms. Most firms operate in more of a reactive mode than they would prefer, and budgets are approved as needed when things “break.”
This behavior increases the risk of an unwanted intrusion that results in lost revenue to the firm and potentially triggers the loss of clients. Although security is quickly evolving into a higher priority for law firms, many still have a long way to go to catch up to the level of protection that their clients or their insurance carriers expect.
Hackers have long since discovered that law firms and accounting firms are easier to penetrate than their clients when seeking access to sensitive data. In fact, both have been deemed “treasure troves” for hackers, as the least defended paths to the most valuable data. The priority of cybersecurity within all law firms needs to be escalated. The legal industry continues to establish standards for what “reasonable efforts” should be maintained to protect clients’ data, but the onus of reasonable effort must be driven from the ground level. It is important to note that there are a handful of firms throughout the industry that are setting themselves apart by making the protection of their clients’ data their number one priority.
We are constantly surprised at how many firms have corporate clients that have not set any security or compliance standards for the law firms handling their matters, and that have never inspected how their data is being managed within a law firm. Contractual agreements may be put into place, but very little inspection, auditing or security compliance certification is required from the firm. However, that is quickly changing. Corporate executives are now clearly communicating and documenting their expectations of their outside counsel.
They discuss the regulations that their organization must adhere to, and expect the law firm to adhere to them as well. They may even explore a law firm’s attestation plan/strategy and may require third-party attestation.
Your law firm should consider mapping to a security controls framework such as ISO 27001 or the NIST framework in order to be prepared when your current or potential clients approach you about security within your firm. Although these frameworks do not guarantee that hacks will not occur, they are certainly a much more pragmatic means to ensure that firms are executing industry best practices. Your firm should also educate employees about potential risks and threats. The firm should partition data and limit access to only those who truly need it. Access should be limited down to the department or practice level and, in most cases, by matter. Firewalls and other security devices should be maintained with current updates. Security Information and Event Management (SIEM) should be considered to provide a holistic view of an organization’s IT security platform. A firm should engage a third party to perform information security management system (ISMS) gap assessments, vulnerability assessments and penetration tests on a regular basis to ensure that clients’ information is adequately protected. A firm should also have network and security policies, as well as breach response and incident response plans, in place, and they should be monitored for effectiveness. A firm should also have suitable cyber-risk insurance policies for both first-party loss and third-party liability coverage.
Some of these suggestions may seem overly obvious, but the obvious is commonly overlooked. The bottom line is that you need to ensure that your firm is prepared for a cybersecurity event and that there is a plan in place on how to respond to that event long before it occurs.
Once a firm’s network is believed to have been hacked, the firm should confirm that an actual hack has occurred and assess the impact. It should use a previously developed incident response form to document the incident throughout the investigation and remediation. Preservation of evidence is key once attacked, so the system(s) should be isolated and taken offline immediately to prevent further leaks or damage. At this point, information exchanges should be limited to only those who need to know about the incident. A digital forensics expert should begin an investigation, continuing to document everything as the analysis proceeds. Once a determination is made regarding the full impact of the hack, the firm should disclose it to its clients and to any other governing bodies that the scenario deems necessary, including law enforcement if determined appropriate. The firm should know what its clients expect with regard to disclosure processes, content and timing, and it should prepare a communication for impacted employees as well. You should also notify your insurance carrier if needed. Further mitigation can be provided by engaging protection services or credit monitoring for those who are impacted, and a determination should be made as to whether the situation calls for public awareness. Communication lines should remain open with affected clients, the point of hack should be closed, and affected systems should be scrubbed. The security team should then convene to develop a plan to prevent a similar attack from happening again.
Again, this really comes down to having a comprehensive plan before you need one. Firms should develop and implement the right policies for their practice areas, continually educate the entire staff about potential threats, and ensure that staff understand their responsibility for protecting data. Most importantly, if a law firm needs help, it should get outside help. There are many qualified vendors in the legal technology industry that can share and implement best practices and help a firm develop, execute and manage a plan before it experiences any type of unwanted intrusion.
Backups should be performed much more frequently than just once a night. A Business Continuity Plan should be developed and updated frequently with the target always being that your firm could survive being down for 4 hours and experience little to no data loss. There is technology available that allows for recreating entire servers and data files within 20 – 30 minutes. Having the proper business continuity plan may just save your firm from eventual collapse resulting from a cybersecurity incident.
There are various types of litigation that could potentially be brought against firms that have been hacked or breached. The resulting action heavily depends on the hack and the information that was obtained. The majority of litigation concerns the loss of personally identifiable information, private personal information and personal financial information (PII, PPI & PFI). These suits, sometimes class actions, are coming from customers, employees, shareholders and law firms’ clients. Damage can range from financial penalties and significant reputation impairment to potential loss in revenues and/or loss of clients that no longer feel comfortable sharing data with their outside counsel. An additional source of potential litigation is when a law firm is found to have been negligent and did not use commercially reasonable efforts to protect its clients’ data. This includes failing either to reduce the risk of a hack occurring or to respond adequately with a comprehensive plan for remediation once a hack did occur. The legal industry should expect much more guidance, opinions and legislation to be created and enforced in the near future. There will be many more examples of penalties assessed against firms for data hacks until firms make security a priority and take a proactive approach to protecting their networks, educating their users, and implementing security plans. As menacing as it sounds, there is no definitive fix to prevent any and all unwanted internal and external data losses. Despite how much you spend, or how much effort you exert, a good hacker can still get to your data.
Firms should simply take one step after another and have a manageable plan in place to prove that they protected their data with commercially reasonable efforts. Having a strong security program will assist in avoiding violations of the Model Rules of Professional Conduct stemming from a breach. The average cost to remediate a cyber-attack can be in the range of $25,000 to $100,000, and the cost to your corporate clients is exponentially larger, so it is imperative to reduce these risks and potential disruption so you can continue to focus on the practice of law.