If you were a hacker trying to decide your next target, you’d likely want to pick an entity that has highly valuable and useful information that, simultaneously, lacks an effective security program.
Though so many of us focus a significant portion of our in-house practices on cybersecurity and data breaches, it may not come to mind right away that this target is right in our backyard: the law firm.
In a recent webinar put on by Logikcull, Olga Mack and Brian Focht (@NCCyberAdvocate) discussed not only the vulnerabilities every law firm is facing, but specifically focused on the kinds of cyber and data security related questions in-house counsel should be asking when hiring outside counsel.
As entities, law firms hold highly sensitive financial data, corporate strategies, trade secrets, business transaction information and plenty of both PII and PHI. Unfortunately, many firms lack a complete and effective privacy and security program. According to an ALM Legal Intelligence study, 22% of law firms did not have an organized plan in place to prepare for or respond to a data breach. Only 50% of the law firms included in the study have cybersecurity teams in place to handle and implement the types of complex programs and initiatives necessary to deal with a data breach.
And, unsurprisingly, hackers have noticed these vulnerabilities. In February of 2016, a Russian cybercriminal operating under the name “Oleras” targeted law firms; in March, the Wall Street Journal reported that the nation’s biggest firms had been hacked (including names like Cravath and Weil Gotshal); in April, the “Panama Papers” were leaked, revealing confidential attorney-client information detailing tax evasion techniques; in May, a Chicago-based law firm was sued by a client for cybersecurity flaws that “systematically expos[ed] confidential client information”; in December, the DOJ charged three Chinese nationals with insider trading based on information hackers had obtained from law firms.
2017 didn’t bring better news. In June, a ransomware attack exploiting a vulnerability in Windows shut down DLA Piper. DLA Piper was first hit in Madrid, and the attack then kept spreading throughout its global offices. It shut down email, phone and computer systems, forcing DLA to request extensions in at least five civil cases. It took almost a week for DLA to restore its email and other systems. Undoubtedly, this caused a great loss of productivity and billable hours and an increase in the potential for client-driven litigation. Logikcull ran the numbers: the loss of billable hours in DLA Piper’s DC office alone could cost well over $500,000 a day.
Focht also brought up the example of Moses Afonso Ryan Ltd. v. Sentinel Insurance Co., Ltd., in which a firm that fell victim to a ransomware attack sued its insurance carrier to cover $700,000 in lost billings. What’s even scarier is the tedious and lengthy process the firm had to go through to recover its data. A picture is, indeed, sometimes worth a thousand words:
Clearly, in-house counsel need to be proactive in making sure their outside counsel are taking the necessary steps to minimize an attack’s impact on sensitive data. So here are the 9 questions you should always ask your outside counsel about its security measures and readiness in the event of a cyberattack:
- Does your firm use two-factor authentication (aka 2FA)? It is a good idea for law firms to sign up for 2FA for all services and/or applications housing sensitive data. 2FA puts an extra barrier in the way of someone who wants to access email, data storage, or other systems storing confidential data. With 2FA, a password alone is not sufficient to gain access. Instead, you need to enter both your password and a secondary code – typically sent to your smartphone via SMS message or generated by an app like Google Authenticator.
- How often does the firm update its operating system? While installing updates is annoying, it is strongly recommended for security reasons. Many updates involve fixing known bugs in the operating system (Windows or Mac) that create security vulnerabilities. How does your law firm make sure that every device installs those pesky OS updates as soon as they’re available?
- What’s encrypted and how? It’s simple to encrypt the entire disk of either a Mac or PC. The benefits are enormous and the costs are negligible. With encryption, the contents are unreadable unless you’ve logged in with your password. Devices and laptops get stolen all the time, and desktop computers are also vulnerable. Law firms need to intentionally encrypt more of their data – and be able to explain their efforts.
- Do you use a password manager to set strong passwords? The human brain can only hold so many good passwords. Weak passwords based on things like the names of our pets, our addresses, or simply the word “password” or “12345678” should be avoided. Password managers can help generate strong passwords and manage credentials for multiple accounts – requiring you to only remember one good password.
- Do you regularly educate your employees about security? If so, how? Many security breaches result from hackers tricking users into doing things such as downloading a file infected with malware, sending sensitive data to the hacker, or sharing account credentials with the hacker. It is important to ensure that all members of the law firm – both staff and lawyers – are educated about both phishing and security. Everyone should know how to spot red flags, and how to react to a potential security threat.
- What’s your security insurance coverage? What and whom does it cover? All the caution in the world can’t prevent every cyberattack throughout a law firm’s entire lifetime. It’s important to make sure that law firms are insured just in case a breach does occur.
- Do you have a disaster recovery and incident response plan? Similarly, it’s important to know a law firm’s plan once something does go wrong. How does the firm plan on recovering? Do all key employees understand what role they play? It’s as important to respond well as it is to prevent. Since there’s a high chance your data may be impacted, you should know what the firm will do should a cyberattack occur.
- What does your physical security look like? In addition to talking about prevention, planning and training, it’s important to inquire about the physical security of the space and how the firm controls access to sensitive information.
- Do you conduct regular security risk assessments? While it’s great if a firm seems to be on top of security, its plans are only valuable if the firm stays current with the most up-to-date risks to its systems. Hackers get better and better every day, and your firm needs to know whether its systems are open to new vulnerabilities.
While it’s easy to dismiss these questions as “typical legal overthinking,” ultimately, even if you never need to use it, having an intentional and systematic security approach is a competitive advantage. After all, it’s better to have one and not need it than the other way around!