Law firms have long held a hallowed position in the corporate world, as the preeminent keeper of confidences. But the frequency with which law firms are falling victim to data breaches and hacks should leave clients questioning their firm’s data security. Due to their trusted position in the business world, law firms have become a prime target for cyber criminals, and without adequate data security confidential client information can fall into the hands of a wide variety of bad actors.
Consider the following hypothetical about a top global firm. It has attorneys working with companies and individuals in virtually every industry in the world. These attorneys are privy to a wide variety of highly sensitive and confidential financial information — information that would be of great value to cyber-criminals. A senior mergers and acquisitions partner chose to use his smartphone for both work and personal use. Because he was a senior partner, no one was willing to require him to segregate work data from personal use. The senior partner regularly let his son use the smartphone to surf the Internet and download games. One day, the son downloaded a game with malware attached to it. The malware infiltrated the firm’s email server. This silent intrusion allowed a cyber-criminal to monitor all emails in the senior partner’s practice group. The cyber-criminal was able to access confidential financial information, which allowed him to engage in insider trading, making millions of dollars off of the information and causing serious harm to the firm’s client by driving up the price of the stock.
While the above hypothetical may seem like a doomsday scenario, it can happen, as revealed in a recent indictment in the Southern District of New York. The indictment alleged that three criminals gained access to a top law firm’s email server through undisclosed means. On multiple occasions, these criminals were able to obtain confidential inside information about pending M&A deals. The criminals were then able to trade on that information, making more than $4 million before being caught. The criminals were charged with insider trading, wire fraud, and violations of the Computer Fraud and Abuse Act. While little is known about how the criminals in the above case broke into the firm’s mail servers, it is likely that they exploited a lawyer with access to the email server — a much easier pathway — rather than attacking the system directly.
While the recent actions of the US Attorney in the area of cybersecurity and prosecuting cyber-crime are a great step forward in raising awareness about law firm vulnerabilities, they only begin to scratch the surface of the issue. A 2015 survey from the American Bar Association (ABA) found that one in four law firms acknowledged having experienced a computer systems breach. That number does not include firms that have yet to discover the breaches in their systems. Moreover, as US Attorney Preet Bharara warned, law firms “are and will be targets of cyber-hacking, because you have information valuable to would-be criminals.”
This example is not meant to scare law firms out of engaging in important work, and it is not meant as a prompt for law firms to radically overhaul their policies and procedures in an attempt to pursue perfect cybersecurity. What this example should do is highlight the risk of poor cybersecurity and serve as a conversation starter for how to develop a strong cybersecurity infrastructure and culture within a law firm.
There are several useful, cost-effective tools available to all law firms, whether a solo practice or multinational firm, to help secure the firm’s data. These tools include email encryption services, secure file management and transfer solutions, multi-factor authentication, mobile device management and integrated malicious code detectors that operate across both computers and mobile devices.
Oftentimes, for a small premium, these individual tools can be bundled into a single solution that is managed by an external third party. Taking these relatively simple steps will significantly hamper all but the most serious cyber-criminals and nation-state actors. Why, then, if these steps are cost-effective and simple, do firms still face a significant threat of cyber-attack? The answer is simple: law firm culture.
The above-discussed tools are, for all intents and purposes, a sophisticated alarm system. Defeating an alarm system can be a difficult task for a criminal, but the alarm system only works if the homeowner properly follows the alarm’s procedures. If a homeowner chooses to leave the front door open, no matter how effective the alarm system is, it cannot prevent a criminal from breaking in. Consequently, law firms must pay serious attention to developing a security-conscious culture, and must be sure to close their digital front door. Training is a very good and necessary starting point for developing an effective cybersecurity culture. However, training should not be just checking a box. Every employee of the firm must be committed to taking the steps necessary to protect the firm’s information and systems, even if there is some measure of inconvenience. The stakes are too high to do otherwise.
Additionally, law firms can participate in cyber threat sharing through the Legal Services Information Sharing and Analysis Organization (LS-ISAO). LS-ISAO helps member law firms share cyber threat information to collectively improve their knowledge of threats in the community and better prepare for them. Information sharing can result in improving decision making, avoiding redundant effort, and promoting alignment with the most up-to-date best practices.
These are a few of the measures that law firms must begin and continue to implement in order to achieve meaningful data security. Not only is it their responsibility as fiduciaries of their clients’ data, but their decision not to implement these measures will become an untenable business position as clients begin auditing the law firms they employ.
With that said, there is no one-size-fits-all approach to cybersecurity, and every firm must carefully consider the risks, costs and benefits, and then make an informed decision as to which solutions would best protect the firm and its clients.
Richard Borden, Counsel of Robinson+Cole and a specialist in cybersecurity risk management, contributed to this blog post.