John Reed Stark
There have been several very high profile news reports of significant law firm data breaches. It is not a mere coincidence that law firms increasingly are targeted in data breach attacks. Law firms have a trove of information that makes them highly attractive to cybercriminals. In the following guest post, John Reed Stark takes a look at the reasons for the rise in the number of cyber attacks as well as the steps that law firms can take to try to defend themselves and their clients. John is the President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on CybersecurityDocket.com. I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
******************************
Forget credit card numbers, social security numbers and medical records, law firms are currently under what could become the most significant cyber siege in history. Why? Because law firms possess a lucrative cache of data that makes them incredibly attractive to cybercriminals.
Law firms provide a “back door” for a treasure trove of cherished electronic material for cyber criminals eager to gain an edge in the stock market or capture a particularly sensitive batch of data to sell or ransom, including:
Secret and sensitive information about corporate clients’ finances;
Documents relating to confidential corporate deals;
Valuable information relating to patented, original and invaluable intellectual property and trade secrets;
Key evidence pertaining to bet-the-company litigation; and
Gigabytes (perhaps even terabytes) of emails involving the most intimate, delicate and private details of their clients’ personal and professional lives.
Is this highly confidential and imperative electronic data hard to locate and identify on the devices and networks of law firms? Not at all. The most critical and important documents, presentation decks, PDFs, spreadsheets and the like are typically (and conveniently) labeled in folders and directories named “hot docs,” “confidential info,” “top secret” or other similar sequestered nomenclature.
Introduction. Last year, the American Bar Association reported in its annual Legal Technology Survey that one in four firms with at least 100 attorneys have experienced data breaches involving hackers, website attacks or stolen or lost smartphones, tablets or laptop computers. Forty-seven percent of respondents said their firms had no response plan in place to address a security breach. Among the largest firms of 500 or more attorneys, 55 percent had a security breach response plan in place. More than half of attorneys, 58 percent, said their firms did not have a dedicated Chief Information Security Officer (CISO) or another staff member charged with data security, while 34 percent said their firms did. Clearly, law firms are significantly behind the curve, despite law enforcement agencies and cybersecurity firms issuing repeated warnings about the risks of attacks by insiders, fraudsters, hacktivists, unscrupulous competitors and nation-states.
This month, cyber thieves reportedly broke into a slew of national law firms, including two New York law firms, Cravath, Swaine & Moore and Weil Gotshal and Manges, who represent Fortune 500 companies and financial institutions all over the world. Cravath said the incident, which occurred last summer, involved a “limited breach” of its systems and that the firm is “not aware that any of the information that may have been accessed has been used improperly.” The firm said its client confidentiality is sacrosanct and that it is working with law enforcement as well as outside consultants to assess its security. Weil Gotshal declined to comment.
This month, news also broke concerning the law firm data breach surrounding the so-called Panama Papers, thus far involving more than 11.5 million documents detailing how hundreds of wealthy people hid money in offshore banks and investments to avoid paying taxes, causing international headlines, a presidential resignation and celebrity embarrassment. The head of the Panamanian law firm, Mossack Fonseca, which specializes in setting up offshore companies, denied any wrongdoing, and said his firm has fallen victim to “an international campaign against privacy.”
On March 3, meanwhile, the FBI’s cyber division issued a Private Industry Notification, warning law firms that “in a recent cyber criminal forum post, a criminal actor posted an advertisement to hire a technically proficient hacker for the purposes of gaining sustained access to the networks of multiple international law firms,” Bloomberg reports. This is not the first time interested parties have used hacking to gain access to private data – the Rupert Murdoch phone hacking scandal of several years ago was similarly scandalous.
Even when not prompted by the latest headlines, every law firm executive committee realizes that its law firm can (and probably will) fall victim to a cyber-attack, and even worse, that the executive committee will need to clean up the mess and superintend the fallout. Just as the role of corporate boards of directors has begun to evolve to embrace cybersecurity oversight responsibilities, law firm executive committees now have to do the same.
As cyber-attacks continue to proliferate, more and more law firm executive committees will come to realize that cybersecurity risks now actually trump most (if not all) other business risks – and not just because technology and networks touch every aspect of a legal enterprise. For law firms in particular, this is the dawning of a new era of data breach and incident response, where trying to avert a cyber-attack is like trying to prevent a kindergartener from catching a cold during the school year. The nature, extent and potential adverse impacts of these risks call for a proportionate response.
But cyber-attacks can be extraordinarily complicated and, once identified, demand a host of costly responses. These include digital forensic preservation and investigation, notification of a broad range of third parties and other constituencies, fulfillment of a confusing constellation of state and federal compliance obligations, potential litigation, engagement with law enforcement, the provision of credit monitoring, crisis management, a communications plan – and the list goes on. During the aftermath of a data breach, a law firm’s notification responsibilities alone involve a lengthy list of relevant constituencies, including clients, vendors, joint venturers, employees, affiliates, insurance carriers and a range of other interested parties.
And besides the more predictable workflow, a law firm is exposed to other even more intangible costs as well, including temporary or even permanent reputational and brand damage; loss of productivity; extended management drag; and a negative impact on employee morale and overall law firm performance.
So what is the role of a law firm executive committee amid all of this complex and bet-the-company workflow? For certain, simply receiving regular reports on a law firm’s cybersecurity risk management is no longer enough. Both a law firm’s clients and employees now expect law firm executive committees to make a substantial effort to understand and oversee cybersecurity, even though the typical law firm executive member has limited IT experience. But how? The answer lies in this cybersecurity guide, specially tailored for law firm senior executives.
Within this guide, law firm leaders will find a hefty catalogue of cybersecurity considerations that provide a bedrock of inquiry to help take their responsibilities seriously, specifying the requisite strategical framework to engage in an intelligent, thoughtful and appropriate approach to reducing a law firm’s cybersecurity risks.
By following this guide, law firm leaders can not only become more preemptive in evaluating cybersecurity risk exposure, but they can also successfully elevate cybersecurity from an ancillary IT concern to a core enterprise-wide risk management item, at the top of a law firm executive committee’s oversight agenda.
NIST Cybersecurity Framework. A good starting point for a law firm executive committee, when kicking off its efforts to assess internal cybersecurity measures and develop a comprehensive cybersecurity risk management plan, is to review the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (“NIST”) in response to President Obama’s issued Executive Order 13636, titled “Improving Critical Infrastructure Cybersecurity.”
The NIST Cybersecurity Framework is intended to provide companies, including law firms, with a set of industry standards and best practices for managing their cybersecurity risks. The Framework is a user-friendly text, which does not require a computer science degree in order to understand its basic and fundamental notions. NIST also provides a “Roadmap for Improving Critical Infrastructure Cybersecurity,” which is a nine-page companion to the Framework, discussing NIST’s next steps with the Framework and identifying key areas of development, alignment and collaboration.
While the Framework is aimed at security of critical infrastructure, it is “principles based,” using generally accepted security principles that can apply to all kinds of businesses and enterprises, including law firms. It provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.
The Framework sets out five core functions and categories of activities for companies to implement that relate generally to cyber-risk management and oversight. The five core functions are: Identify, Protect, Detect, Respond and Recover. This core fundamentally means the following: law firms should (i) identify known cybersecurity risks to their infrastructure; (ii) develop safeguards to protect the delivery and maintenance of infrastructure services; (iii) implement methods to detect the occurrence of a cybersecurity event; (iv) develop methods to respond to a detected cybersecurity event; and (v) develop plans to recover and restore the companies’ capabilities that were impaired as a result of a cybersecurity event.
The Framework provides law firm senior executives with a controls paradigm to use as the foundation of a cybersecurity program. Law firm clients, especially larger and more sophisticated clients, may send their own list of cybersecurity recommendations and law firm managers may be tempted to base cybersecurity programs on these specific client requests. This is a mistake. Multiple clients will send their own cybersecurity requests and standards, which will not only create an undue burden on a law firm’s IT staff but the burden will be continuous, because clients will be constantly changing and updating their security standards, requiring annual confirmation that robust cybersecurity is in place.
For law firms in particular, using the NIST framework not only saves time and money but will also avoid the unnecessary management drag of customized client security solutions. Moreover, law firm clients will ultimately appreciate a law firm’s use of a common Framework, which their respective regulators always encourage.
ISO 27001. Another potentially important standard for law firms is ISO 27001:2013, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. Developed to provide an international model for establishing, implementing, operating, monitoring and maintaining an information security management system, ISO 27001 is widely recognized as the highest security standard in the industry for examining the efficacy of an organization’s overall security posture.
Reportedly, at least a dozen Am Law 200 and Magic Circle firms have attained ISO 27001 certification to demonstrate their dedication and commitment to protecting their documents and communication systems from security breaches, and at least 21 more are in the process of seeking the certification.
Kansas City law firm Shook, Hardy & Bacon achieved ISO 27001 certification in 2013 and described the standard as a key selling point for their firm. “We wanted to make sure we had the processes in place so our clients had confidence that we were doing the best we could,” said the firm’s chair, John Murphy. Goodwin Proctor also achieved ISO 27001 certification and trumpeted the standard in a press release, stating, “At Goodwin, protecting the security and confidentiality of client and personal information is a top priority.” David Fleming, the firm’s Chief Information Officer, also stated, “We are pleased to be recognized among the small group of law firms that are certified against the stringent ISO 27001 standards.” According to Shook CIO John Anderson, Shook spent about $30,000 in 2013 and another $30,000 in 2014 on consultants and auditors to earn the certification; on top of additional cybersecurity-related spending to support the law firm’s security strategy.
The ISO 27001 certification process is rigorous, often taking as much as 6-12 months to complete, and includes:
Creating and executing a comprehensive information security management system;
Drafting detailed policies and specific strategies in compliance with ISO standards;
Taking inventory of the firm’s electronic information and storage locations; and
Selecting and implementing the appropriate security controls.
But while ISO 27001 certification can: reduce insurance costs; enable a law firm to produce an objective, thoughtful and meaningful response to a client’s security questionnaire or audit requests; and improve a law firm’s overall cybersecurity posture (especially internationally) — it is not a panacea. In fact, ISO 27001 may not satisfy a firm’s biggest clients, especially financial institutions, which are being pressured by regulators to demand adherence to even tougher standards to guard against cyber-attacks.
Further, ISO 27001 is process oriented, i.e., becoming ISO 27001 certified means that a law firm has processes and protocols in place to keep confidential information secure. The certification is not a technological tool nor a cybersecurity solution, leading one commentator to warn law firms about confusing compliance with security. Becoming ISO 27001 certified arguably provides little comfort regarding the actual readiness and ability of firms to protect the confidential information entrusted to them. ISO 27001 dictates how to go about managing the cybersecurity function but leaves all of the actual execution to the law firm. Moreover, the lengthy and tedious process of becoming ISO 27001 certified can complicate, delay and distract firm management from well-defined steps that can and should be taken in the short term.
The bottom line on ISO-27001: It is an internationally recognized, certifiable, information security standard that formally specifies an information security management system to bring information security under explicit management control – which is obviously an added benefit for any law firm.
Moreover, ISO 27001:2005 (the predecessor to ISO 27001:2013) certification was the gold standard for many years for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented data security management system within an organization or data center. (N.B. the key changes in the 2013 revised standard relate to: improved handling of IT security risks, such as identity theft, mobile device threats and online vulnerabilities; improvements and consolidations of security controls; and allowing companies to have an integrated management system, rather than distinct separate ones.)
Finally, ISO 27001 certification is (at least for now) a unique market differentiator for law firms, which reside in a fiercely competitive space. Moreover, because the certification requires organizations not only to uphold specific standards but also to continuously review and improve their security postures, the certification plainly evidences a law firm’s bona fide commitment to cybersecurity.
Penetration Testing/Risk and Security Assessments. Just like an annual physical check-up by a physician, a law firm should undergo a risk and security assessment of its inner cybersecurity workings. Implementing cybersecurity solutions requires a comprehensive risk assessment to determine defense capabilities and weaknesses and ensure the wise application of resources. What works best is a disciplined yet flexible methodology that incorporates a law firm’s organizational culture, operational requirements and tolerance for risk, and then balances that against current technological threats and risk. Since data breaches are inevitable, a proper risk and security assessment quantifies risk, develops meaningful risk metrics and conveys the effectiveness of risk mitigation options in clear and concise terms.
To begin with, consulting firms and cybersecurity shops market a myriad of services: penetration testing, risk and security assessments, data security audits, application security evaluations, code reviews and other similarly described services. Even the consultant jargon is unclear. For purposes of this guide, all categories will fall under the label of penetration (or “pen”) testing, which is standard parlance and also considered the lowest common denominator for evaluating cybersecurity.
Common types of pen testing for law firms should include: an external penetration test or vulnerability scan to assess Internet-facing computers, including firewalls, VPNs and other online gateways; an internal penetration test or vulnerability scan of a law firm’s internal network, such as desktops, laptops, servers, printers, VOIP phones and other online devices; a web application assessment to analyze a law firm’s website security; and social engineering testing to assess the “human firewall” of a law firm and reconnoiter law firm staff cybersecurity awareness. In addition, law firms should conduct unannounced spear-phishing tests. Spear-phishing tests help determine employee resistance to one of the most common methods of remote compromise. The tests also help gauge the risks associated with permissive egress filters, targeted malware, the establishment of remote command and control channels, and the susceptibility to undetected bulk data exfiltration.
A law firm’s pen tester should have substantial technological abilities, including expertise in testing web applications, mobile applications and devices, software products, third-party service providers, cloud solutions and IT infrastructure.
One mark of a good pen tester is to be a thought leader in the infosec community – authoring theoretical publications, giving peer conference presentations, contributing to open source projects, writing blogs or publishing vulnerabilities. It also helps if a pen tester has so-called “blue team” experience, (that is, he or she has managed networks or systems or developed applications).
Good pen testers mimic the methods used by sophisticated attackers to identify vulnerabilities before they can be exploited. That is best achieved by using specialized, manual testing, not by running automated tools. Automated tools do have a place (it’s a good practice to run them internally looking for low hanging fruit) but custom tools will typically prove far more effective. No two pen testing engagements are ever the same; even the same vulnerability can vary wildly in different environments, and having a proprietary set of tools evidences a pen tester’s ability to venture off-script and improvise when necessary. Proprietary tools also typically allow for a more detailed explanation of the so-called “kill chain” or path of an attack.
There exists no standardization about pen testing (like some sort of emissions or DNA test), so law firm executives should give careful consideration to who should conduct a law firm’s pen testing and how to best interpret the results. Before conducting any test or assessment, law firm leaders should make sure IT departments document all cybersecurity policies and procedures, not just to get credit for good behavior and practices, but also because documentation is a beneficial compliance exercise.
Law firms will want to avoid engaging pen testers who present deliverables that provide a written laundry list of problems in need of solutions or a so-called “heat map,” which identifies the most serious potential weaknesses. The reason? Because the reality is that most companies will not be able to cure all weaknesses (because of cost concerns, logistical impossibilities, practical barriers, etc.).
Though intended for a law firm’s benefit, heat maps and laundry lists can also unfortunately provide regulators, law enforcement, class action lawyers and other disgruntled parties with a handy and helpful roadmap for liability. Thus, the primary deliverable for any pen test should begin with a briefing, where law firm executives can discuss the format of any ultimate deliverable with the pen testing results.
One final note on choosing the right pen tester. When I was three years old, my family moved into a new house. To manage our home’s HVAC, electrical, security, and other related systems, my late father hired a small company called Systematic Control, run by a superstar engineer named Neil Carbone. But Neil was not just a repair ace; he also became a part of our family. For the next 40 years, Neil’s phone number was posted on our refrigerator door and we called him when anything went wrong. Neil became our most dependable and trusted adviser; he cared for our home (and our family) like it was his own.
When Neil stopped by annually to develop new ideas to make our house better, safer, more fuel efficient, and so forth, he never brought a checklist. Instead, Neil took a holistic approach toward servicing our home, observing not just how our family lived, but also incorporating how our house’s environment was changing.
These two lessons from Neil are probably the most important for selecting a pen tester. First, good pen testers not only possess bona fide technological chops, an ethos of dedication and a philosophy of service but, just like Neil, also strive to become a law firm’s trusted adviser. Second, threat landscapes, activists, random hackers and state-sponsored actors constantly evolve, refining their techniques, altering their motivations and shifting their resources. Just like Neil, good pen testers take a holistic approach to their work, carefully considering changing threat actors, advanced network telemetry and emerging attack vectors.
So when checking the references of pen testers (a must, by the way), in addition to considering common recommendations and caveats, consider most of all, my late father and Neil Carbone. Together they kept our home and family safe and prosperous for more than 40 years.
Top Down Commitment. Strong cybersecurity is a business imperative, yet too often cybersecurity is too far down on a law firm executive committee’s priority list or, because it is so complex, is simply delegated to lower level technical personnel. Some questions for law firm executive management: Is there a commitment from the top down, both culturally and financially, to rigorous cybersecurity? Who in leadership is driving the cybersecurity agenda? Is it a C-level accountability and part of the day-to-day business focus? Do current reporting lines and assigned areas of responsibility make sense?
Given the responsibilities and accountability needed to execute the incident response plan, are the right employees, possessing the appropriate skillsets, adequately empowered? If the team charged with overseeing cyber-defense is the same team that reports up the chain about breaches and that would oversee any response, that dual role indicates an inherent conflict of interest.
Effective security awareness demands top-down commitment and communication, a characteristic that is often lacking at law firms, especially where legal practices (and partners) are “siloed” or otherwise isolated. Law firm executive committees should enforce the notion that the firm has an institutional commitment to protect client data, reflected by involvement and engagement by senior firm leaders – not just IT. At the least, law firm executive committees should establish a cross-organizational team (including practice chairs, procurement, finance, human relations, communications, office management, IT and security personnel) that regularly convenes to discuss, coordinate and communicate information security issues.
Drills and Table-Top Exercises. Tabletop exercises enable organizations such as law firms to analyze potential emergency situations in an informal environment, and are designed to foster constructive discussions among participants as they examine existing operational plans and determine where they can make improvements. Such exercises are a natural fit for information and physical security, because they provide a forum for planning, preparation and coordination of resources during any kind of attack.
Most cybersecurity firms and pen testing firms offer some form of table top exercise program, which, in order to be successful, should: involve detailed preparation; include multiple parties throughout the law firm; leverage resources from within the law firm industry and government; and be timely and realistic. Law firm executive committees should also reach out to law enforcement agencies such as the FBI and request that a federal agent participate as well. The FBI supports this participation and collaboration with U.S. companies, especially law firms, and can provide valuable insight throughout the drill.
Incident Response Plan. Having an incident response plan is a notion that has been preached over and over again to every law firm, retailer, manufacturer, financial organization or otherwise, but still warrants a quick mention nonetheless. When contemplating cybersecurity, most companies allocate significant resources to fortifying their networks and to denying access to cyber-attackers. However, it is now a cliché, well founded in reality, that data breaches are inevitable. As cybersecurity experts have noted, “There’s a saying in the cybersecurity industry that there are two types of businesses today: Those that have been breached and know it and those that have been breached and just don’t know it.”
Along those lines, just like a fire evacuation plan for a building, a law firm should have a plan in place to manage data breaches; an art form less about security science and more akin to “incident response.” In the least, an incident response plan specifies the:
Members/titles/contact details of the response team responsible for each of the functions of the plan (management, IT, information security, human resources, compliance, marketing, etc.);
Communication lines in the event of a cyber-attack;
Notification protocols and priorities (including law enforcement, regulators, customers, joint venture partners, vendors and anyone else who might require or contractually be entitled to, notice);
Documentation and logging plans in the event of a breach;
Contact list of relevant outside parties such as outside counsel (who specializes in data breach response), outside digital forensics experts, local law enforcement agents, PR firms and relevant financial firms (including the firm’s bank and insurer);
Law firm employees who have authority to speak and make certain decisions about the investigation;
Cyber insurance information;
Containment, remediation, recovery, training, and testing plans; and
The nature and location of any data that is covered by other legal obligations, such as medical records under HIPAA, financial records covered by the Gramm-Leach-Bliley Safeguards Rule, or data subject to specific client contractually created data protection or breach notification requirements.
Law firm executive management should understand their current incident response plans; when the plan was last updated (and how often); who prepared the plan; who approved the plan; and the general approach and general principles of the plan. There should also exist an accurate and current network topology diagram that is adequately documented, and periodically re-assessed and revised as internal systems and external factors change.
Law firm executive committees should also avoid using templates for incident response plans. While templates can serve as a decent starting point, no two law firms are identical and all have different business processes, network infrastructures and types of data-sets. Along these lines, NIST has published a Computer Security Incident Response Guide that can help law firms develop appropriate policies and procedures and provide a useful reference for law firm executive committees when meeting with IT department heads. The abstract for the NIST guide states:
“Computer security incident response has become an important component of information technology (IT) programs. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.”
One unintended benefit of a strong incident response plan is that it can serve as an effective business development tool. In addition to promulgating security procedures, incident response plans for law firms (and many other professional service providers) can also serve as powerful collateral. More and more, clients and insurance companies are asking to review law firms’ incident response plans and factoring the value and efficacy of an incident response plan into the calculus of their hiring and procurement processes.
Preservation Challenges. Every cyber-attack response begins with the simple notion of preservation, i.e., collecting and preserving, in a forensically sound and evidentiarily unassailable manner, any “electronically stored information” (ESI), devices, logs, etc. that could become relevant to the cyber-attack.
Unfortunately, preserving ESI after a cyber-attack can quickly become a challenging, costly and resource intensive task. Most law firms have ESI in so many locations (both physical and virtual) that, after a cyber-attack, it becomes an onerous struggle to locate and preserve relevant ESI and to piece together information about sometimes complex and disparate systems – all under the intense pressure of an active digital forensic investigation (with serious consequences for error or omission).
By way of background, preservation is a critical work stream during a cyber-attack because incident responders will be scrutinizing every byte of data, especially any fragments, artifacts or remnants left by the attacker in all sectors of any relevant device (including within “deleted recoverable files,” “unallocated and slack space” or the boot sector). These artifacts can include: Internet addresses; computer names; malicious file names; system registry data; user account names; and network protocols.
The most effective investigative methodology of a cyber-attack is one based on targeted incident response practices and does not solely rely on “signature detection” technologies, such as antivirus software. Rather, careful investigators employ an iterative process of digital forensics, malware reverse engineering, monitoring and scanning.
As analysis of known or suspected compromised systems identifies new so-called Indicators of Compromise (“IOCs”), investigators will examine network traffic and logs, in addition to scanning hosts for these IOCs. When this effort discovers additional systems, those systems are forensically imaged and analyzed, and the process repeats. Armed with the information gathered during this phase of “lather, rinse, repeat,” a victim law firm can begin efforts to remediate the malware, rebuild compromised systems, reset compromised account credentials, block IP addresses and properly initiate network and host monitoring in an effort to detect additional attempts by the attacker to regain access.
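The iterative sweep described above can be written down as a fixed-point loop. The following is an added example, not code from the author or from any incident response product; the host names, IP addresses, file names and domain are constructed telemetry, and the rule that every artifact found on a newly identified host becomes a candidate IOC for the next round is a deliberate simplification (a real investigation curates candidates by hand, which is why the allowlist exists).

```python
"""Iterative IOC sweep, the "lather, rinse, repeat" loop described above.
Added example with constructed telemetry; not the author's code."""
import re
from typing import List, Set, Tuple

# Constructed sample events: (host, kind, value). kind is "conn" (outbound
# connection to an IP), "file" (executable observed on the host) or "dns"
# (domain the host resolved). All hosts, IPs and names are invented.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("ws-017", "conn", "203.0.113.45"),
    ("ws-017", "file", "svchost_update.exe"),
    ("ws-017", "dns", "cdn-telemetry.example"),
    ("ws-022", "file", "svchost_update.exe"),
    ("ws-022", "conn", "198.51.100.9"),
    ("srv-files", "conn", "198.51.100.9"),
    ("srv-files", "file", "wipe.ps1"),
    ("ws-031", "dns", "cdn-telemetry.example"),
    ("ws-040", "conn", "192.0.2.10"),      # unrelated host and traffic
    ("ws-040", "file", "notepad.exe"),
]

# Artifacts too common to serve as IOCs; a real sweep curates candidate
# IOCs by hand rather than promoting every artifact on a compromised host.
BENIGN: Set[str] = {"notepad.exe"}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def sweep(events, seed_iocs, benign=BENIGN):
    """Expand a seed IOC set until no new host matches.

    Each round scans every event for the current IOCs. Hosts that match for
    the first time are 'imaged' (here: their recorded artifacts are
    harvested) and those artifacts join the IOC set for the next round.
    Returns (compromised_hosts, final_iocs, rounds); rounds lists the hosts
    found in each pass so the spread can be reconstructed later.
    """
    iocs: Set[str] = set(seed_iocs)
    hosts: Set[str] = set()
    rounds: List[List[str]] = []
    while True:
        new_hosts = {h for h, _, v in events if v in iocs and h not in hosts}
        if not new_hosts:
            break
        rounds.append(sorted(new_hosts))
        hosts |= new_hosts
        iocs |= {v for h, _, v in events if h in new_hosts and v not in benign}
    return hosts, iocs, rounds


def remediation_plan(hosts, iocs):
    """Split the sweep result into the actions the paragraph above lists:
    hosts to rebuild, addresses to block, and artifacts to keep monitoring for."""
    return {
        "rebuild": sorted(hosts),
        "block_ips": sorted(v for v in iocs if IPV4_RE.match(v)),
        "watch_for": sorted(v for v in iocs if not IPV4_RE.match(v)),
    }


if __name__ == "__main__":
    found, final_iocs, passes = sweep(SAMPLE_EVENTS, {"203.0.113.45"})
    for n, batch in enumerate(passes, 1):
        print(f"round {n}: {batch}")
    print(remediation_plan(found, final_iocs))
```

Starting from a single reported address, the loop reaches a fourth host only in the third pass, which is the point of the methodology: signature scanning of the first machine alone would have stopped at round one. The unrelated workstation never enters the result because nothing it touched is in the IOC set.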
Preservation is also critical because investigators will likely need to scour all ESI in search of so-called personally identifiable information or “PII.” The search for PII is necessary to determine whether the attacker exfiltrated (removed from a corporate IT environment) any data containing personal information relating to any individuals, who may require notice of the cyber-attack, credit monitoring services and other remedial action.
Protecting PII relating to individuals from identity theft has become a significant focus of U.S. state and federal agencies, and of new state and federal laws and regulations. In the U.S., laws and regulations vary from state to state, and between state and federal law, as to exactly what information comprises PII. Generally, the definition requires both a name and some additional item of information that could be used to steal a person’s identity or access his or her financial accounts (or, in some cases, healthcare information) without authorization. N.B. that for purposes of this article, we refer generally to protected information about an individual as PII, even though some state or federal statutes may use a different nomenclature or categorizations.
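The "name plus identifier" definition in the previous paragraph is easy to turn into a first-pass scanner for the PII search. The following is an added example, not the author's code; the document fragments are constructed, the Social Security number format rules and the Luhn check are standard, and the name detector is a crude stand-in for the name element. It is a triage heuristic for deciding which ESI needs human review, not a legal determination of what counts as PII under any particular statute.

```python
"""PII search over constructed ESI fragments. Added example; not the
author's code. Heuristics only; not a legal determination."""
import re
from typing import Dict, List

# SSN in dashed form; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes; Luhn-checked below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Crude "First Last" detector standing in for the name element.
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")

# Constructed document fragments; numbers are public test values or invented.
SAMPLE_DOCS = [
    "Employee record: Jane Doe, SSN 123-45-6789, start date 2014-03-01",
    "Invoice #4455 total 1,234.00; card on file 4111 1111 1111 1111 for John Smith",
    "Ticket 000-12-3456 opened by help desk",
    "Reference number 1234 5678 9012 3456 assigned to Mary Jones",
    "Account 378282246310005 flagged for review",
]


def luhn_ok(number: str) -> bool:
    """Luhn checksum; filters reference numbers that merely look like cards."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the report itself is not PII."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pii(text: str) -> List[Dict]:
    """Return identifier findings; 'pii' is True only when a name co-occurs."""
    names = NAME_RE.findall(text)
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append({"kind": "ssn", "value": mask(m.group()),
                         "names": names, "pii": bool(names)})
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append({"kind": "card", "value": mask(m.group()),
                             "names": names, "pii": bool(names)})
    return findings


def notice_candidates(docs: List[str]) -> List[int]:
    """Indices of documents whose contents may trigger individual notice."""
    return [i for i, d in enumerate(docs) if any(f["pii"] for f in find_pii(d))]


if __name__ == "__main__":
    for i, doc in enumerate(SAMPLE_DOCS):
        print(i, find_pii(doc))
    print("review for notice:", notice_candidates(SAMPLE_DOCS))
```

Only the first two fragments pair a name with a valid identifier. The malformed SSN and the non-Luhn number are dropped outright, and the bare account number is reported but not counted as PII, which is the distinction the statutory definition draws.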
Finally, just about every cyber-attack response also involves the forensic imaging and reviewing of emails and other relevant communications from laptop computers, desktop computers, network servers, backup tapes, mobile devices, tablets and other systems. The cyber-attack investigation may have sprouted from a customer who complained that his or her data was used for a fraud; from a report that a computer system was found to be communicating with an unscrupulous Internet address; from the FBI, U.S. Air Force Office of Special Investigations, U.S. Secret Service or other law enforcement agency notifying a law firm of a possible cyber-attack into its systems; or from a slew of other sources.
Under any circumstance, investigators will first analyze whatever initial information is presented and use the preliminary evidence to help identify the likely locations of additional evidence. An investigator will consider all computer devices as likely locations to target for investigation. These devices will typically include: law firm laptops and workstations; network storage servers; firewalls; intrusion detection systems; webservers; customer databases; and e-mail servers.
It can even take days after learning of a cyber-attack before a law firm realizes that it maintains an electronic purging process that deletes data (such as relevant logging information) on a regular schedule. Without having proactively made the effort to understand information sources, assets and their key characteristics, these purging schedules can become unintended and latent causes of spoliation.
Data-Mapping. Given the challenges of preservation discussed above, law firms should probe their own data practices carefully. Where information relevant to identifying and describing potentially accessed/targeted/exfiltrated systems has never been data-mapped, establishing a strong and effective incident response plan for addressing cybersecurity risks can become challenging. Without any sort of responsible system overview or asset classification exercise, law firms not only make mistakes in their cyber incident response plans, but law firms can also make mistakes in allocating available resources to the investigation.
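A data map does not have to be elaborate to catch the purging problem described in the two paragraphs above. The following is an added example, not the author's code; the asset inventory, retention periods and job names are constructed, and the 60-day history window used in the usage block is an assumed figure for the example, not a number from the article. It shows the three questions a responder wants answered on day one: which sources will be purged before they can be collected, which purge jobs to suspend for a legal hold, and which gaps sit with a vendor rather than with the firm.

```python
"""Data map with retention checks for incident preservation.
Added example with a constructed inventory; not the author's code."""
from dataclasses import dataclass
from typing import List, Optional

PRIORITY = {"confidential": 0, "internal": 1, "general": 2}


@dataclass(frozen=True)
class Asset:
    name: str
    location: str            # "on-prem", "cloud" or "third-party-dc"
    classification: str      # "general", "internal" or "confidential"
    retention_days: int      # data or logs are purged after this many days
    purge_job: Optional[str]  # firm-controlled job that deletes it, if any


# Constructed inventory; names, locations and periods are invented.
INVENTORY: List[Asset] = [
    Asset("dms-audit-log", "on-prem", "confidential", 30, "purge_dms_audit_weekly"),
    Asset("firewall-syslog", "on-prem", "internal", 14, "logrotate-fw"),
    Asset("mail-archive", "cloud", "confidential", 3650, None),
    Asset("vpn-auth-log", "cloud", "internal", 90, None),
    Asset("website-cms", "third-party-dc", "general", 365, None),
    Asset("edr-telemetry", "cloud", "internal", 7, None),  # vendor-controlled rollover
]


def preservation_gaps(inventory: List[Asset], needed_days: int) -> List[str]:
    """Assets whose automatic purge would destroy evidence before an
    investigation needing `needed_days` of history could collect it."""
    return [a.name for a in inventory if a.retention_days < needed_days]


def legal_hold_plan(inventory: List[Asset], needed_days: int) -> List[str]:
    """Firm-controlled purge jobs to suspend the moment an incident is declared."""
    return sorted({a.purge_job for a in inventory
                   if a.purge_job and a.retention_days < needed_days})


def vendor_requests(inventory: List[Asset], needed_days: int) -> List[str]:
    """Gaps with no job the firm can pause: a retention extension or export
    must be requested from the provider instead."""
    return [a.name for a in inventory
            if a.retention_days < needed_days and not a.purge_job]


def collection_order(inventory: List[Asset]) -> List[Asset]:
    """Most sensitive first, then most perishable first within a class."""
    return sorted(inventory,
                  key=lambda a: (PRIORITY[a.classification], a.retention_days, a.name))


if __name__ == "__main__":
    NEEDED = 60  # assumed history window for this example
    print("gaps:", preservation_gaps(INVENTORY, NEEDED))
    print("suspend:", legal_hold_plan(INVENTORY, NEEDED))
    print("ask vendor:", vendor_requests(INVENTORY, NEEDED))
    print("collect in order:", [a.name for a in collection_order(INVENTORY)])
```

The endpoint telemetry source is the instructive case: it is the shortest-lived source in the inventory and the firm has no job to pause, so the only remedy is a request to the provider, which is exactly the kind of dependency that a data map surfaces before an incident rather than days into one.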
In addition, law firm executive committees should press to identify and understand the most critical datasets of law firm information. What are the law firm’s most valuable intellectual property assets and consumer/customer based informational assets, and how are they currently being protected? Where are these assets stored or located — internally, at a third-party data center (in the U.S. or overseas), or in a cloud-based environment? Asking these and other similar questions will help a law firm executive committee better understand the law firm’s posture with respect to securing its virtual assets and inform what additional steps, if any, management can take to improve such practices.
Law firm executive committees should also consider implementing a sophisticated and intelligent data classification scheme. For example, consider parsing data sets into: 1) general use data, such as information published on the law firm website and included in public releases or disclosures; 2) internal use data, such as non-confidential internal communications; and 3) confidential data, such as information carrying a legal confidentiality obligation like attorney-client work product or privileged attorney-client communications.
Confidential data in particular can be organized into narrower classifications such as: 1) information subject to protection under specific government statutes or regulations, including medical records protected under HIPAA or financial records under SEC Regulation S-P; 2) commercially sensitive information about clients, such as trade secrets, future business plans or negotiation strategies; 3) contractually protected information subject to a particular client agreement regarding that client’s data; and 4) other confidential or sensitive information such as evidentiary data pertaining to active or closed litigation engagements.
Law firms with offices in countries that are members of the European Union (EU), or who handle and store protected personal information pertaining to citizens of the EU that they have received from or on behalf of their clients, are under special requirements to take measures to ensure the security of that information. Currently, this is an indirect result of the EU’s broad data privacy regulations, special directives and other increasingly strict and rigorous data-related rules and requirements.
PCI Responsibilities. Executive committees at law firms should determine whether the law firm has any PCI compliance issues and if so, that those PCI-related concerns are being addressed.
By way of background, when a cyber-attack targets electronically transmitted, collected or stored payment card information, so-called Payment Card Industry Data Security Standards (PCI-DSS) compliance is often one of the first aspects investigated. The Payment Card Industry Security Standards Council is the international organization founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. in 2006, which develops and manages certain credit card industry standards, including the PCI-DSS. PCI-DSS is a set of requirements created to help protect the security of electronic payment card transactions that include PII of cardholders, and operate as an industry standard for security for organizations utilizing credit card information. PCI-DSS applies to all organizations that hold, process or pass credit card holder information and imposes requirements upon those entities for security management, policies, procedures, network architecture, software design and other critical measures that help to protect customer credit and debit card account data.
If a cyber-attack against a law firm involves credit cards or other similar modes of payment and triggers PCI-DSS compliance, the workflow involving the PCI-DSS can be extremely costly, cumbersome and disruptive. For instance, merchants are responsible for all costs associated with any system modifications required to achieve PCI-DSS compliance and the card brands may levy significant fines and penalties on merchants that are not in compliance with PCI-DSS. Such penalties and fines, imposed separately by each card association, can include:
Hefty fines (in multiples of $100,000) for prohibited data retention;
Significant additional monthly fines (can be $100,000 or more per month depending on the nature of the data stored) assessed until confirmation is provided indicating that prohibited data is no longer stored;
Separate fines (in multiples of $10,000) for PCI-DSS non-compliance;
Additional monthly fines (likely $25,000 per month) assessed until confirmation from a qualified security assessor that the merchant is PCI-DSS compliant;
Payment of monitoring (can be as high as $25) and reissuing (up to $5) assessments for each card identified by the card association as potentially compromised; and
Reimbursement for any and all fraudulent activity the card association identifies as being tied to a security data breach.
In addition, when an organization suspects a PCI cyber-attack, the card brands’ PCI-DSS rules require hiring a PCI-approved forensic investigator (also known as a PFI) from a small list of card brand approved vendors. When a breach is suspected, a PFI is required to perform a specified list of investigative work including writing a final report that is issued to both the client and the various credit card companies, which is then used by the card brand companies to calculate potential fines that will be levied against the acquiring banks. These fees are then passed along to the victim company in the form of indemnification. Further, after a breach, a merchant’s classification or “tier” may be adjusted upwards, resulting in the imposition of further obligations and potentially even greater fines and penalties should another breach occur.
Data Loss Protection. Law firms should work towards adopting security mechanisms such as data loss protection (DLP) systems (also known as “data leak prevention systems”), to help detect and prevent the potential unauthorized transmittal of confidential information by employees. DLP systems aim to prevent end users from sending sensitive or critical information, such as attorney work product or privileged attorney-client communications, outside a law firm’s network.
Such systems classify and protect confidential and critical information so that unauthorized end users cannot accidentally or maliciously share data whose disclosure could place the organization at risk. For instance, by installing data loss prevention technologies that “tag” certain files, phrases, and code names, a law firm could block or flag transmissions of those tagged files, with the aim of preventing sensitive information from leaving the firm’s network.
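The tagging approach in the paragraph above reduces to a small policy engine: classify each part of an outbound message from its labels and code names, then decide by destination. The following is an added example, not the author's code or any DLP vendor's; the firm domain, classification labels, matter code names and messages are all constructed, and the three-level scheme mirrors the general/internal/confidential split proposed earlier in the article.

```python
"""Tag-based outbound DLP check. Added example, not the author's code;
domain, labels, code names and messages are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FIRM_DOMAIN = "example-law.test"                    # assumed firm mail domain
CODE_NAMES = {"project falcon", "matter 2291"}       # constructed matter code names
LABEL_RE = re.compile(r"\[(CONFIDENTIAL|PRIVILEGED|INTERNAL)\]", re.I)
LABEL_CLASS = {"confidential": "confidential", "privileged": "confidential",
               "internal": "internal"}
RANK = {"general": 0, "internal": 1, "confidential": 2}


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[Tuple[str, str]] = field(default_factory=list)  # (name, text)


def classify(text: str) -> Tuple[str, List[str]]:
    """Highest classification implied by labels or tagged code names in text."""
    level, reasons = "general", []
    for m in LABEL_RE.finditer(text):
        cls = LABEL_CLASS[m.group(1).lower()]
        reasons.append(f"label {m.group(0)}")
        if RANK[cls] > RANK[level]:
            level = cls
    lowered = text.lower()
    for name in sorted(CODE_NAMES):
        if name in lowered:
            reasons.append(f"code name '{name}'")
            level = "confidential"
    return level, reasons


def evaluate(msg: Message) -> Dict[str, object]:
    """Decide block / flag / allow for an outbound message.

    Confidential material to an external recipient is blocked, internal-use
    material is flagged for review, and anything staying inside the firm is
    allowed (a real deployment would still log it).
    """
    external = [r for r in msg.recipients
                if r.rsplit("@", 1)[-1].lower() != FIRM_DOMAIN]
    parts = [("subject", msg.subject), ("body", msg.body)]
    parts += [(f"attachment {name}", text) for name, text in msg.attachments]
    level, reasons = "general", []
    for where, text in parts:
        lvl, why = classify(text)
        reasons += [f"{where}: {w}" for w in why]
        if RANK[lvl] > RANK[level]:
            level = lvl
    if not external or level == "general":
        action = "allow"
    elif level == "confidential":
        action = "block"
    else:
        action = "flag"
    return {"action": action, "level": level, "external": external, "reasons": reasons}


# Constructed messages exercising each branch of the policy.
SAMPLE_MESSAGES = [
    Message("assoc@example-law.test", ["partner@example-law.test"], "Draft memo",
            "[PRIVILEGED] Analysis for Project Falcon, internal circulation only"),
    Message("assoc@example-law.test", ["counsel@other-firm.test"], "Term sheet",
            "Attached as discussed.",
            [("term_sheet.docx", "[CONFIDENTIAL] Matter 2291 term sheet")]),
    Message("assoc@example-law.test", ["friend@mail.test"], "Lunch", "Tomorrow at noon?"),
    Message("hr@example-law.test", ["vendor@payroll.test"], "Q3 headcount",
            "[INTERNAL] Headcount list follows."),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m.subject, "->", evaluate(m))
```

The second message is the case that matters: the subject and body are innocuous, and only the attachment carries the label and code name, so a check that looks at the message body alone would let it through.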
Third Party (Including Local Counsel) Due Diligence. Outsourcing of services (such as IT, payroll, accounting, pension and other financial services), which typically involve the transfer of, or allowing access to, PII from a law firm to its vendor, has become increasingly common for law firms. Both law firms and service providers, including local counsel in litigation and other corporate matters, must contend with a matrix of obligations governing the disclosure of personal information under federal and state laws and regulations, common law privacy principles and industry guidelines and standards.
Thus, law firm executive committees should be concerned if any third party vendor has access to a law firm’s networks, customer data or other sensitive information — or if there exists any sort of other cybersecurity risk of the outsourced function. Law firm executive committees should also understand that third-party risk management is a security function as well as a compliance requirement. If a cybersecurity plan focuses only on internal security, a law firm misses a substantial risk. Numerous studies have shown that third parties represent between 40% and 80% of the risks associated with data breaches.
Given that cyber-attackers will often traverse across a law firm’s network and into the networks of its vendors or vice versa, cyber-attacks can also result in disputes as to the culpability for an attack. As a result, in most data breach scenarios, vendors and law firms can end up pointing the finger at one another for their respective cybersecurity failures.
Vendors who become entangled in the cyber-attack of a customer that includes PII of, for example, their customers’ employees, can be subject to claims by those whose information is lost, as well as by their client. For example, in Caudle v. Towers, Perrin, Forster & Crosby, a federal judge dismissed claims for negligence and breach of fiduciary duty brought by an employee against his employer’s pension consultant whose laptop containing PII of employees was stolen. The judge dismissed the negligence claim in the absence of evidence that the information had been accessed or used. It also dismissed the claim for breach of fiduciary duties, again on the ground that the plaintiff had not shown he had suffered any damages. The court did allow the claim for breach of contract to proceed to allow discovery on the issue of whether the employee was a third-party beneficiary of the contract between his employer and the vendor under the terms of the contract.
Similarly, in Ruiz v. Gap, Inc., where a company’s vendor was sued for losing its client’s personal information when a laptop was stolen containing information with job applications, a federal judge dismissed the claims for lack of requisite appreciable harm (because the plaintiff had not been a victim of identity theft but rather was claiming increased risk of future identity theft and seeking credit monitoring costs).
In addition, law firm executive committees should understand if and how the law firm incorporates requirements relating to cybersecurity risk into its contracts with vendors, which can, for example, trigger notification responsibilities. In the event of a data breach, corporate vendors will want to know all relevant facts relating to the cyber-attack, especially: if their data has potentially been compromised; if services will experience any disruption; the nature of remediation efforts; if there are any official or unofficial findings of any investigation; or if there is any other information which can impact their operations, reputation, etc.
Vendors may also request images of malware and IOCs or to visit/inspect the law firm with their own investigation team. Vendors may ask for weekly or even daily briefings and may demand attestations in writing with respect to any findings pertaining to their data. Some customers may also have contractual language establishing their rights when a cyber-attack occurs, which can range from notification, to on-site inspections, to the option of an independent risk and security assessment of the victim law firm (at the victim law firm’s, and not the vendor’s, expense).
Moreover, if third party vendors conduct remote maintenance of a law firm’s networks and devices, in the event of a cyber-attack, the law firm should confirm it can obtain copies of any relevant logs, as well as access the third party system to scan for IOCs.
Law firm executive committees should inquire about the practices and procedures with respect to the cybersecurity of local counsel in particular, asking about information security procedures (including training) and outside access to the third party’s own internal network. Big firms working with local litigation counsel may risk making themselves just as vulnerable as their less protected co-counsel. Just like with other vendors, the mantra underlying local counsel cybersecurity concerns is simple: Any attack upon a law firm’s local counsel can easily become an attack on the law firm itself.
Buy Cyber-Insurance. Just like with other hazards of doing business, law firms have begun taking into account cybersecurity concerns when considering overall enterprise risk management and insurance risk transfer mechanisms. Clearly, cyber insurance will eventually become yet another basic element of a law firm’s insurance coverage, just like property insurance for companies and health insurance for individuals. For law firms, their clients will also likely (if they have not already done so) demand that their law firm carry cyber insurance as a matter of good business practice.
According to insurance brokerage Aon, more than 60 out of the 250 medium and large law firms that it services have purchased cyber insurance within the last two years. Insurance broker Marsh has reported that close to 40 percent of its roughly 100 large law firm clients have purchased the insurance, up from 20 percent two years ago.
Interestingly, law firms who maintain cyber insurance might also have the best cybersecurity policies and practices, probably because before obtaining cyber insurance coverage, a law firm is typically subjected to a fairly rigorous underwriting process. Just like the physical exam typically required by insurance companies before issuing life insurance, which can prompt better personal wellness practices, a cyber insurance exam might trigger or prompt better law firm cybersecurity wellness. Moreover, while it has been suggested that having insurance encourages companies to slack off on security, some research suggests the opposite, i.e., that those companies with good security practices are more likely to purchase insurance.
Just like many corporations, law firms are finding that their professional liability insurance, general liability insurance and property insurance do not cover many of the costs associated with cyber-attacks. Factors depend on the nature of the breach, the relationship of the parties, the type of the information in issue (such as personal information, intellectual property, trade secrets, and emails), the precise form of the operative policy and, if related to third-party liability claims, the allegations asserted and the type of damages sought.
Meanwhile, though the market for cyber insurance continues to evolve and grow dramatically, there still has not materialized any form of standardized cyber insurance policy language, and whether standard property casualty provisions even cover losses relating to cyber incidents often remains an open question. Stand-alone cyber insurance policies offer broader coverage and should be explored by every law firm executive committee, along with an evaluation of the sufficiency of the law firm’s liability insurance program.
Indeed, relying on a general property insurance policy for cyber-attack coverage is risky, and law firms should not rely on a commercial general liability (CGL) policy to cover a data breach, as it most likely will not. For example, in the data breach involving Sony, the breach reportedly exposed the personal information of tens of millions of users, and Zurich American stated in court papers that as a result, Sony was the defendant in over 50 class action lawsuits. Because the Sony policy required the policyholder (Sony) to perpetrate or commit the act of publication of the personal information, the judge stated, “Paragraph E (oral or written publication in any manner of the material that violates a person’s right to privacy) requires some kind of act or conduct by the policyholder in order for coverage to present.” This decision highlights the hazards of relying on traditional CGL coverage policies for potential data breach coverage.
Indeed, the case law concerning general property insurance and cybersecurity is all over the map. Some examples in favor of the insured:
Computer Corner, Inc. v. Fireman’s Fund Ins. Co. (holding that loss of the pre-existing electronic data was tangible property damage covered by CGL policy where computer store repairing customer’s computer permanently lost all the data);
American Guar. & Liab. Ins. Co. v. Ingram Micro, Inc. (holding that computer data permanently lost during a power outage constituted “direct physical loss or damage from any cause” covered by first-party insurance policy);
Southeast Mental Healthcare Center, Inc. v. Pacific Insurance Company (finding a direct physical loss occurred where the insured’s pharmacy computer data was corrupted due to a power outage);
NMS Services Inc. v. Hartford (characterizing the erasure of vital computer files and database