Law firms must manage cybersecurity risks
Photo Illustration by Brenan Sharp
It’s another busy day at the office when you receive an email with an attached memo. You don’t remember asking for the memo, but you download the attachment anyway. Alarm bells! It’s not an attachment. It’s malware that’s now infecting your computer and every other computer in your law firm.
This was the situation that Jessica Mazzeo and Fran Griesing faced. In July 2016, the computer system for their small Philadelphia firm of 12 lawyers was infected with malware. They contacted Integrated Micro Systems, their outsourced information technology provider.
“We caught it almost immediately,” says Mazzeo, chief operating officer at Griesing Law. “We took down our network and ran virus software on every computer in the firm. Once we located where the virus originated, we wiped the hard drive.”
That incident changed the way the law firm dealt with websites, emails and mobile devices. As a small firm, Griesing Law leans on outside providers for help. The firm uses Workshare, a cloud-based program that allows users to send files securely online, and Trend Micro to quarantine suspicious emails. It also made firewall changes to block certain websites from being accessed by employees because of the risk of malware. A new policy was implemented last year on internal email: If the source is unknown or if you’re not expecting the email, don’t open it.
“We look at the issue of cybersecurity not just from the client perspective but from a reverse standpoint,” Mazzeo says. “We want to make sure that we are covered internally. If we are protected, then our client information is protected.”
the BIGGEST RISK
Cybersecurity is evolving. This is more than just a technology issue or an added clause in the retainer agreement—it’s the biggest risk that law firms face in 2017. Cravath, Swaine & Moore and Weil Gotshal & Manges, two of the largest firms in the United States, got caught in a major cybersecurity breach later linked to a $4 million-plus insider-trading scheme. (See “6 major law firm hacks in recent history” sidebar.)
Cybersecurity no longer can be relegated to the IT department or be part of general guidelines on computer use. Cybersecurity, or as some industries call it, cyberrisk, is part of doing business.
Why are law firms behind on this issue? The problem is money. Each person quoted in this article mentioned cost as a major factor for why law firms are lagging in preparing for cyberattacks. To have an effective cyberrisk program requires, at minimum, up-to-date software, which—for any size law firm—can be very expensive.
“We are a self-governing profession, and there hasn’t been an environment to do cybersecurity,” says Daniel Garrie, founder of Law and Forensics, a tech firm that specializes in forensic investigations for law firms and others. “The economics of the practice of law doesn’t allow for investment. ... Even in the biggest firms, there are only three or four people [working] on cybersecurity. There’s not much investment in people, resources, and they can’t pass the cost on to clients.
“Some firms are involved in the biggest deals in the world, and now companies are demanding a level of security,” Garrie adds.
But pressure from clients is causing firms to invest and focus on cyberrisk. According to the 2016 ABA Legal Technology Survey Report, 30.7 percent of all law firms and 62.8 percent of firms of 500 lawyers or more reported that current or potential clients provided them with security requirements. At Griesing Law, the corporate clients demand that the firm has detailed cyber-security plans and prevention tools.
Fran Griesing. Photograph courtesy of Griesing Law.
“We review data guidelines and protocols on how to use, store and protect their data,” Mazzeo says. “Many of our corporate clients evaluate cybersecurity performance for all outside vendors and notify if expectations have been exceeded or require improvement.”
a GROWING MARKET
This push from clients is causing law firms to jump into the expanding world of cybersecurity. According to research firm MarketsandMarkets, the global cybersecurity market will exceed $202 billion by 2021.
European law firms face greater scrutiny for cybersecurity. The European Union’s General Data Protection Regulation, which goes into effect in May 2018, will require law firms based in the EU and those with EU clients to disclose data breaches to clients. TruShield, an IT security company, reported in 2015 that the legal industry was the second most targeted sector for a cyberattack. Even more alarming, the 2016 report revealed that small law firms were now the most targeted.
“Law firms are at the intersection of two significant threat trends,” says Luke Dembosky, a cybersecurity and litigation partner at Debevoise & Plimpton and former deputy assistant attorney general for national security at the Department of Justice.
Dembosky spent 14 years there specializing in cyber investigations and prosecutions. “First, as vendors, law firms are attractive targets. They not only hold valuable client information but also are regularly emailing attachments to clients, providing a possible means to get into client systems,” he says. “Second, law firms are seen ... as high-value targets for the rapidly growing use of ‘ransomware’ and extortion schemes because they have historically weak defenses and are seen as able to pay large sums.”
More tech breaches mean more demand for cybersecurity advisers. Lawyers from the government sector—including law enforcement—are going into private practice. And Dembosky is part of the rising trend of lawyers who help other lawyers identify the threat and build incident response plans. He worked on the investigations into the Sony Pictures, Home Depot and Target hacks.
“Managing a cyber event is something you don’t want to practice for the first time in the actual crisis,” Dembosky says. “When you don’t have a plan, the risk that a breach will have substantial impact goes up significantly. You waste crucial hours fumbling around with questions like ‘Whose job is it to do this or that?’ ‘When do you call law enforcement?’ ‘What about privilege issues?’ These decisions cannot be made by IT alone. These are business decisions and governance decisions about enterprisewide risks, and it’s important not only to plan for them but to practice addressing them.”
Read the sidebar: 6 major law firm hacks in recent history
WHAT TO DO
Law firms are built on reputation management. This means that firms must begin to adapt their technology to protect their data. One alarming statistic is that cybersecurity firm Mandiant estimated at least 80 of the 100 biggest firms in the country, by revenue, have been hacked since 2011.
“If your data is all in one place without any layers, then your eggs are in one basket, and that raises the stakes of a breach dramatically,” Dembosky says. In the Panama Papers hack, “40 years of information was lost in one breach. Start by determining what is most essential to protect, and layer protections accordingly. Don’t retain what you don’t need, or at least move it to an archive that is much less accessible.”
Jessica Mazzeo. Photograph courtesy Out There Creative Media.
As law firms wade into cybersecurity practice, the glaring reality is that most law firms aren’t prepared for a major breach. According to the 2016 ABA technology survey, only 17.1 percent of all law firms had an incident response plan in place to address a security breach, and only 50 percent of firms of 500 lawyers or more had such a plan in place.
“There needs to be senior management engagement in cyber preparedness, and senior-level accountability in this area is increasingly expected by regulators and courts,” Dembosky says. “Certainly, some aspects of breach preparation and response are IT-focused, but when a major cyber incident occurs, other executives at the company will need to weigh in, for example, on disclosures to the media, regulators, law enforcement and others.
“Law firms have tended to be behind the curve on these issues, but many are working hard to catch up. In many cases, because they are vendors to their clients, law firms are doing so because their clients are requiring it.”
Industry standards give law firms a benchmark, and some firms are using ISO/IEC 27001 certification, which covers information security. The National Institute of Standards and Technology framework from the DOJ also provides guidance for law firms in cybersecurity protection.
The ABA is working to give lawyers more guidance, as well. The second edition of The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals will be published before the ABA Annual Meeting in August.
“The first edition was a wake-up call for lawyers,” says Jill Rhodes, board member of the ABA Cybersecurity Legal Task Force. “This edition comes from the perspective that cybersecurity is important, and they will be accountable for the loss of the data. We have a full chapter on technology. We talk about the legal and ethical obligations and practice setting much more in-depth. We’re also looking at the cultural changes. How partners think about technology may be very different than associates.”
The cybersecurity task force is focusing more on small firms and hopes to develop a handbook aimed at small firms.
“We’re putting together information about how small firms can conduct self-assessments, what to do with third parties and identifying resources small firms may leverage to help secure their data,” Rhodes says. “Large firms are starting to hire chief information security officers, but for small firms it’s hard to even hire an IT person. Small firms are getting calls from large firms and clients asking if they are compliant with cybersecurity regulation and how compliant the small firm is with various cybersecurity requirements. It’s about how to be prepared.”
The conversation about cybersecurity in law firms also is growing. The Legal Services Information Sharing and Analysis Organization began in 2015 as a way for law firms to share information about data threats anonymously.
“Don’t be a Lone Ranger defender,” Dembosky says. “Sharing cyberthreat information is an important way risks are reduced. Hackers build campaigns to go against an industry. Ideally, sharing the information means the hackers will have success only once or very few times. If we don’t share information and adapt our defenses quickly, the hacking campaign will have a chance to succeed across the entire sector.”
RECOGNIZING the RISK
Jennifer Martin has been looking at cyberrisk for a long time. The former mathematician and programmer had the right skills for the DOJ in 1999. Her lack of fear of computers gave her the advantage to work on cyberrisk. She ran domestic and international investigations before she worked at Symantec, where she dealt with cybersecurity protection. Now she’s helping to build the cybersecurity practice at Covington & Burling, focusing on incident litigation support, navigating regulation for clients and keeping track of the latest threats.
Jennifer Martin. Photograph ourtesy of Covington & Burling.
“About two years ago, there was an uptick in cyberattacks targeting media holding companies to steal information for insider-trading purposes,” Martin says. “For example, by stealing quarterly earnings information prior to their public release in the afternoon, intruders could trade on that information. Similar motives also resulted in an increase of targeted attacks on law firms, too. Hackers recognize the value of the confidential financial and transactional information held by lawyers.”
Hackers are increasingly turning to ransomware to profit off stolen data. Ransomware is a combination of stealing data and blackmailing law firms, blocking access to a computer system’s data until a ransom is paid. If firms decide not to pay, they could lose their data permanently.
After the hacking revelations from the 2016 presidential campaign, it’s no surprise that different nation-states continue to attack private businesses, as well. Last year, Crain’s Chicago Business reported that the Ukraine-based hacker group Oleras targeted 46 U.S. and two U.K. law firms.
“The bad guys are saying, ‘How can I monetize information?’ ” Martin explains. “Recently, we have seen intruders extort organizations either through ransomware attacks ... or through the threat of publication of embarrassing information. More and more companies are pushing down security requirements through contracts, as well as breach notification, cooperation requirements and audit rights. Vendors have to sort through all these new requirements to figure out how to comply and how much it will cost.”
One must-have item for every vendor, including law firms, is an incident response plan. These plans are more specific and sophisticated than crisis management policies and clearly lay out what the roles are and what has to be done when a breach happens.
“The plan should fit the natural responsibilities of the management team, and that varies from company to company,” Dembosky says. “It should make clear who will be the core individuals involved and what their respective roles will be.
“I’ve seen ones that are two pages and ones that are hundreds of pages, and neither tends to serve the company well. It needs to be something you can take off the shelf and use it right away. It should be in plain, action-focused speak without a bunch of flowery policy language—save that for other documents.”
A good incident response plan is not complete without a good team, according to Martin. She recommends having a cross-functional team and performing multiple practice drills.
“Cybersecurity requires organizationwide coordination,” says Martin, who worked as the director for the Cyber Security Incident Response team at Symantec. “Cross-functional cooperation needs to be seamless and efficient, and the processes need to be tested. It’s like a hub-and-spoke [structure]: Establish a command and control center to manage the event, but allow for individual departments to go off and implement agreed-to action items. But the most important thing is to develop trusted relationships beforehand.”
when BAD GUYS GET IN
It’s amazing how hackers can get into a law firm. John Reed Stark, the former chief of the Securities and Exchange Commission’s Office of Internet Enforcement, investigated hundreds of breaches, including those at law firms. His most unusual story is hackers who used a law firm’s outdated printer software to get access to the firm’s network.
Luke Dembosky. Photograph courtesy of Debevoise & Plimpton.
“There are so many types of cyberthreats,” says Stark, president of John Reed Stark Consulting, a firm that provides expert data breach response services and advises law firms about cybersecurity. “For lawyers in particular, to be disciplined with emails, texting, laptops, smartphones, desktops, wireless environments is a lot to ask. Working long hours and managing demanding clients is difficult for attorneys. For example, suppose a law partner or associate is working late at night, bleary-eyed; he or she clicks on a PDF file attached to a bogus email from a client that is part of a phishing scheme—that’s it, game over.”
Stark’s curiosity about computers led to work on computer crimes and eventually teaching at the FBI Academy about cybersecurity. His passion is evident in his book The Cybersecurity Due Diligence Handbook.
“There is bound to be a major law firm data breach that will blow up a law firm sooner or later,” Stark says. “Law firm clients are beginning to require that law firms complete extensive and exhaustive data security questionnaires and might even send due diligence teams to a law firm’s office to inspect their technology and physical security.”
Law firms have to have a good glimpse of what their risks are through security assessments and penetration testing. This includes external tests to see what part of the system is vulnerable on the internet, testing the vulnerabilities in web and mobile applications, and testing the security of wireless technology. Small firms can have their IT service provider perform a risk assessment or use major service providers, such as Microsoft or Clio, which have regular security assessments of their systems.
“What works best is a holistic approach,” Stark says. “It’s a lot like having a physical from an internist or a cardiologist checkup after your 50th birthday. You may not be able to plug all the holes. But like a trusted internist, a trusted cyber adviser can help a firm not only fortify and strengthen cyber hygiene but also help with preparedness and response for when the inevitable cyberattack happens.”
Prevention is about managing risk, and security assessments take a comprehensive look at what’s missing in a law firm’s IT security and help lawyers identify risk.
“You want to employ risk-based metrics, identifying which categories of data security represent the biggest risks,” Stark says. “There’s business continuity, cyber insurance, BYOD [bring your own device] management, cloud computing, vendor diligence, and the list goes on.”
Stark recommends fostering a strong relationship with law enforcement officials before being hit with a breach. Law firms can contact the FBI and host a mock exercise of going through a cyberattack.
“When a cyberattack happens, time is too often lost on getting organized and figuring out who to call, what to do first and so on,” Stark says. “Yet the first minutes after a breach are crucial, and a lot of important tasks must begin immediately.
“The reality is that there are very few bona fide data breach response firms, so finding the right response team can be a real challenge. The best practice is to develop key cybersecurity relationships beforehand, for example, master-service agreements, which many cybersecurity firms are willing to sign. The key is to get all the contract procurement done before the cyberattack or go a bit further and engage a cybersecurity firm to do a minor cybersecurity assessment and build a relationship that works.”
Getting the help a firm needs at the right time is critical because companies in cyberattacks are judged by their response. At least four states—California, Massachusetts, Oregon and Washington—require some form of public access to data breach reports that affect their citizens. Contacting law enforcement can help repair the damage, but catching the perpetrator can be almost impossible.
John Reed Stark. Photograph courtesy of John Reed stark Consulting.
“When do you ever read about international hackers getting caught?” Stark asks. “At the SEC, we froze the cash of foreign perpetrators of cybercrime, but that was often the most we could do, and it was probably viewed ... as the mere cost of doing business. The criminals remained free to strike again.”
LAW-FIRM-CENTRIC SERVICE
Because cybersecurity is a rapidly evolving field, services geared toward the legal industry can be difficult to find. Major players in cybersecurity are jumping in to fill the gap. In November, Thomson Reuters, megafirm Pillsbury Winthrop Shaw Pittman, and the growing cyber-security firm FireEye announced their collaboration to become a one-stop shop for law firms in cyberrisk.
“This collaboration originated from a discussion between Pillsbury and Thomson Reuters about the legal services we were already providing for our clients related to cybersecurity,” says Christy Weisner, director of Thomson Reuters Legal Managed Services.
“We realized that while we were each addressing a piece of the puzzle individually, we were not always working as part of a diverse team to address the problem holistically. And if we were not, it is likely that many organizations are also missing pieces of the puzzle.”
In the cybersecurity compliance program, Pillsbury provides legal counsel on regulations and drafting third-party contracts; Thomson Reuters reviews and identifies risks in the contracts; and FireEye performs technical assessments, including penetration testing and response readiness on third parties. For mergers and acquisitions, the added bonus is expertise in cybersecurity in due diligence work and addressing security gaps.
“As part of your security and risk management program, you should understand what’s valuable and how would an attacker get to it and design your defenses accordingly,” says Karen Kukoda, FireEye’s partner alliances director. “Over the last year, we saw a sharp increase in ransomware attacks caused, in part, because Bitcoin enabled anonymous money transfers.”
The program also helps organizations navigate through the recent New York State Department of Financial Services regulations, which apply to about 3,000 organizations that operate in the financial industry. Third-party vendors, which include law firms, are required to have written cybersecurity plans and annual risk assessments, and to report cyber events when they happen.
Karen Kukoda. Photograph courtesy of FireEye.
“The new cybersecurity regulation is incredibly impactful,” Weisner says. “It is extremely broad in its scope, sets very high expectations, and has incredibly quick reporting requirements after vaguely defined cyber events. It requires boards of directors to review the organization’s compliant cybersecurity plan and be approved by a senior officer on an annual basis. Organizations regulated by the DFS must move quickly to design and implement a cybersecurity program that addresses all these issues.”
Meanwhile, some long-standing players in the market are focusing on law firms. Professional services firm Deloitte has been working on this issue on a broader scale through its cyberrisk programs.
“We talk about cyberrisk as opposed to cybersecurity in order to evolve the issue to the executive level and to be able to innovate at that level,” says Mary Galligan, managing director of cyberrisk services at Deloitte. “If we look at cyber from only the technical side, we get lost. If we look at the issue as risk, we can spread the issue across the business.”
Galligan knows the severity of cybercrimes. She worked in the FBI’s cyber unit for more than 25 years. While she led the New York City office as the special agent in charge of cyber and special operations, she investigated hundreds of breaches.
“The biggest issue with law firms is the culture,” Galligan says. “Firms need to consider how to reduce the cyberrisk with the volume of information there is and the need to share the information. In a very connected world, everyone is a third party. Law firms as third parties are considered risks, and clients for law firms are third-party risks. With vendor or third-party risk, you have to identify risk and prioritize.”
Deloitte provides comprehensive services on prevention and planning for security breaches. This includes intelligence that helps firms monitor trends in cybercrime. When responding to a breach, Galligan suggests the first step should be to find the source of the breach.
“First and foremost, law firms need to be disciplined about access management,” she says. “What occurs in most breaches is someone obtains an employee’s credentials and uses them to gain access to the system. When this occurs, it is very hard to identify and track.”
According to the Deloitte report Beneath the Surface of a Cyberattack: A Deeper Look at Business Impacts, law firms face hidden consequences from a data breach, including increased insurance premiums, loss of intellectual property and lost contract revenue.
“Ransomware is not just about the money I pay,” Galligan says. “It is also about the questions ‘Do I pay it?’ ‘Now that I know someone is in my system, how do I fix that?’ ‘I have now lost time and data, and insurance doesn’t cover those hours. How do I make up for hours of lost work which I can’t bill?’ ”
OWN IT
Law firms have to respond to the cyberrisks around them. To have the proper leadership and oversight, it’s good to have a person in the firm take ownership of cyberrisk. Usually, this is restricted to the IT department, but Fox Rothschild decided to try something new. In September 2015, Mark McCreary, a partner who practices privacy law, became the firm’s chief privacy officer.
Mark McCreary. Photograph courtesy of Fox Rothschild.
“I love the business of security and privacy,” McCreary says. “Until you have the conversation with the business, you don’t realize how many issues you have or how many ways you can screw up.”
Fox Rothschild is only one of a handful of U.S. law firms with a CPO. McCreary’s main duties are to educate lawyers and staff about cyberrisk and take care of client requests. McCreary recently wrapped up visits to each of the firm’s 22 offices to give lunch seminars on cyberrisk.
The firm also is undergoing a reevaluation on data classification, which includes where data is stored, how it’s stored, and who can access the most sensitive data to protect against major breaches.
Client management, particularly client expectations, is one of McCreary’s top priorities. He warns that law firms should be careful to look at added clauses to retainer agreements.
“Pay attention to what you’re promising to your clients,” McCreary says. “Usually, clients will send back clauses for the retainer agreement, and lawyers will just quickly look at it and sign it. If they read the retainer agreements, they would get a wake-up call. Some clauses include obligations to delete all data upon termination of the representation, which, just technically, is not realistic because of the way data backups work and the nature of email.”
Cyberrisk can be overwhelming. Firms can’t always be 100 percent safe, but they can take steps to protect themselves.
“For a lot of firms, they think the Panama Papers scenario won’t happen to them,” McCreary says. “If someone loses their laptop, law firms don’t tell their clients. You get a reaction where partners hope that the people who steal laptops will want to just wipe the laptop and sell it on eBay.
“Lawyers have an ethical obligation to notify clients,” McCreary says. “We have the ethical obligation of protecting and safeguarding client data. People expect lawyers to know better.”
Julie Sobowale is a lawyer and a freelance writer based in Halifax, Nova Scotia. This article originally appeared in the March 2017 issue of the
