Prepare, practice, protect: A strategy for defeating cyberthreats to lawyers
ACTION PLAN
So what should lawyers do to protect themselves against financial and reputational loss and to comply with legal and ethical requirements? Firms should focus on two things: risk management, which reduces the likelihood of a breach, and incident response planning, which limits the damage when one occurs. As part of the risk management process, firms should take a number of steps:
- Education and training. Many breaches begin with some sort of human error, such as an insecure password like “Password123,” a lost laptop or an unthinking response to a phishing email. Law firms should ensure that each employee—lawyer and nonlawyer alike—understands that he or she has an individual responsibility to protect confidential information and knows how to do so. This training should be provided as soon as an individual joins an institution and should be repeated throughout their employment.
- Inventory. As part of the risk management process, law firms should identify what their most valuable data assets are, where they are located and who should have access to them. If a firm does not know what information it maintains, it cannot expect to properly protect it. In a world of finite resources, allocating security based on which data needs it the most is prudent.
- Access controls. Too often, a firm’s users and systems are connected by default, with no consideration of the attendant risks or of employees’ actual access needs. But over-connectedness can enable a breach that might otherwise have been relatively confined to inflict far greater damage. A firm’s management should view access as a business decision and evaluate whether the efficiencies gained by connection outweigh the risks; the default should be that each user and system has only the access its role actually requires. Additional controls such as multifactor authentication, network segmentation and encryption of data at rest and in transit should also be implemented.
- Monitoring. Mitigating the potential consequences of a breach requires that it be detected quickly. Real-time monitoring is critical to swift detection and response. Firms should install a system that monitors the network, flags anomalies as they occur and alerts the people responsible for investigating and containing them. Incidents may be detected in a variety of other ways as well. An employee may report a lost or stolen device or a misdirected email. Law enforcement or clients may contact the firm directly. A story may run in the press. Each firm should therefore ensure it has a method by which all employees can report incidents, such as a dedicated and routinely monitored email account or help-desk phone number, and by which all such reports are followed up. Being alert to all potential breach indicators will limit the time an intruder can spend wreaking havoc on the firm’s systems.
- Contractors. Law firms are increasingly making use of third-party vendors, such as cloud service providers. They must make certain that those third parties adequately protect data they obtain or have access to. If a third-party contractor is hacked and the law firm’s data disclosed, the law firm may well be held responsible. Firms should know the details of their vendor contracts, especially which party has responsibility for which aspects of security.
- Incident response plan. But the strongest and most effective risk management cannot prevent all cyberattacks. Former FBI Director Robert Mueller made famous the aphorism that “there are only two types of companies: those that have been hacked and those that will be.” This, obviously, applies equally to law firms. Incident response plans are the cornerstone of any organization’s preparedness and response related to cyberthreats. They serve a variety of functions, including enhancing communication within the firm, identifying and eliminating the source of the incident, minimizing the damage where possible, and restoring normal operations as quickly as possible.
An IRP sets out the concrete steps a firm should take in responding to an incident, from assembling an incident response team and investigating a potential breach to informing firm management and assessing notification obligations. It should contain a list of key contacts and contact information, as well as checklists (to ensure no step is left out in the midst of a breach) and sample notice letters (to facilitate compliance with data-breach notification laws, many of which impose tight deadlines, sometimes a matter of days, for notifying affected individuals and state regulators once a breach is discovered). The plan should be printed in hard copy, in the event a breach takes down the firm’s electronic systems, and it should be updated regularly based on the current threat environment (typically at least once per year).
- Practice, practice, practice. Creating an IRP forces a firm to consider ahead of time the multitude of issues it will face during a breach. Because the plan is written before it is needed, it fosters better decisions and clearer communication than might occur during a crisis. It also enables the firm to practice its response. Best practices include conducting tabletop exercises based on the IRP to establish clear working relationships and decision-making paths, such as who will make the crucial decisions, who must be consulted, and who in the firm will handle crisis communications. Tabletops thus serve as training vehicles and allow the core members of the response team to practice working together.
Creating and practicing an IRP will do more than help protect a law firm from the loss of data or access to systems resulting from a data breach. It will also demonstrate to regulators and to the triers of fact, in the event of lawsuits, that the firm’s preparation before the incident was reasonable. Failure to have an IRP puts both a firm and its clients at risk.
- Relationships with law enforcement. Finally, as part of their preparation for a cyberattack incident, law firms should invest in building relationships with law enforcement beforehand. These relationships can help a firm to obtain the most up-to-date threat information, keeping it current and in a position to maintain the strongest defenses possible. Moreover, knowing exactly who in the government to call, and having a trusted relationship with that individual, is important to ensuring a fast and well-coordinated response. Law firms, like companies, are often reluctant to involve the government in a breach; while law enforcement and regulators encourage entities to voluntarily report incidents, they are also eager to make examples of entities that, in their view, were not adequately prepared for an incident or did not adequately respond to one. Law firms face the unique issue of balancing the desire to inform clients and law enforcement of a breach with the obligations of the attorney-client privilege. The benefits of reporting an incident generally outweigh the potential harm, but the report should ideally be made to a trusted individual within the government. Firms should identify, in advance, who in law enforcement and regulatory agencies they will contact and what they will tell them, as advance planning and outreach may enhance the response and service they receive.
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
Cybersecurity is a process, not an event. A plan that is reasonable in 2018 may not be reasonable in 2020. Law firms must recognize, and keep abreast of, the threats they face, as well as their duty to protect their clients and themselves. A plan built on preparedness, risk management and resiliency will enable them to do just that. With current technology, there is no way to reduce the risk of a breach to zero, but with the proper plan and proper training, law firms can recover from an incident and get back to the business of serving clients.
John P. Carlin is a partner at Morrison & Foerster. Robert S. Litt, of counsel at Morrison & Foerster, is a former general counsel for the director of national intelligence. Hayley R. Curry and R. Taj Moore are associates at the firm.