You're Going to Need a Bigger Boat: Small Firms Face Large Privacy Requirements
Small firms can find themselves trapped between cyberattacks, like ransomware, that don't prejudice based on the size of firm, and regulators who are indifferent to your size, when investigating a potential violation.
May 30, 2018 at 10:00 AM
8 minute read
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
“You're gonna need a bigger boat.”
Sheriff Brody said it best when he came face-to-face with the great white shark that was menacing the town of Amity Island in Spielberg's 1975 blockbuster, Jaws. And the same sentiment holds true for smaller law firms hunting large clients. The risk and responsibilities that come with large clients, such as pharmaceutical companies, disruptor banks, and investment firms, remain the same, regardless of the size of your law firm.
Unlike large firms with comparable resources with which to protect client non-public information, small firms can find themselves trapped between cyberattacks, like ransomware, that don't prejudice based on the size of firm, and regulators who are indifferent to your size, when investigating a potential violation.
The attack on Wall Street law firms Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP demonstrated how stolen information, such as FDA filings and press releases, could be used to front run trades. In this case, a law firm managed HIPAA protected healthcare data and the stolen information was used to violate SEC rules and federal market laws.
These regulated clients create a significant reporting burden. Consider for example that under HIPAA compliance standards for healthcare operators and New York financial institutions governed by the Department of Financial Services (DFS), you would be required to report a material cyber breach with 72 hours. Moreover, under DFS you would have to contribute to an annual declaration on the part of the client in which not only material breaches are inventoried, but unsuccessful attempts are also documented. This can be a significant task for banks with large security teams, let alone a small law firm outsourcing IT operations.
As an industry, law firms have improved their overall cybersecurity hygiene and practices, which has resulted in a lower-than-average amount of nuisance cyberattacks as compared to other industries like healthcare, manufacturing and energy. That said, criminals consider law firms a lucrative target, and as a result, our research shows the legal industry suffers 30% more malicious attacks than other businesses. This is a symptom of cyber threats evolving from opportunistic means and transactional payments, to targeted and negotiated extortion.
These trends do not delineate by firm size. A 90-day snapshot of eSentire's security operations statistics comparing large firms to small indicates a proportional volume of security incidents, but not so when examining breaches and security events that require immediate response. For example, consider that a large firm may represent 500-750 attorneys across 20 locations, while a small firm may have 25-50 attorneys at one location. Now consider that the small firm generates about 65,000 security traffic elements that filter down to 20 incidents, leading to one urgent incident requiring immediate response. On the other hand, the large firm generates over 40 times more traffic, 325 security incidents (16 times more), but only one escalation.
While the larger firm generates significantly more security traffic elements, the large firm/small firm ratio of escalated incidents requiring emergency response moves closer to one-to-one as the security events are investigated. Diving deeper, the data indicates that the emergency incidents were born of the same, industry-targeted attack. In other words, both the large and small firm were impacted and breached by the same targeted attack. Neither the criminals, nor their tools discriminate by the number of attorneys.
ABA Cybersecurity Recommendations
It's not unreasonable to think that the common cyber practices and investment levels of a large law firm are not the same as those that a small firm can manage. There is no one-size-fits-all when it comes to establishing standards of reasonable care. The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals contains a resource-right-sized approach with a checklist that smaller firms can use to build a simplified cybersecurity program:
1. Inventory hardware, applications. Keep a register of all laptops, servers, and applications. This should include cloud services, such as Amazon EC2, Microsoft Office 365, or other document management services.
2. Identify and audit data and related obligations. By extension, you have the obligation to understand the legal and regulatory boundaries in which your clients operate, and to meet those requirements. Ensure you understand your obligations.
3. Engage an IT consultant. Managed services firms can provide device management (updates and patching), along with basic system on-boarding and off-boarding processes. They can also help you encrypt devices and set up private networks to encrypt email and file transfers.
4. Investigate the security of cloud service providers. Cloud services supply multi-tenant offerings that extrapolate the need for on-site management services. Remember, however, that cloud service providers are obligated to protect their servers from attack, but they are not responsible for the consequences if your credentials are hijacked.
5. Establish cybersecurity and acceptable use policies. Leverage a consultant to build fundamental policies about the management, transfer, and storage of client confidential information.
6. Protect sensitive data and avoid portable media. Avoid using media, such as USB keys, to store and transfer non-public information. USB keys are a main source of infection and are difficult to control if the data is not removed once the authorized use is complete.
7. Require encryption. Unfortunately, password credentials are routinely acquired by unauthorized users. For this reason, you should encrypt hard drives or devices. Encryption offers an additional layer of security. The following links provide step-by-step instructions on how to encrypt your mobile hard drive or device:
|8. Establish a back-up system. Leverage an outsourced IT service to routinely backup and then test backups to reduce the business disruption impact in the event of a cyber breach. Backups are the best defense against ransomware attacks and avoiding having to pay ransoms.
9. Establish a records management policy (control and destruction). Determine how documents are stored, who has access, and establish “least privilege” with a “need to know” attitude and consider how you securely destroy old documentation.
10. Consider cyber insurance. Engage an agent to weigh the cost and benefits of insuring your business against cyberattacks and whether your business disruption, lost revenue, or other non-cyber specific policies cover cyber incidents.
11. Review website security. Use an outsourcing service to manage your website, keep it patched and up-to-date, and consider how you protect data that is collected through Web forms or application.
12. Establish mobile device rules. Use a Mobile Device Management (MDM) software to remotely establish required security settings (such as minimum password strength), forced encryption, and the ability to perform a remote device wipe to remove all data (called a poison pill) when the device is lost or stolen. MDM adds an additional layer of security but is costly and not a default feature of most mobile devices.
13. Use VPN security. The best way to protect data in motion from such attacks is to use a Virtual Private Network (VPN) service. A VPN creates a secure and encrypted connection through which your data travels from you to the intended recipient. No information (including passwords) are transmitted in the clear. There are many low-cost and easily deployed VPN services.
As you look to expand business or retain your key clients in a growing environment of cyber threats, remember Sheriff Brody's advice: Size does matter when you're going after big fish. Weigh the benefits and risks, and recognize that there is chum in the water, put there by criminals and regulators alike. And be prepared for the behemoth that might bite your line.
Mark Sangster is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations. In addition to Mark's role as VP and industry security strategist with managed cybersecurity services provider eSentire, he also serves as a member of the LegalSec Council with the International Legal Technology Association (ILTA). He can be reached at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1'Largest Retail Data Breach in History'? Hot Topic and Affiliated Brands Sued for Alleged Failure to Prevent Data Breach Linked to Snowflake Software
- 2Former President of New York State Bar, and the New York Bar Foundation, Dies As He Entered 70th Year as Attorney
- 3Legal Advocates in Uproar Upon Release of Footage Showing CO's Beat Black Inmate Before His Death
- 4Longtime Baker & Hostetler Partner, Former White House Counsel David Rivkin Dies at 68
- 5Court System Seeks Public Comment on E-Filing for Annual Report
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250