Cyber Resilience and the Importance of a Plan: How Law Firms Can Defend Against Cybersecurity Risks
World-famous boxer Mike Tyson once said, "Everyone has a plan 'til they get punched in the mouth." Those words of wisdom can pertain tobusiness,…
November 22, 2019 at 04:03 PM
9 minute read
World-famous boxer Mike Tyson once said, "Everyone has a plan 'til they get punched in the mouth." Those words of wisdom can pertain tobusiness, life, and in today's tech-driven world, cybersecurity and resiliency.
Many organizations now find themselves completely unprepared for a significant attack and the even greater business disruption it brings. According to the American Bar Association's Legal Technology Survey Report (2019), 26 percent of survey respondents said they had experienced some type of data breach at their firm, yet only 19 percent reported they did not know if they had fallen victim to a cyber attack or breach.
The negative consequences of digital security incidents in a law firm can be significant, with loss of billable hours and reputational damage at the top of the list. There are three basic things you can do to help better protect your firm and your clients from the embarrassment and mayhem typically associated with modern-day cyber attacks.
Know Your Business and Your Risk
The single most important thing you can do to better protect your firm or business from the chaos and destruction of a cyber attack is simple: know your business and understand the specific risks you face. As an attorney, you spend most of your time trying to understand how to better serve your clients, be more profitable, and perform work at the pinnacle of efficiency. But do you know where your clients' data is kept on your network and can you validate its integrity and security?
Banks have some level of physical currency on hand, which might be enticing for someone to steal, so they typically employ armed security guards and other security measures to protect those assets. Restaurants and retail stores are constant targets of cybercrime as they collect massive amounts of credit card data, so they conduct annual privacy assessments and audits to better identify weaknesses in security and adherence to data protection standards.
But what about law firms? What information might they possess that makes them a high-value target on today's cyber battlefield? Law firms and independent attorneys alike should be aware of three significant areas of data that entice thieves and hackers:
- The law firm's own internal data – This could include the firm's own financial data, client lists and contact information, and firm marketing materials and business plans for managing existing and growing future business.
- Data related to the work and representation a law firm provides to its clients – Communications, particularly emails, between the firm and its clients are desirable. Work product the firm has prepared in conjunction with its representation of its clients, including memos outlining strategies developed for advancing a client's interests, analysis of key legal issues, confidential presentations made to clients, drafts of contracts and other documents prepared by the firm which may contain comments related to confidential communications, intellectual property applications or data related to the fees charged to or collected from a client are also valuable.
- Sensitive information the firm has collected related to a client or an opposing party – Through the discovery process in litigation, a law firm becomes a repository for significant amounts of sensitive business and proprietary information it will end up producing, as well as what's already produced by the other side, and may include a protective order by a court regulating the use and disclosure of this type of information.
These assets can be extremely valuable to common cyber thieves as well as more sophisticated organized criminal operations, and most firms' business networks are left completely unprotected.
Be Proactive
Take a quick glance around your home or office. You likely have physical items and systems in place to notify and protect you in the event of a fire or intruders, including smoke detectors, alarms and fire extinguishers. Likewise, home security and video systems send push notifications when a door or window is opened or if movement is detected in your home, so you feel secure 24/7.
Just as we rely on these types of safety and monitoring systems in our homes, many of the world's largest corporations rely heavily on similar security technology to alert and proactively defend their networks and systems from both external and internal threats. And due to significant advances in modern technology, this type of monitoring is no longer reserved just for Fortune 500 companies.
Proactive 24/7 monitoring by a reputable cybersecurity firm can help your law firm or business easily achieve better security by:
- Scanning and patching your computers and servers for known vulnerabilities and exploits.
- Identifying all computers and devices connected to your network.
- Actively monitoring your cloud and on-premises network for malicious threats.
- Taking swift action based on real-time analysis, often stopping active attacks before they cause significant harm.
- Providing on-site incident investigation and evidence collection and reporting, often negating the need for engaging additional support during times of crisis.
Along with safeguarding your organization from external threats, more robust security monitoring also can better protect your business from malicious actions by internal staff, including intellectual property theft and unauthorized access. Several monitoring solutions also take real-time screenshots and videos of the alleged illicit act and store the materials in an encrypted digital format so they can be used later in HR proceedings or courtroom litigation. Proactive monitoring is an affordable, enterprise-grade level of security that keeps a watchful eye on all your systems and devices around the clock.
Additionally, law firms should put in place measures to control access to data so only the attorneys and staff who need to access specific types of data – or are under similar court-entered protective orders – are given access to only that data. Law firms should avoid putting data onto firm-wide accessible network platforms. Firms also can adopt relatively simple, but highly effective measures, like requiring two-step authentication or six-digit (as opposed to four-digit) access codes before being able to access data remotely.
Prepare So You Don't Panic
Emergency responders and elite military units are some of the world's best students at planning for the worst possible outcome and rehearsing the contingency plan, over and over. Have a plan for how your firm or business will respond to a cyber attack or digital disruption.
Following guidance from the National Institute of Standards and Technology (NIST), some main points of an incident response plan include:
- Preparation |
- Are there policies and procedures in place to address a cyber emergency?
- Do you have effective tools and training to handle the incident?
- Communication plans – what is the message you need to send to your clients and employees?
- Detection |
- What security tools are in place to detect an attack?
- Who is in charge of validating the threat and declaring an incident?
- Containment |
- Do you have the ability to identify and isolate the threat?
- Are there procedures in place to address evidence handling?
- Investigation |
- Who will handle the actual investigation into root cause of the incident?
- Are they qualified?
- Remediation |
- Who will handle the repair of affected systems and devices?
- Are there regulatory reporting requirements?
- Do you have qualified personnel who can handle the post-mortem incident reporting and documentation?
- Recovery |
- Who will lead the overall analysis of the incident and incorporate lessons learned into future incident response planning?
With the above framework in place, it also is extremely important to rehearse, or at the very least, make others aware of the plan. Cooler heads will always prevail if everyone in the organization is prepared for the extreme disruption a cyber incident can cause.
Part of having a plan is reviewing the firm's insurance coverages – both malpractice liability policies and general commercial liability policies – to see if their policies cover liability for data breaches. If your coverage doesn't include claims from clients which could arise if the network is breached, or coverage that applies to things like business interruption/disruption which can occur if the firm's email or network systems are compromised, consider purchasing cyber insurance. Some cyber insurance companies offer discounts if you already have strong security protocols or procedures in place.
Cybersecurity Is In Your Hands
Today's business landscape has seen a dramatic shift in just the past 10 years, from how information is stored to how data is monetized. Gone are the days of all client data being printed on reams of paper and housed safely in a banker's box.
To keep up with the pace of their clients and global business trends, modern-day law firms have shifted using digital assets, which comes with notable efficiencies as well as potential pitfalls. Momentum within our tech-savvy world continues, so it is important to become equally cybersecurity-savvy. And remember the human element is always the weakest point in any organization's security model. Education, planning and execution of the plan are key, as we all bear the responsibility of protecting our data and our clients.
JEFF ECKERT is a Director with Pathway Forensics; his email is [email protected]. STEVEN N. WILLIAMS is a Shareholder, Munsch Hardt Kopf & Harr, P.C.; his email is [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All'Virtue Begets Virtue': Tips for Practicing Law (and Living) Ethically
7 minute readLaw Firms Mentioned
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250