Kevin Baker, Marcum LLP.

According to a Law.com analysis, more than 100 firms have reported data breaches. The American Bar Association's Model Rules of Professional Conduct and ethics opinions state that attorneys have a duty to take reasonable steps to protect their clients' data. Unfortunately, these rules do not include any specific technical requirements that attorneys can reference. This puts attorneys in the difficult position of trying to determine what is sufficient when it comes to cybersecurity.

Even if the ABA provided technical specifications, the challenge is that cybersecurity is dynamic and continuously evolving. What was considered reasonable yesterday is not reasonable today, and today's standards will be obsolete tomorrow. Also challenging is that reasonableness itself changes based on specific circumstances. What is reasonable for a large firm may not be reasonable for a small practice and vice versa. However, one thing is true across all practice sizes: cyber criminals are attacking professional service firms in order to access their client data, and cybersecurity is a critical part of any modern practice.

Every practitioner needs basic cybersecurity systems such as firewalls and antivirus software, but that is no longer enough. Every day, cyber criminals find new ways to bypass these security systems. However, the most common point of failure is not the technology, but the user. This is true of attacks on firms of all sizes.


Common Cyber Attacks

Phishing, where an email is sent to numerous recipients with an inducement to click on a malicious link or attachment, is the most common type of attack used to infiltrate a network. Another common variant is spear phishing, where an attacker targets a specific individual, using readily available information to create a credible email that makes it more likely the victim will act as requested. For example, someone on the finance team may receive an email purportedly from a vendor with an invoice attached, requesting immediate payment. Or an engagement partner may receive an email purportedly from a client, with a link to a so-called important document. Considering the amount of publicly available information on the internet—corporate press releases, LinkedIn profiles, news reports and more—it is not surprising that cyber criminals are successful in deceiving people by easily forging legitimate-looking and personally relevant emails.

Once a victim opens a malicious link or attachment that infects their computer, a cyber criminal has access to the network and can proceed in any number of nefarious ways. In a ransomware attack, for example, files on a computer are encrypted by the invader, and the legitimate owner can only regain access with a decryption key after a ransom is paid. Paying the ransom is a risk, as it does not always result in a response from the attacker. The encryption used is enterprise grade and cannot be "cracked" or defeated without the specific decryption key. At other times, malware is installed to collect data such as usernames or passwords and to provide remote access to an attacker so they can further infiltrate the network and compromise other systems.

Although a single computer being compromised is dangerous, the biggest risk to a firm is that once an individual computer and user account are compromised, an attacker can use that access to attack other systems on the network. This is why you see headlines about entire companies being taken offline because a ransomware attack that started with one computer successfully propagated to all of the firm's computers and servers. It is also this lateral movement that allows cyber criminals to collect significant amounts of sensitive data, possibly over long periods of time after a computer has been compromised.


Practical Cybersecurity Practices

The single best data security practice that professionals can incorporate into their practice is to be very cautious with any email that contains a link or an attachment. Any time you receive a link in an email, before clicking on it you should hover over it (place your mouse over the link without clicking) to reveal the link's true destination. To identify fraudulent links, find the first "/" after the "http://" or "https://" and read the text to its left from the right; that is the site the link really goes to. For example, "http://microsoft.com.infected.com/index.html" goes to infected.com, not Microsoft. Also, be on the lookout for clever obfuscation, such as "http://nnicrosoft.com" or "http://micros0ft.com," where characters are substituted in order to appear as a legitimate domain. If you do not recognize the website, do not click on the link.
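The hover-and-read check described above can be written down as code. The following is an added example, not part of the article: it extracts the real host of a link, reduces it to the owning domain, and flags the kind of character substitution the text describes. The lookalike table and the two-label domain rule are simplifications chosen for this example.

```python
from urllib.parse import urlsplit

# Character substitutions attackers use to imitate a brand name (constructed
# for this example; a real checker would use a fuller confusables table).
LOOKALIKES = {"0": "o", "1": "l", "rn": "m", "nn": "m", "vv": "w"}


def true_host(url: str) -> str:
    """Return the host the link really goes to: the text between '://' and the first '/'."""
    if "://" not in url:          # a bare "site.com/path" link has no scheme
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Reduce a host to the domain that decides who owns it ('infected.com').
    Simplification: multi-label suffixes such as 'co.uk' are not handled."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize_lookalikes(domain: str) -> str:
    """Undo common substitutions so 'micros0ft' and 'nnicrosoft' both read 'microsoft'."""
    for fake, real in LOOKALIKES.items():
        domain = domain.replace(fake, real)
    return domain


def classify_link(url: str, expected_domain: str) -> str:
    """'ok' if the link really goes to expected_domain, 'lookalike' if it only
    imitates it through character substitution, otherwise 'other'."""
    domain = registrable_domain(true_host(url))
    expected = expected_domain.lower()
    if domain == expected:
        return "ok"
    if normalize_lookalikes(domain) == normalize_lookalikes(expected):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    for link in ("http://microsoft.com.infected.com/index.html",
                 "http://nnicrosoft.com", "http://micros0ft.com",
                 "https://www.microsoft.com/en-us/"):
        print(f"{link:48} host={true_host(link):28} {classify_link(link, 'microsoft.com')}")
```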

Similarly, it is also very important to confirm that attachments are safe before opening them. If you are unsure of the source of an attachment, verify it with the sender before you open it. It is common for cyber criminals to reference orders, invoices and shipment tracking documents in fraudulent emails. Just because you placed an order with Amazon, had packages delivered by FedEx, or used Chase Bank, does not mean you should open an attachment that appears to be from them. Keep in mind that in today's environment, companies rarely send sensitive information as an email attachment. If you receive an email with an attachment, go directly to the company's website and review your account information there.

Gone are the days of poorly written emails from far-flung royals looking for a U.S. checking account in which to park sovereign funds. Today's cyber criminals use Ph.D. psychologists to create credible emails that are extremely effective at getting users to click.

At the same time, today's e-commerce systems have matured and are incredibly efficient and accurate. It is much more likely that a cyber criminal is trying to exploit human nature than that an order has been placed in the wrong name or a shipping mishap has caused a package not to be delivered. Be aware of any email that is specific enough to get your attention, but too vague to communicate required details without opening an attachment. If you are ever in doubt, do not open the attachment and either confirm its authenticity or ask for assistance in scanning the file for malware.

We all make mistakes. If you accidentally open a malicious attachment or link, it is very important to immediately report it to your information technology department and take steps to determine if your computer was infected. If you are in doubt about whether your computer is infected with malware, shut it down until it can be properly analyzed. The minutes after a computer is compromised are critical. The sooner the computer is turned off or disconnected from the network, the less time is available for malware to cause damage and propagate.

Another important practical security step for attorneys, no matter their practice type, is proper password management. After cyber criminals compromise a website or network, they steal all of the available passwords and sell them. Other cyber criminals buy the passwords and try to use them to compromise additional sites. When you reuse passwords, you expose yourself to this type of attack.

At a minimum, there are certain rules you should always follow for password protection. Always use a unique password for each email system. Email systems contain a treasure trove of sensitive data. If you use the same password at cheapgolf.com and for your email account, a cyber criminal who compromises cheapgolf.com (which is likely far easier to penetrate than your email server) can then use your password to access your email. Any system that has client data also needs to have a unique and complex password. The most secure solution is to use a password manager that generates unique complex passwords for each system, but this solution can be challenging if you access many systems from multiple locations.

There are some additional steps you should take to help secure your data. Follow the guidance of your IT department or security professional. Turn on two-factor authentication, which sends you a code for each login via a text message or authentication app, for any websites or systems that support it.


Next Steps

If you want to see how often data breaches occur, go to https://haveibeenpwned.com/ and enter your email address. This site will show you all of the known data breaches containing your email address. You will find that many of them include your password and other personal information.
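The same site also lets you check whether a password itself has appeared in a breach, and it does so without ever receiving the password. The following is an added example, not from the article, of that range (k-anonymity) lookup: only the first five characters of the password's SHA-1 hash are sent, and the match against the returned list is made locally. The range response here is constructed for the demo; the real endpoint is named in the code but never called.

```python
import hashlib
from typing import Dict, Tuple

# Real endpoint of the Pwned Passwords range API; this example never calls it.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """The 5-character hash prefix that is sent and the 35-character
    suffix that stays on your machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Scan a range response ('SUFFIX:COUNT' per line) for our suffix; 0 if absent."""
    for line in response_text.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def check_password_offline(password: str, response_text: str) -> int:
    """Number of breaches the password appeared in, given the range response
    for its prefix. In real use the caller would GET RANGE_URL + prefix first."""
    _prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, response_text)


def build_sample_response(breached: Dict[str, int]) -> str:
    """Construct a stand-in range response (not real breach data). A real
    response lists only hashes sharing the queried prefix; the filler
    suffixes below are made up."""
    lines = [f"{sha1_hex(p)[5:]}:{n}" for p, n in breached.items()]
    lines += ["0018A45C4D1DEF81644B54AB7F969B88D65:3",
              "FFD2BB2E0D5A6E5F1A4D3C2B1A0F9E8D7C6:1"]
    return "\r\n".join(lines)


if __name__ == "__main__":
    sample = build_sample_response({"Password123": 42})   # constructed sample
    print("Password123 seen", check_password_offline("Password123", sample), "times")
```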

There is no one-size-fits-all solution to cybersecurity. It is your duty to take reasonable steps to protect your clients' and your firm's data. This includes fundamentals like firewalls and antivirus software, but today it also includes many more measures. From training and written policies to professional cybersecurity advisers, it is important to take cybersecurity seriously and make it an integral part of your practice. Our clients rely on security assessments, penetration tests, social engineering tests and many other services to ensure appropriate cybersecurity. Implementing proactive, preventative, and well-documented security measures is important for your data security to be effective and defensible.

Kevin Baker is an advisory services director in Marcum's Philadelphia office and head of the digital forensics practice. He can be reached at [email protected].