Many attorneys feel overwhelmed by cybersecurity issues, stick their heads in the sand, and do nothing to protect their firm’s information. Part 1 of this article covered the reasons why law firms need to be concerned about cybersecurity, and why they need to actively protect their firm’s information. A few of those include federal and state laws, common law, legal ethics requirements, and the fact that law firms have become a favorite target of hackers (who see firms as one-stop shops for sensitive and valuable information). And of course, data breaches can have serious consequences for law firms.
Now, part 2 will cover key elements of how law firms can address those concerns, and thereby: (1) decrease the odds of a cybersecurity incident or breach, and (2) increase the firm’s ability to detect, respond, and recover from one when (not if) it happens. While entire books have been written about law firm cybersecurity, this article will cover several of the basics, and serve as at least a starting point for improving existing law firm cybersecurity practices.
Every law firm, from the biggest global firm to the solo practice, has sensitive information that it must protect: information about its clients, employees, and even third parties (such as information obtained in discovery from opposing parties). And, as discussed in part 1 of this article, every law firm must take reasonable measures to protect this information.
Written information security program (WISP)
While what is considered “reasonable” may vary depending on the circumstances (e.g., the sensitivity of the information, the likelihood of disclosure without additional safeguards, and cost), every law firm should, and under some laws must, have a written information security program (WISP) and a designated individual responsible for it.
Before developing a WISP, law firms should:
- Take stock: The first step towards securing your law firm’s information is conducting an inventory of the firm’s information assets. This includes determining what information the firm has (not only on computers or servers, but also mobile devices, flash drives, and cloud services), identifying the types of information, where it is located, who has access to it, and how it moves in and out of the firm.
- Determine applicable laws and other legal obligations: Once the firm has completed its inventory, it must use the results to determine what laws and standards apply to it. For example, is the firm subject to the security requirements of a federal law such as HIPAA or the Gramm-Leach-Bliley Act? Does the firm represent a client who is a resident of Massachusetts, and therefore need to comply with that state's stringent information security regulation, 201 CMR 17.00 (which requires, among other things, a WISP)? Is the firm contractually bound to meet certain information security requirements? For example, law firms that accept credit cards must, by contract with the card brands, adhere to the Payment Card Industry Data Security Standard (PCI DSS).
- Perform a risk assessment: The next step is a risk assessment. Identify the threats to the firm's information (both internal, such as careless or malicious employees, and external, such as hackers), and estimate the likelihood and impact of each. Rather than reinventing the wheel, use one of the existing frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or NIST Special Publication 800-30 (Guide for Conducting Risk Assessments).
Once those three steps are completed, a law firm can then use the results to develop, implement, and maintain a WISP that is tailored to the firm’s unique needs. A WISP should include administrative, technical, and physical safeguards for information. Key elements include, but are certainly not limited to:
Administrative policies and procedures
- Password requirements: require strong, unique passwords on all devices and accounts (length matters more than forced complexity), and prohibit reusing firm passwords on personal sites.
- Email and internet use: watch for phishing attempts (don't open hyperlinks or attachments in suspicious email, and verify unexpected requests for payments or credentials by a separate channel such as a phone call); forbid installing unapproved applications or software (they may contain malware).
- Remote access: make sure the firm's remote connections are encrypted (e.g., through a VPN), and that public computers (e.g., hotel business center computers) are never used for firm work.
- Information collection: collect only the minimum information you need for business purposes: if you don't collect it, it can't be lost or stolen.
- Information retention: keep information for only as long as you reasonably need it for business purposes or legal compliance, and then securely dispose of it.
- Mobile devices: in addition to strong passcodes, require device encryption and automatic screen locking, and restrict Wi-Fi use to trusted networks (or route untrusted Wi-Fi through the firm's VPN).
- Third-party vendor management: conduct due diligence prior to engaging third-party vendors and require contractual security requirements (with regular monitoring) consistent with the firm’s WISP.
- Audits and testing: ensure compliance and test the effectiveness of the program.
Technical safeguards
- Encryption: encrypt data at rest (on desktops, laptops, servers, cloud services, mobile devices, etc.) and in transit (whenever data is sent from one person or system to another).
- User authentication: require two-factor (multi-factor) authentication, especially for email, remote access, and cloud services, since a stolen password alone should not be enough to get in.
- Firewalls: protect your information while connected to the internet by using properly configured firewall software to block hackers from accessing firm computers.
- Cybersecurity software: utilize cybersecurity software, such as data loss prevention (DLP) and anti-malware, and keep it updated.
- Whitelisting (application allowlisting): only allow installation of previously approved software or applications.
- Data backups: backups may be the only thing that can save you from a ransomware attack or natural disaster. Back up sensitive and critical data as often as you can, keep at least one copy offline or otherwise disconnected from the network (ransomware encrypts any backup it can reach), and periodically test that the backups actually restore.
- Logging and monitoring: keep records of activity on the firm's network and monitor incoming and outgoing traffic for suspicious activity or signs of a data breach (e.g., repeated failed login attempts, activity at unusual times of day, an unexpected increase in data sent to an unknown destination, etc.). Logs are only useful if they are retained and someone actually reviews them or receives alerts from them.
- Mobile device management (MDM): centrally manage use of mobile devices and push controls to devices that will limit risks (e.g., requiring strong passwords, remote-wipe capability, and preventing users from altering security settings).
- Software updates: security updates (patches) fix vulnerabilities that are already known, and attackers actively look for systems that have not yet applied them. Install updates as soon as possible, and enable automatic updates wherever practical.
Physical safeguards
- Locking doors and file cabinets: store portable devices (laptops, backup drives, etc.) and documents with sensitive information in a locked room or file cabinet.
- Lock computers and devices: computers and devices should be locked when unattended.
- Secure destruction and disposal: ensure that old computers, devices, and documents are securely destroyed or wiped before recycling so that the information they contained is no longer accessible.
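The logging and monitoring bullet above names three warning signs: repeated login attempts, activity at unusual times of day, and an unexpected jump in data sent to an unknown destination. The following is an added example (it is not from the original article and not any particular product's logic) of how such checks can be run over log lines. The log format, thresholds, business hours, and list of known destinations are assumptions chosen for illustration, and the sample log lines are constructed, not real firm data.

```python
"""Toy log review illustrating the three signals from the
'logging and monitoring' bullet. The log format and thresholds are
assumptions for this example, not any real product's format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real firm data). Each line is a UTC
# timestamp followed by key=value fields.
SAMPLE_LOG = """\
2017-06-12T09:02:11Z event=login_ok user=jsmith src=198.51.100.20
2017-06-12T09:05:40Z event=login_failed user=jsmith src=203.0.113.7
2017-06-12T09:05:52Z event=login_failed user=jsmith src=203.0.113.7
2017-06-12T09:06:03Z event=login_failed user=jsmith src=203.0.113.7
2017-06-12T09:06:15Z event=login_failed user=jsmith src=203.0.113.7
2017-06-12T09:06:30Z event=login_failed user=jsmith src=203.0.113.7
2017-06-12T09:06:44Z event=login_ok user=jsmith src=203.0.113.7
2017-06-12T14:30:00Z event=outbound user=jsmith dst=mail.example.org bytes=120000
2017-06-12T14:31:00Z event=outbound user=jsmith dst=mail.example.org bytes=95000
2017-06-13T02:14:05Z event=login_ok user=jsmith src=203.0.113.7
2017-06-13T02:20:00Z event=outbound user=jsmith dst=203.0.113.9 bytes=850000000
"""

# Assumed thresholds; a real deployment would tune these to the firm.
FAILED_LOGIN_THRESHOLD = 5                    # this many failures from one source
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # within this window
BUSINESS_HOURS = range(7, 20)                 # 07:00-19:59 UTC counts as normal
KNOWN_DESTINATIONS = {"mail.example.org"}     # hosts the firm expects to talk to
OUTBOUND_BYTES_THRESHOLD = 100 * 1024 * 1024  # 100 MiB to an unknown host


def parse_line(line):
    """Turn '2017-...Z k=v k=v' into a dict, with the timestamp under 'ts'."""
    ts, _, rest = line.partition(" ")
    record = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in rest.split():
        key, _, value = field.partition("=")
        record[key] = value
    return record


def analyze(log_text):
    """Return a list of (signal, detail) tuples for suspicious activity."""
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    findings = []

    # 1. Burst of failed logins from one source address (password guessing).
    failures = defaultdict(list)
    for r in records:
        if r.get("event") == "login_failed":
            failures[r["src"]].append(r["ts"])
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - FAILED_LOGIN_THRESHOLD + 1):
            if times[i + FAILED_LOGIN_THRESHOLD - 1] - times[i] <= FAILED_LOGIN_WINDOW:
                findings.append(("failed_login_burst", src))
                break  # one finding per source is enough

    # 2. Successful login outside business hours.
    for r in records:
        if r.get("event") == "login_ok" and r["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours_login",
                             f"{r['user']} from {r['src']} at {r['ts'].isoformat()}"))

    # 3. Large total outbound transfer to a destination the firm does not recognise.
    outbound = defaultdict(int)
    for r in records:
        if r.get("event") == "outbound":
            outbound[r["dst"]] += int(r["bytes"])
    for dst, total in outbound.items():
        if dst not in KNOWN_DESTINATIONS and total >= OUTBOUND_BYTES_THRESHOLD:
            findings.append(("large_unknown_outbound", f"{dst} {total} bytes"))

    return findings


if __name__ == "__main__":
    for signal, detail in analyze(SAMPLE_LOG):
        print(f"{signal}: {detail}")
```

On the sample data this reports all three signals: five failed logins from 203.0.113.7 in under a minute followed by a success, a login from that same address at 02:14 the next morning, and roughly 850 MB sent to an address the firm has never used. In practice these records would come from firewall, VPN, and email logs rather than a hand-built parser, but the point the bullet makes still applies: none of these would be visible unless logs are kept and reviewed.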
Training
The greatest WISP in the world will be useless if the people who are supposed to follow it have not received regular, formal training on it. Law firms should require mandatory training at least annually (and as otherwise needed as technology and risks evolve) and require employees to acknowledge their completion in writing. Training should cover not only what is in the WISP, but also the threats to the firm's information, such as phishing and social engineering.
Incident response plan
In 2012, then FBI Director Robert S. Mueller III said, "I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again." In the five years since that statement, the cyber threats have only increased.
Following a WISP will reduce the odds of a cybersecurity incident or breach, but law firms still need to have an incident response plan in place for when it does happen. Incident response plans cover not only data breaches, but also lesser “incidents,” such as attempted breaches, lost devices, and receiving phishing emails.
Having an incident response plan will help the firm determine what steps should be taken, how to go about investigating the incident, and how to remedy the problem. And, it will allow for a faster, more organized, and more comprehensive response, which may help preserve evidence and mitigate the damages of an incident.
Like a WISP, the plan should be tailored to the firm's needs. Larger firms will likely have larger and more complex plans, and a solo practice's plan might be as simple as a good checklist. Common elements of any plan include:
- Identify internal personnel responsible for implementing each part of the plan.
- Identify outside counsel who specialize in cybersecurity law and can manage the response and direct the investigation, which helps preserve attorney-client privilege over it.
- Identify the firm’s insurance provider, which should be contacted as soon as possible after an incident is detected.
- Identify a digital forensics consultant who can help investigate, and possibly mitigate the effects of, the incident.
- Identify the legal, ethical, and contractual information security requirements (such as those relating to breach notification) that the firm must comply with, and how they will be complied with.
- Determine what information may have been improperly accessed or breached, and whether it was encrypted (many breach notification laws exclude encrypted information, provided the encryption key was not also compromised).
Lastly, many general liability and malpractice policies do not cover cybersecurity incidents or breaches. Given the high risk and serious potential consequences of a cybersecurity breach (covered in part 1 of this article), law firms should seriously consider purchasing cyber insurance, and should read the policy's coverage and exclusions carefully before an incident rather than after one.
While cybersecurity incidents and breaches present a growing threat to law firms, implementing a reasonable cybersecurity program for your law firm will significantly improve the firm’s ability to prevent, detect, respond to, and recover from them.