Periodically, the heat is turned up on the legal industry, and recently the New York Times reported on the concept of information sharing between Wall Street banks and law firms.[1]  This came to mind as I had breakfast with one of the policy architects of the public/private initiative that led to the creation of the NIST Framework for Improving Critical Infrastructure Cybersecurity.  One of the major goals of the information sharing initiative is to open up sharing across industries.  For example, the FS-ISAC, or Financial Services – Information Sharing and Analysis Center, has been embraced by major financial services firms, and we see adoption among a variety of both public and private money management firms.  The link between the legal and financial services industries is undeniable and raises the question: what are law firms doing to protect their clients’ data?

The regulatory push for Due Diligence of critical third-party vendors, which arguably includes law firms, suggests that the internal privacy and information security requirements of financial services firms should be extended to their legal counterparts.

Law firms, of course, are subject to their own panoply of ethical, statutory, and state considerations to protect client information.  This, in itself, is a lengthy discussion, but a clear understanding of such issues is the starting point for providing a targeted approach to cybersecurity for the legal industry.

The FBI, dating back to 2009, had warned law firms via an alert of the potential for targeted cyber-attacks via phishing campaigns.  This is fascinating as, more than five years later, it appears that the JP Morgan/Chase breach of 2014 was caused by an employee giving up credentials in response to a phishing email.  In other words, the human threat and response remains a very clear issue which needs to be addressed across industries, financial, legal, or otherwise, via continuous training.

While law firms do not fall under the category of “critical infrastructure providers” as defined by the Presidential Policy Directive (PPD-21), this is clearly an industry built upon the protection of confidential information in which business and reputational risk is paramount.  We have recently seen such risk elucidated in other non-infrastructure industries, such as the Sony breach, which in combination with preceding PlayStation mishaps and corresponding class action lawsuits, is estimated to cost SPE above $120 million.

Excellent resources are emerging for the legal industry as the American Bar Association has begun to address cybersecurity in a comprehensive manner.  The National Law Journal has also published several key articles covering cybersecurity.

As the legal industry continues to enhance cybersecurity practices, we would recommend the following steps to consider or evaluate your firm’s readiness:

  1. Open up communications on cybersecurity and make sure defined threats and vulnerabilities are included in your firm’s Risk Management process.  Management, operational personnel, and Partners should understand their role in protecting assets and information;
  2. High-level IT personnel should have an understanding of specific ethical, regulatory, state, and other requirements.  Such knowledge is the starting point for “data classification” and the corresponding controls and information practices;
  3. Laptops and mobile devices utilized by Partners, attorneys, and employees with access to sensitive data should be encrypted and maintained under central administrative controls;
  4. At times we have found that the structure at firms can be relatively flat, with Partners and attorneys having broad access to client information.  Consider rigorous segregation of data as far as feasible, and plan for the possibility of a specific Partner or attorney being compromised.  What is the extent of “travel” or access that can occur if a single person is successfully attacked?  While many firms are putting in place sophisticated MSSP and APT solutions, your basic controls will make the difference in the event of a breach;
  5. Similar to well-considered segregation policies, access and authorization methods must be improved across industries.  Two-factor authentication must be put in place, not only for firm personnel but also for third parties accessing networks and systems.  Two-factor won’t prevent the theft of credentials, but it will help stop the fraudulent re-use of those credentials.  Again, this is a critical control for limiting damage in the event that a user or users become compromised.
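To make step 5 concrete, here is an added example (not part of the original article, and not any vendor's product code) of why a second factor limits the re-use of a phished password: a login check that requires a salted password hash to match and a one-time RFC 6238 TOTP code that is accepted once and never again for the same time step.  The account name, password, and base32 seed are constructed for illustration, as is the fixed timestamp used so the scenario is reproducible.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, at // step, digits)


class Account:
    """One user record: salted password hash, TOTP seed, and replay state."""

    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        # Constructed static salt so the example is deterministic; a real
        # system draws a fresh random salt per account (e.g. os.urandom(16)).
        self.salt = b"constructed-example-salt"
        self.password_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.totp_secret = totp_secret
        self.last_accepted_step = -1  # highest time step whose code has already been consumed


def check_password(acct: Account, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 100_000)
    return hmac.compare_digest(acct.password_hash, candidate)


def check_totp(acct: Account, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept a code for the current step or +/- `window` steps of clock drift,
    but never for a step at or below the last one already used: a captured
    code cannot be replayed, even within its 30-second validity."""
    current = now // step
    for candidate_step in range(current - window, current + window + 1):
        if candidate_step <= acct.last_accepted_step:
            continue
        if hmac.compare_digest(hotp(acct.totp_secret, candidate_step), code):
            acct.last_accepted_step = candidate_step
            return True
    return False


def login(acct: Account, password: str, code: str, now: int) -> bool:
    """Both factors must pass. The password is checked first so that a wrong
    password does not consume a valid one-time code."""
    if not check_password(acct, password):
        return False
    return check_totp(acct, code, now)


def demo() -> dict:
    """Walk through the scenarios from the article: a phished password alone,
    a legitimate login, a replay of the captured code, and the next code."""
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")  # constructed seed, not a real one
    password = "correct horse battery staple"      # constructed password
    acct = Account("partner.example", password, secret)
    now = 1_700_000_000                            # fixed timestamp for reproducibility
    code = totp(secret, now)
    wrong_code = "000000" if code != "000000" else "111111"

    results = {}
    # Attacker holds the phished password but has no authenticator: rejected.
    results["phished_password_only"] = login(acct, password, wrong_code, now)
    # The real user logs in with password plus the current code: accepted.
    results["legitimate"] = login(acct, password, code, now)
    # Attacker replays the captured code a few seconds later: rejected.
    results["replayed_code"] = login(acct, password, code, now + 5)
    # The real user's next code, in the following time step: accepted.
    results["next_step"] = login(acct, password, totp(secret, now + 30), now + 30)
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

The replay check is the part worth noting: many off-the-shelf verifiers accept any code within the drift window, so a code captured by a phishing page that proxies the login in real time would still work for up to a minute.  Recording the last accepted step closes that window to a single use, which is exactly the "stop the fraudulent re-use" property the article describes.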

There are many other considerations for law firms, such as clear policies and procedures for protecting data and a Written Information Security Program (WISP), including Response and Recovery protocols for IT security events.  I am also concerned that the knee-jerk reaction to protect law firms may be to put in place the most complex and onerous IT security standards, which does not make much sense from a cost-effectiveness and perhaps even a risk-reduction standpoint.  Cybersecurity is a common sense, collaborative, and ongoing effort, especially for industries with considerable business risk.

The most obvious starting points, even based upon recent and sophisticated attacks, are communication and training.

I have included a link for an article currently posted on the ABA’s website.  The NIST Framework is a viable and cost-effective solution for Law Firms.  Please also consider downloading our article “5 Reasons” concerning the Framework.

Contact Artemis for further discussion of best practices and methods for mitigating business risk.  We pride ourselves on helping you determine custom solutions for the size and scope of your business.