Law Firms Must Step Up Cybersecurity

A recent article in the New York Times underscores the demands clients are placing on their law firms to step up their cybersecurity. Financial institutions, including some Wall Street banks, are asking their outside counselors to answer questionnaires of up to 60 pages, which probe the firm’s cybersecurity measures. Other types of corporations are also asking their legal firms to allow internal and/or external Information Technology (IT) firms to perform an audit.
Clearly these institutions are interested in keeping their own secrets and confidential client information safe from the growing threat of Black Hat Hackers. These secrets and confidential information could be used by hackers for their own financial gain or even shared with other organizations.
The corporate auditors want to know if steps are being taken to guard against the potential compromise of sensitive information. This includes protecting against online intrusions, requiring corporate email encryption, eliminating data walking around on thumb drives, preventing email or documents from being sent to unsecure iPads and other mobile devices, and more.
If these companies do not feel that a law firm is taking the appropriate precautions, it follows that legal work may be withheld from firms that are either unprepared or uninterested in stepping up their cybersecurity. Firms may also be required to purchase cybersecurity insurance in addition to their existing Errors and Omissions (E&O) or legal malpractice policies.
Research by FireEye, a cybersecurity firm, estimates that 95% of all organizations are vulnerable to attacks. In its report titled “Law Firm’s Survey 2013 – Executive Summary,” FireEye says, “Information Security is a key area of focus across all law firms, but over one-quarter of respondees to our survey have yet to carry out a security risk assessment covering both Information Security and Physical Security.”
Law enforcement is concerned as well about the vulnerability of American law firms to online attacks. The FBI recognizes that law firms are a rich repository of corporate secrets, business strategies and intellectual property. These secrets, once discovered, could be used by potential hackers to manipulate a transaction or to financially gain from a deal before it is announced.
According to reports, the FBI began to meet with the managing partners of top law firms in the United States as early as 2011. The meetings stressed the need for cybersecurity in such large firms. The FBI especially expressed concern for law firms with offices in foreign countries like China and Russia.
The push from corporate clients may just be the catalyst that causes law firms to tighten up their security. It is one thing if law enforcement encourages you to take cybersecurity seriously; it is another if a corporate client indicates that failure to do so will affect your bottom line. Encouragement can also come in the form of an example. One such example is Target’s breach at the end of 2013, in which the retailer says that at least 40 million credit and debit card accounts were compromised.
Pressure from the Securities and Exchange Commission (SEC) appears to be pushing the financial institutions into tightening their security, which in turn is pushing the law firms. SEC financial regulators are requiring banks to make sure the vendors they rely on, such as law firms and other service providers, are vigilant when it comes to dealing with cybersecurity.
“The public and private sectors must be riveted in lock step in addressing these threats,” said Mary Jo White, the Chairwoman of the SEC. She made this comment at a round-table discussion, held in late March 2014, on the obligations of public companies to disclose online attacks.
It is likely that some law firms, like most organizations, have been hacked and don’t know it. It is not unusual for organizations which have had an intrusion to be completely unaware for months or years.
ABOUT THE AUTHOR: Scott Greene of Evidence Solutions, Inc.
For over 30 years, Scott Greene has been helping companies meet the challenges of the swiftly evolving computer technology industry.
Directly from high school, Scott went to work for IBM. Scott studied Systems Engineering at the University of Arizona. He has since earned certifications in many products and programming languages.
The Evidence Solutions team analyzes data from Computers, Cell Phones, Black Boxes, Dispatch Systems, Medical Records, Email systems and more. Scott then explains the digital evidence in plain English.
Scott’s extensive knowledge draws clients to him from all over the United States as well as internationally for consulting, forensics and expert witness services. His extensive and diverse experience allows him to be an expert in many facets of digital and electronic evidence. Scott, a sought-after speaker and educator, travels throughout the country sharing his knowledge and presenting to local, regional, national and international organizations.
Copyright Evidence Solutions, Inc.
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.