OM Feature Operations Management

Protection Under the Law

You owe clients more than strong representation — you owe them strong security for their data.

Eric Butterman

Early on, anyone interested in the law learns about client-lawyer confidentiality. But it isn’t just an overly friendly staff member’s loose lips that are cause for worry — it’s also loose security.

Tucked away within the hard drives and servers of law firms throughout the world is something as valuable as currency: information. So how do you protect your client beyond your professional obligation to keep a secret? How do you make your firm as tech-savvy as it is trustworthy?

GETTING DEFENSIVE

Gary Salman, Chief Executive Officer of Black Talon Security, LLC, has worked with his share of firms from mergers and acquisitions to intellectual property. He knows how vulnerable and valuable a firm’s data can be.

“Hackers are adapting a relatively new methodology for extorting data and networks,” he says. “We call it Ransomware 2.0. In this scenario, hackers gain access to your network (often without you knowing), steal your data and then encrypt it. They then typically make two ransomware demands. The first demand is to pay them to turn over the decryption keys so you can unlock your encrypted files. The second is to prevent them from publicly publishing the data for everyone to see. Basically, they are holding you hostage twice.”

But there are things you can do to protect sensitive data. First, implement a multilayer approach when it comes to potential vulnerabilities.

“So often firms, their attorneys and staff, aren’t trained properly,” he says. “They have click risk. Employees receive emails from known or unknown individuals that contain malicious links or attachments. These links or attachments, when clicked on, can cause a cyberattack resulting in data being stolen and the firm being extorted. Having a comprehensive cybersecurity awareness training program is almost a must.” Salman says you must educate and empower everyone in your firm so they can make good decisions when it comes to using the internet and email.

“Vulnerability management and knowing what vulnerabilities exist within a computer or network are key. Usually it’s out-of-date software and/or improperly configured protocols. At its core, it’s a lack of being prepared.”


Melissa Ventrone, an attorney and Leader of the Cybersecurity, Data Protection & Privacy team at law firm Clark Hill, says her firm often has a different training program around every month or every other month. “Most incidents or exposure of data have some kind of personnel interaction in it, whether reaction to a phishing email, giving their credentials or some other kind of response. Law firms work so much with email and data and are responding to people all the time. We see even the tech-savvy falling for these scams.”

Vulnerability management on devices and firewalls is critical, Salman says, noting that if you don’t configure firewalls properly, you may be exposing your network and data to threat actors.

“When we test firewalls, about 60% of them are not properly configured,” he says. “We utilize sophisticated testing, vulnerability management and penetration testing to see if we can get at the data.” He says this type of analysis, a penetration test, is designed to simulate a hacker trying to break into your network. Once the testing is complete, the findings go to the firm’s IT company or internal tech support department so they can remediate them.

For vulnerability management, you install an agent on every device, and it scans the computer for known vulnerabilities. Salman notes there are approximately 20,000 documented vulnerabilities.

Patch management, as part of the data policy plan, should be enforced centrally from the server rather than left to each user. “Don’t allow individuals such as an attorney or an assistant to make those decisions,” Salman says. “What if they don’t want to do this update tonight and they want to do it next week or maybe a month from now? Now your computers potentially are vulnerable and could be weeks out of date.”
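The two checks described above, matching what is installed against a list of known-vulnerable versions and flagging machines whose patching has been deferred too long, are mechanical enough to show in code. The following Python script is an added example written for this article; it is not Black Talon's tooling or any vendor's product. The advisory feed (with hypothetical ADV-* identifiers, not real CVEs), the host inventory, the product names and the dates are all constructed for the demo.

```python
from datetime import date

# Constructed advisory feed (hypothetical ADV-* identifiers, not real CVEs):
# a product is affected when its installed version is older than "fixed_in".
ADVISORIES = [
    {"id": "ADV-0001", "product": "docreader", "fixed_in": "3.2.1", "severity": "critical"},
    {"id": "ADV-0002", "product": "pdfkit", "fixed_in": "11.0.4", "severity": "high"},
    {"id": "ADV-0003", "product": "pdfkit", "fixed_in": "10.9.0", "severity": "critical"},
]

# Constructed inventory, as an endpoint agent might report it back to the server.
INVENTORY = [
    {"host": "atty-laptop-07", "product": "docreader", "version": "3.1.9", "last_patch": "2024-02-01"},
    {"host": "atty-laptop-07", "product": "pdfkit", "version": "11.0.4", "last_patch": "2024-02-01"},
    {"host": "paralegal-03", "product": "pdfkit", "version": "10.8.2-beta", "last_patch": "2023-12-15"},
    {"host": "fileserver-01", "product": "docreader", "version": "3.2.1", "last_patch": "2024-03-01"},
]


def parse_version(text):
    """Turn '10.8.2-beta' into (10, 8, 2) so versions compare numerically,
    not as strings (where '10.9' would wrongly sort before '9.1')."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_vulnerable(inventory, advisories):
    """Match every installed product against the feed; one finding per hit."""
    findings = []
    for item in inventory:
        installed = parse_version(item["version"])
        for adv in advisories:
            if adv["product"] != item["product"]:
                continue
            if installed < parse_version(adv["fixed_in"]):
                findings.append({
                    "host": item["host"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "installed": item["version"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


def stale_hosts(inventory, as_of, max_days=14):
    """Hosts whose most recent patch is older than max_days as of the given date
    (ISO string or date). This is the 'I'll do the update next month' problem
    made visible to whoever runs the server-side patch policy."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    latest = {}
    for item in inventory:
        patched = date.fromisoformat(item["last_patch"])
        if item["host"] not in latest or patched > latest[item["host"]]:
            latest[item["host"]] = patched
    return sorted(h for h, d in latest.items() if (as_of - d).days > max_days)


if __name__ == "__main__":
    for f in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"{f['host']}: {f['advisory']} ({f['severity']}) "
              f"{f['installed']} installed, fixed in {f['fixed_in']}")
    print("hosts more than 14 days behind on patching:", stale_hosts(INVENTORY, "2024-03-04"))
```

Run as-is, the script reports three findings (one on the attorney laptop, two on the paralegal machine, none on the file server, which is already at the fixed version) and lists both workstations as overdue for patching. A real agent feeds a far larger inventory and a vendor-maintained advisory list into the same kind of comparison.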

Multifactor authentication is also important. It means using at least two ways to identify yourself in order to get into something, such as email or your firm’s cloud service: a password plus a number from a device on your keychain, for example, or a second check that comes over your phone. The point is that a stolen or phished password alone is no longer enough to get in.
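The "number from a device on your keychain" is usually a time-based one-time password: the device and the server share a secret, and each computes the same six-digit code from that secret and the current 30-second window, so no network link between them is needed. The Python below is an added example written for this article (not code from any of the firms or vendors quoted) implementing RFC 4226 HOTP and RFC 6238 TOTP with only the standard library; the demo secret is the RFC 6238 test seed, and the server-side `verify_totp` with its replay check is my own illustration of what a login service has to do.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test seed, used here purely as demo data. A real enrollment
# generates a random secret per user and hands it to the device as base32.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then
    'dynamic truncation' picks 4 bytes by the low nibble of the last byte."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238: the counter is the number of 30-second steps since the Unix
    epoch, which is why keychain token and server agree without talking."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, last_counter=-1, window=1, step=30, digits=6):
    """Server-side check. Returns the accepted counter, or None.
    - window=1 tolerates one step of clock drift either way;
    - counters at or below last_counter are refused, so a code that was
      phished or shoulder-surfed cannot be replayed inside its 30 seconds
      (the caller must persist the returned counter per user);
    - compare_digest keeps the string comparison constant-time."""
    base = int(at_time) // step
    for counter in range(base - window, base + window + 1):
        if counter < 0 or counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def secret_from_base32(text):
    """Authenticator apps enroll secrets as base32, often shown with spaces
    and without '=' padding; restore the padding before decoding."""
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("code for the current 30-second step:", code)
    print("server accepted counter:", verify_totp(DEMO_SECRET, code, now))
```

The replay check matters in practice: an attacker who phishes both the password and the current code has 30 seconds to use it, and refusing any counter the server has already accepted closes that window for the second login attempt. Phone-based push approval works differently under the hood, but the property the article is after is the same: the password by itself no longer opens the door.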

“Taking that next step for it means having it in place when it comes to any kind of vendor, IT support, help desk, any employee and any staff,” Ventrone says.

WHEN A BREACH OCCURS

A data policy isn’t just about preventing a breach; it also has to include a plan for when one happens, because even a well-thought-out policy isn’t a 100% guarantee.

“For every breach response we’ve been involved in, it seems hardly anyone has had a plan in place for dealing with this type of loss,” Salman says. “Whatever your plan, it can’t involve a person who won’t deal with it until Monday morning if it happens on a weekend. You have to have a plan that deals with many aspects of an attack, such as legal, PR, business continuity, recovery, etc.”


Ventrone, who is also a Certified Information Privacy Professional, recommends having a cyber insurance policy in case of a breach.

Andrea Markstrom, Chief Information Officer at Taft Stettinius & Hollister, says her firm follows a proactive and responsive philosophy, with a managed service provider in place to help monitor 24/7.

“On the security policy side, we made sure to have an information security policy in place that meets our clients’ requirements — along with our outside counsel guidelines — where we could know our clients’ data is constantly being monitored. We measure to make sure that our employees are being responsible from a security standpoint and that includes everything from password management and access to downloading applications. You need to have a clear policy, and it must be taken seriously.”

The bottom line is that if a firm is going to have a strong data policy, it comes down to having one before disaster strikes, not after.

“Everyone sees the importance of it after the fact,” Salman says. “But the reality is, with a little due diligence beforehand, you have a much better chance of saving yourself from a nightmare later on.”