Cybersecurity Basics for Pennsylvania Law Firms

Most Pennsylvania law firms either misunderstand cybersecurity [computer and network security] or significantly underestimate the threat of data breaches at law firms. Successful “hacks” can result in the loss of client confidential data or even losses of escrow funds. Considering the November 2013 updates to the Pennsylvania Rules of Professional Conduct, data breaches might now lead to ethics problems—see Pennsylvania’s New, Technology-related, Ethics Rule Changes for Lawyers for a discussion of the recent, information technology-related changes to the ethics rules.

Lawyers in firms of all sizes must start taking cybersecurity seriously. Lawyers should both 1) seek advice on information security compliance from skilled legal-technology experts and 2) perform a law firm security “audit” or law firm information security assessment to see where the firm stands on information security.

Understanding the Reality of the Cybersecurity Threat

Many lawyers labor under outdated perceptions of computer security—”no one would hack me, we are too small of a law firm, we have anti-virus (I think), my nephew looked at that, etc.” Ten years ago, a current anti-virus program, good backup, and perhaps a basic firewall might meet minimal data protection standards. At that time, “computer viruses” were inconvenient but fairly straight-forward to detect. Similarly, a basic and properly configured firewall might have kept many cyber-attackers from improperly accessing law firm computer systems and networks (or at least make attacks harder and encouraging attackers to move on to lower-hanging -fruit).

No more. Cybercrime now rivals the illicit drug trade for criminal activity—with one estimate placing cybercrime costs at $400 billion per year. [See, e.g, Ericka Chickowski, Worldwide Cost of Cybercrime Estimated at $400 Billion, Dark Reading (June 9, 2014)] And law firms are specific targets due to the sensitivity of the data a law firm handles.

Well-established black and grey markets in data now exist and drive today’s cybercrime because data itself has value. These data-markets eagerly pay for social security numbers, bank account information, health care information, credit card data, “social” media information (to target spear-phishing attacks) and a myriad of other data types about anyone. Thus, the new data-markets change the nature of cybersecurity risks.

Cybercriminals no longer just want to smash-and-grab data, steal a credit card to make purchases, or “hack” a law firm’s website (although these types of attacks still occur). The cybercrminals now deploy longer-term and stealthy malware infections that siphon valuable data out of your systems over long periods of time. The latest reports indicate that data breaches, because they are so insidious, now take over 7 months to detect (and that is considering organizations who have information security teams).

Extremely sophisticated and often targeted malware now replaces yesterdays primitive “computer viruses.” The new malware may siphon data from compromised (pwned) systems for months or longer before detection—raising a serious issue for lawyers who must assure the confidentiality and integrity of evidence. To emphasize how bad out-dated advice is, the iconic, anti-virus industry company, Symantec, recently admitted that anti-virus programs alone are now ineffective, [see, e.g., Dan Goodin, Antivirus pioneer Symantec declares AV “dead” and “doomed to failure” ArsTechnica (May 5,2014)], and cybersecurity professionals apply new techniques to avoid dependence on outdated “anti-virus” products [See, e.g., Legacy cybersecurity products failed to protect 97% of organizations, Help Net Security (May 21, 2014)].

Also, recent malware (called ransomware) encrypts the user’s data and then the cybercriminal demands a ransom to unlock the oftentimes not-backed-up data. [See, e.g., Bree Sison, Swansea Police Pay Ransom After Computer System Was Hacked, CBS Boston (Nov. 18, 2013) ] This poses serious issues for law firms falling victim who may lose control of their client’s data—think Rule 1.15 Safekeeping of Client Property issues

Finally, cybersecurity threats now arrive not just from laptops or desktops but also from a myriad of consumer-grade mobile devices—tablets, “smart” phones, and even automobiles—which lawyers are eagerly integrating into law practice without considering the implications.

The take-away here is simply: the game has changed significantly (and continues to change) so don’t rely on ten-year-old assumptions about computer security or underestimate these threats.

General Cybersecurity Guidance for Lawyers

Cybersecurity must be taken seriously but should not breed fear or hopelessness. Generally, law firms and lawyers should think about the following when evaluating information security risks in an organization.

  1. Know-that-you-don’t-know (this can be hard for some lawyers). Cybersecurity issues are complex and should be taken seriously and handled professionally. Old-rules-of-thumb or out-dated “insights” may lull an attorney into a false sense of security. [UPDATE: See Jen Miller, How the Target Breach Has Affected Small Business Data Security, CIO Magazine(July 9,2014)(simple description of how the security threatscape has changed for small businesses).]
  2. Each legal organization, no matter how small, should be analyzed for security issues. The analysis should include a law firm information technology security assessment which can reveal your risk envelope and identify preliminary remediation methods such as an incident response plan, appropriate security procedures, disaster recovery, data retention, and backups policies. (Some refer to law firm security assessments as law firm security “audits” even though an audit presupposes data security policies and practices—which is rarely the case. The preliminary analysis is properly called an assessment and not an audit.)
  3. Information security is a distinct field in computing and requires special skills to do well—skills including technical, business, direct industry expertise, data classification techniques, and compliance. Relying on advice from the first-lawyer-in-town-with-an-iPad (as somehow demonstrating technology competence), your nephew who is a real “computer whiz,” or that corner “computer shop” might be a costly mistake (and with the November 2013 changes to the Pennsylvania Rules of Professional Conduct, might also lead to ethics issues for the firm). Get professional help.
  4. Cybersecurity also implicates other critical areas such as law firm data backups, disaster recovery plans, data retention policies, mobile device (BYOD) policies, computer-use policies, outsourced vendor vetting, data compliance, “cloud” computing, lawyer ethics, and state or federal laws (such as Pennsylvania’s Breach of Personal Data Reporting Act). The point here is that just a sign-off from a “computer person” is not good enough—as the 2013 changes to the Pennsylvania Rules of Professional Conduct imply (see Rule 1.1 and 1.6 and new comments to these sections which require the lawyer, not the delegated third-party, to have competence in these issues or that the lawyer seek a ethically competent associate to assist).
  5. Firms should understand that the current cybersecurity best-practices mentality no longer focuses on keeping the cybercriminals out, as was the case ten years ago, but on taking reasonable actions to mitigate such breaches assuming they occur. This will force law firms to take a “hard look” at their data integrity practices to include correct use of encryption, intrusion detection or intrusion prevention systems, layered-defenses, minimization of data exposed on systems (by adopting legally defensible data retention policies), active firewalls, malware detection systems, limited administrator rights, VPNs for all data connections (including from “smart” phones and mobile devices), proper patch and upgrade management, encrypted email connections (and possibly even emails themselves), limiting outside vendor access to internal systems, and re-evaluating “cloud” computing (which might not be the “deal” that it seems).
  6. Do a thorough hardware and software “inventory” at the organization. Threats can easily originate from what-you-didn’t-know was still lurking at your office. The organization cannot take reasonable actions if the organization doesn’t know what it has. That old WI-FI router, out-dated Windows XP computer (which, in my opinion, is a serious, per se ethics violation if still used in a law firm today), new iPad, or the dusty server sitting in the closet may unknowingly be exposing you to data loss.

In summary, awareness that a data security problem exists is the first step for many lawyers—but only a first step. After recognition, Pennsylvania lawyers can take reasonable steps to better protect both client confidential information and law firm data. While those steps may be alien to some attorneys because they involve technology, those steps have quickly become standard practice for law firms (and businesses).