Stephenie Yueng, Schnader Harrison Segal & Lewis[/caption] It is no secret that cyberattackers consider law firms to be rich sources of valuable data. Escalating risks and client expectations mandate that midsize and smaller firms, with fewer than 200 attorneys, treat cybersecurity as a core element of their legal practice. Like their larger counterparts, midsized and smaller firms must comply with rules of professional responsibility to take reasonable steps to prevent the inadvertent or unauthorized access to or disclosure of information relating to client representation. Moreover, smaller law firms must contend with many of the same cybersecurity challenges and threat actors as larger firms. With ransomware attacks and data breaches constantly in the news, clients increasingly demand and expect their vendors—law firms included—to take steps to improve and ensure data security. In this evolving landscape, it is no longer reasonable for any firm, large or small, to treat cybersecurity as solely an information technology issue. How much protection you need depends on the state of your technology systems, legal considerations such as applicable ethical rules, government and industry regulations, data protection laws, and client security requirements. It is also crucial for management and IT to consider and strike the appropriate balance between security and operability. Although cost is certainly a factor, many essential steps are scalable and affordable for all firms. This article will focus on 10 practical steps that will enable the smaller firm to identify its risks, take appropriate action, and protect its systems and clients.
Know what you have and how data flows.
The first step toward building a cybersecurity program is to understand your systems and data. Start with an inventory of your hardware—computers, servers, printers, smart devices—including the model and serial numbers of the devices that are connected within your office network and the internet. Next, catalog the software you have installed on your systems. Because software is subject to periodic updates, you should determine which version they are and record when they were last patched. Compile a list of the online services that the firm uses including, for example, legal research, document review, file transfers, or email. Armed with this information, one can assess the security implications of each device, software, or service. The same inventory process and analysis should be done for your data to understand how data flows within your firm. Identify the type of data you have, who creates it, where it is stored, and how it is shared with external parties. Note in particular if any of the data is subject to any legal regulation such as HIPAA or other sectoral data protection laws, or outside counsel guidelines. Improving your understanding of the data you have and how it flows within your system will allow you to better identify the types of data you hold and understand their value and vulnerability to internal and external threats.
Assess the security of your firm’s systems.
Working with your IT resources, whether within the firm or a consultant, investigate and evaluate the security of your devices and software. Is access to your systems controlled on a need-to-know basis? Is access to your computers or smart devices encrypted with passwords? Is a record of these passwords kept in a secure file? Have you employed two-factor authentication for access to your enterprise network? Do you have the most current anti-virus software and firewalls in place? Consider other intrusion prevention systems (IPS) or intrusion detection systems (IDS) as well—enterprise products that monitor network traffic and evaluate it against patterns or signatures known for suspicious activity, blocking or alerting for malicious or anomalous incursion and exfiltration. As you evaluate the security of your systems, consider whether a data loss prevention (DLP) software solution would be a helpful investment. DLP software performs both content inspection and contextual analysis of data sent via email and messaging applications, in motion over the network, in use on a managed endpoint device, and at rest in on-premises file servers or in cloud applications and cloud storage. DLP products use business rules to classify and protect confidential and critical information so it cannot be accidentally or maliciously disclosed. For example, if an employee tried to forward a business email outside the corporate domain or upload a corporate file to a consumer cloud storage service like Dropbox, the employee would be denied permission. While clients may not require a DLP solution be in place in their outside counsel guidelines, increasingly their questionnaires and audits ask questions that make clear a DLP is required to take on the work.
Assess the security of your vendors.
Just as you need to assess the security of your firm systems, you need to assess the security of your vendors. For cloud services, find out if they are operating their own server farm or if they are, in turn, using another service such as Amazon, Microsoft, or Oracle. In either case, review the provider’s security certification and look into whether the provider has put in place sufficient security measures—including periodic testing—for its systems. The firm’s litigation support vendor holds a particularly valuable set of client data. In addition to understanding the vendor’s security measures, make sure that either you have executed a confidentiality agreement with the vendor, or that confidentiality provisions are present in the vendor contract. Does any of the data being stored by your vendor or being reviewed on the vendor’s document review platform contain personal data from European data subjects? If so, the EU’s General Data Protection Regulation may apply and a data processing agreement may be necessary. Are there provisions in your statement of work that address the vendor’s return or destruction of the data at the end of hosting, as well as the certification provided attesting to such disposition?
Establish cybersecurity-related policies and train your employees.
A recent study found that 50 percent of all breaches stem from social engineering attacks (e.g., phishing emails) and insider errors. It’s not surprising that a major step toward a good cybersecurity program is to have policies and procedures in place to tell employees what they should or should not do with firm assets, and to train everyone so that awareness of cybersecurity becomes a culture of the firm. Craft a firm computer use policy to set forth how an employee may use a firm computer. The policy should address rules requiring strong, periodically renewed passwords, the use of two-factor authentication, and whether employees are allowed to send files to their personal email or to use removable storage devices. Restricting access for employees and vendors, rules around shadow IT (i.e., unsanctioned software installed on the employee’s computers), and email best practices should also be addressed. As you prepare the policy, do so with an eye toward balancing perfect compliance with reality. For example, firms may strictly prohibit personal use of computers and simultaneously require the employees to report promptly any suspicious activity. It may be unrealistic to expect compliance with both: employees may be reluctant to report activity resulting from their illicit computer use. Decide which behaviors you would like to encourage and frame your policy accordingly. Identify the stakeholders in your firm who have a formal role to play in the event of a data security incident. Prepare an incident response plan and identify any third parties that you may need to retain to assist in your response. Hold table-top exercises using different scenarios of system failure, ransomware attack, or data exfiltration so that the key stakeholders can run through their response and continue to refine the response plan.
Use secure methods to handle your data.
Ensure that your data is secure both while it is at rest and in transit. For example, require the use of an encrypted email service or encrypted file sharing sites when sharing data with external sources. If you have not engaged such encrypted services, zip your files with compression software that allows you to secure the file with a password. Similarly, if your firm allows the use of mobile storage devices such as thumb drives, ensure that they are password protected or otherwise encrypted. If the firm allows employees to use their own devices to access firm emails and files, consider using software that will allow remote wiping of the device should it become stolen or lost.
Have a reliable backup system.
How long can you afford to have your systems be down? Work with your IT team to understand your disaster recovery needs. Invest in a good backup system so that you can recover quickly in the event of a mechanical failure, security incident, or physical disaster. Duplicates of key data should be kept on an online backup site.
Establish a records management policy and enforce it.
A records management policy should set forth the rules and procedures for handling, filing, and returning or destroying client data, whether in electronic or paper format. Implement a data classification system so that data is tagged at the point of creation and at intake through, for example, metadata tagging or stamping. With the data category clearly and visibly stated, the firm can more easily implement its records management policies, in addition to any client specific requirements. Employ access restrictions so that only those with the need to know can access certain categories of information. Update the firm’s data retention plan and, more importantly, enforce it. Everyone in the firm should be cognizant of their confidentiality obligations and the rules of attorney-client privilege. The policy should reflect a good information governance perspective— retain only what has business value or what is necessary to the firm. Data hoarding increases the risks of security breaches and data loss. Be mindful of the client data that is in the firm’s litigation support environment, whether it is stored on the firm’s servers or hosted at a vendor, and work with your litigation support team to mount, protect, and remove data used in litigation. If you are using file share sites, make sure that all team members are aware of and properly use security settings, and promptly remove unnecessary data.
Consider cyberinsurance.
Will your professional liability insurance provide coverage for your losses from a security incident? Is the coverage adequate? Cyberinsurance can fill the gap between those insurance policies, and may cover expenses necessary to address a data privacy or security incident. Covered expenses may include the cost of a forensics expert, breach counsel fees, fees for a public relations/crisis management firm, consumer notification and credit monitoring expenses. Depending on the policy, cyberinsurance could also provide coverage for business interruption due to a network security failure or digital asset loss, and cyber extortion coverage. As with any insurance policy, it is imperative to understand the triggering events and the details of the coverage provisions. Be sure to understand, in advance, what services the insurer will provide to assist you in recovery from a breach, and if there are any restrictions on which vendors the firm may work with in its recovery and remediation efforts.
Require secure mobile access.
Discourage firm employees from using unsecured networks at cafes, restaurants, or hotels. Instead, provide secure Wi-Fi router devices or allow tethering to the employees’ mobile phone. Make sure employees only log in with additional security measures, such as use of a virtual private network (VPN), to shield and encrypt their communications.
Revisit the firm’s cybersecurity plan periodically.
Rapidly changing technology and modes of attack demand that lawyers keep abreast of developments on these issues. Regularly revisit cybersecurity practices with firm management and the IT team and update the firm’s policies, practices and technological solutions to adjust to the changing landscape. Stephenie Wingyuen Yeung, a partner at Schnader Harrison Segal & Lewis, is the co-chair of the privacy and data security practice group, leading the firm’s work in counseling clients on issues of data privacy, including preparing privacy policies and procedures, and cross-border data transfers. Contact her at syeung@schnader.com or 215-751-2277.
