Law Firm Data Security

Bomb with lit fuseLaw firms, like most businesses today, have embraced the convenient but usually hidden technologies known as the “Internet of Things.”  This extension of internet connectivity into everyday objects and physical devices offers everything from constant video monitoring, to automatic locks, to dynamic heating and cooling adjustments.  IoT devices look, listen, transmit, and record trillions of data points, and a report by ForeScout Technologies suggests that the number of connected devices will reach more than 20 billion by next year.

But all this convenience comes at a price.  IoT devices are particularly vulnerable to compromise because they are relatively invisible to routine patching (if they allow patches), often do not have any security safeguards, and do not always have access controls.  An infected device can, for example, open the backdoor to denial of service attacks, enable hacker control of locks and surveillance equipment, open opportunities for snooping and recording of phone calls, and generally create a gateway through which to launch spam campaigns, steal data, and change credentials.

Let’s look at some vulnerable IoT devices commonly found in today’s law firm:

IP-Connected Security Systems and Infrastructure.  Think of cameras, smart meters, and HVAC controls.  Hacks of these devices can cause problems ranging from spying via video and audio, to destruction or disabling of critical equipment to disrupt operations or to allow for physical break-in.

Smart Video Conference Systems.  This category includes smart TVs, as well as DVR devices, which are typically connected via Wi-Fi or Ethernet.  Compromise scenarios include real-time monitoring of communication, as well as use of the system as a launch pad to the network.

Printers & Phones.  Wireless printers can allow almost undetectable access to confidential information (real-time or stored jobs) or, if compromised generally could allow a hacker to obtain administrative passwords and create a network bridge.  Because VoIP phones are internet connected, their configuration settings may be compromised to allow call snooping or even to create outbound calls.

Light Bulbs?  Yes, light bulbs!  According to the above ForeScout report, smart lightbulbs operate on Wi-Fi and mesh networks.  “In a wireless mesh network, the network connection is spread out among dozens or even hundreds of wireless mesh nodes that “talk” to each other to share the network connection across a large area.”  The more nodes, the more avenues for entry into a system without being on the network.
Continue Reading

Sunshine Breaking Through the CloudsYes, with a troubling threat environment and unique vulnerabilities, law firms indeed have data security challenges.  But there are strategic opportunities too.  When firms are serious about their data safeguards and take concrete steps to strengthen their security profile, they better position themselves for stronger client relationships, lower and better-controlled expenses, and higher revenue.

As always, context matters. The legal services industry has changed dramatically in the last decade, with private practice law firms facing:

  • increased competition from nontraditional providers and technology-driven service models;
  • the Internet-driven dissolving of historic barriers to remote service delivery;
  • the post-recession tightening in companies’ outside legal spend;
  • the ongoing shift of work from outside counsel to in-house legal staff;
  • the continued consolidation of client work in fewer, preferred law firms with geographic bench-strength or industry/specialty focus; and
  • the resulting pressure on mid-sized firms to scale/merge up or to specialize/boutique down.

It’s a more competitive world than ever for attracting and retaining clients. There still will be winners and losers, but now the margin of difference is more slim.  That’s why strategic improvement in a law firm’s data security posture can make a big difference.

Here are three key examples of how better data security is a strategic win for law firms:
Continue Reading

Lightning Strike in ThunderstormSecurity risks flow from threats coupled with vulnerabilities – and when it comes to data security, law firms are uniquely vulnerable.

Law firms have highly valuable information.

Like any other business, firms have employee personal data, including SSNs, payroll data, and health plan data, along with financial and tax information for the firm itself and its owners.  Yet law firms also have something far more attractive than other businesses – a concentrated trove of client data, such as nonpublic issuer information; client trade secrets; confidential information on client business strategies, controversial matters and transactions, and litigation; sensitive information with reputational impact for public and private individuals and institutions; and on and on.  Law firms also have information and credentials that can serve as gateways to clients’ systems, through hacking or social engineering.

Many firms are behind the curve on data security safeguards. 

Despite their valuable information, many law firms are demonstrably lax in their data security posture.  Results of the 2018 ABA Legal Technology Survey reveal a bleak picture for law firm data security controls:

  • Less than half of the responding firms have the following policies or plans that are important facets of a law firm’s security posture:  computer acceptable use policy (41%); remote access policy (37%); personal technology use/BYOD policy (21%); incident response plan (25%); disaster recovery / business continuity plan (40%).
  • Only 53% of the firms have a formal policy or process to manage retention of data held by the firm, and as of 2017, only 40% have an official records retention schedule.
  • 31% of the firms allow personal mobile devices (tablets, laptops, smartphones) to access the firm’s network without any restrictions.
  • Only 46% of the firms have file encryption tools, only 38% have email encryption capabilities, and only 24% have full disk encryption.
  • Among the responding firms that utilize cloud IT services, fewer than than half report using basic security precautions such as evaluating the provider company’s history (27%); reviewing the provider’s privacy policy (38%) or terms of use (34%); using only web-based software with encryption features (36%); or making regular local data backups (41%).

In the midst of a troubling threat environment, why are so many firms still behind the curve in their data security safeguards?  Here are ten factors to consider:
Continue Reading

Threatening dark clouds covering the skyJust another day at the firm.  The case was settled, with a $500,000 payment to be made to the approved settlement administrator.  The law firm received an email from the administrator with wire transfer directions, and the settlement funds were sent per the instructions.  Just one problem – the email didn’t come from the administrator, the receiving bank was not the right bank, and the half million dollars evaporated.  Poof – gone in an instant.

Sure, it would’ve been prudent for the law firm to have picked up the phone and independently verified the email sender and instructions.  But how did the bad guys know precisely to whom and when to send the phony email, and exactly what to say?  Was it from publicly available information in the court file?  Was there a rogue insider at the firm, or at one of the other litigant’s firms, or at the court, or with the settlement administrator?  Or was someone’s email account illicitly monitored after being compromised by malware or through phished access credentials?

Business email compromise (BEC) is a growing threat for businesses generally.  Reports of BEC incidents to the federal Financial Crimes Enforcement Network (FinCEN) have doubled from 2016 to 2018, with the dollar amounts rising nearly threefold, from $110 million monthly in 2016 to over $300 million monthly in 2018.

But BEC is only one of many potent threats to law firm data security.  Here are some high-profile examples from the news:
Continue Reading

Depressed employee with laptopMost people have elevated stress during the holiday season — work, travel, family, money, time.  And holiday stress can make people inattentive, tired, frustrated, and willing to take short cuts, especially when it comes to computer and Internet use.  This is when mistakes happen.  It’s when we decide to evade policy by emailing work home or by using the unsecured airport Wi-Fi because our plane is delayed.  It’s also when malicious acts of information theft, sabotage, and fraud can more easily occur and go undetected.

According to a recent survey, insider threats — as opposed to outside actors — can account for nearly 75% of cyber incidents.  These incidents occur because of the actions of employees, suppliers, customers, and previous employees.  Law firms are not exempt, particularly small to medium size firms.  In fact, smaller firms typically have fewer resources to devote to cybersecurity and use more outside suppliers.

End-of-year activities for law firms also make them especially vulnerable to insider threats, whether inadvertent or malicious: the push to bill and collect for more hours, time-sensitive legal matters that must be resolved before the end of the calendar year, attending to year-end tax accounting, case and client review, bonus calculations.  Lawyers and their staff feel the strain of extra hours, looming deadlines, and sometimes contentious clients at the same time we all feel holiday pressures at home.

What is at risk?
Continue Reading

Fish tempted by fishing hookAs technical security improves, human security vulnerabilities are increasingly in the bulls-eye.  For a fresh look at social engineering, and how best to defend against it, there’s no better source than a hacker.  So, I reached out to Cliff Smith, Ethical Hacker & CISSP at Parameter Security, for his take on the current social engineering battleground.  Here’s what he shared:

Confidence games have been around forever.  Is there anything fundamentally different about social engineering practiced by hackers?

Modern social engineering is no different than the classic con games.  They all run on information, trust, and emotions.  The biggest change in the past 20 years or so is that technology makes the attacker’s job much easier, for several reasons.  First, a skilled practitioner can use countless tactics to make their first contact appear more legitimate, such as spoofing a message’s source or creating a legitimate-looking website.  Second, the average user operates on autopilot much of the time when using their phones or computers.  It’s so easy, for example, to click on a link without stopping to think about the danger, which makes phishing attacks much more likely to succeed.  Third, technology makes the consequences of social engineering much more dire.  In just a few clicks, you can accidentally ruin your financial life, or someone else’s.

It’s commonly understood that phishing is a problem, and that phishing is a deceptive email with a malicious link.  Is it that simple, or are there other social engineering attacks to be concerned about?
Continue Reading

Empty SafeLast week’s post explored why law firms need data security policies.  Before we move on, I’d be remiss if I didn’t mention another policy that’s absolutely crucial for the law firm’s data security posture – a records management policy, coupled with an up-to-date and legally validated records retention schedule.

What does a records retention schedule have to do with data security?  Simply this – keeping data without a legal or business reason exacerbates data security exposures.

Breached systems frequently contain many times more data than was needed for retention compliance or any valid business or operational purpose.  This unnecessary data multiplies the number of those whose confidential or protected information is compromised, and can also have exponential impact once breached, passing a tipping point on lasting reputational damage or on the economic viability of claims against the firm.

It’s not possible for a breach to compromise the security of information that no longer exists, having already been compliantly disposed of once its legally required retention and business value have expired.

But surely most every law firm has a records retention schedule in place for its records of client matters and firm administration, right?  Actually, far too few firms do.
Continue Reading

Bare feet of muddy childrenYou’d think, among all types of businesses, that law firms would be at the front of the pack in having a data security policy.  After all, law firms regularly tell their clients how important it is to have effective policies in place for legal compliance and risk management.  And law firms certainly possess large volumes of valuable data, such as confidential client information and individual’s personal data, and are subject to a daunting array of security threats.  But as the saying goes, all too often the cobbler’s kids have no shoes.

How shoeless?  Results from the  2017 ABA Legal Technology Survey are grim.  Less than half of the responding law firms have the following policies and plans, which are crucial to a firm’s security posture:

  • computer acceptable use policy (48%);
  • remote access policy (45%);
  • disaster recovery/business continuity plan (42%)
  • incident response plan (26%); and
  • personal technology use/BYOD policy (24%).

This is astounding, especially given the compelling reasons for law firms to put data security policies in place.


Continue Reading

White hatTesting for technical vulnerabilities is a key part of security risk assessment.  To get the straight scoop on technical vulnerabilities, and how they’re exploited, why not ask a hacker?

Dave Chronister is an ethical hacker, a Certified Information Systems Security Professional, and the co-founder and managing partner of Parameter Security.  To borrow from the Farmer’s Insurance commercials, Dave knows a thing or two because he’s seen a thing or two.  He started early – Dave wrote his first computer program before age 8, and as a teenager he ran a large networked bulletin board system, through which he first experienced war dialing and the underground world of hacking.

Dave and his Parameter Security team perform technical security assessments (ethical hacking penetration services, code & device reviews, and social engineering exercises), post-incident forensic investigation, and training.  Dave regularly appears as a cybersecurity expert on CNBC, CNN, Fox Business, and MSNBC, and he writes and speaks internationally on hacking and system security.

I recently asked Dave for his thoughts on the current hacking landscape, and especially on why technical vulnerability testing is crucial to an overall security risk assessment. Here’s what he shared:
Continue Reading

ChecklistWould you take a deposition by solely following a template of standard questions, without assessing the unique issues and circumstances of the case?  Or conduct transaction due diligence by simply marching though a generic punch list, without assessing the unique aspects of the company, the deal, and the industry?  Of course not.  Your law firm’s data security posture is no different – you need a security risk assessment to understand your firm’s unique vulnerabilities to security threats, and to identify which security controls are already adequate for your firm and which other safeguards are needed.

But assessing security risks is more than merely a good idea.  Conducting a security risk assessment is also a compliance requirement under virtually every U.S. regulatory data security regime and security standard.  Some of these risk assessment requirements apply directly to lawyers and firms, such as rules of professional conduct and, for firms that are business associates of HIPAA covered entities, the HIPAA Security Standards.  Other such laws directly govern the firm’s clients, which in turn increasingly require them of their law firms as service providers.  And taken together, these statutes, regulations, and standards requiring security risk assessments have coalesced into general expectations for what constitutes reasonable data security.


Continue Reading