Bare feet of muddy childrenYou’d think, among all types of businesses, that law firms would be at the front of the pack in having a data security policy.  After all, law firms regularly tell their clients how important it is to have effective policies in place for legal compliance and risk management.  And law firms certainly possess large volumes of valuable data, such as confidential client information and individual’s personal data, and are subject to a daunting array of security threats.  But as the saying goes, all too often the cobbler’s kids have no shoes.

How shoeless?  Results from the  2017 ABA Legal Technology Survey are grim.  Less than half of the responding law firms have the following policies and plans, which are crucial to a firm’s security posture:

  • computer acceptable use policy (48%);
  • remote access policy (45%);
  • disaster recovery/business continuity plan (42%)
  • incident response plan (26%); and
  • personal technology use/BYOD policy (24%).

This is astounding, especially given the compelling reasons for law firms to put data security policies in place.

Continue Reading Law firms, data security policies, and cobblers’ kids

Ignorant DoctorIf you had a choice between doctors to perform surgery on you, which would you pick:  a doctor who has sat through training on how to perform an appendectomy; or assurance that your doctor will successfully perform your appendectomy?

The answer seems obvious, but on the topic of dealing effectively with human vulnerabilities in cybersecurity, most of us seem satisfied with “awareness training.”  It’s a check-the-box response to regulatory compliance or client demands.   Sign everyone up for an on-line phishing exercise and you’re done.  Yet the consequences of ineffective training can be dire.  You will most certainly lose productivity, you’ll probably lose money, and you may lose the company.

This is not to say that awareness is unimportant.  But raising awareness is just the first step in effective cybersecurity defense.  Employees—and management—must come to understand why and how security incidents occur and learn how to recognize and guard against them.  In other words, you must develop assurance that everyone in your organization is equipped to protect the company and its assets. Continue Reading How to gain assurance against human security vulnerabilities

Hacker at work with Russian flag on backgroundThe indictment filed last Friday by Special Counsel Robert Mueller explains how Russian military intelligence officers hacked into computer systems of the DNC, the DCCC, and Clinton Campaign employees during the 2016 presidential race.  With sweeping, specific details that have compelled unanimous confidence among Americans (except apparently our President), the 29-page indictment is a textbook on sources and methods.  No, not intelligence-gathering sources and methods, which are of course highly classified.  Instead, the indictment catalogs the sources of data that were stolen, and the methods used by the GRU intelligence units to methodically hack into the targeted systems, exfiltrate the data, evade detection, and weaponize the data through publications timed to inflict maximum impact.

The lessons to be learned from the indictment’s allegations, summarized below, are useful to any organization serious about data security and prevention, detection, and response to hacking, whether state-sponsored or otherwise.

Continue Reading The latest Mueller indictment – what we all can learn about sources and methods

Person hiding head in the sandI keep getting asked about Cambridge Analytica and Facebook.  And no one seems to like my response – I’m frankly amazed that this all took so long to blow up.  How long?  How about since 1973.  That’s when the U.S. Department of Health, Education, and Welfare first articulated the Fair Information Practice Principles (FIPPs or FIPs) in its report Records, Computers, and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data SystemsThe FIPPs went on to become bedrock global privacy principles, and central to them are the principles of notice and consent.

As the FTC later explained in Privacy Online: A Report to Congress:

1. NOTICE/AWARENESS
The most fundamental principle is notice. Consumers should be given notice of an entity’s
information practices before any personal information is collected from them….

2. CHOICE/CONSENT
The second widely-accepted core principle of fair information practice is consumer choice
or consent. At its simplest, choice means giving consumers options as to how any personal
information collected from them may be used….

These mechanisms – notice and consent – are what make a self-governing privacy system work.  If someone (such as Facebook) is going to obtain and use our personal data, they should first give us notice of how they will use it (such as provide or sell it to others), and then we make a choice – we either consent and provide our data, or we don’t.  The government may enforce these representations and choices under fair trade practices laws, such as FTC Act Section 5, but the rules themselves are made in the marketplace.

There has to be some source of governance.  The alternative to self-governance through notice and consent is governance by government, with legislators and regulators making the rules for how our data is handled.  There’s quite a bit of that in the EU and elsewhere, but in the United States, outside of specific sectors such as healthcare (HIPAA), education (FERPA), and financial services (GLBA & FCRA), there’s little such regulation here.  In the U.S. we’ve made a policy decision to largely self-govern the privacy of personal data.

Fast forward from 1973 and, especially in our Internet-driven, U.S. self-regulatory environment, we’ve got a large, smoking crater – precious little government regulation, and even less personal responsibility.  Let’s face it.  We don’t actually pay attention to privacy policies and terms of use, and we don’t actually make informed choices on our consent to data practices for our personal information.  Under our self-governing privacy system, look in the mirror.  The enemy is ourselves.

Continue Reading (But wait, I didn’t) notice and consent

White hatTesting for technical vulnerabilities is a key part of security risk assessment.  To get the straight scoop on technical vulnerabilities, and how they’re exploited, why not ask a hacker?

Dave Chronister is an ethical hacker, a Certified Information Systems Security Professional, and the co-founder and managing partner of Parameter Security.  To borrow from the Farmer’s Insurance commercials, Dave knows a thing or two because he’s seen a thing or two.  He started early – Dave wrote his first computer program before age 8, and as a teenager he ran a large networked bulletin board system, through which he first experienced war dialing and the underground world of hacking.

Dave and his Parameter Security team perform technical security assessments (ethical hacking penetration services, code & device reviews, and social engineering exercises), post-incident forensic investigation, and training.  Dave regularly appears as a cybersecurity expert on CNBC, CNN, Fox Business, and MSNBC, and he writes and speaks internationally on hacking and system security.

I recently asked Dave for his thoughts on the current hacking landscape, and especially on why technical vulnerability testing is crucial to an overall security risk assessment. Here’s what he shared: Continue Reading So, I asked a hacker about technical vulnerabilities …

ChecklistWould you take a deposition by solely following a template of standard questions, without assessing the unique issues and circumstances of the case?  Or conduct transaction due diligence by simply marching though a generic punch list, without assessing the unique aspects of the company, the deal, and the industry?  Of course not.  Your law firm’s data security posture is no different – you need a security risk assessment to understand your firm’s unique vulnerabilities to security threats, and to identify which security controls are already adequate for your firm and which other safeguards are needed.

But assessing security risks is more than merely a good idea.  Conducting a security risk assessment is also a compliance requirement under virtually every U.S. regulatory data security regime and security standard.  Some of these risk assessment requirements apply directly to lawyers and firms, such as rules of professional conduct and, for firms that are business associates of HIPAA covered entities, the HIPAA Security Standards.  Other such laws directly govern the firm’s clients, which in turn increasingly require them of their law firms as service providers.  And taken together, these statutes, regulations, and standards requiring security risk assessments have coalesced into general expectations for what constitutes reasonable data security.

Continue Reading Security risk assessment is not just a good idea – it’s a compliance requirement

Driver looking under the car hoodI had a nagging worry that something was wrong with my car, so I finally decided to take it to the dealer.  I couldn’t exactly describe my concern, except there was an intermittent, “funny noise” coming from somewhere in the front end.  An unscrupulous dealer would have taken me down a long path of parts replacement, beginning with tires, then wheels, then tie rods, and on and on, perhaps never fixing the real problem.  Fortunately, my dealer was honest and performed diagnostics, ultimately discovering that the rack and pinion was failing.  The part was under warranty, so the repair cost me nothing and my funny noise is gone.

Was my worry constructive?  Yes.  It also went hand-in-hand with my own risk assessment.  What were the chances that the noise foretold a failure that would cause an accident?   Would I or others be hurt in the accident?  As it turned out, a failure could have been catastrophic.   In this scenario, I could prudently act on my worry because I had a basic understanding and control of the situation.  But it’s not always easy to act on worries—particularly if you don’t understand the issues or potential risks.

It’s reasonable these days for everyone, particularly lawyers, to have a nagging worry about information security.  That’s where independent risk assessment comes in.  Most lawyers know just enough about accounting and finance to help them profitably manage their firms, calling in experts when needed.  The same should be true for information security.  An independent security risk assessment not only identifies risk, it also helps to educate regarding likely threats and vulnerabilities. Continue Reading Security Risk Assessment: You can’t fix what you can’t see.

Bear Chasing MenAs explored in last week’s posts, the bad news for law firms is their challenging data security threat environment.   On the other hand, law firms that meaningfully elevate their security posture, thereby outrunning less-secure firms, can enjoy good news, including increased revenue, better-controlled expenses, and stronger client relationships.

Security risks flow from threats coupled with vulnerabilities – and when it comes to data security, law firms are uniquely vulnerable.  Understanding and countering these vulnerabilities is the key to transforming data security bad news into good news.

Why are law firms so vulnerable?

Law firms have highly valuable information.

Like any other business, firms have employee personal data, including SSNs, payroll data, and health plan data, along with financial and tax information for the firm itself and its owners.  Yet law firms also have something far more attractive than other businesses – a concentrated trove of client data, such as nonpublic issuer information; client trade secrets; confidential information on client business strategies, controversial matters and transactions, and litigation; sensitive information with reputational impact for public and private individuals and institutions; and on and on.  In addition, law firms have information and credentials that can serve as gateways to clients’ systems, through hacking or social engineering.

Many firms are behind the curve on data security safeguards. 

Despite their valuable information, many law firms are demonstrably lax in their data security posture.  Consider results of the 2017 ABA Legal Technology Survey regarding law firm data security controls:

  • Less than half of the responding firms have the following policies or plans that are important facets of the firm’s security posture:  computer acceptable use policy (48%); remote access policy (45%); personal technology use/BYOD policy (24%); incident response plan (26%); disaster recovery / business continuity plan (42%).
  • Only 60% of the firms have a formal policy or process to manage retention of data held by the firm, and only 40% have an official records retention schedule.
  • 28% of the firms allow personal mobile devices (tablets, laptops, smartphones) to access the firm’s network without any restrictions.
  • Only 45% of the firms have file encryption tools, only 36% have email encryption capabilities, and only 21% have full disk encryption.
  • Among the responding firms that utilize cloud IT services, fewer than than half report using basic security precautions such as evaluating the provider company’s history (27%); reviewing the provider’s privacy policy (38%) or terms of use (34%); using only web-based software with encryption features (36%); or making regular local data backups (41%).

Why are so many firms behind the curve in their data security safeguards?  Here are ten factors to consider (warning – some of the below is not sugar-coated): Continue Reading Understanding law firms’ unique security vulnerabilities – the key to turning bad news into good news

Sunshine Breaking Through the CloudsLaw firms face significant data security threats.  But there’s good news for law firms on data security.  When firms are serious about their data safeguards and take concrete steps to strengthen their security profile, they better position themselves for higher revenue, lower and better-controlled expenses, and stronger client relationships.

As always, context matters.  The legal services industry has changed dramatically in the last decade, with private practice law firms facing (a) increased competition from nontraditional providers and technology-driven service models; (b) the Internet-driven dissolving of historic barriers to remote service delivery; (c) the post-recession tightening in companies’ outside legal spend; (d) the shift of work to in-house legal staff; (e) the ongoing consolidation of client work in fewer, preferred law firms with geographic bench-strength or industry/specialty focus; and (f) the resulting pressure on mid-sized firms to scale/merge up or specialize/boutique down.  There’s no viable “let’s simply wait it out” option in the face of these trends.  In short, it’s now a far more competitive world for attracting and retaining clients.  There will continue to be winners and losers, but now the margin of difference is more slim.

And this is the “there must be a pony in here somewhere” epiphany – in this highly competitive environment, strategic improvement in a law firm’s data security posture can, more than ever before, make a huge difference.

Here are three examples of how better data security is a strategic win for law firms: Continue Reading Good news on law firm data security

Threatening dark clouds covering the skyIt all seemed so routine, so straightforward.  The case was settled, with a $500,000 payment to be made to the approved settlement administrator.  The law firm received an email from the administrator with wire transfer directions, and the settlement funds were sent per the instructions.  Just one problem – the email didn’t come from the administrator, the receiving bank was not the right bank, and the half million dollars evaporated.  Poof – gone in an instant.

Sure, it would’ve been prudent for the law firm to have picked up the phone and independently verified the email sender and instructions.  But how did the bad guys know precisely when and to whom to send the phony email, and exactly what to say?  Was it from publicly available information in the court file?  Was there a rogue insider at the firm, or at one of the other litigant’s firms, or at the court, or with the settlement administrator?  Or was someone’s email account illicitly monitored after being compromised by malware or through phished access credentials? Continue Reading Bad news on law firm data security