Bomb with lit fuseLaw firms, like most businesses today, have embraced the convenient but usually hidden technologies known as the “Internet of Things.”  This extension of internet connectivity into everyday objects and physical devices offers everything from constant video monitoring, to automatic locks, to dynamic heating and cooling adjustments.  IoT devices look, listen, transmit, and record trillions of data points, and a report by ForeScout Technologies suggests that the number of connected devices will reach more than 20 billion by next year.

But all this convenience comes at a price.  IoT devices are particularly vulnerable to compromise because they are relatively invisible to routine patching (if they allow patches), often do not have any security safeguards, and do not always have access controls.  An infected device can, for example, open the backdoor to denial of service attacks, enable hacker control of locks and surveillance equipment, open opportunities for snooping and recording of phone calls, and generally create a gateway through which to launch spam campaigns, steal data, and change credentials.

Let’s look at some vulnerable IoT devices commonly found in today’s law firm:

IP-Connected Security Systems and Infrastructure.  Think of cameras, smart meters, and HVAC controls.  Hacks of these devices can cause problems ranging from spying via video and audio, to destruction or disabling of critical equipment to disrupt operations or to allow for physical break-in.

Smart Video Conference Systems.  This category includes smart TVs, as well as DVR devices, which are typically connected via Wi-Fi or Ethernet.  Compromise scenarios include real-time monitoring of communication, as well as use of the system as a launch pad to the network.

Printers & Phones.  Wireless printers can allow almost undetectable access to confidential information (real-time or stored jobs) or, if compromised generally could allow a hacker to obtain administrative passwords and create a network bridge.  Because VoIP phones are internet connected, their configuration settings may be compromised to allow call snooping or even to create outbound calls.

Light Bulbs?  Yes, light bulbs!  According to the above ForeScout report, smart lightbulbs operate on Wi-Fi and mesh networks.  “In a wireless mesh network, the network connection is spread out among dozens or even hundreds of wireless mesh nodes that “talk” to each other to share the network connection across a large area.”  The more nodes, the more avenues for entry into a system without being on the network.
Continue Reading

Depressed employee with laptopMost people have elevated stress during the holiday season — work, travel, family, money, time.  And holiday stress can make people inattentive, tired, frustrated, and willing to take short cuts, especially when it comes to computer and Internet use.  This is when mistakes happen.  It’s when we decide to evade policy by emailing work home or by using the unsecured airport Wi-Fi because our plane is delayed.  It’s also when malicious acts of information theft, sabotage, and fraud can more easily occur and go undetected.

According to a recent survey, insider threats — as opposed to outside actors — can account for nearly 75% of cyber incidents.  These incidents occur because of the actions of employees, suppliers, customers, and previous employees.  Law firms are not exempt, particularly small to medium size firms.  In fact, smaller firms typically have fewer resources to devote to cybersecurity and use more outside suppliers.

End-of-year activities for law firms also make them especially vulnerable to insider threats, whether inadvertent or malicious: the push to bill and collect for more hours, time-sensitive legal matters that must be resolved before the end of the calendar year, attending to year-end tax accounting, case and client review, bonus calculations.  Lawyers and their staff feel the strain of extra hours, looming deadlines, and sometimes contentious clients at the same time we all feel holiday pressures at home.

What is at risk?
Continue Reading

Last Piece of PuzzleWhew – we’ve survived yet another round of states enacting or amending their PII breach notification laws.  If a trial lawyer’s vacation is the time between her question and the witness’s answer, a data security lawyer’s vacation is when state legislatures are out of session.

Back in 2002, California enacted the first state law mandating notification of individuals whose personally identifiable information (PII) is breached.  Now every state has followed suit, with the final two holdouts, Alabama and South Dakota, joining the other forty-eight states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands by enacting PII breach notification statutes.  Each state has its own unique approach, and the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications.

These laws are triggered by the affected individuals’ residency, not where the breach occurred. So, when an organization with employees or customers in many states suffers a data breach, it must comply with a wide variety of conflicting and evolving state breach notification laws. And differ and evolve they do:
Continue Reading

Bare feet of muddy childrenYou’d think, among all types of businesses, that law firms would be at the front of the pack in having a data security policy.  After all, law firms regularly tell their clients how important it is to have effective policies in place for legal compliance and risk management.  And law firms certainly possess large volumes of valuable data, such as confidential client information and individual’s personal data, and are subject to a daunting array of security threats.  But as the saying goes, all too often the cobbler’s kids have no shoes.

How shoeless?  Results from the  2017 ABA Legal Technology Survey are grim.  Less than half of the responding law firms have the following policies and plans, which are crucial to a firm’s security posture:

  • computer acceptable use policy (48%);
  • remote access policy (45%);
  • disaster recovery/business continuity plan (42%)
  • incident response plan (26%); and
  • personal technology use/BYOD policy (24%).

This is astounding, especially given the compelling reasons for law firms to put data security policies in place.


Continue Reading