BreachExchange mailing list archives

Why Law Firms Are Juicy Pickings for Hackers, And What to Do About it


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 25 Aug 2014 19:06:08 -0600

http://www.dailyreportonline.com/id=1202667949075/Why-Law-Firms-Are-Juicy-Pickings-for-Hackers-And-What-to-Do-About-it?slreturn=20140725195912

No one expects to have his identity stolen, but it happens every minute of
every day. Attorneys and law firms never expect to get hacked either, but
the data confirms that it occurs with alarming frequency.

Unfortunately, when attorneys or law practices suffer a cyberattack, the
ramifications extend well beyond financial loss. Because attorneys and the
firms they work for are subject to an additional set of rules and
regulations requiring the protection of client confidences and secrets, the
implications can be serious. They can involve ethics grievances, legal
malpractice claims, and liability for lost trade secrets, financial
information and misappropriated funds.

For many years, law firms appeared exempt from cyberrisks because hackers
usually targeted the law firms' clients, such as banks, companies or
individuals. But experts agree that law firms are the next big target for
hackers. The reason: law firms possess valuable data about their clients,
third parties, their own finances and their own employees, but they rarely
have the same protections in place as a financial institution or others
with sensitive information.

It is no surprise that cyberattacks against law firms are on the rise.
According to the most recent data from the ABA, approximately 80 percent of
the 100 largest law firms in the United States were successfully hacked in
2011. Experts expect these numbers to increase. The ABA is considering a
resolution that would encourage "all private and public sector
organizations to develop, implement and maintain an appropriate security
program."

There are things attorneys and law practices can do to address these risks.
Here are some valuable tips.

Have a plan

Like an ostrich with its head in the sand, most firms (especially smaller
firms) simply ignore the risk until a breach occurs. Then it's too late.
Data have been exposed, confidential information has been compromised, and
the firm is in the headlines as the latest firm to get hacked.

Once a cyberattack has happened, it can be extremely difficult to identify
what needs to be done first and to implement a comprehensive plan to manage
the influx of information. Complicating all of this, law firms may have
reporting obligations, depending on what information was accessed.

It is critical that a firm has a plan in place before an attack happens.
This involves having a point person who would be in charge of the firm's
response upon a cyberattack. This person does not have to be from the IT
department, but it is helpful to have someone who is knowledgeable about
the firm's duty of confidentiality and can converse with others about a
technical response.

The point person is not in charge of formulating a response, however. Most
firms will assign a committee—to be overseen by the point person—that is
tasked with formulating a response plan to be implemented upon a
cyberattack. It is important to have this plan in advance because there
will be many distractions for the firm upon a cyberbreach. Having a plan is
good security.

Attorneys have a duty to maintain client confidentiality, which extends to
client materials stored by the attorneys. Thus, attorneys have to be
prepared not only to properly respond to a breach, but also to comply with
their ethical obligations to safeguard materials.

Protect mobile technology

The practice of law is in a new, wireless era. Attorneys can be connected
to their offices through their mobile devices, laptops and tablets. With
the swipe of a screen, an attorney can access confidential documents, send
emails from a unique email identification, and access confidential
materials from a secure server. Hackers have the ability to do the same
thing.

Lost laptops and mobile devices create some of the highest, and most
preventable, risks of a cyberattack. Once a hacker has a lost or stolen
device, the entire firm is at his fingertips. The hacker can use a trusted
email address—yours—to transmit viral emails throughout your firm, or use
your credentials to access a secure network.

The first thing law firms can do is require that any mobile device—whether
a smartphone, laptop or tablet—be secured by a password. A laptop that can
access a firm's inner network just by being turned on creates an
unnecessary vulnerability.

Second, users of mobile technology should have the ability to wipe a device
remotely. This way, the user does not have to have the device in hand to
ensure that the information it is carrying does not fall into the wrong
hands.

Finally, professionals should keep track of their mobile devices. Report a
missing device as soon as it is lost, rather than wait and hope it turns
up. Be careful about lending out a device that is connected to the firm's
network or email.

Sometimes highly technical data breaches can be prevented with practical
approaches to security.

Be aware of often-targeted sensitive data

The mistake some law firms make is in assuming they do not have any
information of value to hackers. However, hackers are targeting law
practices because attorneys have access to their clients' most confidential
materials. This includes draft patent applications, business plans or
information that could help a hacker navigate the market.

In addition, given the volume of materials produced in discovery in many
litigations, a law practice could find that it has a stack of medical
records belonging to a class, or the Social Security numbers of every
employee of a client company.

It is not just client records or files that are at issue. Law firms store
sensitive data relating to their own employees too. The key is to be aware
of what the firm's sensitive points are and to guard them effectively.
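Knowing where the sensitive points are means actually looking for them in the material the firm holds. The following is an added example, not code from the original article or from any firm it describes: a small inventory scan that walks a set of documents (for instance a discovery production) for U.S. Social Security numbers and for wording that suggests medical records, then reports per-document counts with the identifiers masked so that the report itself does not become another copy of the sensitive data. The SSN plausibility rules are an assumption drawn from the SSA's published number format, the medical keyword list is illustrative, and the sample documents are constructed for the example.

```python
"""Sensitive-data inventory scan (added example, not the article's own code).

Finds plausible U.S. Social Security numbers and medical-record indicators in
a set of documents and reports where they are, with the SSNs masked.
"""
import re
from pathlib import Path

# 3-2-4 digits with a consistent separator (dash, space, or none), not embedded
# in a longer digit run such as a phone number or a docket number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

# Assumed indicators that a document is a medical record; tune per matter.
MEDICAL_TERMS = ("diagnosis", "patient", "prescription", "icd-10", "treatment plan")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA never issues (assumption based on SSA format rules)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if group == "00" or serial == "0000":
        return False
    # 123-45-6789 is the usual placeholder in forms and test data, not a real SSN.
    return (area, group, serial) != ("123", "45", "6789")


def mask(ssn: str) -> str:
    """Keep only the last four digits, the way a redacted exhibit would."""
    return "***-**-" + ssn[-4:]


def find_ssns(text: str) -> list:
    """Return unique plausible SSNs in text, normalised to ###-##-####."""
    out = []
    for area, _sep, group, serial in SSN_RE.findall(text):
        if is_plausible_ssn(area, group, serial):
            value = f"{area}-{group}-{serial}"
            if value not in out:
                out.append(value)
    return out


def classify(text: str) -> dict:
    """Summarise one document: masked SSN hits and medical-record indicators."""
    lowered = text.lower()
    ssns = find_ssns(text)
    terms = [t for t in MEDICAL_TERMS if t in lowered]
    return {
        "ssn_count": len(ssns),
        "ssn_masked": [mask(s) for s in ssns],
        "medical_terms": terms,
        "sensitive": bool(ssns or terms),
    }


def scan_documents(docs: dict) -> dict:
    """Classify a mapping of document name -> text; only sensitive ones are returned."""
    report = {}
    for name, text in docs.items():
        result = classify(text)
        if result["sensitive"]:
            report[name] = result
    return report


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".eml")) -> dict:
    """Same scan over a directory of text files, e.g. a discovery production."""
    docs = {
        str(p.relative_to(root)): p.read_text(errors="replace")
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in suffixes
    }
    return scan_documents(docs)


# Constructed sample documents (invented content, not real records).
SAMPLE_DOCS = {
    "payroll_export.csv": "name,ssn\nJ. Doe,219-09-9999\nA. Roe,219 09 9998\n",
    "medical_exhibit_7.txt": "Patient presented with ... Diagnosis: ... ICD-10 code ...",
    "docket_notes.txt": "Case 123456789 continued; call 555-867-5309; 123-45-6789 sample",
    "memo.txt": "Nothing sensitive here.",
}

if __name__ == "__main__":
    for name, result in scan_documents(SAMPLE_DOCS).items():
        print(name, result)
```

Run as-is it reports only the payroll export and the medical exhibit; the docket notes contain a nine-digit case number, a phone number and the placeholder 123-45-6789, none of which should count as a finding. Point `scan_tree` at a real share to build the inventory, and treat the output as sensitive in its own right even though the numbers are masked.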

Screen vendors

Firms can sometimes do everything right but still have a cyberbreach.
Hackers target the path of least resistance to breach a target. Sometimes
this happens through a third-party vendor, particularly if the vendor has
access to the information of multiple law practices.

Remember, if a vendor has direct access into a firm's network or databases,
the firm's defenses are only as good as those of the vendor.

This is a step that many firms overlook. Instead, they fortify their own
defenses and forget the doors to which their vendors have a key. Firms
should screen vendors to confirm that a vendor's security controls are at
least as strong as the firm's own.

Hire experienced professionals

Certainly, there are cyberprofessionals who know much about securing
systems. And there are attorneys who are familiar with the ethical and
legal obligations of attorneys. The key is to find and retain professionals
at the intersection: experienced in both cybersecurity issues and attorney
ethics and legal obligations. There is too much at risk to do anything less.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/