A lax attitude towards data security could leave law firms in the lurch

At least 80 percent of the nation’s 100 largest law firms have been affected in some way by a data breach, according to data security software company Digital Guardian. Worse, just under half of all of those firms have taken any measures to handle data or information security risks. Law firms may be only the seventh-most vulnerable industry to cybersecurity threats but the valuable information often held and processed by these organizations is becoming a much more attractive target for hackers.

Law firms are coming under growing scrutiny for a lack of effort in addressing hacking concerns or even coming clean with the threats which they have faced. A cybersecurity report released in February of this year by Citigroup Inc. (NYSE:C) lambasted law firms for being at high risk for cyber intrusions; alarmingly, the industry standard for cybersecurity remains much lower than for other industries. Data security practices which have been suggested for law firms in material published online by the American Bar Association include complete data encryption for files stored on computers or smartphones as well as the designation of a chief information officer (CIO) for oversight of a firm’s data policies and practices.

Law firms who deal with incredibly valuable intellectual properties should be acutely aware of the risks that they face from hackers, especially those from overseas. Patented technologies have been the target of international hackers in recent months. Just this May, the U.S. Justice Department charged six Chinese nationals with stealing IP related to wireless technologies developed by a couple of American companies. Trade secrets were stolen from Avago Technologies (NASDAQ:AVGO) and Skyworks Solutions Inc. (NASDAQ:SWKS) and siphoned to China’s state-controlled Tianjin University under Chinese joint venture rules. As we’ve reported before here on IPWatchdog, China’s joint venture regulations require foreign companies to engage in tech transfer agreements with domestic companies to enter the Chinese market, a stipulation which goes against rules instituted by the World Trade Organization, of which China is a member state.

An August 2015 white paper entitled Securing IP with Cloud Based Technology published by HP Cloud, a report that we at IPWatchdog were able to obtain a copy of, points out various places in the network flow of patent processing where law firms may be vulnerable. Between a corporation filing a patent application, the law firm processing the application and the outsourced legal services for illustration and proofreading, there are many points of entry which could be manipulated to gain access to sensitive information. Specific security points of focus noted in the HP report include e-mail and document servers, WiFi networks, stolen devices or copies of the same document on multiple work machines.

A Chase Cost Management study released in August, entitled White Price Peace? Key Expense Management Strategies for Law Firm Data Security, found that the typical law firm spends about $6.9 million, or 1.9 percent of gross annual revenues, on information security initiatives. These numbers were derived from responses to a survey of information technology personnel attending the fifth annual Thomson Reuters Law Firm CIO/CFO/COO Forum. Further, none of the survey’s respondents felt as though they had too much budget while half of the respondents felt as though their information security budget was too small. The report did also find that 21 percent of law firms are strengthening their in-house security skills.


Some firms are being faced with the cold reality of finding out the hard way that their cybersecurity measures were not as secure as they should have been. One California firm was victimized this January by a virus known as Cryptolocker, a piece of ransomware that encrypts sensitive data and makes it unreadable so that hackers can demand a ransom fee. In some industries where protecting sensitive data is a top concern, an inability to protect data records adequately has led to some significant fines from regulators. For instance, an investment advisory firm from St. Louis was fined $75,000 by the U.S. Securities and Exchange Commission in late September after a data breach compromised the data records of 100,000 individuals.

A resolution passed by the American Bar Association’s House of Delegates in August 2013 called for appropriate government sanctions on those engaging in illegal intrusions into a law firm’s computer networks while encouraging law firms to improve safeguards for client information. A couple of articles published here on IPWatchdog this summer discussed the evolving reality of cybersecurity for law firms, including issues involving access management and e-mail security measures. In a summer 2013 issue of Law Practice Magazine, an article by Global Cyber Risk CEO Jody R. Westby argued that a law firm should budget effectively for an enterprise security program (ESP) which involves a robust set of activities including establishment of a cross-organizational security team, setting high level policies for cloud services or mobile devices as well as keeping a detailed inventory of software systems and data used by the firm.

Although some firms may be under the impression that cyber attacks are more likely to target much larger organizations than theirs, the truth is that smaller firms are increasingly coming under the crosshairs of data breaches. Despite major hacking events at Sony, Target and Neiman Marcus grabbing media headlines in the past year or so, 62 percent of all cyber attacks are directed towards small and midsize companies, which typically have fewer resources invested in data and information security. Creating an effective ESP may seem a difficult task but the only thing more arduous is having to clean up from a data breach, dealing with both the loss of sensitive accounts as well as the fallout with customers, many of whom may lose trust in the company.

A 2012 report by PricewaterhouseCoopers on cybersecurity at law firms noted how hackers were finding ways of getting around firewalls by using e-mail to target personal workstations, attempting to trick unwary employees into enabling access to a firm’s network. Consistent updating of spam filters helps a firm intercept suspicious e-mail activity. Breaches of e-mail accounts could result in malicious communications being sent to a firm’s clients, which again could be very damaging to its reputation.

In response to enhanced cyber and data security threats, many in the legal industry are taking cover under the cloud. Work product management software company iManage, which serves 1,800 law firms and 400 corporate legal departments worldwide, has seen new users increase by 272 percent over the past year. A new cloud computing scheme for hosting documents and providing case management systems has been implemented by one law firm from the British county of Lancashire. Woodcocks Haworth and Nuttall, which operates seven offices across England, partnered with hosted and managed IT support service provider Converge Technology Specialists and legal case management software provider Eclipse Legal Systems to develop the system. The security upgrades allow legal professionals from Woodcocks Haworth and Nuttall to work remotely with greater security while reducing the time spent on completing administrative tasks. Document and e-mail management cloud solutions were also deemed a secure choice for Buchanan Ingersoll & Rooney PC, a Pittsburgh-based firm which recently implemented the software-as-a-service (SaaS) platform provided by NetDocuments of Lehi, UT, for the delivery of legal documents to clients in accordance with current standards for encryption and data security.

A new data services platform known as the Legal Services Information Sharing and Analysis Organization (LS-ISAO) is a project of the Financial Services Information Sharing and Analysis Center (FS-ISAC). The organization will serve law firms by enabling them to anonymously share information on cybersecurity threats in a forum and will also alert firms to potential vulnerabilities. LS-ISAO subscribers will gain access to a list server for actionable threat alerts, a monthly highlight report, a monthly member call, crisis notification and coordination as well as a list of participating law firms.

Cyber liability insurance is also becoming a more viable choice for law firms who are concerned about the legal consequences of a breach of sensitive data. Cyber risk insurance policies first started appearing in the 1990s but have of course become more popular as more attention has been placed on high-profile hacking scandals. Annual premiums for cyber liability insurance range from $40,000 to $75,000 for large firms seeking $5 million to $10 million in coverage; smaller firms can find policies ranging from $1 million to $5 million in cybersecurity protection for annual premiums ranging from $3,500 to $7,000.

There are a number of cybersecurity standards currently developed to help organizations build better defenses against potential data breaches. An executive order issued in February 2013 led the National Institute of Standards and Technology (NIST) to develop a voluntary framework for businesses to help them identify threats and recover from attacks. Cybersecurity standards are also developed by the International Organization for Standardization (ISO) for enhanced safety measures in payment transactions and personal information exchanges. It’s very unclear whether most law firms have been able to adopt these measures. The Chase Cost Management study cited above found that only 28 percent of law firm respondents had implemented any ISO measures and more than half didn’t respond to questions regarding any implementation of an information security framework at their firm.



One comment so far.

  • Anon
    October 2, 2015 01:38 pm

    Excellent article – and absolutely correct.