NEW YORK — The growing and constant threat of cybersecurity breaches is something law firms need to address urgently and forcefully; but increasingly, they are falling behind on investment and commitment to create and maintain adequate privacy and data protection, according to several legal and cybersecurity experts.
The comments came as part of a panel on cybersecurity entitled, “Rumor of War: Regulation, Revelations & the State of Cybersecurity in 2017” at today’s Thomson Reuters’ Legal Executive Institute’s 7th Annual Law Firm CFO/CIO/COO Forum.
“The threat of cybersecurity breaches is the most significant threat this country, its business and its law firms face,” said panelist Timothy Murphy, President of Thomson Reuters Special Services, adding that in many cases, companies and law firms are outgunned by the sophistication of some hostile cyber-actors and are hamstrung by using outdated protections and inadequate resources. “Law firms, especially because of the data they hold, have to take this threat seriously,” Murphy urged. “They have to get engaged and stay on top of it.”
Panelist James L. Quinn, Head of Security Architecture at Infotecs Americas, agreed. “Law firms are holding some of the most sensitive data you can have, and that should make them realize how important it is to invest in adequate security,” he said.
Of course, there are certain hurdles unique to law firms, such as the partnership hierarchy, that make addressing and funding non-income-producing initiatives such as cybersecurity and data protection more difficult than in other enterprises, said another panelist, Nicholas Barone, Director and Co-Head of the Cybersecurity Practice at Eisner Amper. “One of the main challenges at law firms is getting cybersecurity paid for by the partners,” noted Barone, who is also an IT Forensics Expert and Data Breach Responder, adding that this challenge carries with it issues of determining allocations of costs, encouraging firm-wide training, and measuring levels of adoption by partners and staff.
Panel moderator Daniel Garrie, Managing Partner of Law & Forensics and Partner & Co-Head of the Cybersecurity practice at Zeichner, Ellman & Krause, asked panelists to describe what happens within a law firm when it is breached in a cybersecurity attack.
Cybersecurity attacks on law firms are compounded by the very real problem of the firm holding so much of its outside clients’ data, which is often the target of the attack itself, said Gabriel Taran, Assistant General Counsel for Cyber and Infrastructure Programs at the U.S. Department of Homeland Security. “When client information is compromised or taken, it immediately brings issues of attorney/client privilege and theft of trade secrets — it’s really a snowballing of risk.”
Once breached, the firm has to decide — either on its own or with an outside cybersecurity expert — whether or when to report the breach to authorities even if the firm doesn’t know at the time the full extent of the hack or what data has been stolen or destroyed.
Indeed, the chaotic period following a breach is not the time to be making far-reaching decisions, which is exactly why pre-planning matters. “You have to know what you’re going to do before the breach,” said Infotecs Americas’ Quinn. “It’s very difficult to make good decisions in a reactive mode.”
Garrie, who is also a Neutral & Special Master for JAMS, agreed, adding that these issues can spread quickly in a global law firm as all parts of it can come under threat all over the world.
So, what’s a law firm to do?
One thing is to re-examine your firm’s or business’s current cyberplan, or even determine if it has one. Eisner Amper’s Barone said law firms and businesses have to examine four core areas: Testing, Training, Patching and Policy.
Barone explained that, not surprisingly, a firm’s people are certainly the biggest risk — since it is often their behavior that can open the door for cyberhackers — but too often those people are operating in an environment where there is no guidance or policies in place.
Other panelists said law firms would be wise to look into or participate in public-private partnerships that share information and join together to fight cybersecurity breaches; another suggested creating layered defenses within the firm, giving the most protection to the most sensitive material. Of course, that would necessitate inventorying and identifying all your data to determine what should be designated the highest priority, he said.
Other panelists were more blunt: “If you have just two takeaways from this panel,” said Barone. “They should be: use good passwords and keep patching as needed.”
For all the well-deserved fear they inspire, cybersecurity hacks and breaches are a reality in today’s environment and are, at their core, a business risk, concluded Garrie. “Of course, it’s a risk to the bottom line of your business,” Garrie said, adding that it is vital, even as a first step, for law firms and businesses to ask themselves certain questions, such as: Where’s our data? What’s our cost if we go down? And what’s our plan?