In the ever-changing landscape of data security, it is increasingly clear that law firms of all sizes, from the one-lawyer shop to the 1,000-lawyer megafirm, are being targeted by hackers. As the methods used to gain access to computer systems become more and more sophisticated, law firms must adapt their cybersecurity practices to keep pace. This article highlights one critical aspect of cybersecurity: controlling access to a law firm’s computer systems.
Why Hack Law Firms? Because That’s Where the Data Is.
When asked why he robbed banks, Willie Sutton once famously quipped, “Because that’s where the money is.” A modern-day computer hacker might have a similar response to the question, Why do you target law firms? The legal industry is waking up to a fact that hackers have known for years: law firms are high-value targets. A recent study estimated that 66 percent of law firms had experienced a security breach of some type, although few firms are willing to divulge the details. See Logicforce, Law Firm Cybersecurity Scorecard (“Logicforce Study”), at 7, available at www.logicforce.com/reports (registration required). These incidents range from high-profile incidents like the hacking of Cravath, Swaine & Moore LLP in mid-2015, in which hackers obtained pre-publication earnings reports for use in stock trading, to localized spear-phishing or ransomware attacks that don’t make the headlines.
It’s not hard to imagine why hackers would target Cravath, which has 450-plus attorneys and represents clients in IPOs and large-scale mergers or acquisitions. But small-firm lawyers shouldn’t breathe a sigh of relief, because hackers are just as content to go after the trove of information that every law firm has, such as credit card and bank account numbers, or personal information of employees or clients, for example. In the case of a ransomware attack, the intrinsic value of information is less important than the fact that the hacker controls it, and won’t give it back until the ransom is paid.
Law Firm Cybersecurity Is Lacking.
Even though law firms are increasingly likely to be targeted, law firm cybersecurity practices are behind the curve. A study of 200 law firms conducted in 2016-2017 revealed that 53 percent had no plan for responding to a data breach. See Logicforce Study, at 4. The same study showed that, across the legal industry, 79 percent of firms are not using multifactor authentication, and 75 percent are not using full-disk encryption—which means that a lost or stolen laptop may result in disclosure of highly sensitive information. And, since only 34 percent of law firms have cybersecurity insurance, the cost of remediating the breach, which averages $4 million, will have to be borne by the firm.
Hackers Love It When You Change Your Password …
Just as the threats posed by cybercrime are ever-evolving, law firm cybersecurity practices must change to meet those threats. The use of passwords is but one example. The conventional wisdom is that passwords should be complex and frequently changed. It is now becoming clear, however, that the conventional wisdom may actually increase a firm’s vulnerability. In July 2017, IT security firm Thycotic surveyed 250 hackers on what works, and what doesn’t, in cybersecurity. See https://thycotic.com/resources/black-hat-2017-survey/. Survey respondents described traditional protections, like antivirus software and firewalls, as “irrelevant” and “obsolete.” These days, hackers are more likely to get into a network by compromising a privileged account, that is, an account with elevated rights (a system administrator’s, for example) that can reach far more of the firm’s systems and data than an ordinary user’s login can. Frequent password changes would seem to be a logical response to this threat. In reality, however, frequent password changes can result in users taking shortcuts, such as using the same password for multiple accounts, reusing old passwords, or making a trivial change to the current one (Summer2017! becomes Summer2018!), or relying on crutches, such as writing the new password on a post-it stuck to the user’s monitor for all the world to see. Current federal guidance agrees: NIST Special Publication 800-63B (June 2017) advises against requiring periodic password changes, and recommends instead that new passwords be screened against lists of passwords known to have been exposed in prior breaches, and that a password be changed when there is evidence it has been compromised.
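As an illustration of the kind of rule that catches those shortcuts at the moment a password is changed (an added example written for this article, not drawn from the Thycotic survey or from any firm’s or vendor’s software): the policy below refuses a new password that is too short, that appears in a list of passwords exposed in prior breaches, that repeats one of the user’s last few passwords, or that is only a trivial variation of the current one. The breach list, the salt and the sample passwords are constructed for the example; a real deployment would consult a full breached-password source.

```python
import hashlib
import os
import re

# Constructed stand-in for a breached-password corpus (a real deployment checks a
# full source such as the Have I Been Pwned range API). Entries are lowercased.
BREACHED = {"password1", "welcome2017", "summer2017!", "letmein", "lawfirm123"}


def _core(pw: str) -> str:
    """What is left of a password once the digits and symbols users tack on are removed."""
    return re.sub(r"[^a-z]", "", pw.lower())


class PasswordPolicy:
    """Per-user checks applied when a password is changed."""

    def __init__(self, min_len=12, remembered=5, salt=None):
        self.min_len = min_len
        self.remembered = remembered       # how many past passwords may not be reused
        self.salt = salt or os.urandom(16)  # per-user salt (fixed only in tests)
        self.history = []                   # salted hashes of past passwords, oldest first

    def _hash(self, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)

    def check(self, current_pw, new_pw) -> str:
        """Return "ok" or the reason the new password is refused."""
        if len(new_pw) < self.min_len:
            return "too short"
        if new_pw.lower() in BREACHED:
            return "appears in a breach corpus"
        if self._hash(new_pw) in self.history[-self.remembered:]:
            return "reused a previous password"
        # The user must type the current password to change it, so both plaintexts
        # are available here and "Summer2017!" -> "Summer2018!" can be caught.
        if current_pw is not None and _core(new_pw) and _core(new_pw) == _core(current_pw):
            return "trivial variant of the current password"
        return "ok"

    def set_password(self, current_pw, new_pw) -> bool:
        """Apply the checks and, if they pass, record the new password's hash."""
        if self.check(current_pw, new_pw) != "ok":
            return False
        self.history.append(self._hash(new_pw))
        return True


if __name__ == "__main__":
    policy = PasswordPolicy(min_len=8, salt=b"constructed-salt")
    print(policy.check(None, "Summer2017!"))                       # breach corpus
    policy.set_password(None, "Summer2016!")
    print(policy.check("Summer2016!", "Summer2018!"))              # trivial variant
    print(policy.check("Summer2016!", "correct horse battery"))    # ok
```

The point of the variant check is that it removes the incentive a forced rotation creates: if incrementing the year no longer satisfies the system, the user has to choose something genuinely new, and a breach-list check then makes sure that new choice is not one attackers already try first.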
… But They Hate Multifactor Authentication …
When the same survey asked hackers what cybersecurity measures are the hardest to defeat, 38 percent answered, “multifactor authentication.” There are three types of authentication factors: something you know (like a password or PIN), something you have (like a key card), and something you are (like a fingerprint). Multifactor authentication relies on the principle that while hackers might be able to get your login and password, they probably don’t have your key card or (heaven forbid) your finger. A login and password together are a single factor (both are things you know), so multifactor authentication adds a second factor of a different kind; a stolen password alone is then not enough to log in. When you put your debit card (something you have) in the ATM and type in your PIN (something you know), you are using two-factor authentication. One method of two-factor authentication used by law firms sends a notification to an app on the user’s cell phone (something the user has) when the user’s password (something the user knows) has been entered. The user taps the “approve” option on the app, confirming that whoever holds the phone agrees to the login, which makes it more likely that the person accessing the system is authorized to do so. The caveat is that this design depends on the user: a hacker who has the password can trigger the prompt, and a user who approves a prompt he did not initiate hands over the second factor. Firms that use this method should train users to deny unexpected prompts and to report them to IT.
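As an added example (written for this article, not the code of any firm or vendor) of what “something you have” looks like in practice: the other common phone-app design is a time-based one-time code (RFC 6238) rather than the push-notification approval described above. The phone and the firm’s server share a secret enrolled when the app is set up; each computes a six-digit code from that secret and the current 30-second interval, and the server accepts a given interval’s code only once, so a code that a hacker captures cannot be replayed. The shared secret below is the published RFC 6238 test secret, and the user record, password and salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct

# Shared secret as the phone app would receive it from the enrolment QR code:
# base32 of the RFC 6238 test secret "12345678901234567890". A real deployment
# generates a random secret per user; this one is fixed so the example is reproducible.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the interval number, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class SecondFactor:
    """Server-side verifier for one user's enrolled phone app."""

    def __init__(self, secret_b32: str, step: int = 30, skew_steps: int = 1):
        self.secret = secret_b32
        self.step = step
        self.skew = skew_steps        # tolerate a phone clock one interval off
        self.last_used_counter = -1   # replay guard: each interval's code is good once

    def verify(self, submitted: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_used_counter:
                continue              # already consumed, or older than one that was
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, submitted):
                self.last_used_counter = counter
                return True
        return False


# Constructed user record: password stored as a salted PBKDF2 hash (something the
# user knows) plus the enrolled second factor (something the user has).
_SALT = b"constructed-salt"
USERS = {
    "jdoe": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 100_000),
        "factor": SecondFactor(RFC_TEST_SECRET_B32),
    }
}


def login(username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; a stolen password on its own never succeeds."""
    user = USERS.get(username)
    if user is None:
        return False
    given = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(given, user["pw_hash"]):
        return False
    return user["factor"].verify(code, unix_time)


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(RFC_TEST_SECRET_B32, now)       # what the phone app would display
    print("first use:", login("jdoe", "correct horse battery", code, now))
    print("replay:   ", login("jdoe", "correct horse battery", code, now))
```

Two design points matter here. The one-interval skew keeps a phone whose clock drifts a few seconds from locking the user out, while the replay guard means that a code phished from the user, or shoulder-surfed in court, is worthless once it has been used or once a later code has been accepted. Neither protects against a user who reads a live code to a caller claiming to be from IT; that remains a training problem, as with the “approve” button.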
… And They Are Not Very Fond of Encryption, Either.
One-third of survey respondents identified encryption as the biggest barrier to system access. In fact, some of the most notorious data breaches—Anthem Healthcare, Sony, and the Democratic National Committee, to name a few—were made possible, at least in part, by unencrypted data.
Whether, and how, data can be encrypted depends on the data’s status at any given time. “Data in use”—the discovery responses you’re currently editing, for example—is decrypted while the application has the file open, so protecting it comes down to controlling who can log in to the machine. At the other end of the continuum, all “data at rest”—those same discovery responses after you have saved and closed the document—can be encrypted. Full-disk encryption covers everything on the drive, the desktop included; file- or folder-level encryption covers only the locations the firm’s software has been told to protect, so under that kind of setup work product saved anywhere else (the desktop, a USB drive) may be stored in the clear.
Data is most at risk when it is “in transit,” i.e., when it is being sent from one user to another, whether via email, FTP server, or USB drive. Data transmitted without encryption is not secret. As Google puts it, an unencrypted email transmission is about as private as a postcard, and plain FTP is no better: it sends the login, the password, and the files in the clear, so a firm that must use file transfer should insist on SFTP or FTPS. Note also that the encryption most email providers now apply (TLS) protects a message only while it moves between mail servers; the message is readable on those servers and in the mailboxes at either end. End-to-end encryption, by contrast, means the message is encrypted on the sender’s device and decrypted only on the recipient’s. Highly sensitive information (such as account numbers, trade secrets, or privileged communications) should be protected by end-to-end encryption.
Hey, You, Get Off of My Cloud.
No discussion of encryption would be complete without some mention of “the cloud.” Cloud services like Dropbox or Box are increasingly used by lawyers to store, transmit, or receive large volumes of data. A number of state ethics advisory opinions have been issued specifically addressing whether the use of cloud storage is compatible with a lawyer’s ethical duties. The opinions generally approve of the use of cloud storage, provided reasonable precautions have been taken to protect confidentiality.
Even if a cloud storage site is secure, human error can lead to serious consequences, including waiver of privilege. In February 2017, a magistrate judge in the Western District of Virginia ruled that the attorney-client privilege was waived by sharing information on Box.com. See Harleysville Ins. Co. v. Holden Funeral Home, Inc., 2017 WL 1041600 (W.D. Va. Feb. 9, 2017). In that case, an insurance company’s claims investigator uploaded a video to a folder on Box.com, then emailed a non-expiring link to the folder to a third-party vendor. Some months later, the investigator uploaded the claims file, containing privileged information, to the same folder and sent the link to outside counsel. In the course of the litigation, counsel for the insureds subpoenaed the vendor, which produced the email containing the link to the folder. Insureds’ counsel used the link to access the folder, downloaded the claims file, and reviewed it. When the insurer’s counsel moved to disqualify insureds’ counsel, the latter contended that the privilege had been waived. The magistrate judge agreed, concluding that use of a non-expiring link that did not require an additional password was not a reasonable precaution against disclosure under Virginia law.
Earlier this month, the district court overruled the magistrate judge’s “reasonable precautions” ruling. See Harleysville Ins. Co. v. Holden Funeral Home, Inc., 2017 WL 4368617 (W.D. Va. Oct. 2, 2017). The court noted that “the Box Folder was not searchable through Google or any search engine, nor was it searchable on the Box, Inc. website.” Id. at *7. Further, the court found that the link—made up of “32 randomly generated alphanumeric characters”—was the functional equivalent of a password. Id. Finally, the court observed that the claims investigator (who was new to using Box.com) believed he had generated a unique link to the folder, and that the privileged materials were conspicuously marked as such. Id. Whatever the legal outcome, the security lesson stands: a link that admits anyone who holds it is a credential, and email forwards, quotes, and (as here) produces credentials. A shared link to privileged material should expire, and should require either a separate password or a login to a named account, so that the link by itself opens nothing.
It’s easy for cybersecurity to drop down the list of a busy lawyer’s priorities, especially when it involves understanding, implementing, and adapting to new security protocols. But, the Willie Suttons of the world are still out there—they’ve just traded their Tommy guns for computer keyboards.