It was recently reported that 1.2 million email addresses of top-tier U.K. law firms were sitting in file dumps on the Dark Web. The addresses were likely obtained from breaches carried out on popular third-party websites, such as LinkedIn and Dropbox. Among the addresses, passwords were also found, implying that any overlap between firm credentials and those collected from third-party sites could directly expose firms to risk.
Access to stolen credentials can place a firm at increased risk for a variety of social engineering schemes, including phishing attacks, which are all too common in the current threat landscape. As previously noted in my article regarding a phished New Jersey law firm, wherein a firm employee approved a wire transfer to a hacker, these attacks are happening across law firms of all sizes. For law firms and other custodians of data, the rise in security risks is driving an overall heightened standard of care in managing that risk. When it comes to responding to cybersecurity threats and breaches, the standards of what is considered reasonable and negligent are changing at light speed. If firms do not devote adequate time and resources to security controls (such as employee awareness training to address both phishing and social engineering risks, strong passwords and/or deploying some form of active threat monitoring technology), they cannot expect to be spared from cyber-attacks.
LAW FIRMS - SPECIFIC RISKS AND SPECIFIC OBLIGATIONS
Law firms, in particular, cannot be anything less than vigilant in assessing and improving their cybersecurity postures. While no specific statute, law or regulation expressly requires law firms to perform such an assessment or explicitly mandates certain controls, it’s clear that attorneys have the ethical and professional obligations to implement both.
For example, the ABA Model Rules provide that a fundamental hallmark of the attorney-client relationship – the duty of confidentiality – requires that the lawyer must not reveal information related to the representation. Additionally, an attorney’s duty of competence has essentially been redefined to require attorneys to be well versed in emerging technologies and to keep abreast of changes in the law and its practice (see ABA Model Rule 1.1, comment 8). To comply with these duties, law firms must apply these concepts to the reality of our modern-day threat environment, where the frequency, sophistication and volume of attacks have never been greater.
Some firms have undertaken this exercise, but many have not. Some, like DLA Piper, a prestigious global law firm with a purported cybersecurity law practice group, have reacted slowly and predictably suffered the consequences. Other prestigious and even iconic law firms – such as Cravath, Swaine & Moore and Weil, Gotshal & Manges – have admitted they were breached and acknowledged the exfiltration of what appears to be privileged client information.
However, some forward-thinking firms are choosing to tackle this issue by transforming their cybersecurity risk management posture from a weakness to a strength. A robust cybersecurity program (see our article "Crucial Elements of an Effective Security Operations Program") has become a differentiator for these firms and their clients. These firms are the outliers among their peers, but ahead of the curve nonetheless, and are unsurprisingly benefiting from it. They reject the old-world perception that cybersecurity is a lose/lose for law firms, or a game of “gotcha”, and that any acknowledgment of cybersecurity risk management principles amounts to an admission of wrongdoing or negligence. Cybersecurity risk management is certainly NOT an exercise in self-condemnation or exposing deficiencies. Expert after expert has agreed that virtually every organization has already been breached, whether they know it or not.
Accordingly, finding and acknowledging prior breaches is not fatal in any cybersecurity review, examination or self-assessment. A better litmus test is whether you have:
- Made a declaration to design and implement a cybersecurity risk management program that’s appropriate for your size, scope and industry;
- Taken a phased, methodical approach to prevent attacks; and
- Demonstrated that you are capable of responding to them.
Certainly, in the realm of cybersecurity, standards are evolving, technologies are emerging and certain best practices seem to be moving targets. But clearly, if you’re running a law firm from Dropbox or a similar application and lack adequate security measures, chances are the cybersecurity train has already left the station.
If you are seeking advice from cybersecurity experts, Align Cybersecurity™ offers tailored, advanced solutions including Vulnerability Assessments/Penetration Testing, Cybersecurity Risk Management as a Service (Align Risk CSR), Customized Cybersecurity Programs, Third Party Management, Managed Threat Protection with Align Guardian, Cybersecurity Training and more.