This article originally appeared on Law Journal Newsletters.
As 2017 came to a close, the American Bar Association opened the next chapter in cybersecurity awareness with the release of the second edition of its ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals. The new edition comes nearly five years after the first edition made its rounds.
Following the 2012 formation of the ABA Cybersecurity Legal Task Force, the first edition of the handbook was a brave move to enlighten both attorneys and law firms to cyber risk, and the evolving interpretation of professional obligations to protect clients’ confidentiality as the playing field moved from physical records to easily pilfered electronic documents. At the time, the FBI advised law firms about shoring up cyber defenses, as criminals considered law firms “the soft underbelly of American cyber security.”
At the time, I was working with law firms to expose the risks associated with the types of information they controlled. Of course, five years ago, most public coverage circled around major banks, based on the Willie Sutton quote about robbing banks “because that’s where the money is.” At the time, several financial regulators were swinging their “Eye of Sauron” toward the elements of their sector they deemed most vulnerable. As a result, we’ve seen half a decade of cyber sweeps, recommendations, and requirements through the Securities and Exchange Commission (SEC) and other financial regulators.
A lot has happened in five years. I’ve grown from my early experiences at LegalTech, where, as one of three security vendors, I was lost in a sea of document management and sexy e-discovery vendors. The legal community has come under fire, been the victim of a multitude of public attacks, and learned its lessons the hard way. And the second edition of the ABA Cybersecurity Handbook reflects a more seasoned approach to cybersecurity and client obligations. Jill D. Rhodes reprised her role as editor and was joined by Robert S. Litt.
The handbook is organized into four major sections: 1) cybersecurity background information; 2) an overview of legal and ethical obligations; 3) specific considerations of different legal practices; and 4) incident response and cyber insurance. The book is a must-read for attorneys, but also for senior-level security personnel in law firms, or those officers responsible for risk and compliance oversight. In fact, it provides a deep dive into the National Association of Corporate Directors (NACD) Director’s Handbook on Cyber-Risk Oversight that frames out the fiduciary responsibilities of board and executive officers. The reality is that it’s not just about protecting your reputation or your client’s information. Today, the stakes are much higher and the damage associated with cybercrime is far-reaching, with a high risk of material damage to the affected business.
The ABA Cybersecurity Handbook contains noticeable depth and exploration of cybersecurity risks, drawing from a plethora of anecdotes, findings, and post-breach outcomes with which to frame the risks facing law firms. The exploration of threats, such as social engineering, ransomware, and business email compromise (BEC) demonstrates that both sophisticated and non-technical attacks continue to plague law firms (as they do across most industries). Data from eSentire’s security operations center (SOC) shows two significant trends.
The first trend is that over five years, law firms have improved their cybersecurity hygiene and practices, which has reduced the overall number of successful attacks and even eliminated much of the background-radiation type of threats. In fact, in 2017, law firms saw up to 10% fewer of these attacks compared to businesses in finance, healthcare, energy and others.
Unfortunately, law firms saw over 30% more malicious code attacks, which aligns with other industries that have strong cybersecurity practices, such as financial institutions. So, what does this mean? As an industry, the majority of unsophisticated criminals give up and look for easier prey, but that leaves us with the talented criminals who continue to prowl for valuable confidential information.
The handbook also explores how to address these threats and considers the risks associated with the critical technologies that now pervade law firms. The book provides greater depth around regulatory requirements and international legislation and explores when and how counsel should initiate a conversation with the client about cybersecurity (let’s hope most are proactive and not reactive, in the event of a breach). More often than not, the client initiates the conversation based on the nature of their business, the sensitivity to reputational or intellectual damage, or presence of a regulator in their market.
Those who have heard me speak on this topic know the client is the new regulator. And for those who haven’t, I’m certain you shudder at the words “cybersecurity due diligence.” This information forms the basis from which attorneys, administrators, and clients must consider inherent risks, eliminating some, mitigating others, and accepting the risks that cannot be removed. At a minimum, this information serves to establish a level of protocol across the law firm, no matter an individual’s role.
The second key trend explored in several chapters of the second edition reveals the specific sensitivity of the varying, yet potentially damaging information controlled in different types of practices. And this is the critical message: No matter your practice, you still have unparalleled access to critical, potentially business-altering, client information. Law firms are privy to myriad confidential information that can be used to front run trades, evade prosecution, or perhaps topple governments (at least select politicians).
Last year’s attack on Wall Street law firms Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP demonstrated how stolen information, such as FDA filings and press releases, could be used to front run trades. The Paradise Papers represents the next evolution of the Panama Papers. Even tax law information can be monetized or weaponized by (self-proclaimed) ethical hackers. Even an off-the-radar law firm in a tropical paradise could house the type of information that can destabilize a government or ruin the career of elitist politicians and socialites. It’s a privilege to be exposed to the fuel that drives our economy, but it’s also a responsibility. No one practice is the same. And the specific nature of your firm should be taken into consideration when developing a risk assessment that will serve as the compass used to map out your cybersecurity programs.
Of course, the type of practice is one element that helps frame a sound cybersecurity practice, but the size of the firm often sets the budgetary tone. A small law firm cannot afford the security technologies and practices adopted by its larger peers. And it’s not unreasonable to think that the standards to which a large law firm is held are not the same as those that a small firm can manage. There is no one-size-fits-all when it comes to establishing standards of reasonable care. To this end, the second edition offers guidelines for both large law firms and “the little guy.”
Ransomware doesn’t discriminate by size of firm. It just locks files and demands payment. All too often, smaller firms have no back-up mechanisms in place and fall victim to such extortion, whereas larger firms use multi-level back-up services to weather these kinds of attacks. The book contains a resource-right-sized approach with a 12-point checklist that smaller firms can use to build a simplified cybersecurity program.
For larger firms, the recommendations are more strenuous and strike a tone of requirement rather than “nice-to-have” or “try-your-best.” The recommendations are aligned to industry best practices and reflect the core tenets of other security frameworks, such as NIST and HIPAA for healthcare firms. This section of the handbook is lacking in practice guidelines and in establishing “must-haves” compared to more aspirational goals in a cybersecurity program. And like NIST, such a program should start with an analysis of its current state to determine the gaps that need closing to reach the desired state.
This is where related organizations, such as ILTA, could do more to publish these sorts of findings and help build a subjective standard of care, as in “this is what most firms of similar size are doing.” The recommendations also include guidelines such as, “firms should log and monitor network access and deploy data loss prevention tools to monitor where data is going and to flag or block unusual file transfers.” Such guidelines are high-level and, to some degree, outdated. That is not to say firms should not employ logging or data loss prevention systems, but the guidance ignores the cost and complexity of such systems. And it does not include other systems, such as endpoint protection and real-time detection and response services that are growing in adoption. Nonetheless, this second edition takes many good steps forward in its thoroughness and recommendations. For more details, I would refer to the aforementioned NIST and HIPAA frameworks that provide greater detail.
The second edition of the ABA Cybersecurity Handbook is a must-read and should have a place on the desks of any attorney and firm’s cybersecurity leaders. The book does an excellent job of outlining what to do to improve firm and attorney cybersecurity practices. With that said, the one future improvement I would like to see is for the ABA to suggest the how. That is, a framework that is tailored to law firms, with specific critical, important, and “nice-to-have” services based on firm size. The point here is not to be prescriptive for the sake of control. It’s more about setting a collective industry bar (pardon the pun) that establishes a standard of care to which all firms can aspire and better protect their reputation and clients.