ILNews

Law firms should be concerned about cybersecurity

Indiana Lawyer Focus

When cyber thieves hacked into the computer system of retail giant Target, consumers were stunned at the amount of personal financial information that was pilfered.

But on the black market, stolen credit card and PIN numbers do not bring much money per number. The real dollars are paid for inside details about possible mergers and acquisitions, new public policy, and information about cutting-edge technology. In short, the kind of private, confidential information that many law firms hold in their client files.

Describing himself as a “bit geeky,” attorney Jeffrey Kosc has always included cybersecurity issues in his legal practice. The Benesch Friedlander Coplan & Aronoff LLP partner said hackers are constantly trying to breach computer networks to get confidential information. (IL Photo/Aaron P. Bernstein)

Increasingly, cyber thieves are attacking law firms, and while large firms are the prime targets, firms of any size can be hit. Hackers can enter a system through a link in a phishing email or by a virtual backdoor in the software.

The bad news is the hackers will come. Law firms should no longer be asking what they should do if their network is breached, but rather they should ask what they will do when they get hacked.

The worse news is law firms may not know when a breach has occurred. Cyber thieves can break into a system and remain there, undetected, for a significant period of time.

“It’s the world we live in,” said Jill Rhodes, attorney and cyber expert who served on the American Bar Association’s Cybersecurity Legal Task Force. “It’s just the way we live now. No one is going to protect us but ourselves.”

Verizon’s 2014 Data Breach Investigations Report found 63,437 security incidents based on data submitted by 50 contributing organizations covering all sectors of the economy. Of those incidents, the professional sector, which includes lawyers, suffered 360 breaches.

The report found that the professional category of businesses was most hit by denial-of-service attacks, which are intended to compromise networks and systems. The second most common mode of attack was cyber-espionage, or unauthorized access with a motive of spying.


Based on Verizon’s methodology, 87 percent of the actors committing cyber-espionage were affiliated with a nation state while 11 percent were from organized crime and 1 percent was linked to competitors. Forty-nine percent of the incidents were attributed to entities in East Asia while 21 percent were in Eastern Europe.

Ten years ago, hackers were breaking into systems and doing things like defacing websites to make a name for themselves. They wanted the public to know who they were and what they had done.

Now, hackers are more sophisticated. They look for ways to gain entry; then they work to breach the layers of security to get to as much data as possible for economic gain.

Nicholas Merker, attorney in the intellectual property and litigation group at Ice Miller’s Chicago office, explained that today’s hackers do not want to get caught. They want to lie in the weeds for as long as they can and siphon information.

Protection

Cybersecurity has been part of Jeffrey Kosc’s practice since his first day on the job as an attorney. He had just been hired as in-house counsel for True Value hardware stores and accepted the task of reviewing a software agreement after the other attorneys confessed they were not too sure what software was.

Nearly 20 years later, Kosc, now a partner at Benesch Friedlander Coplan & Aronoff LLP in Indianapolis, said constant attacks are the trend.

Hackers are “always trying to get in and always trying to stay one step ahead,” he said.

Law firms are attractive to cyber thieves not only because of the type of confidential information harbored but also because attorneys tend to use their own devices. Lawyers who work out of the office accessing files on the cloud with their own tablets, laptops and phones can create an additional vulnerability in a firm’s network.

A hacker needs only hours or days to break into a system, while a business might take weeks or months to discover the breach. Protecting against attacks includes changing passwords, using encryption programs, limiting access to extremely sensitive documents and having the ability to wipe data from any phone or computer that gets lost.

Also, firms should negotiate security agreements with vendors to clearly spell out what the expectations and responsibilities are. The average consumer will not be able to negotiate the usage agreement for iTunes but, Kosc said, a law firm making a significant investment in programs will have leverage to change the terms to ensure greater security.


There is no magic bullet to protect against all cyberattacks, said Scott Shackelford, attorney and fellow at the Indiana University Center for Applied Cybersecurity Research.

Defending against breaches, Shackelford continued, requires constant vigilance and starts even before the new computers arrive at the office. Devices can be purposefully contaminated with viruses at the factory so law firms, just like any business, should be working with vendors to ensure the supply chain is safe.

The weakest link in the protection chain is people. A 2011 test of cybersecurity by the U.S. Department of Homeland Security proved this. The agency tossed disks and flash drives in parking lots of other federal offices and contractors and found that employees picked up the items and inserted 60 percent of them into their computers.

Technology alone will not fix the problem, Merker said. Law offices have to change their cultures and implement training, policies and procedures for employees. The attorneys and staff need to know what to be leery of and how to avoid attacks.

Still, even with all the protections, Rhodes, vice president and chief information security officer for Trustmark Cos., believes a costly, high-profile attack is inevitable.

“I think there will be at some point – if not already – a significant lawsuit related to some sort of breach that resulted in a client losing a case,” she predicted.

Bottom line

A hacking incident in 2010 in which Canadian law firms were breached and sensitive information about a potential corporate takeover was accessed has been highlighted as an example of how vulnerable law firms are and the type of information available on a firm’s computers.

Indeed, in late 2011, the FBI met with New York’s Top 200 law firms to warn the attorneys of attacks and provide them with ways to prevent breaches.

Mounting and maintaining a defense against hackers does create a new line item in a law firm’s annual budget. However, law firms that skimp on protection now will actually start building what has been called a security debt. The longer the firm delays putting needed resources into cybersecurity, the bigger the debt grows until finally a breach occurs and the debt comes due, potentially making the cost to mitigate much higher.

Most states have data security laws regulating businesses and agencies. Indiana requires database owners to “maintain reasonable procedures to protect and safeguard” the personal information of Hoosiers. If a breach occurs, database owners must make notification without “unreasonable delay.” Failure to disclose the breach is a deceptive act that could bring a civil penalty of up to $150,000 per act.

The bigger consequence is the loss of client goodwill. Firms could have their reputations damaged and lose current and future clients. While customers tend to forgive when a store loses their personal financial information, Merker is not sure if clients would forget a breach at a law firm. The stigma of breaking clients’ trust and not keeping their information safe could be hard to erase.
