Law firms subject to same cyber risk as others, but is compliance required?

Law firms are handling some of our most sensitive and private information but how are they doing?


Happy New Year to all our readers. I’m not a lawyer but I play one on TV. But seriously!

This is an article I have been meaning to write ever since we performed an IT audit for a large law firm a year or so ago. The firm was responding to the HIPAA rule that requires all third-party vendors working with healthcare organizations to have a risk assessment. This further proves my point that most businesses won’t do much in the area of cyber security or compliance, not even an IT risk assessment, unless required by law.

It’s hard to believe, even at this stage, after countless breaches over the past few years: Target, Sony, Anthem, OPM, Yahoo and so on. It’s no longer a matter of if you will be breached, but rather a matter of when, or whether you have already been breached and just don’t know it. Every person, SMB or large corporation that has an internet connection is vulnerable. So every connected device on the internet must meet minimum compliance standards, and that’s just the tip of the iceberg.

It’s no longer acceptable to be merely backward-looking and legalistically IT compliant; organizations must design security and privacy into their architectures and have plans in place to proactively detect and respond to incidents.

So all connected enterprises carry about the same baseline risk simply by being connected to the internet, but each sector is, at one time or another, more heavily targeted. Healthcare, for example, is now targeted more than retailers, because stolen credit cards don’t pay out much anymore, while stealing someone’s complete identity and medical insurance does.

Let’s look at some specifics about the legal sector. ALM Legal Intelligence has reported the following facts:

  • Nearly 10% of firms have not performed a formal information security and privacy assessment.
  • Approximately one-third of firms do not hold cyber liability insurance policies.
  • More than 55% of firms have either already established a cybersecurity practice or have plans to form one.
  • A whopping 98% of law firm respondents to the ALM Intelligence law firm survey believe that the legal industry is increasingly a target for attacks.
  • 22% of law firms don’t have a data breach plan in place.
  • Only 50% of law firms have a cybersecurity team in place.
  • 87% state they train users on basic security practices, yet only 47% conduct drills.
  • Most view cybersecurity as an IT issue, versus the reality: it’s a business issue.
  • 71% of law firms have performed a formal information, privacy and security assessment.
  • 70% of law firms have purchased cyber liability insurance.

Additionally, Daniel Solove, professor at George Washington University Law School and organizer of the Privacy + Security Forum, said “On a scale of 1 to 10, the risks law firms are facing are an 11.”

Well, that is the background evidence, based on a trusted survey, but what has been happening lately?

First we have the Panama Papers, as reported by The New York Times on April 4, 2016: The Panama Papers have exposed how some of the world’s most powerful people may have used offshore bank accounts and shell companies to conceal their wealth or avoid taxes. The papers — millions of leaked confidential documents from the Mossack Fonseca law firm in Panama — identify international politicians, business leaders and celebrities involved in webs of suspicious financial transactions. The revelations have raised questions about secrecy and corruption in the global financial system.


Consider this recent law firm hacking headline. SC Magazine reported the following on Dec. 28, 2016, under the headline “Chinese hackers of NY law firm charged”: “After hacking their way into the networks of seven law firms and siphoning out data that was used in making $4 million profit in trades, three Chinese men were hit with charges and one was arrested.”

Somehow law firms have escaped being subject to the same legal compliance mandates that many other businesses must adhere to. The American Bar Association has certainly visited this issue and stated the following in 2013: “Many firms are now asking, ‘What do we do to keep our systems and data safe? How can we keep this from happening to us?’ There is a simple answer to this question: Hire a chief information security officer, give him or her a budget to hire the staff needed to build and maintain an enterprise security program (ESP), and exercise appropriate governance over the firm’s digital assets.”

But do law firms have a security standard like FISMA, PCI DSS, HIPAA or SOX? Not really; there is no single compliance mandate specific to law firms. If they handle credit cards, PCI DSS applies; if they handle HIPAA-regulated health data, HIPAA’s third-party requirements kick in. It’s a disconnected, disjointed patchwork of laws written by? Legal professionals. Add privacy laws to the mix: forty-seven states, the District of Columbia, Puerto Rico, Guam and the Virgin Islands have all enacted statutes requiring companies to provide notification if a breach of personal information occurs.

“We live in a world where our national security is threatened by cyberterrorists, and where private enterprise is forced to respond to cyber theft of intellectual property on a daily basis. The ABA Cybersecurity Legal Task Force is examining risks posed by criminals, terrorists and nations that seek to steal personal and financial information, disrupt critical infrastructure and wage cyberwar. When our national security and economy are threatened, lawyers will not stand on the sidelines,” said Laurel Bellows, 2012-2013 President of the American Bar Association.

All law firms that don’t have a cybersecurity program in place should hire someone to do an IT risk assessment. The assessment should consider the types of data the firm holds, and address data security and data privacy as they relate to credit cards, intellectual property, government data, HIPAA-regulated health data and so on. Every type of data has different data security and data privacy laws to adhere to, and it will remain that way until we get better at blanket programs. Add PCI DSS and the rest on top, and we are stuck with a confusing, siloed approach. Any business could adopt the NIST Cybersecurity Framework; it works well for any business because it looks at technology, data and the risk associated with using them.

Once the risk assessment is complete, the consultant will be able to customize a program to fit the needs of the organization. The blueprint for a NIST-based implementation will look something like this:

  • Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Add the appropriate people, policies and technology to the NIST framework and you are on your way. Law firms need to put an information security program in place, which means hiring a CISO, security analysts, a security manager and IT security experts, or outsourcing this to a consulting firm. Either way, ignoring the problem won’t make it go away; it only increases risk and the resulting loss of reputation and credibility, both of which are priceless to a trusted law firm!

This article is published as part of the IDG Contributor Network.
