BreachExchange mailing list archives

Lawyers need to put cyber security policies in place


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 18 Jun 2014 19:17:55 -0600

http://www.businessinsurance.com/article/20140618/ISSUE0401/140619806

Not surprisingly to some observers, law firms are among the worst offenders
when it comes to implementing a robust privacy and cyber security
protection program to manage their data.

One of the most critical components of a best-practices information
governance regime is the purchase of dedicated cyber, privacy and
technology insurance. Many — indeed, more than many — attorneys fail to
focus on the fact that they hold third parties' regulated personally
identifiable information and personal health information as well as
clients' confidential commercial information, among other sensitive data.

This is not to say that we necessarily ignore the associated risks and
exposures. Rather, in many cases, it is simply a function of the fact that
law firm decision-makers typically are too busy to think about it. But they
should.

A recent example of a law firm breach was disclosed by Edward Snowden, who
published a top-secret document that revealed that a global law firm based
in the U.S. had been monitored by the National Security Agency and its
Australian counterpart because the firm was representing the interests of
Indonesia in connection with trade negotiations.

Mr. Snowden's revelations are not unique to the extent they involve a
breach at a law firm. The cyber security firm Mandiant estimated that 80
major U.S. law firms were hacked as of 2011. And the number of firms that
have been breached since then reportedly has grown significantly.

Perhaps of greatest concern are the financial implications of a data breach.
The average of all costs associated with a cyber incident in 2013 was $3.5
million, according to the Ponemon Institute. Third-party litigation, lost
opportunity costs and, in many cases, a potentially significant hit to the
firm's bottom line would naturally follow a breach. In other words, the
reputational and financial risks of a data security breach can be
devastating.

Law firms are a preferred target of cyber criminals

While law firms can discount NSA surveillance as an anomaly, the threat of
a law firm privacy incident is far from hypothetical. The American Bar
Association recognized the risk in 2012 when it amended its ethics rules to
require attorneys to “make reasonable efforts” to protect client
information. In turn, the FBI has cautioned attorneys on their cyber risks
and exposures, having pointedly warned that hackers view them as a back
door to their commercial clients' confidential information.

Privacy related litigation can take many forms, whether or not a breach has
occurred. For example, in May 2014, a Pennsylvania collections attorney was
sued in a putative class action lawsuit alleging that he and his client had
included in a public court filing the named plaintiff's full Social
Security number rather than just the last four numbers. The complaint
alleges violation of the common law tort of invasion of privacy.

Even absent litigation, the financial and reputational costs of a privacy
incident can be incalculable. In March 2014, a significant international
law firm notified Maryland authorities that hundreds of employees' W-2 and
other information had been stolen when a vendor's database was compromised
allowing the hackers access to the law firm's servers. As a remedial
measure, the firm provided free credit monitoring to all affected persons,
numbering in the hundreds.

Entities holding client trust funds in particular appear to be a favored
target of cyber fraudsters. For example, two Canadian law firms were
victimized in December 2012 when their trust accounts were accessed by
malfeasants. In the first case, $90,000 was stolen from an attorney who
succumbed to the widely known bad check collection scam where the attorney
sent a firm check to a purported client posing as a foreign national
seeking assistance in collecting on a fraudulent debt. Needless to say,
there was no errors and omissions coverage for the resulting loss.

The second case is more troublesome. There, an Ontario, Canada, firm
suffered a six-figure loss from its trust account when its system was
infected by a Trojan horse virus that tracked a computer user's keystrokes.
Through this mechanism, the fraudsters were able to gain access to
confidential passwords when the firm's bookkeeper logged into its trust
account. Trust funds were then serially wire-transferred to an overseas
account and never recovered.

One of the best known law firm breaches occurred in 2010, when China-based
hackers, looking to scuttle a $40 billion corporate takeover of the world's
largest potash producer by an Australian mining company, infiltrated the
secure computer networks of at least seven Toronto-based law firms
connected to the deal. Canada's Finance Ministry and its Treasury Board
also were hacked. The acquisition ultimately fell through, albeit
reportedly for unrelated reasons.

Law firm decision-makers should be particularly mindful of the fate that
befell a California escrow services company that had been breached by cyber
criminals who stole roughly $1.5 million from over 100 of the firm's escrow
accounts. Like the Canadian law firm, the escrow service had been the
subject of rogue Trojan horse malware. The stolen capital was then wired to
Russia and China.

The unauthorized accesses began in December 2012 and continued into January
2013. They were reported to regulators in February 2013. An investigation
ensued, pursuant to which the company was ordered to replace the stolen
funds within three days from the date of the order.

The escrow firm was unable to meet its financial obligations. As a result,
the California Department of Corporations filed a petition in state court
and subsequently appointed a receiver. In the end, the company was forced
to shut down and lay off its entire staff.

Then there is the risk — and almost daily real-life occurrence — of
improper document disposal. There have been a number of instances where
attorneys were found to have disposed of unshredded client records in
dumpsters.

In another case, a Texas law firm's laptops were found in a pawn shop,
notwithstanding the firm's policy of donating only those computers that
have been professionally scrubbed of client information. In yet another, an
employee stole 200 laptops from a Palo Alto, California, law firm. And we
all have heard the myriad stories or had first-hand experience involving
the negligent losses of laptops, cellphones, smartphones, etc.

The value of a robust information governance plan, including dedicated
cyber insurance

With these facts, statistics and warnings in mind, the solution is simple:
Information governance is a practical place to start. A cyber security and
risk transfer expert wielding associated legal privileges can assist a law
firm and other professionals in formulating and implementing practical and
reasonable steps to protect their clients’ and employees’ personally
identifiable information, personal health information and confidential
commercial information — and, by extension, the law firm’s financial health.

Given the magnitude of the costs inherent in remediating a privacy
incident, it is a relatively modest investment for a law firm to purchase
dedicated cyber, privacy and technology insurance. While various insurers’
policies differ on the scope of coverage provided, cyber insurance can
reduce the net expense of a material cyber incident by factors of the
premium paid. Indeed, it is comparatively cheaper to implement a strong
privacy regime with associated CPT insurance than to bear the entire net
burden of having to remediate a privacy event and potentially face
protracted litigation.

In the long run, a firm-specific information governance program developed
and deployed by an experienced, knowledgeable cyber risk transfer attorney
is both practical and virtually a necessity. More and more clients are
requiring their outside advisers to sign certifications that their
information governance systems include robust cyber security and privacy
policies and procedures. To the extent a law firm cannot so certify, it
likely will not be considered for the proposed retention — or, most likely,
future retentions by other prospective or even existing clients.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/