Bloomberg Law
April 15, 2015, 12:17 PM UTC

The Data Threat Within Law Firms

Monica Bay
Stanford University, CodeX: The Stanford Center for Legal Informatics

Editor’s Note: The author of this post is a fellow at CodeX: The Stanford Center for Legal Informatics and a member of the California bar.

By Monica Bay, Fellow at CodeX: The Stanford Center for Legal Informatics.

As Big Law leaders tackle the hazards of cybercrimes, they face a chilling reality: the most dangerous miscreants may not be in obscure foreign outposts, but on the firm’s payroll.

Firm personnel — from the mail room to the managing partner — can create havoc accidentally or intentionally, say cybersecurity experts. “Some of today’s most high profile breaches apparently were enabled by the actions of employees,” said Judy Selby, a partner at Baker & Hostetler.

Exposures can be triggered by all levels of personnel, she said.

A few examples:

• A low-level employee clicks on a phishing email.
• An IT staffer fails to appropriately segregate and protect sensitive data.
• A lawyer stores passwords in a file named “passwords.”
• A manager overseeing vendors that handle corporate data—or have access to corporate networks—fails to properly monitor the process.

Two areas are particularly vulnerable within Big Law firms, which are hot targets because they routinely hold highly sensitive documents in litigation matters, mergers and acquisitions, and highly regulated areas such as health care and finance.

Phishing is a pervasive problem for firms of all sizes, experts say. “All it takes is one click on one link in a bogus email and a law firm’s systems could be compromised,” said Chris Romano, CIO at Ward and Smith, in New Bern, N.C. “Network infrastructure can protect against state-sponsored terrorism, but the uneducated user compelled to open every email and click on every link or attachment is what keeps most CIOs up at night.”

The explosion of mobile devices and “The Internet of Things” (devices that can access the Internet without human intervention) have raised the stakes dramatically. Just about every worker now has easy access to mobile technology, and that profoundly complicates security.

“Employees have the greatest knowledge base and carry company-issued devices,” said Denver’s Shawn Cheadle, general counsel, military space at Lockheed Martin Space Systems Co. “Mistakes happen and data spills occur,” he said. “Intentional misconduct, however, is the greatest risk with employees and former employees because the devices used are often not company-issued (e.g., thumb drives, external drives, email attachments), so tracking and access is limited.”

PREVENTION

Here are five steps to take to escalate your security:

1. Understand your security profile and risk, advises Chicago consultant Scott Christensen, former director of information technology-U.S. at Edwards Wildman Palmer. Your firm’s response to security threats should match its profile relative to its risks, he said.

2. Establish policies and procedures, coupled with vigilant employee training and retraining, said Selby. This can go far in preventing and mitigating the effects of breaches and can provide a compelling defense in litigation following a breach.

3. Educate and empower personnel. “Employees are often not well educated about areas of threat and risk,” said Judith Flournoy, CIO of Kelley Drye & Warren, and chair of the International Legal Technology Association’s Legal Information Security Council (LegalSEC). “They feel that security is someone else’s job. They can become disgruntled and become an internal threat,” said Los Angeles-based Flournoy. (LegalSEC Summit 2015 will be held June 8-9 in Baltimore.)

“Employees are incentivized to do their job, not to manage security. As security often gets in the way of them doing their job, they are often motivated to avoid security,” observed Houston’s John Tomaszewski, counsel at Seyfarth Shaw. “Any chain is only as strong as its weakest link. Employees are a lot of links in the cybersecurity chain; and they can be either the weakest, or strongest link in that chain.” That being said, he also sees a silver lining. There’s a bit of a paradox with employees who have the ability “to think outside the box. Like Newton’s third law, every potential for risk has an equal and opposite potential for reward. Employees can be a big cybersecurity risk, they can also be a big cybersecurity control.”

4. Monitor for Red Flags. Watch for changes in behavior, said Cheadle. “Employees leaving quickly for foreign jobs, or who are leaving under disgruntled circumstances are red flags that should trigger monitoring.” Adds Flournoy: “Keep an eye out for attendance, attitude, engagement, communication.”

Be alert to risky combinations of habits and privileges: “Click-happy users with administrative rights to their computers and broad access to server file shares are a bad combination,” said Phoenix-based Mike Lombardi, CIO of Vertigrate Inc., a boutique legal IT consulting firm.

“It’s not possible, practical or even desired to monitor every activity of every employee at all times,” cautions Christensen. “That said, ‘exception monitoring’ is now realistic for many systems. Firms should be monitoring for suspicious activity such as an abnormal number of documents checked out of the document management system, or an abnormal number of documents being emailed as attachments. Employees on ‘suspect’ lists should receive more attention and a higher level of monitoring as the specific situation warrants,” he said.
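What Christensen calls “exception monitoring” looks like this in practice. The following is an added example, not code from the article or from anyone quoted in it: a short Python script that reads constructed document-management-system (DMS) checkout and mail-gateway log lines, scores each user’s daily volume against that user’s own history, and flags the days that stand out. The log line format, the user names, the volumes and the thresholds are all assumptions made for the example; a real DMS or mail gateway will need its own parser. Users on a watch list are held to a lower threshold, which is one way to implement the closer monitoring for people on a “suspect” list that he describes.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed log line shape (constructed for this example; no real DMS or mail
# gateway writes exactly this format):
#   2015-04-01 10:00:00 dms CHECKOUT user=asmith doc=1001
#   2015-04-01 11:00:00 mail ATTACH user=asmith size=20480
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<source>dms|mail) "
    r"(?P<event>CHECKOUT|ATTACH) user=(?P<user>\w+)"
)


def build_sample_log():
    """Constructed sample: ten days of steady activity for three users, then a
    one-day spike by one of them (the pattern exception monitoring should catch)."""
    usual = {"asmith": 6, "bjones": 4, "clee": 8}  # typical checkouts per day
    lines = []
    for day in range(1, 12):
        for user, n in usual.items():
            if day == 11 and user == "clee":
                n = 90  # abnormal checkout volume on the last day
            for i in range(n):
                lines.append(f"2015-04-{day:02d} 10:{i // 60:02d}:{i % 60:02d} "
                             f"dms CHECKOUT user={user} doc={day * 1000 + i}")
            mails = 40 if (day == 11 and user == "clee") else 1
            for i in range(mails):
                lines.append(f"2015-04-{day:02d} 11:{i:02d}:00 "
                             f"mail ATTACH user={user} size=20480")
    return lines


def daily_counts(lines):
    """Map (user, event) -> {date: count}; lines that do not match are ignored."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[(m["user"], m["event"])][m["date"]] += 1
    return counts


def robust_score(value, history):
    """Median/MAD deviation score. The MAD is floored at 1 so a perfectly flat
    history (every day identical) does not divide by zero."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    return (value - med) / (1.4826 * max(mad, 1.0)), med


def find_exceptions(lines, threshold=5.0, watchlist=frozenset(), watch_threshold=3.0):
    """Return the per-day counts that deviate from the same user's other days by
    more than the threshold. A user with a single day of history is never
    flagged. Watch-listed users are held to the lower watch_threshold."""
    flagged = []
    for (user, event), per_day in daily_counts(lines).items():
        if len(per_day) < 2:
            continue
        limit = watch_threshold if user in watchlist else threshold
        for date, n in sorted(per_day.items()):
            history = [c for d, c in per_day.items() if d != date]
            score, typical = robust_score(n, history)
            if score > limit:
                flagged.append({"user": user, "date": date, "event": event,
                                "count": n, "typical": typical,
                                "score": round(score, 1)})
    return flagged


if __name__ == "__main__":
    for hit in find_exceptions(build_sample_log()):
        print(f"{hit['date']} {hit['user']:8s} {hit['event']:8s} "
              f"count={hit['count']:3d} typical={hit['typical']:.0f} score={hit['score']}")
```

Scoring each day against the user’s own median rather than a firm-wide average keeps a heavy but steady user (here `clee` at eight checkouts a day) from looking suspicious, while the single day of 90 checkouts and 40 attachments scores far above the threshold. Because the median and MAD are robust statistics, one outlying day does not inflate the baseline and hide itself.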

5. Establish strong perimeter protection (aka “castle walls”). It can go a long way to help keep out sophisticated hackers who employ elaborate social engineering techniques to fool employees into compromising systems, said Christensen. “So-called phishing attacks have moved beyond email links to phone calls and other means of solicitation. Increasing employee education on security awareness is hard, but is a necessary response to these threats,” he said.

Take a layered approach to security for a greater level of defense and detection, recommends Lombardi. If one defense fails, another may succeed or trip an alert. Some layers to consider: host- and network-based intrusion prevention and antivirus; patch management; proper configuration of servers and workstations; logging and monitoring of workstations and server events; and a plan to deal with different types of compromises as they occur, he said.

Lock down as much external email usage as necessary to prevent data escapes and implement strong safeguards to harden networks and protect against pervasive email threats, said Cheadle.

The bottom line: Law firms must understand that they are a target, take appropriate measures to mitigate risk, and properly incentivize employees to implement mitigation controls, said Tomaszewski. “But like the old adage that a lawyer representing himself has a fool for a client, lawyers need to hire cybersecurity professionals and not try to do this themselves. Get an expert and then let them do their job.”

Illustration by Rizchendy (Flickr/Creative Commons)
