The Importance of Cybersecurity to the Legal Profession and Outsourcing as a Best Practice – Part One

May 11, 2014

Cyber_security_wordsCybersecurity should be job number one for all attorneys. Why? Because we handle confidential computer data, usually secret information that belongs to our clients, not us. We have an ethical duty to protect this information under Rule 1.6 of the ABA Model Rules of Professional Conduct. If we handle big cases, or big corporate matters, then we also handle big collections of electronically stored information (ESI). The amount of ESI involved is growing every day. That is one reason that Cybersecurity is a hard job for law firms. The other is the ever increasing threat of computer hackers.

Chinese-cyber-warThe threat is now increasing rapidly because there are now criminal gangs of hackers, including the Chinese government, that have targeted this ESI for theft. These bad hackers, knows as crackers, have learned that when they cannot get at a company’s data directly, usually because it is too well defended, or too risky to attack, there is often a back door to this data by way of the company lawyers. The hackers focus their industrial espionage on the law firms that collect vast amounts of data from corporate clients as part of e-discovery and corporate due diligence. The hackers have found from successful intrusions that most firms are lax in cybersecurity, or as I have put it before: law firms are the soft underbelly of corporate cybersecurity. Best Practices in e-Discovery for Handling Unreviewed Client Data. Also see: China-Based Hackers Target Law Firms to Get Secret Deal Data (Bloomberg 2012). According to Bloomberg’s 2012 article, cybersecurity experts estimated that at least 80 major U.S. law firms were hacked in 2011. Indications suggest the attacks have intensified since 2011. See eg. Law Firms Are Pressed on Security for Data (NYT, 2014); Big Law Firms Are Most Vulnerable To Hackers: ABA Panel (Law 360, 2013); Attacking the Weakest Link: BYOD in the Law Firm Culture (Huffington 2014).

Data_protection_Cyber-LiabilityThe legal profession needs to recognize this threat and take immediate action to defend against cyber intrusions of client data. One solution is the action that I recommend: outsource e-discovery data possession and cybersecurity of large collections of client data to trusted professionals. I follow my own advice on best practices. My law firm has outsourced e-discovery data possession and cybersecurity to trusted professionals, in our case, Kroll Ontrack.

FBI Warns Law Firms To Harden Their Cybersecurity

vmalware_wordsMary Galligan, the special agent in charge of cyber and special operations for the FBI’s New York Office, is reported by Law Technology News as saying: “We have hundreds of law firms that we see increasingly being targeted by hackers.” Confidential client ESI can also sometimes be stolen by unethical competitors willing to engage in illegal eDiscovery by hacking. They may do so to try to crush a competing business, or even just to win a law suit. We have seen this ourselves in my firm and have successfully counter-responded in court. Foreign governments may also sponsor cyber attacks of a law firm to steal their clients’ trade-secrets that would help government backed business. Bloomberg’s Business Week quoted FBI agent Galligan as saying: “As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry.” China-Based Hackers Target Law Firms to Get Secret Deal Data (Bloomberg 2012).

Outsourcing

Data_SecurityRealizing the seriousness of cyber crime today, my law firm has taken extraordinary steps in the last few years to significantly strengthen its cyber systems. The focus of our efforts has been on protection of client ESI because, like every other law firm in the world, that is our high value target. That is what the crackers want to steal. That is one of the reasons we outsourced our non-legal e-discovery services to Kroll Ontrack in 2012, and recently renewed again with them this month. Losey, R., Five Reasons to Outsource Litigation Support (LTN, Nov. 2, 2012); Going “All Out” for Predictive Coding and Vendor Cost Savings. The five reasons I wrote about in 2012 for outsourcing remain the same for our renewed in 2014, except that cybersecurity is now much more important.

The five reasons I described before for any law firm, or corporate law department, to outsource their litigation support department non-legal e-discovery functions are Competency, Complexity, Cost Savings to Firm and Clients, Risk, and Ethics. Here is a summary of these five showing how cybersecurity fits into each.

NIST_5_Functions1. Core Competency. You are a law firm, or law department of a corporation. You are lawyers engaged in the practice of law. That is what you are trained to do. That is what you are good at. That is your mission. Why should you own and operate a non-legal e-discovery business within your walls under the guise of a Lit-Support Department? Why own and operate a data hosting company? Why should you assume the risks involved with protecting large collections of client data?

Even in big-firm Lit-Support departments, most of the services provided are not legal review; they are non-legal services by techs. The non-legal services performed by litigation support departments include the processing of electronically stored information in various ways, ESI collections, forensic analysis, database creation, hosting, software configuration, management and non-legal expert advice of all kinds and varieties. It also includes the intake, storage and accounting of billions, if not trillions, of computer files that belong to law firm clients. It also should include, although truth be told often does not, cybersecurity infrastructure and experts to protect this information, to protect it from accidental loss and intentional theft. Is anyone in your tech-support department  an expert in the five basic functions of cybersecurity? Do they have a well funded plan to implement?

These are not the practice of law under anyone’s definition. No one contends that the five billion dollar a year e-discovery vendor industry is engaged in the practice of law. These are computer related technical services. EDRM type technical services are the core competency of e-discovery vendors. It is not the core competency of any law firm or law department.

CIA_triadTo be honest, with a few notable exceptions, most e-discovery vendors do not have cybersecurity expertise either. It is not within their wheelhouse any more than it is within a law firm’s. Most vendors can process and host all right, but can they protect? Do they even have a CISO, much less one with a PhD? What do they really know about the CIA, the holy trinity of cybersecurity? The CIA Cyber Security Triad and 9ec4c12949a4f31474f299058ce2b22a (e-Discovery team, 2014). Good e-discovery vendors know how to hash and dedupe, but do they know how to set up network segmentation, virus and intrusion monitoring, and the latest host-based intrusion detection technology. What speciality cybersecurity firms do they employ to guide their efforts? Have they had penetration tests done?

2. Complexity. Non-legal e-discovery services are difficult and complex to perform correctly. They require a high degree of special skills and training. This is not like making copies or performing other simple technical tasks. ESI processing and forensic work is very technical, and it is easy to make mistakes if not done properly. So is management of these tasks in large projects. The complexity and difficulty of this work is increasing daily.

NIST_function_categoriesThis is especially true when it comes to cybersecurity skills to protect against hackers. Again, is anyone in your tech-support department, or even your IT Department, an expert in the categories of the five basic functions of cybersecurity? Do they have a well funded plan to implement them? Do you even have a CISO? Have they studied the new NIST framework for cybersecurity that came out this year? National Institute of Standards and Technology Creates Cybersecurity Standards Framework. Do you have defined cybersecurity processes and an integrated risk management program? What is your Current and Target Security Profile? Do you have an action plan to address the gaps identified between the Current and Target Profile as NIST recommends? When is the last time you had penetration testing done on your systems? How did you do? Did it take more than an hour for the hacker team to take root control and own your system? Are you 100% sure there are no trap doors in your software?

We are living in an age of information explosion and rapid technology advancements. We are also living in the age of computer hackers where in 2013 there were an average of 315,000 new viruses released every day! The only norm in technology is constant change and increasing threats. For most law firms the review software they bought three years ago is now hopelessly obsolete, and so are the skills of their techs, unless they are constantly re-trained. The same applies to virus protection systems.

computer-virus-warning-signYou do not really think that buying a piece of malware detection software is adequate, do you? That is just one step in an overall cyber risk management program, and it is a minor one at that. See eg the May 2014 report in the Wall Street Journal, including a statement by Brian Dye, senior VP for information security at anti-virus pioneer firm Symantec, which supplies Norton AV software, that anti-virus “is dead, and “the era of AV-only is over.Also see Anti-virus is dead – but ghosts get chased (SC Magazine, 2014). An overall program is needed, beginning with assessment. National Institute of Standards and Technology Creates Cybersecurity Standards FrameworkYou need to constantly monitor and remove malware and other artifacts of intrusions, such as back doors and software defects. The virus detection and removal process alone is complex, as the chart below indicates.

Response_Cyber_attack

An e-discovery business, especially one that includes effective cybersecurity, is simply too complex for most law firms or in-house law departments to run properly. Although I once met a lawyer who was a good businessman, most of us are not, which goes back to the core competency issue. E-discovery and cybersecurity are complex businesses, which, as lawyers, we are ill equipped to run. My advice to 98% of the lawyers and law firms in the world, stick to law and partner with the best experts in other fields that you can.

Data_breach_cost_impact3. Cost Savings to Firm and Clients. Lit-Support departments, like any business, cost substantial sums of money to properly set up and operate. This is especially true if state of the art cybersecurity protocols and infrastructure are included. In my experience significant cybersecurity protection is almost never included in a law firm lit-support department. In fact, it is even rare in e-discovery vendors. The reason for that is simple. Cybersecurity is very difficult to do properly, and requires significant expenditures in infrastructure and experts. Before you hire an e-discovery vendor, be sure to include cybersecurity issues in your due diligence, including the vendor’s cyber-liability insurance.

Few law firms are willing to invest substantial resources in new technology for their Lit-Support Departments. Yet, unless they outsource and thereby eliminate this expense entirely, they have no choice. Outsourcing is a cost-effective solution to the dilemma of constantly changing technology and ever growing threats of data theft. If you continue to keep your e-discovery work in-house, you have no choice but to keep writing big checks for the latest technology. You cannot give your lawyers yesterday’s technology and expect them to keep up and compete in the world of e-discovery. Your lawyers, and most importantly, the clients they serve, need the cost-savings benefits of the latest technology and software, including my personal favorite, search and review software power with predictive coding type search engines.

scary_skullIf you stay in-house, and hold your clients’ data, you also have no choice but to continue to pour hundreds of thousands of dollars, if not millions, into cybersecurity. Otherwise your clients data may be stolen by crackers. Cyber attacks are now a part of daily life – by a lone wolf, organized crime, and even governments, especially the Chinese (although some say the Russians are an even bigger threat). China Expands Cyber Spying (The Diplomat, 2014); Chinese Motivations for Corporate Espionage – A Historical Perspective (Mandiant, 2013). We live in very uncertain times. But one thing is certain, lose their data, lose the client.

Outsourcing is not the only solution to the technology change problem. You have a choice. You can get the latest tools, and keep your Lit-Support department business, if you decide to go all-in, instead of all-out like my law firm has done. You can spend more and more firm money to buy all of the latest toys for your lawyers and hire teams of cybersecurity experts. But, if you do that, you will have to pass those expenses on to the clients. Often the expenses charged by law firms to their clients for these non-legal services are far more than vendors. If you go all-out with one vendor like we did, you can leverage your mass buying power and negotiate a low rate for all of your clients who use that vendor. Outsourcing, if done right, can be win/win and result in cost savings for both law firms and their clients. It can also make your client’s data a whole lot more secure. That’s priceless.

_____________________

To be continued ….. Next weeks blog will complete this article. In the meantime, check out the many links in this blog, if you have not already. Also, please take a look at my newest web: eDiscoverySecurity.com.



Follow

Get every new post delivered to your Inbox.

Join 3,468 other followers