Cybersecurity should be job number one for all attorneys. Why? Because we handle confidential computer data, usually secret information that belongs to our clients, not us. We have an ethical duty to protect this information under Rule 1.6 of the ABA Model Rules of Professional Conduct. If we handle big cases, or big corporate matters, then we also handle big collections of electronically stored information (ESI). The amount of ESI involved is growing every day. That is one reason that Cybersecurity is a hard job for law firms. The other is the ever increasing threat of computer hackers.
The threat is now increasing rapidly because there are now criminal gangs of hackers, including the Chinese government, that have targeted this ESI for theft. These bad hackers, knows as crackers, have learned that when they cannot get at a company’s data directly, usually because it is too well defended, or too risky to attack, there is often a back door to this data by way of the company lawyers. The hackers focus their industrial espionage on the law firms that collect vast amounts of data from corporate clients as part of e-discovery and corporate due diligence. The hackers have found from successful intrusions that most firms are lax in cybersecurity, or as I have put it before: law firms are the soft underbelly of corporate cybersecurity. Best Practices in e-Discovery for Handling Unreviewed Client Data. Also see: China-Based Hackers Target Law Firms to Get Secret Deal Data (Bloomberg 2012). According to Bloomberg’s 2012 article, cybersecurity experts estimated that at least 80 major U.S. law firms were hacked in 2011. Indications suggest the attacks have intensified since 2011. See eg. Law Firms Are Pressed on Security for Data (NYT, 2014); Big Law Firms Are Most Vulnerable To Hackers: ABA Panel (Law 360, 2013); Attacking the Weakest Link: BYOD in the Law Firm Culture (Huffington 2014).
The legal profession needs to recognize this threat and take immediate action to defend against cyber intrusions of client data. One solution is the action that I recommend: outsource e-discovery data possession and cybersecurity of large collections of client data to trusted professionals. I follow my own advice on best practices. My law firm has outsourced e-discovery data possession and cybersecurity to trusted professionals, in our case, Kroll Ontrack.
FBI Warns Law Firms To Harden Their Cybersecurity
Mary Galligan, the special agent in charge of cyber and special operations for the FBI’s New York Office, is reported by Law Technology News as saying: “We have hundreds of law firms that we see increasingly being targeted by hackers.” Confidential client ESI can also sometimes be stolen by unethical competitors willing to engage in illegal eDiscovery by hacking. They may do so to try to crush a competing business, or even just to win a law suit. We have seen this ourselves in my firm and have successfully counter-responded in court. Foreign governments may also sponsor cyber attacks of a law firm to steal their clients’ trade-secrets that would help government backed business. Bloomberg’s Business Week quoted FBI agent Galligan as saying: “As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry.” China-Based Hackers Target Law Firms to Get Secret Deal Data (Bloomberg 2012).
Outsourcing
Realizing the seriousness of cyber crime today, my law firm has taken extraordinary steps in the last few years to significantly strengthen its cyber systems. The focus of our efforts has been on protection of client ESI because, like every other law firm in the world, that is our high value target. That is what the crackers want to steal. That is one of the reasons we outsourced our non-legal e-discovery services to Kroll Ontrack in 2012, and recently renewed again with them this month. Losey, R., Five Reasons to Outsource Litigation Support (LTN, Nov. 2, 2012); Going “All Out” for Predictive Coding and Vendor Cost Savings. The five reasons I wrote about in 2012 for outsourcing remain the same for our renewed in 2014, except that cybersecurity is now much more important.
The five reasons I described before for any law firm, or corporate law department, to outsource their litigation support department non-legal e-discovery functions are Competency, Complexity, Cost Savings to Firm and Clients, Risk, and Ethics. Here is a summary of these five showing how cybersecurity fits into each.
1. Core Competency. You are a law firm, or law department of a corporation. You are lawyers engaged in the practice of law. That is what you are trained to do. That is what you are good at. That is your mission. Why should you own and operate a non-legal e-discovery business within your walls under the guise of a Lit-Support Department? Why own and operate a data hosting company? Why should you assume the risks involved with protecting large collections of client data?
Even in big-firm Lit-Support departments, most of the services provided are not legal review; they are non-legal services by techs. The non-legal services performed by litigation support departments include the processing of electronically stored information in various ways, ESI collections, forensic analysis, database creation, hosting, software configuration, management and non-legal expert advice of all kinds and varieties. It also includes the intake, storage and accounting of billions, if not trillions, of computer files that belong to law firm clients. It also should include, although truth be told often does not, cybersecurity infrastructure and experts to protect this information, to protect it from accidental loss and intentional theft. Is anyone in your tech-support department an expert in the five basic functions of cybersecurity? Do they have a well funded plan to implement?
These are not the practice of law under anyone’s definition. No one contends that the five billion dollar a year e-discovery vendor industry is engaged in the practice of law. These are computer related technical services. EDRM type technical services are the core competency of e-discovery vendors. It is not the core competency of any law firm or law department.
To be honest, with a few notable exceptions, most e-discovery vendors do not have cybersecurity expertise either. It is not within their wheelhouse any more than it is within a law firm’s. Most vendors can process and host all right, but can they protect? Do they even have a CISO, much less one with a PhD? What do they really know about the CIA, the holy trinity of cybersecurity? The CIA Cyber Security Triad and 9ec4c12949a4f31474f299058ce2b22a (e-Discovery team, 2014). Good e-discovery vendors know how to hash and dedupe, but do they know how to set up network segmentation, virus and intrusion monitoring, and the latest host-based intrusion detection technology. What speciality cybersecurity firms do they employ to guide their efforts? Have they had penetration tests done?
2. Complexity. Non-legal e-discovery services are difficult and complex to perform correctly. They require a high degree of special skills and training. This is not like making copies or performing other simple technical tasks. ESI processing and forensic work is very technical, and it is easy to make mistakes if not done properly. So is management of these tasks in large projects. The complexity and difficulty of this work is increasing daily.
This is especially true when it comes to cybersecurity skills to protect against hackers. Again, is anyone in your tech-support department, or even your IT Department, an expert in the categories of the five basic functions of cybersecurity? Do they have a well funded plan to implement them? Do you even have a CISO? Have they studied the new NIST framework for cybersecurity that came out this year? National Institute of Standards and Technology Creates Cybersecurity Standards Framework. Do you have defined cybersecurity processes and an integrated risk management program? What is your Current and Target Security Profile? Do you have an action plan to address the gaps identified between the Current and Target Profile as NIST recommends? When is the last time you had penetration testing done on your systems? How did you do? Did it take more than an hour for the hacker team to take root control and own your system? Are you 100% sure there are no trap doors in your software?
We are living in an age of information explosion and rapid technology advancements. We are also living in the age of computer hackers where in 2013 there were an average of 315,000 new viruses released every day! The only norm in technology is constant change and increasing threats. For most law firms the review software they bought three years ago is now hopelessly obsolete, and so are the skills of their techs, unless they are constantly re-trained. The same applies to virus protection systems.
You do not really think that buying a piece of malware detection software is adequate, do you? That is just one step in an overall cyber risk management program, and it is a minor one at that. See eg the May 2014 report in the Wall Street Journal, including a statement by Brian Dye, senior VP for information security at anti-virus pioneer firm Symantec, which supplies Norton AV software, that anti-virus “is dead, and “the era of AV-only is over.” Also see Anti-virus is dead – but ghosts get chased (SC Magazine, 2014). An overall program is needed, beginning with assessment. National Institute of Standards and Technology Creates Cybersecurity Standards Framework. You need to constantly monitor and remove malware and other artifacts of intrusions, such as back doors and software defects. The virus detection and removal process alone is complex, as the chart below indicates.
An e-discovery business, especially one that includes effective cybersecurity, is simply too complex for most law firms or in-house law departments to run properly. Although I once met a lawyer who was a good businessman, most of us are not, which goes back to the core competency issue. E-discovery and cybersecurity are complex businesses, which, as lawyers, we are ill equipped to run. My advice to 98% of the lawyers and law firms in the world, stick to law and partner with the best experts in other fields that you can.
3. Cost Savings to Firm and Clients. Lit-Support departments, like any business, cost substantial sums of money to properly set up and operate. This is especially true if state of the art cybersecurity protocols and infrastructure are included. In my experience significant cybersecurity protection is almost never included in a law firm lit-support department. In fact, it is even rare in e-discovery vendors. The reason for that is simple. Cybersecurity is very difficult to do properly, and requires significant expenditures in infrastructure and experts. Before you hire an e-discovery vendor, be sure to include cybersecurity issues in your due diligence, including the vendor’s cyber-liability insurance.
Few law firms are willing to invest substantial resources in new technology for their Lit-Support Departments. Yet, unless they outsource and thereby eliminate this expense entirely, they have no choice. Outsourcing is a cost-effective solution to the dilemma of constantly changing technology and ever growing threats of data theft. If you continue to keep your e-discovery work in-house, you have no choice but to keep writing big checks for the latest technology. You cannot give your lawyers yesterday’s technology and expect them to keep up and compete in the world of e-discovery. Your lawyers, and most importantly, the clients they serve, need the cost-savings benefits of the latest technology and software, including my personal favorite, search and review software power with predictive coding type search engines.
If you stay in-house, and hold your clients’ data, you also have no choice but to continue to pour hundreds of thousands of dollars, if not millions, into cybersecurity. Otherwise your clients data may be stolen by crackers. Cyber attacks are now a part of daily life – by a lone wolf, organized crime, and even governments, especially the Chinese (although some say the Russians are an even bigger threat). China Expands Cyber Spying (The Diplomat, 2014); Chinese Motivations for Corporate Espionage – A Historical Perspective (Mandiant, 2013). We live in very uncertain times. But one thing is certain, lose their data, lose the client.
Outsourcing is not the only solution to the technology change problem. You have a choice. You can get the latest tools, and keep your Lit-Support department business, if you decide to go all-in, instead of all-out like my law firm has done. You can spend more and more firm money to buy all of the latest toys for your lawyers and hire teams of cybersecurity experts. But, if you do that, you will have to pass those expenses on to the clients. Often the expenses charged by law firms to their clients for these non-legal services are far more than vendors. If you go all-out with one vendor like we did, you can leverage your mass buying power and negotiate a low rate for all of your clients who use that vendor. Outsourcing, if done right, can be win/win and result in cost savings for both law firms and their clients. It can also make your client’s data a whole lot more secure. That’s priceless.
_____________________
To be continued ….. Next weeks blog will complete this article. In the meantime, check out the many links in this blog, if you have not already. Also, please take a look at my newest web: eDiscoverySecurity.com.
Lawyers deal exclusively with information, and conversely, information management is at the core of what lawyers do. Putting the cross-hairs on litigation ESI because that’s what you do gives short shrift to situations where a firm does a substantial amount of formation, M&A, Patent, IP or other work that is equally the target of crackers for whatever reason (national security, industrial espionage, etc.)
The fact that your firm, and or past firms, were perhaps unequal to the task, should not set the standard or even common practice. There are many, many IT and other highly technical professionals working in law firms that are greatly slighted by your myopic perspective.
Every piece of ESI that comes across your firm’s IT gunwhales is still subject to theft, and in some instances more valuable in that it is often wrapped in the cloak of your work-product. Deposition, hearing and trial exhibits are the material, probative information that fits that bill. If I was looking for a honey pot, that’s the tree under which I’d sit. Intercepting slow moving batch print projects are easy targets, especially when the printer is web-enabled, attached to the net and overlooked by IT security. Put another way, the pipeline between your firm and your vendor has potential leaks of really valuable stuff. If you can adequatly protect that, you can protect the other, and the whole straw man burns up.
Every firm has valid reasons to consider in-sourcing or out-sourcing evidence management. Cybersecurity should not be one of them.
You could be in one of what I estimate are 2% of law firms that do invest sufficiently in cybersecurity and are adequately protected, and thus not realize the big holes that are out there. Or, I could be all wrong about cybersecurity weaknesses in the law profession, but if I’m wrong, then so is the FBI, and so are a host of other attorneys and security experts concerned about this, including Sharon Nelson, President of the Virginia Bar. She has been warning about this for years.
I have been in law firms as a technologist and practicing attorney for over 34 years now. I know what data they keep that is a target to hackers and what is not. The honey pot is not their own data, it is the massive amounts of client data that they hold. That is the high value target. It can be from transactions, as you correctly point out, or from litigation. Either way, it is not the firm’s own data. I flat out disagree with you on your contention that crackers are not after this data, instead they want attorney work product. An attorney’s work product is only of interest to opposing parties in litigation or transactions. Yes, it is important to protect this information, but it is hardly the kind of thing that criminal gangs are after, nor governments like the Chinese.
The pipeline you refer to between a firm and vendor contains only a small amount of flowing ESI. It is like a small stream, not the reservoir. Hackers are after the reservoir. Protect the pipeline stream too, but your main focus should be on protection of the reservoirs. That is why I want protection of the source delegated to the best experts I can find and to a company who has spent the funds necessary to build up a secure infrastructure.
To say cybersecurity should not even be a consideration in outsourcing is an over reaction, which I suppose is understandable since I appear to have offended you by my blog. My apologies if I have slighted you, again, you may be part of what I estimate are 2% of the law firms in the world who do have their act together, and do have adequately funded cybersecurity. The 2% number is just a guess on my part, of course, could be far less or far more. Part two of this blog will make this “concession” clearer.
Still, you might want to think again about what hackers might really want from your firm’s data stores. If you have millions, perhaps billions of client computer files, you might want to set up special additional security for this ESI. Also, I’d suggest hiring an outside firm to do a penetration test and see just how good your security really is. Hope you find the test results to be reassuring, but from my studies in the field, it is usually an eye opener. That is what I am trying to do here. Open eyes and get some attention paid to cybersecurity.
You may want to consider what you don’t know you don’t know. Working in a firm that does labor and employment in defense of management is but a keyhole view into what large firms must manage. And ESI is more than the rule 34 definition (or truth be told, lack thereof.) Think out of your box. Client information is more, in some firms much more, than litigation discovery data, raw, processed or produced.
Again, the IP, patent and M&A data held by a firm can be much more lucrative to a cracker then litigation discovery data. One of the most egregious hacks in the legal information space was earnings-call data uploaded to Thomson in the form of video and PowerPoint slides. Stolen the day before the call, the trades were made well ahead of the market, and the money offshored to eastern Europe. The FBI tells us routinely what crackers want from our firm’s data stores, and while very important, discovery data does not necessarily top the list.
The fundamental problem is not protecting ESI, litigation or otherwise behind the firewall – it’s human failure at the individual lawyer level. Sharing data in the clear on consumer-cloud file-sharing services. Using public Wi-Fi to send clients text messages or share data via MMS or unencrypted email. Kroll cannot solve that problem for you.
I agree there are many types of confidential ESI that a law firm may hold that hackers could profit by. Obviously you don’t know my background very well, as I was always with full service law firms before my present one. I have a pretty good idea of the range.
I also agree that human error is a very big factor, especially in law firms, and especially with lawyers. You would not believe the phone conversations I overhear on planes, for just one offensive example. I suppose they don’t suspect I’m a lawyer as I usually travel informally dressed. I often feel like pretending I’m with Morgan & Morgan and introducing myself to the usually braggadocio, loud, careless lawyer when he or she finishes their “private” phone call. Yes, Kroll can’t stop that, which I note in the last para in my blog. Suggest you read that and you will see your point was already made. I just think the petabytes of client data a firm like yours holds is a high value target.
Lawyers need training, and both attorneys and techs in law firms, both yours and mine, need to be very careful and not be over confident about their cybersecurity systems. I’d do a penetration test if I were in your big firm shoes. With four foreign offices, and ten domestic, that is a lot of ground to cover. But like I said before, my guess is that 2% of the firms in the world do it right, and yours may well be one of them. My fundamental point is that law firms should be concerned with cybersecurity, and I think you agree with that, do you not?
Reblogged this on The eDiscovery Nerd.
I agree with the premise that very few vendors operating around the eDiscovery space have deep domain expertise related to information security. If you look around LegalTech or ILTA they can be counted on one hand.
But, in looking at penetration, you need to pull the number apart. The number is significantly higher than 2% when it comes to having the basic firewall, AS/AV, and related investments to detect the well understood forms of viruses/malware that those technologies were designed long ago to address. Penetration is lower when it comes to the newer class of targeted, malicious, and polymorphic threat that looks different to each recipient and has done its damage before it has been detected. Blogs such as Threat Insight provide a good picture of how these are delivered, how often, what the resulting organizational impact is. The Symantec comment points out not only is a full program needed, but more importantly, vital steps must occur before the “Confirm Infection” phase – otherwise, the damage has been done. Standard AV technology does not do this.
Given the fluid nature and evolving methods that cyber threats are delivered by today, information security features offered by those without clear focused investment, in-house expertise, and proven tools in this area is rarely good enough.
[…] recently came across an interesting article titled “The Importance of Cybersecurity to the Legal Profession and Outsourcing as a Best Practice – Part ….” The author, Ralph Losey, suggests […]
[…] This is part two of this article. Please read part one first. […]
Ralph: your 2 posts are judicious, and your timing excellent given the DOJ indictment yesterday of 5 members of the Chinese military for cyber crimes against the U.S. The DOJ action is useful if only as a way to educate the public about the growing espionage threat. The vast extent of China’s cyber spying against the government and private U.S. targets is well known within the government. And the targets themselves have long known they were in China’s sights.
But alas much of the American public … and the law firms that you are warning in your post … still doesn’t comprehend the magnitude of the cyber assault against U.S. private industry, and in that sense the indictment will be instructive. I have attended 4 security conferences this past year, 2 of them by Interpol and 2 by security firms tasked with tracking/protecting against cyber attacks on behalf of corporate clients. There is a saying in the cyber security community: there are only two kinds of companies in the U.S. today: those who’ve been hacked, and those who don’t know they’ve been hacked.
And having spoken to many IT “experts” at Big Law firms I find them to be just too arrogant and far too delusional to think they are safe. The systems they employ to be “safe” are ludicrous.
I do not know how much space I will have for this comment and it really merits a full post, but some points:
1. The DOJ indictment is merely the tip of the iceberg. There will be subsequent revelations, some involving law firms. We already know how Chinese agents sit in Starbucks, index all the wi-fi and VPN systems in an area, use “VPN tracker” software to recognize the type of device or the operating system it is running, etc., etc. From there you will be able to degrade an operating system to one exploitable. And the Chinese are the masters of exploit tools: publicly available and sophisticated tools that intruders of various skill levels can use to determine vulnerabilities and gain entry into targeted systems. There is already concern on the part of the US Cybercommand that tons of valuable info important to the Chinese (and others) in their honeypot collections of client data is easily accessible. I was recently at a law conference on M&A e-discovery reviews and I was amazed when several Big Law associates told me of the petabytes of client data on their systems. Which they access from home … or maybe a Starbucks because the firm “wants us to be relaxed, not pinned down at our desks”.
2. And it is not as if the U.S. is sitting around doing nothing. We know from the Right Reverend Edward Snowden that U.S. computer specialists break into foreign networks so that they can be put under surreptitious U.S. control, using sophisticated malware transmitted from far away, in computers, routers and firewalls.
3. The Chinese and U.S. position is of no surprise. U.S. economic and military power depends so heavily on computers. As do, now, the Chinese. The policy debate has moved so that offensive options are more prominent now.
4. But the Chinese. Oh, the Chinese. They are the masters of Remote Access Tools (RATs) that attackers use to gain control of compromised machines. As you know, last year I was invited to a DARPA event on cyber warfare and I wrote about the Chinese navy and how it uses elite hacking crews. They start with open-source intelligence collection. They find out who the key people are at the tech companies they’re interested in, and the Big Law firms that handle their legal work, and do a simple Google search. They get people, facilities, potentially who the company’s software vendors are, and what kind of security software they run. They get the jargon they can use to start crafting an attack. And if they can get access to you they will find out who your partners are and get access to them. It is all about exploiting a trust relationship. They can run all the names through social media — Facebook Twitter, LinkedIn — and map your personal relationships. They will get the information they need. And coupled with the exploit tools I noted above … GOTCHA!
5. One interesting point. At a DFI conference presentation we saw those Swiss AI polymaths … see, they aren’t all helping U.S. taxpayers hide money … demonstrate some new algorithms for digital forensics experts to aid investigators in their quest to collect evidence for cyber crimes. One assumes that digital forensics is an incredibly “cutting edge” process, with law enforcement agencies and investigators seamlessly sieving through hard drives and electronic records with technology so advanced that we probably won’t even know it existed for years to come. Unfortunately it’s actually quite the opposite, and still involves a great deal of old-fashioned human grunt work. The AI guys are trying to help.
I will have more. But excellent post. I know it is hard to get a stone wall to pay attention 🙂