The Importance of Cybersecurity to the Legal Profession and Outsourcing as a Best Practice – Part Two

This is part two of this article. Please read part one first.

4. Risk. Risks of error are inherent in Lit-Support Department activities. What they do is often complex and technical, just like any e-discovery vendor. So too are risks of data breach. There is always a danger of hacker intrusions. Just ask Target.

Do you know what your exposure is for a data breach? What damages could be caused by the accidental loss or disclosure of your client’s e-discovery data? How many terabytes of client data are you holding right now? How much of that is confidential? What if there is an ESI processing error? What if attorney-client emails were not processed and screened properly?

Mistakes can happen, especially when a law firm is operating outside of its core competency. What if an error requires a complete re-do of a project? What will that cost the firm? You cannot bill for that. Are errors made in non-legal services covered by a firm’s malpractice insurance? Are they insured in any way whatsoever? How much cyber-liability insurance do you have? Is it enough? Do you have an agreement with the client regarding the provision of these services? Is there any limitation on liability, or are these services rendered under a lawyer-client fiduciary relationship? Is the risk priced into your charges, into your fees? Is that fair to your clients who might not use these non-legal services as much as others, if at all?

5. Ethics. There are a host of ethical issues involved in a law firm’s rendering of non-legal e-discovery services. These are likely to be treated as “law-related” services, and, as the Comment to ABA Model Rule of Professional Responsibility 5.7 says: “When a lawyer performs law-related services or controls an organization that does so, there exists the potential for ethical problems.” If such services are offered by a law firm, absent special disclosures and consents, the full gamut of professional responsibility rules applies, even though the work is largely performed by non-lawyers. There are even more general issues regarding whether a law firm should be engaged in a side-business at all. The ethics of protecting the confidentiality of client data are clear. More on that in a minute.

Outsourcing is not the only answer, but, in my opinion, the only viable alternative to outsourcing is for a firm or corporate law department to invest significantly in their litigation support departments. For any firm large enough to be in AmLaw 100, like my firm, that would require millions to do right. Just having a specialist attorney like me to attend to legal issues is not enough. One way or another, either by investing big and going All In, or by going All Out, like I did, every law firm needs to have a cybersecurity program focused on client data. Law firms should not only take appropriate steps to protect the privacy of their paper documents, and their voice communications, but also their cyberspace, including emails, and especially including their clients’ ESI for discovery.

Cyber Theft Risks Are Growing

The problem of cyber theft is intensifying each year as cyber criminal activity increases and the amount of confidential information stored in computers increases. In large cases today attorneys must often search all of the emails and other communications of top corporate executives. These communications are usually filled with business trade secrets. ESI subject to discovery also often contains highly confidential financial records, employee records, and customer information. It may also contain protected personal information, including health care information and credit card numbers. All of this confidential information has value to criminal hackers.

Any law firm that does not realize that it is subject to cyber attack is naïve. The best firms today are very aware of these threats and proactive in protecting their computer systems, especially their clients’ confidential data. I know I am very paranoid about this and hyper in insisting that proper protocols be followed.

Protection of client ESI in litigation can be a daunting task. The amount of ESI that attorneys must search to find critical evidence grows exponentially every year. This is not because the scope of legal relevance has expanded. It has not. If anything, it is shrinking out of practical necessity. This problem was not caused by lawyers. The problem comes from clients. It comes from the ever-growing amount of data that corporations store in their IT systems. It is the dark side of Big Data. For this reason it is not uncommon in large cases today for attorneys to have to search through millions of their clients’ confidential records. The key evidence needed to defend or prosecute a case is often hidden in plain view in a mountain of other ESI.

Cybersecurity is an Ethical Imperative

Finding the relevant evidence is a procedural duty under the Rules and an ethical duty of competent representation. All attorneys are trained in this. For instance, my firm has an extensive training program and an e-Discovery liaison program in place. I have been training the attorneys in my firm for years now. I also do training for the law departments of many of our clients. But an even higher duty exists, the ethical duty under Rule 1.6 of the ABA Model Rules of Professional Conduct to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

That is why I am hyper about clawback agreements and orders. If mistakes do happen, I want the client to be protected. That is also why I am focused on cybersecurity. I want to make sure no one steals my clients’ data from me.

As a side note, to be sure I am not misunderstood, I should emphasize that if information must be disclosed in discovery, then this duty of disclosure trumps the duty of confidentiality. You can set up protective agreements and orders, but you must still produce, confidential or not. The only way around that is to make the case go away. If you are the plaintiff, you can dismiss the case. If defendant, pay the damages. Settle before disclosure is required. In my thirty plus years of litigation practice I have done this several times. I have also produced smoking gun type documents a few times, as part of large productions, and the other side never even noticed them. Some opposing counsel are lazy or careless. You can still settle the case before disclosure of confidential information causes too much damage to the client.

Moreover, there is no rule requiring you to put the hot documents on top, or first, in a production. (Although I did have one opposing counsel do that for me once, much to his chagrin. His vendor did it by mistake. He is an expert in e-discovery, a reader of this blog, and a friend, so I will not name names!) You never have to label documents as “Hot” in your production, even if that is how you privately categorize them. The difference between relevant and highly relevant is clearly protected from disclosure by work product.

Specialized Non-Legal Computer Skills Are Needed for Cybersecurity

Fulfillment of a law firm’s duty to maintain client confidences in today’s world of cyber attacks requires much more than legal knowledge and legal skills. It requires sophisticated computer knowledge and skills far beyond the purview of legal practice. That is why cybersecurity experts should be used to assist in any law firm’s client data protection efforts. A team approach is necessary. That is one important reason why my law firm outsources holding of client data for e-discovery to its trusted partner with special expertise and cybersecurity infrastructure, Kroll Ontrack.

Conclusion

My law firm does not hold large amounts of client data. Kroll Ontrack does this for us. Most of the time the attorneys in my firm never even need to become a link in the chain of custody. It is clean, quick and efficient that way. Most of all, it is secure. My attorneys typically only handle and hold the evidence, the actual productions, which is a small fraction of the total data searched. That is one reason I sleep well at night, in spite of the FBI warnings, in spite of hackers from China and elsewhere who would like to steal our clients’ data from us. We have outsourced the protection of our crown jewels to professionals. Kroll’s reputation in security, including cybersecurity, is very well known, and has been for years.

Unless a law firm is ready and willing to spend the money it takes to set up and maintain proper cybersecurity to protect terabytes, or for larger firms today, petabytes, of high-risk client confidential data, it would be well advised to outsource.

Still, there is more to cybersecurity than just outsourcing. Even when your high-value targets, your clients’ data, are protected, you must still remain vigilant about securing the information that you still hold and possess, including your emails to clients. Training in security, including cybersecurity, should be a part of every lawyer’s education. It is especially important for lawyers who do electronic discovery. For that reason I have created a new educational resource on cybersecurity that is designed for lawyers. It is found at eDiscoverySecurity.com. It can also be accessed by the Security button on the top right of this blog. It not only contains a collection of essays on cybersecurity relevant to attorneys, but also FAQs on Data Breach. I have also put together a collection of favorite books on cybersecurity, including many fictional works, and another page on favorite YouTube cybersecurity videos.

3 Responses to The Importance of Cybersecurity to the Legal Profession and Outsourcing as a Best Practice – Part Two

  1. Ralph: your 2 posts are judicious, and your timing excellent given the DOJ indictment yesterday of 5 members of the Chinese military for cyber crimes against the U.S. The DOJ action is useful if only as a way to educate the public about the growing espionage threat. The vast extent of China’s cyber spying against the government and private U.S. targets is well known within the government. And the targets themselves have long known they were in China’s sights.

    But alas much of the American public … and the law firms that you are warning in your post … still doesn’t comprehend the magnitude of the cyber assault against U.S. private industry, and in that sense the indictment will be instructive. I have attended 4 security conferences this past year, 2 of them by Interpol and 2 by security firms tasked with tracking/protecting against cyber attacks on behalf of corporate clients. There is a saying in the cyber security community: there are only two kinds of companies in the U.S. today: those who’ve been hacked, and those who don’t know they’ve been hacked.

    And having spoken to many IT “experts” at Big Law firms I find them to be just too arrogant and far too delusional to think they are safe. The systems they employ to be “safe” are ludicrous.

    I do not know how much space I will have for this comment and it really merits a full post, but some points:

    1. The DOJ indictment is merely the tip of the iceberg. There will be subsequent revelations, some involving law firms. We already know how Chinese agents sit in Starbucks, index all the wi-fi and VPN systems in an area, use “VPN tracker” software to recognize the type of device or the operating system it is running, etc., etc. From there you will be able to degrade an operating system to one exploitable. And the Chinese are the masters of exploit tools: publicly available and sophisticated tools that intruders of various skill levels can use to determine vulnerabilities and gain entry into targeted systems. There is already concern on the part of the US Cybercommand that tons of valuable info important to the Chinese (and others) in their honeypot collections of client data is easily accessible. I was recently at a law conference on M&A e-discovery reviews and I was amazed when several Big Law associates told me of the petabytes of client data on their systems. Which they access from home … or maybe a Starbucks because the firm “wants us to be relaxed, not pinned down at our desks”.

    2. And it is not as if the U.S. is sitting around doing nothing. We know from the Right Reverend Edward Snowden that U.S. computer specialists break into foreign networks so that they can be put under surreptitious U.S. control, using sophisticated malware transmitted from far away, in computers, routers and firewalls.

    3. The Chinese and U.S. position is of no surprise. U.S. economic and military power depends so heavily on computers. As do, now, the Chinese. The policy debate has moved so that offensive options are more prominent now.

    4. But the Chinese. Oh, the Chinese. They are the masters of Remote Access Tools (RATs) that attackers use to gain control of compromised machines. As you know, last year I was invited to a DARPA event on cyber warfare and I wrote about the Chinese navy and how it uses elite hacking crews. They start with open-source intelligence collection. They find out who the key people are at the tech companies they’re interested in, and the Big Law firms that handle their legal work, and do a simple Google search. They get people, facilities, potentially who the company’s software vendors are, and what kind of security software they run. They get the jargon they can use to start crafting an attack. And if they can get access to you they will find out who your partners are and get access to them. It is all about exploiting a trust relationship. They can run all the names through social media — Facebook, Twitter, LinkedIn — and map your personal relationships. They will get the information they need. And coupled with the exploit tools I noted above … GOTCHA!

    5. One interesting point. At a DFI conference presentation we saw those Swiss AI polymaths … see, they aren’t all helping U.S. taxpayers hide money … demonstrate some new algorithms for digital forensics experts to aid investigators in their quest to collect evidence for cyber crimes. One assumes that digital forensics is an incredibly “cutting edge” process, with law enforcement agencies and investigators seamlessly sieving through hard drives and electronic records with technology so advanced that we probably won’t even know it existed for years to come. Unfortunately it’s actually quite the opposite, and still involves a great deal of old-fashioned human grunt work. The AI guys are trying to help.

    I will have more. But excellent post. I know it is hard to get a stone wall to pay attention 🙂

  2. […] A few weeks ago, I posted an entry about whether lawyers should outsource security. In that post, I referenced part one of an article written by Ralph Losey. Mr. Losey posted part two of his thoughts on “The importance of Cyber Security to the Legal Profession.” […]
