Column: Law Firms & Cyber Security

August 30, 2017

[Opinion column written by Chris Garrod]

Hello Hackers

My veterinarian was recently hacked. Someone wanted to extort money from them as ransom for private information they held. On dogs… and cats. And of course, more realistically, their clients.

It was dealt with and they beefed up their software and data systems.

But, to me, it was a telling example of the way cyber attacks now pose a risk in our cyber society. If you collect sensitive or personal data in any way from clients or third parties, you are exposed to the potential risk.

When you think of cyber risk or cyber security, you might instantly think that banks or financial institutions are mostly the firms at risk. And not vets.

So, where do law firms rank?

Law firms rank up there with banks and financial institutions. And many — if not most — law firms don’t realise it.

The advent of cyber risk

I get the odd email every so often from my firm’s IT department. Often it says that an email has been circulating around regarding something or other with an attachment and to please not open it, as it contains malware and the email is a phishing scam.

That is simple cyber security. It is now constantly evolving.

Cyber risk is an issue for any organization where client data is collected and is incredibly sensitive. Trade secrets. Client transactions with third parties. The importance of cyber security ranks extremely highly amongst financial institutions, banks and many businesses in general. It is still relatively new to employ a “Chief Digital Officer” or “Chief Information Officer” to have responsibility for oversight of cyber risk but it is on the rise — research firm Gartner predicts 90% of large organisations will have a chief digital officer role by 2019. And the CDO or CIO role is increasingly becoming a core role within a firm’s management.

There have been a number of cyber breaches so far involving law firms, the most well known being attacks against Cravath, Swaine & Moore, Weil Gotshal & Manges, DLA Piper and Mossack Fonseca [the latter being the “Panama Papers” leak].

Law firms are not immune from cyber risk. In fact, they are easier targets — and that is because, broadly speaking, the levels of data security are far lower than other companies and therefore they are easier to access by potential hackers.

The cyber risk to law firms

So why have law firms traditionally been not as sophisticated in ensuring that they are protected from cyber risk?

The simple answer is that it costs a great deal of money to ensure cyber risk is controlled, and firms have not been particularly keen on investing in protecting against it. That is however now changing, as a result of the new cyber risk climate.

So what can firms do?

1. One first easy and inexpensive way of improving cyber security involves raising awareness and training staff. Use outside consultants if needed. Simple things would obviously range from the standard “Don’t click on suspicious links” to “Add passwords to mobile devices”. But the training should be regular and constantly updated, just as the cyber risk itself evolves. I’m pretty educated now about not responding to phishing emails — but it only takes one mistake by a single employee to cause a huge breach of security and allow hacker access.

Some security incidents can be a result of insider breaches — i.e. staff who are unhappy and want to leak data to outsiders and inflict revenge on their employer in some way. In some ways those breaches can be difficult to control [other than to try to ensure your staff remain content], but IT departments should always be vigilant for rogue employees who may cause such misconduct and implement whatever protective measures are available.

All of these are very basic and easy to implement measures. A number of others are not as easy — and not inexpensive. They require investment.

2. Cyber security insurance is one. Law firms must ensure that their insurance policies cover cyber risk. Clients may even soon want to ensure that the firm they engage has cyber security explicitly referenced as part of their malpractice or general liability insurance policies. Cyber risk is now becoming increasingly common in the insurance marketplace — and with more ransomware and similar attacks, that will be a continuing trend.

3. Network segregation in some way should be implemented. Where is data stored, how is it stored and how easily can it be accessed? Does it need to be accessed “on site”? The use of off-site, high level encrypted archives should be considered as a means to protect sensitive client data that isn’t required locally.

4. Operating systems and applications. How up to date is your version of Windows? Or the programs which you use on your desktop PC — are they up to date with the most recent security measures implemented by their programmers? If not, why not? Is it simply because such upgrades on a firm wide basis involve expense?

The fallout and how to deal

And then what if a breach does occur?

First, law firms should ensure that they have a response plan in place. If your firm is hacked, what is your management’s plan to address it? That response plan applies to the firm’s staff, to the media, to cyber security firms, the firm’s insurers and, by far most importantly, to its clients. Damage control is vital, as reputation is everything to a law firm. Is the firm’s management prepared? Does it have a head of IT who understands the risk, or a Chief Digital Officer, depending on the size of the firm? Does its Chairman or CEO understand the risk? Does its senior management even understand the risk? Do its partners?

Test cyber security programs. Use experts. Do it regularly. Ensure that it passes and your data is safe. If not, update it. Spend the money to do it.

I now have clients who request that the data and information which we obtain from them is “theirs”, and is retained by them or deleted after our engagement is terminated and the matter is finished. Having seen large law firms breached by ransomware attacks in the last few years, I expect that trend to continue.

Hackers and cyber criminals are smart. They prod and probe and will look for weak spots in any firm’s cyber defences. And hackers evolve. “Ransomware” was not even a term used a few years ago. Now it is commonplace.

And law firms are — indeed — viewed by them as easier to hack.

Law firms can only do what they can to minimize risk. But in 2017 and heading into 2018, cyber attacks will likely no longer make headline news like they do now. And firms which take a “see no evil, hear no evil, speak no evil” approach to cyber risk by not investing and making cyber security a top priority take a huge risk. While a data breach could be disastrous for a law firm’s clients, if it is not handled correctly it may also, from a reputational and client retention standpoint, ultimately lead to the downfall of the breached firm itself.

Chris Garrod is a Bermuda insurance attorney with opinions on AI, legaltech, insurtech, IoT and fintech.
