Cyberlaw Primer: Part I. Cyber-risk

Cyberlaw Primer: Part I. Cyber-risk

Regardless of their area of practice, every attorney must have some fundamental knowledge of Cyberlaw.

A little etymological history

The prefix “cyber” comes from the word “Cybernetics” which was coined by the famous mathematician and scientist Norbert Wiener shortly after World War II, i to characterize self-regulating mechanisms. His book laid the theoretical foundation for servomechanisms, automatic navigation, analog computing, artificial intelligence, neuroscience, and reliable communications
While the philologists argue over whether the prefix cyber should be treated as a descriptive adjective, an adverb, or even a noun, and whether it should be connected to an associated word with a hyphen or whether the hyphen can be omitted, attorneys must still make the effort to master at least some of the basic elements of Cyberlaw.
Cyberspace
Cyberlaw begins with cyberspace — the place where you practice Cyberlaw. Cyberspace is where the Internet or World Wide Web (www) exists. Depending on your mathematical view of topology, cyberspace is either n-dimensional or dimensionless.
Attorneys enter cyberspace through a computer on their desktop, a laptop, a tablet, a cell phone, or some other electronic device which connects them to the Internet or uses the Internet to connect them with other human beings or to access materials which used to be found in on-line virtual libraries.

Cyber-risk

Cyber-risk is the possibility that computer data will be obtained by unauthorized parties who might use the data in a way that is harmful to the owner of the data.
Following a data breach, attorneys and law firms may face fines and penalties, but they definitely will incur costs to repair or replace damaged data and systems. The greatest damage to attorneys and law firms, however, comes from business interruption and loss of client trust and confidence.
Every attorney faces cyber-risk!
If you or your firm electronically stores or transmits data which is either per se confidential or about which there is a reasonable expectation of privacy, you and your firm are already at risk.
The emerging Internet of Things represents a security challenge that can only grow more significant as devices found in every law office, e.g. copiers and scanners, VOIP telecommunications system, access the Internet and connect to each other.

Email Accounts and Personal Devices as portals for hackers

We have become used to the idea of hackers committing cyberattacks on businesses and the government, but many incidents now involve professionals such as attorneys, accountants, and health care providers who either take data from a secure environment and place it in a less secure environment, or initially create an unsecured environment where they hold confidential information. Many attorneys who are expected to stay connected 24 hours a day have vulnerable email accounts. Attorneys who access work-related documents from any location or who access cloud storage from personal mobile devices may become easy targets for hackers.

Cyber-risk management

Cyber-risk, particularly from cybercrime is a risk management issue. When your records contain sensitive information about which there is a reasonable expectation of privacy, you have a serious cyber risk to manage.
After identifying critical assets and the data and information which must be protected, you must determine what level of risk you are willing to personally accept and then properly insure the remaining risk. The word “insure” in this sense means more than purchasing an insurance policy. Determining who will actively manage security for you and your firm and become the “dedicated” security manage is just as important as determining what exactly that management entails.
Traditional risk management focuses on managing safety and assuring financial recovery from losses resulting from occurrence of a peril. A hazard is any condition that makes it more likely for a peril to occur. Fire is a peril; using candles is a hazard that increases the chance of fire. Basic risk management addresses hazards and insures against losses from the actual occurrence of a peril.
Cyber-risk management is not a technology problem
With an ever-increasing number of cyberthreats and a bewildering array of security solutions available, individual attorneys and even large law firms find it difficult to determine where to begin. Cybersecurity is a complex issue. The search for simple answers can easily lead to confusion and frustration.
Cybercrimes are crimes of opportunity.
Cybercrime has become a global industry extending far beyond “phishing” emails and run-of-the-mill malware.
Except for targeted hacks, cyber crime is a crime of opportunity. Large organizations as diverse as Forbes, Match.com, and Google have all been used as mules to carry advertising-enabled malware —malvertising — to their visitors and users. Legitimate websites can get hacked so that malicious code is served up from them. Almost constant phishing campaign attacks simulate outreach from banks, retailers, or government agencies. Victims are not targeted because of where they work but just because they are vulnerable.

Cybercrime and cybercriminals

Sophisticated cyberespionage gangs now routinely steal data either as a service to another client or to monetize it themselves through insider trading. They represent a threat to any lawyer or law firm with access to proprietary and confidential business information.

Cybersecurity

The most important element of cyberlaw which every attorney must add to their body of arcane knowledge is cybersecurity.
The problem of cyber security is particularly acute for attorneys whose clients must believe that their information is safe once it has been delivered and entrusted to their attorney. Confidential information includes more than financial and medical records, business plans, employment information, trade secrets and intellectual property information. The list of confidential information for which attorneys are responsible is only limited by the concerns and expectations of their clients.
The duty of confidentiality is personal and non-delegable! You should not even attempt to delegate it to a computer which you did not design and build and software which you did not write and about which you may have very little knowledge.
Cybersecurity is a complex and rapidly evolving field and it is easy to get overwhelmed. You cannot afford to simply purchase the latest technology and believe that all of your security problems will then disappear.
Cybersecurity requires a holistic approach, including multiple layers of protection based on an assessment of data value and vulnerabilities, dynamic network monitoring and detection systems and incident response planning.
Cyber security requires people, process, technology, and most of all commitment.
You should begin with a complete assessment of your cybersecurity and establish a cybersecurity program that:
accounts for the relative value of various categories of your electronic data;
segregates and limits access to each category appropriately;
effectively implements password, firewall, encryption and other technical defenses;
adopts employee practices—from written policies to the firm culture—that demonstrate the importance of cybersecurity to the you and your clients;
recognizes network anomalies and detects breaches; and
includes a data-breach response.
Cyberaudits are critical elements of any Cybersecurity program
Cyberaudits must include gathering information about how and when everyone with access to confidential information creates, accesses and stores that information.

Review, Iterate, and Repeat

In the rapidly evolving world of cybersecurity, the status quo is seldom secure. Security cannot be approached as a one-and-done activity. It requires an ongoing, active, and iterative approach. Every day, new attacks are discovered and new vulnerabilities exposed. You need to adopt an incremental and iterative approach that provides you with regular opportunities to learn, adjust, and improve.
(To be continued)

This article appeared in the April 2016 issue of Cyberlaw: A Primer, Part I”, The Suffolk Lawyer, www.scba.org, Vol 31 No. 9, April 2016, pp. 10, 27