Cyberlaw Primer: Part II—cybersecurity
- Legal Counsel & curbstone Advice
- Crisis Management
- Trials & Litigation
- Technological competence: Ethical obligation
- Cyberlaw primer I. Cyber-risk
- Introduction to E-Discovery
- Cyberthreats and Cybersecurity
- Are you aghast over hacks at “top” law firms?
- Due diligence and cyber risk
- Negligence liability for datasecurity breaches
- breach logs
- Email is a hacker portal
- Cyberinsurance coverage terms
- Cyberinsurance and the SAFETY Act
- Data analytics, bribery and corruption
Total cybersecurity is not possible.
Every attorney must prepare for the almost inevitable data breach.
Every attorney and the managing partner of every law firm must establish a culture of cybersecurity throughout their firm. Unless a culture of cybersecurity exists, maintaining cybersecurity is all but impossible. Inspiring everyone involved in your practice to participate in maintaining cyber security will yield the greatest return on the investment in cyber security technology and services.
Be careful not to base your cybersecurity planning and budgeting entirely on what others are doing. One size does not fit all. You cannot make an informed decision about any security solution or approach until you know what it is you are supposed to secure and how secure it has to be. That knowledge will determine just what technologies and services are truly necessary. Don’t waste your money on buying technology; invest in technology. Spending isn’t what makes you secure.
Addressing the Problem
You cannot just ask the question, “What cybersecurity product should I buy?” until you have determined
• What hardware am I trying to secure? Desktop computers? Laptops? Tablets? Mobile phones?
• What information must be secure? Case files? Client documents and information? Firm information and documents?
• What will happen to me as an attorney and the firm with which I am associated if there is a data breach?
• Can I buy insurance to cover a data breach?
• Will my cyberinsurance cover all the damages sustained by my clients? By my firm? By me personally and professionally?
• Will my cyberinsurance cover all the costs associated with repairing the data breach and restoring my professional reputation and that of my firm?
Lawyers and law firms present relatively small attack surfaces when compared to the larger attack surfaces of large businesses with thousands of customers.
Your personal or firm attack surface or vulnerabilities map is a diagram showing all of the different points that expose your computer systems and the data and information they contain to an attack, including, but certainly not limited to open ports, web applications, and multiple users with access credentials beyond their needs. The more complex the functions your computer system is called upon to perform and the greater the number of users with access to your system, the larger your attack surface becomes.
The majority of cybersecurity systems are expensive; but you cannot avoid the need for cybersecurity and do nothing. Unfortunately, even purchasing an expensive packaged cybersecurity “solution” without having someone with the time and skills to manage it is not enough.
The shortage in cybersecurity talent has sent demand soaring with median salaries rising to over $97,000 in 2015. Not having sufficient cash flow to support a cybersecurity employee just means you are personally responsible to do the job.
It is often most cost-effective for attorneys and small law firms to outsource at least some aspects of their cybersecurity to managed security service providers (MSSPs).
Do not even consider outsourcing, however, unless you can clearly articulate your cyber security goals; have clearly identified the assets, data, and information you need to secure; and have someone ready to manage and become responsible for the outsourcing relationship. The worst thing you can say to a managed cybersecurity service provider is, “I don’t know where to start.”
Outsourcing due diligence
The due diligence you must complete before contracting with a managed security service provider (MSSP) includes
• Determining whether the MSSP has worked with comparable attorneys and firms, and then checking their references.
• Reviewing the stated standards, policies, and procedures of the vendor.
• Assuring that all performance and service requirements and responsibilities are documented in service level agreements and/or statements of work.
• Identifying your personal account representative and agreeing upon just how accessible that individual will be.
• Establishing clear performance milestones to checkpoint progress.
• Understanding what access the vendor requires to the internal resources of the firm and making sure those resources are available when the vendor arrives for their first day of work.
• Requiring full disclosure of any reseller agreements that the vendor is a party to or beneficiary of. Read them carefully.
Check out the vendor financials and have a well-considered, well-defined exit strategy for moving on from that vendor to another vendor or simply terminating their services.
To succeed with cybersecurity outsourcing requires a considerable amount of planning, discussion, and building trust.
You are ultimately responsible for your own cybersecurity and the cybersecurity of your firm. This is a non-delegable responsibility. If a data breach occurs, it will be your name in the news not your service provider. You must define your goals and understand what you are doing before you start writing checks.
The most popular cybersecurity solutions are antivirus software; security incident and event management systems (SIEM); identity and access management systems; encryption or tokenization of data at rest; encryption of data in motion; and web application firewalls.
Following is a list of common, generally accepted cyber security solutions and how effective they actually tend to be in practice, their relative cost, and some simple pros and cons.
Anti-Virus (A/V) keeps dangerous software off your systems; is relatively inexpensive; easy to use; works well on known viruses;, and can be operated with little security experience. A/V, however, provides limited protection due to its reliance on signatures of known attacks, and it is frequently criticized for slowing down user systems.
Encryption keeps your data obscured from everyone who lacks the authority to see it. It is relatively inexpensive and keeps information obscured from unauthorized viewers at rest and in transit. However, encryption is only as strong as the user authenticating information and the integrity of the systems on which it runs. When either the user information or user system is compromised, encryption is effectively disabled on that system.
Firewalls create a gateway to separate internal networks from external traffic, and to block threatening network actions. They are moderately expensive but assure good baseline security to create a logical perimeter for monitoring and access control. They provide a good information source about inbound attacks and outbound data theft. Firewall logs, however, become “noisier” as traffic flows increase, and increasing encrypted traffic flows can impede the ability of firewalls to “see” inbound attacks. Firewalls are also less useful against custom-crafted and browser-based attacks which deliver fragmented attacks or use of a “dropper” or “downloader.” Firewalls also cannot protect mobile or remote user systems when they are used outside the firewalled network.
Security Information & Event Management (SIEM) identifies unauthorized or destructive behavior across your network. It is expensive but provides a broad view of security across an enterprise and stronger breach detection capability across multiple systems. SIEM tooling is costly to purchase and more costly to staff. The volume of data and complexity of the information provided requires experienced analysts and there are multiple examples of attacks going undetected.
Identity & Access Management (IAM) enables only authorized access to systems and services, and ties the identity of individuals to those accesses. It is expensive, but provides strong access protection and audit with the knowledge of who touched what and when. While single user sign-on is relatively user friendly, it is difficult to maintain IAM integration across new apps and among the changing roles of users. IAM also requires logging, as user authenticating information is under threat from credential theft attacks and keystroke loggers.
Remember that these technologies are all simply tools. Used incorrectly or without integration they can create only an illusion of security.
Every lawyer and law firm should understand that their computer systems will inevitably be breached and they must be prepared to defend their security practices in the ensuing litigation.
Assessing ‘Reasonable’ Security Measures in Court
Since there is no escaping the “reasonableness” standard for cybersecurity, it is “reasonable” to argue that the accepted definition of “secret” under the Uniform Trade Secrets Act (UTSA) will apply to “confidential” in the case of cyberlitigation.
According to the UTSA, data is “secret” if it (A) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and (B) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
The established concepts of “reasonableness” in securing electronic data relating to trade secrets provide a useful perspective on what to expect in other cyberlitigation.
Password protection for sensitive data is an industry standard and certainly works in favor of finding reasonable efforts unless passwords are literally shouted across the office or written on postIt notes attached to office computers. Passwords themselves, however, must be secure.
Courts favorably considered firewalls, encryption, and effective network monitoring as “reasonable” and segregated data and segmented networks were particularly helpful in several cases.
In addition to technical measures, your personal and firm policies can often become critical measures of “reasonableness.” Most compelling to the Courts have been those restricting data access, both internally and externally, on a need-to-know basis. “Need-to-know” access should be of particular concern to those attorneys who represent banks, mortgage companies, and health care providers as well as attorneys who practice inludes matrimonials, debt collections, bankruptcy and claims involving access to medical and employment records such as personal injury, workers compensation, and social security disability.
Courts favored policies on remote access and use of personal devices that included controlling setup of any remote access; training on removing confidential information from laptops, tablets and other mobile computers; annual reviews of confidentiality policies; requiring acknowledgement of confidentiality with each access to the computer system; and requiring that data be encrypted before copying to laptops, mobile devices or transportable storage devices such as memory sticks.
Evaluating potential solutions to limit your risk
Improving Anti-Virus (A/V) programs and services, change management, and endpoint protection are ways to improve cyber defenses at low cost.
Encryption is the heart of authentication, secure transmission, and secure storage of data and also provides protected channels through which confidential or high-integrity data will be fed to the SIEM. Firewalls also gain additional value when used as a point of terminus for encrypted connections and VPNs (Virtual Private Networks) from trusted external sources.
Firewalls offer increased efficiency for local security by stripping attachment file types, and doing A/V scanning at the gateway. . Firewalls keep external connections from forging internal access credentials and can be configured to increase privacy by only allowing encrypted traffic to leave the network to certain destinations. By limiting traffic flows, they can also decrease the glut of traffic monitored by the SIEM
Security Information & Event Management (SIEM) software provides a “bird’s-eye” view of system security and when attacks are discovered, automatically limits inbound access through the creation of firewall rules. An SIEM can associate expected behaviors with individual users and identify offending user accounts when it encounters malicious or even unexpected behavior. SIEMs can also be used to identify unexpected traffic or requests from infected systems.
Identity & Access Management (IAM) software integrates firewall-based perimeter access control and auditing inbound and outbound traffic, essential for understanding the behavior on your network.
Can anything be done?
Confidential information must be restricted to protected accounts on protected devices. Millions of smartphones and tablets are lost or stolen each year. Any data on them must be encrypted and otherwise protected from unauthorized access. The best protection, however, is to never store sensitive data on personal devices!
No attorney can afford to put their non-delegable duty of client confidentiality at risk just for personal convenience!
This article appeared in the May 2016 issue of “Cyberlaw: A Primer, Part II”, The Suffolk Lawyer, www.scba.org, Vol 31 No. 9, May 2016, pp. 1, 21