Cyber threats
Thomas Berman of Berman & Associates comments on how to address the new internet security issues facing law firms
The past two decades have been spent making computers faster, more reliable and less expensive. The goal has been to concentrate information in one place so that it is accessible to everyone who needs it. On top of that are rapidly emerging mobile devices using newer operating systems which allow information to be available in ways never seen before. Laptops, iPads and so forth give us mobile desks from which to carry out assignments (or watch movies). Integrated systems allow us to have complete client files at our beck and call. The world is our oyster!
Well, maybe not. Data hacking and lost or stolen laptops can cause confidential client information to be compromised. These threats are unfortunately all too real and an emerging concern to the safe practice of law around the world. Along with the shift to more concentrated and accessible databases comes the unwelcome potential for real disaster. There are ‘bad guys’ out there who would do you harm, there is always the possibility of human error and, perhaps worst of all, there is the disgruntled employee who wants to get back at the firm for real or perceived harm done to him or her.
The potential for human error is controllable to some extent, but if a laptop is left in the screening area of an airport (where thousands of laptops are in fact left each year), a potential disaster awaits. Many people write down their passwords and keep them with their laptops. If the computer is stolen or lost, then the chances are that the passwords will fall into the hands of a stranger and you will be at their mercy. Unless encrypted effectively, the data in the computer will become available to anyone with only a modicum of technical know-how. Personal data, passwords, bank accounts and social security numbers are made available. Then, depending upon the availability of data from the office server or the client information located on the laptop’s hard drive, the real damage begins.
In most states today, the standard requirement is to notify anyone and everyone whose information may be compromised (lost or stolen). That leads to all sorts of unhappy, damaging and generally expensive alternatives, including the strong possibility of lawsuits and even possible actions to be taken by the state bar.
The other categories, including malware attacks or internal security breaches, are a good deal more complicated and difficult to police and control. There are some basics which a law firm needs to address to increase cyber security.
The five steps
There are five fundamental steps which are needed to address computer security issues within a law firm.
1. Implement processes and procedures to authenticate or verify users on the network. This may include various techniques or a combination of efforts.
2. Review computer deployment with security in mind. Manage systems and equipment to know exactly what hardware, operating systems and software are in use. Implement best practices and do not use default security settings.
3. Train all employees on the need for computer security and ensure that security is factored into choices pertaining to hardware and software.
4. Develop a capability for immediate response to incidents, repairing damage, recovering systems and data, investigating and capturing forensic evidence and working with law enforcement bodies. Ensure you have emergency access to an expert in this area.
5. Create a regular process to assess and monitor the vulnerabilities of your computer network. Develop automated processes for assessing and reporting vulnerability, patching, and detecting both internal and external threats. Ensure there are periodic internal and external security audits to supplement these efforts.
Insurance coverage
Think you’re covered for such losses? Think again. There is very likely no coverage for such disasters in either general liability policies or in attorneys’ errors and omissions policies.
Unless the firm procures a special (probably separate) cyber security policy, the costs of notification to those potentially affected, the costs attached to actual damages sought by individuals whose data has been compromised (e.g. under the Health Insurance Portability and Accountability Act), and the expense attached to rebuilding or re-securing the firm’s database must be borne alone.
At the end of the day, it is up to the individual law firm to protect itself. Senior management must fully address this issue so that their firms don’t end up in the untenable position of sharing privileged and confidential information with the rest of the world.
– tberman@bermanassociates.net