This article, the third in this series on cybersecurity, answers two questions often asked by law firms about cyber risks: What specific steps can be taken to protect data, and what can a firm do if hackers obtain the firm’s confidential information?
There is no one-size-fits-all solution for firms, and policies for effective cybersecurity will vary by firm. However, many approaches include the development of a cybersecurity plan that is composed of two parts: (1) a Cyber Risk Management Plan to reduce the risk of a cybersecurity problem before it happens, and (2) a Cyber Incident Response Plan that includes protocols and practices for addressing a cybersecurity breach after the fact.
Cyber Risk Management Plan
The best time to take steps to reduce the risk of a breach is before a cyber breach happens. After all, once the toothpaste is out of the tube, so to speak, it is too late. By focusing on the issues addressed by a risk management plan, firms can reduce the likelihood of an incident occurring in the first place.
A cybersecurity plan can also focus on physical security issues (such as safeguarding the location of physical servers or requiring access cards to enter certain records areas) in addition to cyberspace issues.
Another example of a step that law firms can take to minimize the risk of a data breach is to develop protocols to protect information on mobile devices, like smartphones and laptops. These devices are easy to lose and can provide access to confidential information to anyone with the mobile device in hand. Thus, law firms may want to limit access to such devices by requiring passwords that are changed regularly. Another option is the use of remote-wiping, which allows a firm to remove all data or confidential information on a device that is lost or stolen.
There are other policies that work for some firms but do not make sense for others. For example, some firms have adopted a policy banning BYOD (“bring your own device”), such that any computer or mobile device used for personal purposes may not also be used to access work email or programs. Others implement special procedures for the use of laptops or mobile devices by personnel traveling to foreign countries the firm has identified as “high-risk” zones for hacking. Still other firms require security scanning of storage devices, such as a thumb drive or a CD, before they are used on law firm systems. Whether implementing these policies makes sense varies from firm to firm.
Another important risk management tool relates to third-party vendors. Third-party vendors that have access to a firm’s systems can provide a conduit for hackers. Because law firms routinely use third-party vendors for litigation support, human resources and more, many firms will require those vendors to agree to and comply with the firm’s own security requirements. Firms may also require vendors to notify the firm of a breach or assist with the investigation and resolution.
Cyber Incident Response Plan
If a law firm is unsuccessful in preventing a cybersecurity breach, having a breach response plan already in hand will be immensely helpful. Even firms that devote significant resources to preventing breaches benefit from being prepared to respond should a breach occur.
Often, law firms believe that cyber incidents should be reported to the head of IT so that the IT team can handle the incident as they deem appropriate. However, a firm addressing a potential breach of confidential data may have obligations under the Rules of Professional Conduct, federal, state or European Union regulations, common law, contract or client engagement agreements.
A firm’s incident response plan, often written by counsel in conjunction with the IT department, typically includes several aspects.
First, a plan may identify the person within the law firm to whom a potential incident should first be reported (often the general counsel). In firms without a designated GC, a breach can be reported to someone with authority to contact and engage outside counsel. The plan may also designate the chain of command for making real-time decisions.
The plan also may contain information regarding the firm’s computer networks and servers, including their physical locations and the types of information stored on them. That information will facilitate the immediate start of an internal investigation, which will help determine the scope of the breach and the appropriate remedial steps. The plan can also consider how best to conduct an investigation in a way that will preserve evidence and protect any privilege. Others may include a policy addressing whether to involve law enforcement to assist in the investigation or pursue criminal charges against the hackers.
The plan may also include notification and reporting policies for deciding whether to disclose the incident to affected firm employees, firm clients, and other individuals whose personal information was accessed, as well as to state and federal regulators. Identifying whom to notify and when depends on several factors, including what data was accessed, who was affected, where the affected parties live and what type of breach occurred. It may also necessitate the involvement of public relations or media specialists.
Finally, the plan may address whether to hire outside counsel to handle the internal investigation and provide advice. This is a common approach, as outside counsel provides credibility, serves to cloak discussions in the attorney-client privilege and protect them from disclosure, and can assist in the event of a claim alleging a failure to adequately safeguard client data or to appropriately respond to the cyber incident.
Cybersecurity is an issue that all firms need to consider and address. A good defense is the best offense to help ensure that firms protect themselves, their clients and their employees.
Shari L. Klevens is a partner at Dentons and serves on the firm’s US Board of Directors. She represents and advises lawyers and insurers on complex claims and is co-chair of Dentons’ global insurance sector team. Alanna Clair is a senior managing associate at Dentons and focuses on professional liability defense. Shari and Alanna are co-authors of “The Lawyer’s Handbook: Ethics Compliance and Claim Avoidance.”