Risk Update

(Security Week) Breach Edition — Anatomy of One, Fading Law Firm Cloud Concerns

Yesterday’s update ended with a note about an actual breach; today we pull back for an interesting big-picture perspective published by the ABA: “The Anatomy of a Data Breach: An overview of the actors, roles and impacts of a cybersecurity breach” —

  • “Breaches come in many variants, far too many to cover in a single article. But there is a general flow to a breach. Since we make a living investigating breaches and remediating the vulnerabilities that caused them, let us take you on an anatomical tour of the common elements of a typical breach.”
  • “To make the reading more fun, we have offered up ‘quotes’ from the players typically involved in a breach. Many are taken from real life incidents.”
  • “If the point of the breach is to purloin data, hackers will use their malware to move laterally across your network and ‘pwn’—hackerspeak for ‘own’—everything they can. Imagine the value of data in a mergers and acquisition law firm. The hackers could sell the data to others or use it themselves to get rich in the stock market. State-sponsored hackers can give their countries a competitive advantage against the U.S.”
  • “If the law firm has an Incident Response Plan, it’s the first resource for those in charge of handling the breach. They begin by picking up the phone to call the regional office of the FBI; then their insurance company, data breach lawyer, digital forensics company and bank; and the list goes on. All 50 states have data breach notification laws, so carefully determine if a report (or reports) must be filed, and by when.”
  • “Rarely, if ever, does a law firm notify clients at this early juncture. In most breaches, it isn’t immediately known what data was compromised, and there is natural reluctance to tell clients anything until the investigation is well underway. When the breach goes public, however, there’s little choice but to talk to clients.”
  • “The cyber insurance world remains the Wild, Wild West… Buffett’s views are reflected in more and more cyber insurance policies, which often include requirements for security audits and include language about conforming to industry cybersecurity standards. The quintessential ‘we don’t cover stupid’ case is Columbia Casualty Co. v. Cottage Health System. There are now more cases where insurers are saying that the insured did not take the reasonable security steps required by the policy.”

With a complex threat landscape, and more of a track record to rely on, law firms are increasingly looking to shift some of the responsibility and risk for information security to their vendors in the cloud: “Lawyers And Cloud Computing: It’s Not So Complicated Anymore” —

  • “Cloud computing is a concept that most lawyers are familiar with in 2019. But it wasn’t always that way.”
  • “[b]eginning in 2010, cloud ethics opinions were issued quite frequently, with as many as three or four being handed down by various jurisdictions in some years. But beginning in early 2017, after the Illinois opinion listed above (Opinion No. 16-06), there was a noticeable lull, with no opinions being issued to the best of my knowledge until Texas addressed the issue a full year and a half after the Illinois opinion.”
  • “I would suggest that the reason for this is simple: cloud computing is now an accepted, trusted technology. As a result lawyers are comfortable using it, and thus don’t feel the need to submit inquiries to their bar associations’ ethics committees regarding whether it’s ethical to do so. In fact, according to the latest ABA Legal Technology Survey report, the majority of lawyers (55 percent) have used cloud computing software tools for law-related tasks.”

For example, several firms have cited security as a key driver in adopting cloud-based document management solutions. Here’s a recent example from Anthony Garza Sr. Director of IT at Dickinson Wright: “What really changed the game for us was NetDocuments’ commitment to security and their willingness to help the firm navigate our cloud-based security challenges.”