Between April 1, 2020 and June 25, 2020, cybercriminals managed to steal personal health information (PHI) and personally identifiable information (PII) from over 36,000 patients at the University of Pittsburgh Medical Center (UPMC). The hackers did not, however, obtain this information by hacking into UPMC. In 2020, hackers managed to access the email of one of UPMC’s law firms, Charles J. Hilton and Associates, an eight-member firm focused on billing-related services. The hackers have allegedly generated over $2,000,000 in fraudulent financial transactions. There is now a large class action lawsuit hitting both UPMC and the law firm regarding the breach. The lesson: Law firms that lack good cybersecurity hygiene create cyber risk for corporate legal departments and their companies.
Law Firms Are Soft Targets
Hackers are not dumb. They go after soft targets, and increasingly that means law firms. According to Fitch, professional services firms are the recipients of 1 of every 4 ransomware attacks; over twice as much as the next industry. And the reason is obvious: cybercriminals perceive these firms to be lax in their approach to cybersecurity. The recent spate of serious breaches in the legal industry – to both law firms and their vendors, such as eDiscovery service providers – proves them correct. And Chief Legal Officers are concerned: the 2021 ACC CLO survey results show that cybersecurity is the number one area of concern for CLOs.
Breach Response: Who is really accountable?
In a recent webinar on this topic, we asked attendees – who worked in a broad spectrum of legal operations roles – where does information security fall as a concern for your legal department? Well over half were “very concerned,” with the remainder being “concerned.” Further, when asked which department was responsible for managing security risk related to law firms, 86% said Information Technology/Information Security was responsible, NOT legal operations.
But we all know who will be held accountable if one of your law firms has a breach.
Today’s Approach: Cyber Risk
It is often a fool’s errand to try and generalize approaches to information security. Most organizations that take information security seriously (if yours does not…call me and read our recent post “What Your CISO Wishes You Knew: Avoiding Information Security Mistakes“) include vendor security assessments as part of their overall program. The vendor assessments are usually questionnaires meant to catalog a vendor’s overall security posture as it relates to the organization. It can be brief or comprehensive, but typically it is generated by the IT/IS department and based on the business’ own information security policies. It’s a sensible strategy based on the IT/IS viewpoint and their assessment approach.
Further, the engagement agreement with outside counsel will also reflect the corporation’s posture, if not in the agreement itself, then in supplementary guidelines provided to outside counsel. These agreements should, at a minimum, contain language outlining the organization’s expectations in terms of confidentiality and level of care, as well as a right to audit. More often than not, this language is dropped into the agreement from the boilerplate used in every other agreement within the organization.
Legal Departments: Unique Vendor Security Requirements
But Legal is not like any other department in at least two critical respects. First, much of the data is derivative. That is, this data is derived from information proprietary to the organization, and includes data used in matters or activities, such as a filing or contract, and data for draft or discussion purposes. By way of example, let us consider a suit against a former employee. As part of the process, outside counsel may prepare documents related to different tactics for the settlement or case. Further, let’s consider two approaches – one softer and more conciliatory and the other harsher and more confrontational. Only one approach may be used. But if a hacker gets access to the firm’s system, both document libraries may end up on Wikileaks.
Second, the Legal department has unique, layered confidentiality requirements. While an organization’s overall employee pool is subject to confidentiality requirements regarding corporate information, if an inspection of outside counsel were to occur, does the law department want the IT/IS staff reviewing its data stores at outside counsel or outside counsels’ vendors? And since most law departments do not have many stray hours to do a deep dive into outside counsel’s network and systems (and probably do not have the technical acumen to do so), the specter of an audit is minimal.
In summary, though the framework of ensuring that outside counsel takes due care of proprietary and confidential information exists, it is an unfortunate reality that there is often little to no verification.
Vetting Law Firm Cyber Risk: A Modern Approach
The new trend in legal operations is to take a page from the consumer data privacy playbook and demand that your vendors manage and treat your data like they would an individual consumer. While not perfectly analogous, we have found that a few obvious adjustments can create the proper framework for understanding and managing the data security of your information under their custody.
There are five fundamental questions that legal operations (or any department or organization) needs to address to understand your vendor risk:
- What do you consider “confidential data?”
- Where does your data reside?
- Who is responsible for the data?
- Who has access to that data?
- How long is that data retained?
A Critical Difference: Confidential & Derivative Data
With near certainty, your organization has a clear set of guidelines regarding the confidentiality of information. Such data includes the usual “personal” information in the organization’s possession – names, addresses, social security numbers, credit card numbers, and the like – but also will include contracts; trade secrets and other intellectual property; corporate transactions and other non-public information; and other information critical to your business.
But vendors, such as law firms, take this primary data and create documents and other information for legal purposes. The extent of this “derivative” data is often unknown to the corporation but still constitutes a significant amount, perhaps even a majority, of your data a law firm possesses. Despite the derivative nature of the data, you have an extraordinarily high interest in making sure the integrity and privacy of that data remains.
So, the information exposed when a law firm is breached is not necessarily the data you know and understand, but it will also be this derivative data that they have produced on your behalf.
Identifying Data Stores
To manage your data, you must have a clear understanding of where your data is stored. That means, does your law firm have a clear account of the location of that data? What systems contain your data? Are they internal systems, that is, within the four walls of the firm? Are they external? Are they cloud-based? Does your data reside in external systems such as eDiscovery or document management systems? How are those third (or fourth) parties protecting your information in their platforms?
Are there old copies of your data in legacy systems? Legacy systems are important because they are often not kept up to date in terms of software patches and security patches. That makes them especially vulnerable to hackers. Any data in a legacy system needs to be a very, very high priority to understand where it is, how it’s being protected, and potentially migrating that information out of the legacy system — either to a more modern system or destroyed if the data is no longer necessary.
Controlling Data Management: Ownership
When we talk about data ownership, the owner is not necessarily mean the lawyers, paralegals, or staff on the matter. In this case, you want to know who is accountable for ensuring the proper management of the data. Typically, that decision is made within the administration of the law firm. Regardless, you want to make sure that you know who is accountable for managing your data to a minimum of your requirements and be comfortable that individual is capable and proactive in doing so.
Controlling Use and Visibility: Access Rights
The next question to ask concerns access rights: Who has access to your data? Matters start, matters evolve, and multiple individuals are needed to create documents, review documents, perform tasks, or otherwise provide representation to you. These are lawyers, paralegals, staff, and consultants, but understanding who has access to that data is crucial.
- Is your information generally accessible to anyone in the firm?
- Or is the matter locked down to only identified individuals within that firm necessary for the matter?
- Do you understand what “necessary” means, and are you comfortable with the law firm’s provisioning of access rights?
- To get comfort, ask yourself: Do these individuals have a legitimate purpose or need to access your data?
In our experience, we see a lot of information access given for convenience. Those decisions may or may not be proper or acceptable. You want to have clear visibility into which individuals have access to your data and then how these access rights are assessed as the matter continues. Personnel shifts occur. People leave a firm or join a firm. People may be needed to work on a matter for limited purposes. How actively are the access rights assessed? Finally, once a matter is closed, are access rights adjusted appropriately?
Retention and Deletion
We lawyers are notorious data hoarders. But you want to maintain rigorous retention policies at your law firms. You want to make sure that only the information that is necessary for future work is retained. Anything other information should be disposed of in a manner consistent with your internal policies. “Necessary,” of course, is subject to interpretation, but any data that remains is vulnerable.
Interested in taking the first step in evaluating the information security practices of your law firms? Start with our downloadable worksheet, 20 Fundamental Questions to Ask: Evaluating Information Security Practices.
Hackers see professional services firms as easy targets and consequently, the cybersecurity environment is getting worse for law firms every day. We have seen numerous legal industry companies – firms and vendors – suffer serious attacks in the past 18 months. And while no defense is perfect, legal operations and law departments must ensure that their law firms secure the organization’s data to the maximum extent possible.
Looking for strategies to assess law firms’ information security readiness, ensure confidential information integrity, and lower your organization’s risk of cyberattacks? Explore the second half of this blog post series:
EXTEND Resources helps organizations like yours secure their assets, create a robust security program, become certified for information security compliance, and continually improve their program to protect against evolving threats — including law firm and vendor risk. Contact us to learn more.