LAW FIRM CYBERSECURITY: COMMENSURATE WITH CAPITAL
by Benjamin Bolin[1]
In an age of digital crime, law firms are looking for solutions to protect their clients’ data. However, traditional conversations on law firm cybersecurity have failed to recognize that the solutions necessary are commensurate with a law firm’s size. Current standards for attorney-client privilege explain that lawyers must take reasonable measures determined by the amount of resources available. Neglecting to recognize the relationship between resources and solutions can lead to liability and inefficient spending. This comment discusses a full picture of the cybersecurity landscape for law firms, explicitly acknowledging the expectations, requirements, and threats to law firm cybersecurity. Then, the piece concludes by dividing new and old cybersecurity solutions by the size of a law firm. This comment aims to establish a new standard in cybersecurity discussions.
I. INTRODUCTION
Ironically, in the first story to coin the term “cyberspace,” the author imagined a world of cyber attackers. In 1981, when the internet was still in its infancy, William Gibson recognized the silent struggle of companies seeking to protect their data, and the hackers motivated by money.[2] In Burning Chrome, Gibson introduced the first and last line of defense against hackers, Intrusion Countermeasure Electronics (ICE). ICE is the science fiction equivalent of modern day cybersecurity. Today, his stories come to life as industries struggle to keep their data secure from foreign threats. Attacks can come from governments, companies, or even individuals like those Gibson romanticized. As former Secretary of Defense Leon Panetta warned in October of 2012, everyone’s data is set for an impending “cyber Pearl Harbor.”[3] As awareness of this threat grows in industries across the globe, intruders are looking elsewhere.
Today, law firms are becoming the new target for theft of intellectual property, business secrets, and confidential information. Cyber attackers realize law firms can house significant stores of sensitive client information. These same attackers have also discovered that the legal community generally has weak cybersecurity. These threats pose significant challenges for law firms, as they seek to keep client information confidential but accessible. The basic challenge to law firms includes compliance with “reasonable measures” of security as demanded by statute. However, no one solution fits every law firm. Resources vary depending on a law firm’s size, and reasonable security measures vary depending on its total risk. Discussions of solutions for law firms need to keep this essential fact in mind. The problem is that no discussion of law firm cybersecurity covers both the full picture of cybersecurity and solutions departmentalized by the size of the firm.[4]
In an attempt to fill this void, this piece will present and intersect four sets of knowledge: first, what the current standards are for law firms including their professional responsibility requirements and statutory obligations; second, who attacks law firms and why they are attacked; third, the liability law firms face; and fourth, solutions for law firms. The first three sections present the full picture of cybersecurity from hacker to statute. The conclusion, the fourth section of this piece, presents a breakdown of cybersecurity solutions for small, medium, and large law firms, using current standards, hacker motivations, attorney liability, and resources available as a guide for digital protection.
The current stage of cyberspace is full of hackers. By tailoring solutions for law firms, this comment may help improve the legal community’s modern day ICE.
II. CURRENT STANDARDS: A SUMMARY
In general, the problem with the word “cybersecurity” is that it implies a single standard or set of laws. However, data-security standards for law firms are an aggregate of many distinct but related standards.[5] In order to better understand the liability and the solutions law firms face, it is necessary to understand each set of requirements. Requirements set by professional responsibility, state law, federal law, and common law combine to govern this field. Industry certifications are optional and expensive, but also contribute to the standards set for some attorneys.
A. Professional Responsibility
Professional responsibility expects lawyers to keep client information confidential while adopting new technology. However, the requirement that data be secured by “reasonable measures” leaves much to be desired.
The American Bar Association (ABA) Model Rule 1.6 requires confidentiality of information.[6] Subsection (c) requires reasonable measures to prevent unauthorized access.[7] Factors considered in judging reasonable measures include the sensitivity of the data and the laws that seek to protect it.[8] A client may require even further standards or consent to less secure communication methods.[9] As a lawyer tries to meet these expectations, Model Rule 1.1 requires that attorneys provide competent counsel to their clients.[10] This competence can extend to “the benefits and risks associated with relevant technology.”[11] And, if confidential data is breached, Model Rule 1.4 mandates that attorneys tell their clients.[12]
Many states have weighed in on the cybersecurity requirements set by the ABA Model Rules by various means. In North Carolina, for example, the rules have been amended to require lawyers to stay up to date on “the benefits and risks associated with the technology relevant to the lawyer’s practice.”[13] North Carolina then uses language similar to the ABA Model Rules, requiring that attorneys make reasonable efforts to prevent unauthorized data breaches.[14] Florida, instead of making changes to its rules of professional conduct, supplements them with an advisory opinion to stress the importance of cybersecurity.[15] Many more state bar associations have issued similar comments and opinions.[16] Other states rely on progressive interpretations of the already existing language; for example, Missouri has none of the language from Model Rule 1.1.[17] It may, however, be read into the rule because it requires knowledge and skill in changes of the law and its practice.[18] Like the states above and the ABA Model Rules, the Missouri rules also require reasonable precautions to ensure confidentiality.[19] Each of these rules and opinions displays at least a common requirement of reasonable measures for data security.
In sum, many states and the ABA require attorneys to embrace new technology and take reasonable measures to ensure data security. The reasonable measures standard calls upon lawyers to balance the sensitivity of the client data against the laws in place to protect the information.[20] This balance can be difficult and subjective because the line between reasonable and unreasonable can be blurred. For example, suppose an attorney has “Class A” and “Class B” security provisions for case data. Class A security is used for high-risk cases, so the data is encrypted and access by phone is prohibited. Class B security is used for low-risk cases, so the data is unencrypted and may be accessed on any device. Where do medium-risk cases go? Under Class A security, medium-risk cases receive more protection than they deserve; under Class B, they do not receive enough. Perhaps the ABA professional standards want attorneys to be conservative with protection of client data. The example also displays how an attorney is forced to compare risk and make a subjective determination as to what level of security is appropriate. There are many more situations in which the line between using different security measures would be unclear.
B. State Statutes
In addition to professional responsibility requirements, some state statutes have more stringent requirements. For instance, some states require notification within short timeframes if client data is breached.[21] While a minority of states require specific data security measures, some states’ requirements can include encrypting all records and training employees.[22]
Forty-seven states have statutes governing data breach notification, which apply to law firms that store client data. California enacted the first notification law in 2002, and many states followed suit.[23] California, like most other states, requires entities that hold personal information about their clients to notify them upon discovery of a data breach without unreasonable delay.[24] Although most states require notification, the statutes vary widely on issues such as the timeframe in which affected persons must be notified, civil or criminal penalties, and notification of law enforcement.[25] Some states impose strict liability for failure to notify.[26] Additionally, some states set a capped penalty for failure to notify, while others use a calculation.[27] States like Missouri have created a “safe harbor” from data breach notification if the data was encrypted.[28]
A handful of states have enacted laws requiring data security standards to protect personal information.[29] These state laws protect against data breaches and require businesses to implement and maintain reasonable security measures, similar to the requirements set for attorneys by the ABA Model Rules. For example, the Massachusetts data privacy regulations are very comprehensive.[30] The statute requires every “person” or entity holding or processing Massachusetts residents’ data to develop a written policy, encrypt all records, and train employees on compliance with data security policies.[31] Rhode Island, Oregon, California, and a few others have passed similar legislation.[32] Others, like Missouri, are trying to pass only specific protections, such as security for student data.[33]
C. Federal Law
More than 50 federal statutes focus on various issues in cybersecurity, but there is no nationwide standard for data breach notification.[34] Efforts have been made to pass a nationwide standard for data breach notification, but Congress has yet to pass anything.[35]
There are, however, several relevant statutes necessary to understand the scope of data security standards for firms. The Health Insurance Portability and Accountability Act (“HIPAA”), for example, requires health care providers to maintain high security standards to protect medical data.[36] The Health Information Technology for Economic and Clinical Health Act extended HIPAA requirements to “business associates” who handle health information, including law firms that deal with such data.[37] There are many similar federal laws for banking, student data, and more.[38]
D. Common Law & the FTC
The FTC and common law set only a few limited standards for law firms to abide by, but as litigation multiplies, attorneys cannot afford to miss the requirements set by the FTC and future common law cases.
The FTC has the authority to act as both prosecutor and advisor when it comes to data privacy. In 2014 and 2015 the FTC filed more than 50 general privacy lawsuits.[39] In 2014, the FTC filed a complaint against the hotel chain Wyndham Worldwide Corporation and three of its subsidiaries for misrepresenting security measures and for failing to safeguard client information.[40] Wyndham lost, but it appealed on the basis that the FTC does not have the authority to sue for alleged failure to protect consumer data.[41] That argument did not succeed, and on August 24, 2015 the US Court of Appeals upheld the FTC’s authority.[42] Thus, with the authority to litigate against companies, the FTC’s standards have become common law. Failure to comply with these standards can result in litigation by the FTC and damages.
The standards set by the FTC include controlling access to data, requiring passwords and authentication, addressing vulnerabilities as they arise, and securing devices and paper.[43] Each of these standards extends to law firms. The solution section of this paper reflects these requirements.
Litigation over cybersecurity breaches is mostly brought by the FTC because of the difficulty plaintiffs face in showing sufficient damages, a required element for a class action case to be litigated. Since the Supreme Court’s decision in Clapper v. Amnesty International, courts have traditionally dismissed claims for lack of standing where victims of a data breach had not alleged actual misuse of the data.[44] However, with the recent In Re Adobe decision, plaintiffs may find it easier to meet the damages requirement and make claims against corporations and firms.[45]
It is difficult to assess damages because of the digital medium. Many questions remain unanswered when security is breached, such as: What information was stolen? What reputation damage resulted to the victim? Who was attacked? Answering these “damages” questions is difficult for plaintiffs—resulting in little litigation against law firms and other corporations outside the FTC’s crusade. But, with In Re Adobe as a recently set precedent, higher accountability standards for data breaches are on the rise and litigation will be available to more plaintiffs.
E. Industry Certifications
Industry certifications set an optional and expensive set of standards. These certificates are not required by statute or common law, but some firms are finding them important to stay competitive. For example, ISO/IEC 27001 certification is part of a growing family of standards created by the International Organization for Standardization.[46] The security standard was published in 2013 to provide requirements for establishing, implementing, maintaining, and continually improving an information security management system.[47] In 2015, John Anderson, CIO at Shook, Hardy & Bacon, said his IT team spent 18 months and $60,000 to reach the certification.[48] Another optional standard for businesses is NIST SP 800-53, a government publication of guidelines for executive agencies.[49]
F. Current Standards: A Conclusion
Laws governing cybersecurity for businesses and firms vary widely. Law firms balance numerous requirements from professional responsibility rules to the common law. The resounding requirement is to take “reasonable measures” in security as determined by the state laws and model ABA rules. These measures must account for the liability of the data provided. In other words, the common requirement is a risk analysis for each set of sensitive information. Notification laws are a second layer of requirements for law firms. However, each state has different deadlines and provisions. Specific measures as set by the FTC range from encryption and passwords to particularized security software. Finally, industry certifications are an optional and expensive solution some law firms are beginning to implement.
Keep these standards and certification options in mind for the solutions section discussion. However, before getting to the solutions section and with this important background in mind, it is paramount to understand who commits cyberattacks on firms in order to draw more defined security solutions.
III. CYBER ATTACKERS: A SUMMARY
Individuals, organizations, and state actors serve as a combined threat to a law firm’s valuable data. They are typically motivated by economic gain for themselves or for their country.
“Nearly two-thirds of organizations are potential targets for nation-state cyber-attacks.”[50] Cyberattacks are often thought of as Hollywood espionage against foreign governments,[51] and countries spying on one another is certainly a problem. However, strong motivation for nation-states to perform industrial or corporate espionage exists as well. For example, in China, weak intellectual property enforcement is used to favor Chinese competitors.[52] Nation-state sponsored hackers are the most well-funded and difficult-to-defend-against hackers.[53] These state-sponsored groups break into defense contractors, newspapers, Fortune 500 companies, and more through various methods.[54]
Non-state organizations are the second largest threat and can be more dangerous because of their focus on economic gains.[55] Traditional methods include malware, viruses, and vulnerability exploits.[56] More advanced options for these organizations include advanced persistent threats (APTs). APTs take advantage of vulnerabilities in software that are known but not yet patched to infiltrate networks undetected.[57] These intrusions can remain undetected for years, giving hackers a foothold in a company’s network.[58]
Individuals are the last group, who are typically less sophisticated and have weaker motivations. Some individual hackers are called hacktivists, hackers seeking political or social change.[59] Hacktivists typically target other individuals, companies, and governments.[60] Script kiddies are another subset of individual hackers. Script kiddies are hackers who utilize easy-to-use malware, spam, ransomware, and pre-made scripts to gain access and vandalize sites.[61] Script kiddies and hacktivists typically do not spend time learning to hack in novel ways. Because this group relies on pre-made and known malware, traditional security prevention may be effective.
IV. LAW FIRM LIABILITY: A SUMMARY
After identifying the standards for law firms and who cyber attackers are, the next and greatest challenge is to acknowledge the liability present in law firms. Law firms are prime targets because they tend to have the weakest security measures for very valuable and personal information. Moreover, liability for cyberattacks will only increase as insurance coverage falls.
A. Why Law Firms?
Cyber attackers target law firms because of the high volume of data and the low level of security. Law firms do not have the same level of resources that large companies have to secure client data, making firms the weakest link in the information security chain. Figuratively speaking, law firms have become the low-hanging fruit for hackers. This situation is a result of the balancing act inherent to the practice: weighing security against adoption of new technology.[62]
Hackers attack law firms for their valuable information. As established in the previous sections, a hacker’s main motivation is economic or political. These motivations carry over in the attack of law firms—especially given the amount and type of sensitive information in their networks.[63] A law firm inherently deals with sensitive and personal information. Attorneys are also privileged with non-public information from businesses—whether that be a lawsuit, merger, or business secret. Much of this personal information is stored digitally in a network. A firm’s network may contain information about a very large number of clients. Hackers seek non-public information on mergers and acquisition deals to get an advantage on the stock market.[64] State actors seek the information to undermine America’s long-term competitiveness.[65] Inherently, law firms are a digital treasure trove of valuable client information.
Unfortunately, law firms are also at a disadvantage in protecting the important client information they hold. Current standards for law firms are not comprehensive; instead, they are a hodgepodge of many different standards,[66] which can lead to conflicting requirements. For example, the Model Rules of Conduct set by the ABA and the modified versions adopted by many states compel an attorney to take reasonable measures to keep client data secure—while embracing new technology systems to stay competitive and communicate effectively.[67] However, the adoption of new technologies with the expectation of maintaining security of data comes with inherent problems. Introducing new technologies without proper risk assessment can create major liabilities. For another example, the use of personally owned smartphones to perform law-related work increased to seventy percent according to the 2016 ABA Legal Technology Survey.[68] While smartphones are a convenient and efficient medium for work and communication, they are very insecure, especially when personally owned.[69] Thus, there is a conflict between adopting new technologies like smartphones, which offer better communication, and confidentiality, which would require conducting business through more secure means than personally owned smartphones. Hackers may recognize this conflict and target law firms accordingly.
Law firms are further disadvantaged by their lack of available resources. Often, law firms are more vulnerable than their clients, since such clients tend to be large companies with more resources to invest in securing data.[70] Law firms are the biggest liability in any company’s cybersecurity strategy.[71] The law firm’s identity as the weakest link may be the result of partners’ resistance to making changes in technology. For example, “enhanced network passwords requires intense partner debate and discussion rather than simple acceptance.”[72] As Mary Galligan, a previous head of the FBI, explained, law firm security is poor: “As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much, easier quarry.”[73]
B. Recent Attacks: Examples
A discussion about recent data breaches may help put into perspective why law firms are attacked. At least 80 percent of the top U.S. law firms have had their security breached by cyber attackers.[74] According to a 2012 report analyzing 137 events from 2009-2011, the average cost of a data breach was $3.7 million.[75] A Ponemon Institute report showed the average cost of cybercrime for retail stores in 2014 was $8.6 million per company, which represented a doubling in cost from the previous year.[76]
The following true examples of cyberattacks illustrate why the liability law firms face is paramount. In 2010, the law firm Gipson Hoffman & Pancione saw that its employees were receiving social engineering emails from spoofed email addresses, carrying malware that could compromise the firm’s security.[77] It was later discovered that the attacks emanated from China.[78] The cyberattacks implemented—the spoofed email addresses—are known as “spear phishing,” which is a common way to gain access to a network.[79] Spear phishing uses emails that intentionally appear to be coming from colleagues but are actually fake. Fortunately, in this case, technology-aware attorneys recognized the emails as potentially dangerous and the malware was not released.[80]
Another, more recent attack was on Ziprick & Cramer. The small firm in California faced a new kind of Cryptolocker-type virus around January 25, 2015.[81] Cryptolocker is a type of ransomware, in which an unwanted program encrypts files on a network and then denies access to the files until money is paid to restore the information.[82] As the ABA Legal Technology Guide proclaims, “[y]ou can rest assured ransomware will continue onward until law firms recognize the importance of having backups that are not connected to the network as a drive letter!”[83] Griesing Law suffered a similar attack in July of 2016, as featured in the ABA Journal.[84]
Law firms must be prepared for the attacks they could likely face. A great majority of law firms are facing or have faced some kind of cyberattack. However, as seen in the Gipson Hoffman & Pancione case, technology-aware lawyers can thwart some of these attacks.
C. Law Firm Liability: A Conclusion
Law firms are liable for data breaches now more than ever. As described in previous sections, law firms are often the weakest link in a company’s data security chain. Breaches can cause average money damages in the millions. For cyber attackers motivated by either economic or political gain, the vast amount of information law firms hold is the metaphorical low-hanging fruit. Cybersecurity must be taken seriously to protect clients and firms. After analyzing the standards law firms must abide by, who the cyber attackers are, and the liability law firms face, it is necessary to turn to the solutions.
V. SOLUTIONS: A NEW PERSPECTIVE
The problem with traditional papers, articles, and discussion on cybersecurity is that they fail to particularize security provisions by the size of the firm.[85] It’s no secret that cost is the biggest barrier to entry for cybersecurity solutions.[86] Generally, the resources a firm reserves for security measures depend on the size of the firm. To make a loose division, firms can be divided into small (boutique), medium, and large sizes. No further definition of “large firm” versus “small firm” is provided, mostly in the interest of brevity.[87]
Small firms lack both the institutional knowledge to recognize how far they must go to secure their data and the financial resources to implement such solutions. Further, small firms have no guide on what cybersecurity solution is the minimum. For example, if a small firm grows from 5 to 10 attorneys, how do its cybersecurity requirements change? Medium firms are in the hardest spot when it comes to cybersecurity. They may have key pieces of data on a large corporation and therefore a high level of threat. However, medium firms lack the resources available to protect the data like a large firm. Medium firms are also more likely to deal with clients who want constant access to their sensitive data. If law firms are the low-hanging fruit to sensitive data, medium firms are the weakest link. Large firms may have it the easiest: despite being constantly bombarded with attacks and threats, large firms have the knowledge base and finances to secure data. Moreover, large firms can more easily rest assured they are meeting the current standards for their clients’ data security.[88]
In the following section, solutions are organized by the size of the law firm. If a firm is capable of more provisions, however, it is encouraged that the firm adopt tools and steps outside any defined zone. For example, if Firm A is a small firm and fulfills or is fulfilling all the measures designated here and has resources to fulfill a medium or large firm provision, all the better for Firm A. Each of the provisions described scales up to larger law firms. Thus, medium firms should fulfill everything a boutique (small) firm does plus the medium firm provisions. Large firms ought to complete everything in their descriptor plus the medium and boutique size provisions. Therefore, the discussion begins with small firms, describing all the requirements set by the current standards section of this paper, and how to begin to meet those requirements. The discussion ends with big firms, describing large scale measures over current standards that could and ought to be completed to protect client data. Note that this discussion omits one obvious set of minimum requirements: those set by clients, which control only where the client requires more than the minimum standards described herein.
VI. SMALL FIRMS: AN INTRODUCTION
A small firm is in a pickle. Every day cybercriminals pump out about 250,000 novel variants of viruses and malware.[89] These threats are a major issue for big firms. Yet small firms are exposed to the same attacks as large firms, but with limited resources available.[90] The Gipson attack may not have gone as smoothly for a firm the size of Ziprick & Cramer. However, troubles like the spear phishing attack at Gipson Hoffman & Pancione were resolved by tech-savvy lawyers, not expensive technology. Often simple, cheap solutions can effectively quell modern day problems.
The proposed set of solutions for small firms keeps this goal in mind: simple, cheap solutions for firms without many resources at hand. Within each section is a short description of how the solution complies with one or many of the current standards discussed above.
Small firms should keep in mind the risk of the data they handle. That a firm is small does not mean only a multimillion-dollar case deserves comprehensive solutions. Rather, even for small law firms, the bigger the risk a data breach poses, the more a firm should focus on its security.
A. Training
Training can prevent many cyber threats. In fact, the above discussion of the Gipson Hoffman & Pancione breach showed how training can be the last line of defense for a firm. In that situation, malware was prevented from entering the firm’s system when trained lawyers identified dangerous materials. Past any or all security measures the firm may have had, well-trained lawyers stopped the threat. Trained attorneys can also help halt internal threats. During the ABA Techshow in 2014, security experts highlighted a survey finding that forty-one percent of IT security professionals regard “rogue” employees as a major security threat.[91] A study by Verizon found that a company’s legal department is much more likely to open phishing emails than all other departments.[92] As established in the Recent Attacks section, these social engineering tactics are a mainstay of hackers. Ransomware is another malicious program that requires similar social engineering of employees. Despite how important training can be to the security of a law firm, in the 2016 ABA Legal Technology Survey thirty percent of respondents believed their employers offered no technology training,[93] hardly better than the 2015 Legal Technology Survey.[94] For small firms specifically, training is even less likely. Forty-five percent of solo practitioners and thirty-five percent of law firms with 2-9 attorneys have no technology training program.[95] The solution to many threats, both internal and external, is training. The ABA Cybersecurity Handbook asks firms to foster a culture of training.[96]
1. Educate attorneys on the current cybersecurity threat environment.
Trained attorneys will be on high alert for malware, spear phishing, and pesky social engineering tactics. Educate attorneys on the protective measures in place to prevent attacks. Attorneys are already required to provide competent counsel, extending to the benefits and risks of technology.[97] This requirement includes internal firm standards, such as not using external USB drives, and how the security software at the firm actively prevents cybersecurity breaches. The ABA Cybersecurity Handbook believes awareness of company policy and security measures can help attorneys negotiate contracts against unreasonable data security language.[98]
2. Educate attorneys to use strong unique passwords.
Attorneys should also be trained, if not required, to change their passwords to email, their computer, and their phone frequently. Having an ineffective password on devices can leave someone dangerously exposed.[99] The passwords created should use combinations of symbols and letters or even phrases.[100] If firm employees cannot remember their passwords, train them to use programs like KeePass, Password Safe, or other password managers, some of which are free.[101] Further, passwords and authentication are a standard set by the FTC for companies handling client data. If attorneys use no form of authentication, FTC guidelines require that they change or face litigation.
3. Educate attorneys to update their computers.
Non-state and individual hackers make use of security exploits in older versions of software. Updating software and applications closes those security holes!
Education extends past attorneys to include secretaries, contractors, and anyone employed by the firm. Any weak link in the chain of cybersecurity can cause a breach of data. To ensure the awareness is comprehensive and complete, firms must require new lawyers, and established attorneys, to complete data privacy and data security training programs.[102] The American Bar Association now offers a series on cybersecurity which comes with its own certification at the end of the program.[103] Alternatively, small firms can look for free resources and videos online.[104]
B. Security Software
Security software is the biggest protection a small law firm can have. The 2015 Solo and Small Firm Technology Guide recommends internet security suites that give much more functionality at a lower price than individual software recommendations.[105] The book does not recommend targeted protection, such as antivirus software, claiming it is not sufficient to keep systems protected.[106] Enterprise versions of security software suites can be the best protection against an individual hackers tools: spam, viruses, malware.[107] The tools in these suites can include firewall management and secure file sharing (like Workshare). Most software, like Kaspersky, even includes functions to change settings on laptops once an employee leaves with the device.[108]
Security provisions should also be implemented on mobile devices such as phones. At minimum, a phone should require a passcode and support remote wipe of its data.[109] The FTC requires that devices, even cellphones, be secured.[110] Both iPhone and Android have built-in features or apps to locate and wipe a lost device. It is also recommended that firms use phones such as Android and Blackberry devices, which can run more security software.[111]
C. Notification Laws
Small firms must also ensure their compliance with state data breach notification laws. Forty-seven states have laws governing data breach notification.[112] Independently of state law, Model Rule 1.4 requires attorneys to tell their clients when their data is breached.[113] The only question for a small firm, therefore, is when it must notify its clients. Small firms can easily research their state standard and adopt policies accordingly.
Firms could also fold the notification law into their training. A firm should be aware not only of the timeline within which notifications must be made, but also of what kind of breach triggers a notification. If a small firm has clients across multiple jurisdictions, it can more easily adopt the most restrictive standard.[114]
D. Encryption
Encryption is probably the most inexpensive and effective way to protect client data. An encryption algorithm transforms data anyone can read into data that only a holder of the key, which is usually unlocked by a password, can read.[115] Windows (BitLocker, on Pro and Enterprise editions) and macOS (FileVault) ship with built-in disk encryption. Once it is turned on, hardware like laptops, hard drives, USB drives, and more can only be accessed by those who know the password. Encryption can also protect data in motion, such as over wired or wireless networks, including the internet.[116] Firms can encrypt their phone lines too, making conversations with clients secure and confidential. Encryption is so powerful that FBI Director James Comey has been lobbying to gain "backdoor" access to encrypted data.[117] However, encryption is only as effective as the password that unlocks the key, so firms should train their employees on effective password management.
Encryption is also available on phones. The 2015 Solo and Small Firm Technology Guide recommends Android or Blackberry because, in its view, their software architecture is more conducive to encryption mechanisms.[118] (Current iPhones also encrypt their storage once a passcode is set, so on any platform the essential step is requiring a passcode.) Smartphones are always with us and susceptible to being lost or stolen. Encryption is one effective mechanism to protect the history of phone calls made to a client and the LexisNexis searches run for that client's case.
If client data is compromised, encryption provides a "safe harbor" in some states.[119] Where a state has such a law, a firm need not notify affected individuals of the breach so long as the data was encrypted. Those safe harbors generally apply only if the encryption key or password was not also compromised, so a lost laptop protected by a guessable password may not qualify. And Model Rule 1.4 requires client notification regardless.
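The point that encryption is only as strong as its password, worked through in code. This is an added example, not code from the article or from BitLocker, FileVault, or any other product named above. It uses only the Python standard library: keys are derived from the password with PBKDF2-HMAC-SHA256, and the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen purely so the example runs without third-party packages (a real deployment would use a vetted AEAD such as AES-GCM and a memory-hard KDF such as scrypt or Argon2). The wordlist and the passwords are constructed. The dictionary attack recovers the composition-compliant but common password in a handful of guesses and fails on the passphrase, which is also why a lost laptop with a guessable password may not satisfy a safe harbor that requires the key not be compromised.

```python
"""Password-based encryption, and the dictionary attack that beats a weak one.

Added example (not from the article). Standard library only:
  - key derivation: PBKDF2-HMAC-SHA256 (prefer scrypt/Argon2 where available)
  - cipher: XOR with an HMAC-SHA256 keystream, CTR-style, encrypt-then-MAC
Production code should use a vetted AEAD (e.g. AES-GCM) from a maintained
library; the construction here exists only so the example runs anywhere.
"""
import hashlib
import hmac
import os
import struct

ITERATIONS = 100_000          # PBKDF2 work factor; raise in real deployments
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(password, salt, iterations=ITERATIONS):
    """Stretch the password into independent encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """CTR-style keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(password, plaintext):
    """Return salt || nonce || ciphertext || tag for the given password."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt(password, blob):
    """Verify the tag before decrypting; raise on wrong password or tampering."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered data")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


# Constructed stand-in for a cracking wordlist; real ones hold millions.
WORDLIST = ["password", "123456", "Welcome1", "Summer2017!", "letmein", "Passw0rd"]


def dictionary_attack(blob, candidates):
    """Try each candidate; the MAC check is the oracle that reveals a hit."""
    for cand in candidates:
        try:
            decrypt(cand, blob)
            return cand
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    memo = b"privileged client memo"
    weak = encrypt("Summer2017!", memo)
    strong = encrypt("correct horse battery staple 42", memo)
    print("weak password recovered:", dictionary_attack(weak, WORDLIST))
    print("passphrase recovered:", dictionary_attack(strong, WORDLIST))
```

The attacker needs nothing but the encrypted file: the same authentication tag that protects the firm from tampering tells the attacker when a guess is correct, and the only thing standing in the way is the cost of PBKDF2 multiplied by the number of guesses. Raising ITERATIONS slows each guess; choosing a passphrase that is not in any wordlist is what makes the number of guesses prohibitive.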
E. Bring Your Own Device Policies
For a small firm, bring your own device can be both a blessing and a risk. It allows attorneys to use software and services their firm does not provide. However, an attorney can expose the firm to a host of new malware and viruses when they connect a personal device to the firm's network.[120] Yet attorneys want, and sometimes need, to take their materials home or away from the office.[121]
Bring your own device policies need to be managed to account for the added risk. Current standards resoundingly ask for "reasonable measures" from a firm, scaled to the risk of the material. The risk phones pose to client information is great, but is it enough to outweigh the benefits? The most protective provision would be to eliminate bring your own device entirely and issue attorneys dedicated devices for work, which lets a firm implement specific security measures on every device and verify compliance with policy. However, this can be a major expense for small firms. A middle ground is to permit personal devices only under management that enforces the minimums described above: a passcode, encrypted storage, and remote wipe.
F. Written Plan & Policy
If a firm does not have a plan for security breaches, or a written policy on computer use, it should get one. A written policy gives a small firm's attorneys guidance and heads off potential problems. It can be taught to other attorneys more effectively than unwritten practice, and it provides a standard to which everyone is held accountable: an employee who creates a cybersecurity risk by breaking the written policy may be reprimanded accordingly. Writing a plan also forces the firm to consider potential threats proactively, bringing cybersecurity to the forefront of its attention. A written plan further helps a firm comply with the FTC's standard of addressing security vulnerabilities.
G. Small Firms: A Conclusion
Small firms are in a tough spot when it comes to cybersecurity. They face the same threats as a large firm, but with fewer resources. Solutions like encryption, written plans and policies, managed bring your own device provisions, notification, and training are simple and mostly inexpensive answers to a small firm's needs. This starting point gives small firms substantial protection from threats and liability.
VII. MEDIUM FIRMS: AN INTRODUCTION
It is hard to present security provisions for medium firms that would not fit into either the large firm or the small firm category. Medium firms have substantially more resources than small firms to devote to cybersecurity, but not as many as a large firm. Medium firms must meet the standards set out for small firms. Because they have more resources, medium firms should also implement strict bring your own device policies.
Medium firms ought to hire information technology expertise and purchase cybersecurity insurance. Combined, these provisions will offer tailored advice on how to better secure client information and protect a law firm’s bottom line from liability.
A. Information Technology Expertise
Medium firms should seek out information technology expertise. Law firms are already mining for cybersecurity lateral hires in the wake of clients seeking better security protection.[122] Whether a firm chooses to hire, contract, or consult an information technology specialist, the expertise on offer is considerable: an expert in the field can make specific assessments of risks and solutions for a firm of any size, beyond what this paper can offer. However, these services usually come at a high rate and may be out of reach for some medium firms.
B. Cybersecurity Insurance
Cybersecurity insurance is an effective but expensive solution for medium-size law firms. As law firms become increasingly liable for data breaches, carrying cybersecurity insurance protects against losses from the inevitable cyber incident, including business interruption, network damage, and data breaches.[123] For now, cybersecurity insurance can in some cases be obtained with few requirements, which suits a medium firm. Premiums and limits are currently determined using traditional point-in-time risk assessments.[124] However, this method may change as insurers strengthen their minimum cybersecurity standards.[125]
VIII. LARGE FIRMS: AN INTRODUCTION
Large firms have more employees and more data to secure. They are expected not only to monitor the security of all of their attorneys across many departments, but also to store their data effectively. No wonder the "likelihood of data breach increased to 50% among companies with more than $4 billion dollars in revenue."[126] Large firms, however, have more resources for cybersecurity solutions. They can afford premium security suites and professional technology training, and can spend more time planning for the inevitable breach. In total, law firms are spending as much as 1.9% of their gross annual revenues, seven million dollars per year, on information security.[127]
For large firms, the previous sections look very similar but with more effective means. Large firms can conduct training with outside professionals, video recordings, or the firm's own IT specialist. Notification can be a difficult subject for large firms, which must reach clients in multiple jurisdictions with different laws. Where clients span multiple states or countries, large firms should follow the lead of large corporations and comply with the most stringent applicable standard.
Large firms may go above and beyond small and medium firm provisions to keep secure their clients’ data. The term “may” is used here willingly, as no amount of policy or statute can demand the provisions below. Rather, the provisions described are more ethical obligations, or good practice, than mere compliance with broad standards. However, clients may expect–or demand–the following provisions.
A. Cybersecurity Alliance
Large law firms have the new opportunity to join a cybersecurity alliance. A cybersecurity alliance is a venue for firms, banks, and other companies to share information about cyber threats and develop defenses and best practices to prevent them.[128] In fact, 82% of businesses with high performing security practices collaborate with other businesses to grow their cybersecurity protection.[129] Corporations in the Midwest have created their own alliance called the Midwest Cyber Security Alliance (MCSA).[130] It recently held a micro-conference in Saint Louis, Missouri, bringing in IT experts, attorneys, government agents, and more to collaborate on this tough subject.[131] There is also the National Cyber Security Alliance (NCSA), composed of many businesses from across the nation.[132] Security alliance membership is a great venue for large firms to meet, share, and learn best practices to defeat cyber threats.
Recent legislation aims to aid such alliances. The Cybersecurity Information Sharing Act (CISA), passed by the U.S. Senate in October 2015, allows the government to share its security indicators in these discussions.[133] The legislation also allows companies to share cyber threat data with their competitors without exposure to antitrust litigation.[134]
B. Full Reports
Large firms should consider paying threat intelligence specialists to help prevent attacks before they land. Wall Street banks already pay such specialists to dig into shadowy online forums to see how their brand and information are being abused.[135] For instance, banks hire companies like Black Cube to search the "deep web" for data on their client.[136] The company essentially befriends potential adversaries before a cyberattack,[137] then shares the attackers' intent, information, and means with its client.[138] Sometimes, once Black Cube has gathered enough information, it turns the hacker over to the authorities.[139] Another company, Fox-IT, was even able to obtain the source code of a new malware program through similar work and share it with its clients.[140] For a law firm, paying for the information available on the deep web can provide a fuller picture of its threats and help prevent future attacks.
C. Standardized Certification & Frameworks
Large firms could also seek out standardized frameworks and certifications. In recent years several have emerged that let a firm stand out from its competitors. As clients increasingly weigh the cybersecurity of their law firm, a certification is a concrete way to prove the firm meets a defined standard of security. However, these efforts require time, money, and expertise not usually available to small or medium firms. One framework and one certification to consider are described below.
The NIST Cybersecurity Framework (CSF), published by the National Institute of Standards and Technology, is one framework available to law firms.[141] Unlike ISO 27001 below, the CSF is voluntary and carries no certification, which makes it a good fit for large firms that are still making big strides to secure their information. Its four implementation tiers (Partial, Risk Informed, Repeatable, and Adaptive) describe how rigorously an organization manages cyber risk, and can be used to identify where a firm stands and where it can go.[142] The framework's core organizes security activity into five functions: identifying assets and threats, protecting them, detecting incidents, responding to them, and recovering from them. An added benefit of the framework is that it strongly encourages collaboration with other participants, so a firm can learn from others who have adopted it.
The International Organization for Standardization (ISO) offers a certifiable standard, ISO/IEC 27001. As described above, Shook, Hardy & Bacon recently attained this certification.[143] The standard requires an organization to assess its risks and direct resources to the information at greatest risk. Once an accredited certification body has audited the firm against the standard's requirements, the firm may market itself as ISO 27001 certified.
Because both the NIST framework and ISO 27001 drive security controls from a risk assessment, firms that adopt them (and, for ISO 27001, attain certification) can likely show they meet the reasonable measures standard.
D. Lobby for Standards and Laws
Large law firms should also lobby for more effective and efficient laws to combat cyber attackers and educate lawyers. Statutory law needs the input of law firms in order to better address cybercrime and set a comprehensive standard for the legal community. One statutory approach is to increase the punishment for cybercrimes: the EU assigned harsher penalties to cybercriminals in 2013,[144] and the US sought to do the same with the Deter Cyber Theft Act of 2014.[145] However, harsher penalties have done little to deter cyber criminals.[146] Large firms should instead lobby for more effective means of discouraging them,[147] such as solutions that give law enforcement more tools to find and arrest criminals, including funding for such programs.[148] Large firms could also educate lawmakers on the legal industry's relationship to cybersecurity, as the American Bar Association Cybersecurity Handbook recommends.[149] Being part of the conversation on these laws helps ensure that firms can take reasonable measures to secure their data.[150]
Large firms can also lobby the American Bar Association House of Delegates to pass stricter and more uniform standards for attorneys. The ABA House of Delegates did attempt to set more concrete cybersecurity requirements on August 12, 2014.[151] However, the resolution that passed is unabashedly vague. The original proposal would have required all law firms, big and small, to adopt cybersecurity standards that complied with national and international requirements.[152] That proposal was largely rejected by small firms.[153] Yet such a requirement could do wonders for the legal industry. For small and medium firms, understanding how "reasonable measures" applies to the data they store can be difficult. Large firms should take the lead on establishing requirements that are much clearer for firms of all sizes. Although more defined requirements may push some firms to spend more on security, it is a necessary evil. One firm with ineffective security can damage the reputation of the legal profession as a whole. For example, if a client gives very sensitive information to its attorneys and that information leaks because of weak cybersecurity, that client may reconsider disclosing sensitive information to any firm in the future. It is important that clients feel protected, to some extent, at any law firm. The culture of attorney client privilege is therefore a motivator for large firms to lobby for these changes.
E. Large Firms: A Conclusion
Large law firms have more resources to devote to cybersecurity, but also have more responsibilities. Large firms must keep track of more employees who handle a greater quantity of precious client information. However, large law firms can implement the provisions in this section to increase their cybersecurity, and raise the whole culture of law firm data security.
IX. CONCLUSION
In an attempt to improve the legal community’s cybersecurity, this piece presented remedies for law firms based on their size: small, medium, and large firms.
Conversations on cybersecurity for law firms need to recognize that solutions are related to the size of the law firm. Discussions must recognize that small, medium, and even large law firms have limits and unique cybersecurity problems. Further, conversations must recognize the causes of these threats, the requirements lawyers must strive to meet, and the liability for failing to address such attackers. The full picture of the cybersecurity landscape is necessary for a firm of any size to truly recognize why, and to what extent, each solution is needed. The threats may be the same for each type of firm, but for smaller firms simpler and cheaper solutions are preferred, while for large firms simplicity may be traded for higher security.[154]
When the internet was in its infancy, William Gibson imagined hackers trying to break through cybersecurity boundaries. Gibson recognized decades ago the reality of today: industry locked in a battle to protect its data. Now attackers are increasingly turning from industry targets to law firms. Law firms are the metaphorical low hanging fruit for cyber criminals, owing to their low security standards and abundance of sensitive information. It is therefore important for law firms to gain a full understanding of the cybersecurity landscape. With this knowledge, firms can work efficiently and effectively to shield themselves from liability and data breaches. Unfortunately, current discussions of cybersecurity for law firms have failed both to acknowledge the full picture of cybersecurity and to tailor solutions by the size of the firm. This paper has presented many avenues that bring a law firm up to the current required standards and beyond.
Like the ICE envisioned by Gibson, this piece introduced several modern day methods to protect a client’s private digital information. In total, this paper hopes to change the cybersecurity discussion, for solutions to recognize their target audience and their needs.
[1] University of Missouri Kansas City Law School, candidate for JD, 2018, learn more at benjaminbolin.com. The author wishes to thank Professor Paul Callister, Director of the Leon E. Bloch Law Library and Professor of Law at the University of Missouri Kansas City Law School.
[2] William Gibson, fiction writer, essayist, Phillip K. Dick Award recipient.
[3] Secretary Panetta on Cybersecurity to the Business Executives for National Security, Leon Panetta, Sec’y of Def., U.S. Dep’t of Def., New York, NY (Oct. 11, 2012), http://archive.defense.gov/transcripts/transcript.aspx?transcriptid=5136.
[4] See Alan W. Ezekiel, Hackers, Spies, and Stolen Secrets: Protecting Law Firms from Data Theft, 26 Harv. J.L. & Tech. 649 (2013) (discussing the growing pains of cybersecurity in law firms but advocating law changes and a general increase of security); Erin F. MacLean and Deborah M. Micu, Protecting Yourself from Cyber Threats, Internal Office Practices can Make or Break Law Firm's Cybersecurity, 41 Mont. Law. 16 (2015) (making various comparisons to other fields and only one solution); Timothy J. Toohey, Beyond Technophobia, 21 Rich. J.L. & Tech. 9 (2015) (discussing the ethics, risks, and obligations of various technologies but not discussing causes nor identifying threats); but cf. Carrie A. Goldberg, Practicing Law in the Age of Surveillance and Hackers, 38 Am. J. Trial Advoc. 519 (2015) (recognizing small firms face different criminals than large firms and even advocating solutions tailored to small firms, but failing to discuss the full gamut of troubles and solutions for firms of all sizes).
[5] See Lorelei Laird, Cybersecurity Laws Are a Worldwide But Evolving Patchwork, ABA Journal (Mar. 18, 2016, 10:52 AM), http://www.abajournal.com/news/article/cybersecurity_laws_are_a_worldwide_but_evolving_patchwork (describing the large body of diverse law between nations and states).
[6] See Model Rules of Prof’l Conduct r. 1.6 (Am. Bar. Ass’n 2015) (“A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent”).
[7] See id. r. 1.6(c) (2015).
[8] See id. r. 1.6 cmt. 19 (2015).
[9] See id.
[10] See Model Rules of Prof’l Conduct r. 1.1 (Am. Bar Ass’n 2015) (“In determining whether a lawyer employs the requisite knowledge and skill in a particular matter, relevant factors include. . .”).
[11] Id. r. 1.1 cmt. 8 (2015).
[12] See Model Rules of Prof’l Conduct r. 1.4 (Am. Bar Ass’n 2015) (requiring attorneys keep clients reasonably informed on the status of their case).
[13] N.C. Rules of Prof'l Conduct r. 1.1 cmt. 8 (2016), https://www.ncbar.gov/for-lawyers/ethics/rules-of-professional-conduct/rule-11-competence/.
[14] See id. at r. 1.6(c) (2015), https://www.ncbar.gov/for-lawyers/ethics/rules-of-professional-conduct/rule-16-confidentiality-of-information/.
[15] Compare Fla. Bar Prof'l Ethics, Advisory Op. 10-2 (2010), http://www.floridabar.org/DIVEXE/RRTFBResources.nsf/Attachments/566CF30AE3172CF385257D5B006CB4D1/$FILE/Ethics%20Opinion%2010-02.pdf with Fla. Bar Code Prof. Resp. D. R. 4-1.6(e) & R. 4-1.6(e) cmt. (2016) (Florida rule broadly requires reasonable efforts and advisory opinion urges lawyers to keep abreast of technology that can be a threat to confidentiality).
[16] Compare State Bar of Ariz. Ethics, Formal Op. 09-04 (2009), available at http://www.azbar.org/Ethics/EthicsOpinions/ViewEthicsOpinion?id=704 (explaining attorneys must take reasonable measures to defeat unauthorized access to client data) with Ariz. R. of Prof'l Conduct, r. 1.6(e) & 22-23 (2016); also compare N.J. Bar Ass'n Advisory Comm. on Prof'l Ethics, Formal Op. 701 (2006), http://njlaw.rutgers.edu/collections/ethics/acpe/acp701_1.html with N.J. R. of Prof'l Conduct, r. 1.6(c) (2016) (the rules state protection must be granted as "reasonably necessary" to prevent substantial economic harm, while the opinion calls for attorneys to use "reasonable care" to protect client data from cyber-attacks); compare N.Y. Bar Ass'n Comm. on Prof'l Ethics, Op. 842 (2010), http://www.nysba.org/CustomTemplates/Content.aspx?id=1499 with N.Y. R. of Prof'l Conduct, r. 1.6(c) cmt. 17 (2016) (both requiring reasonable measures and the opinion explicitly guiding attorneys to protect sensitive client data).
[17] Compare Mo. Sup. Ct. r. 4-1.1 cmt. 6 (2007) with Model Rules of Prof’l Conduct r. 1.1 cmt. 8 (Am. Bar Ass’n 2013).
[18] Mo. Sup. Ct. R. 4-1.1 cmt. 6 (2007).
[19] Mo. Sup. Ct. R. 4-1.6 cmt. 16 (2007).
[20] See Model Rules of Prof’l Conduct r. 1.6 cmt. 19 (Am. Bar Ass’n 2013).
[21] Gina Stevens, Cong. Research Serv., R42475, Data Security Breach Notification Laws 7 n.35 (2012).
[22] See Cal. Civ. Code § 1798.81.5 (2015) (stating data security requirements to be used broadly), 201 Mass. Code Regs. 17.04 (requiring encryption of personal information), Nev. Rev. Stat. § 603A.040 (2015) (stating data security requirements to be used by business who accept payment cards), N.J. Stat. § 56:8-197 (2015) (stating data security requirements to be used by health insurance carriers).
[23] Gina Stevens, supra note 21, at 1.
[24] See Cal. Civ. Code § 1798.82(a) (2015); See generally Model Rules of Prof’l Conduct r. 1.6 cmt. 19 (Am. Bar Ass’n 2013).
[25] See Cal. Civ. Code § 1798.82 (premising breach notification on the "legitimate needs of law enforcement"); Mo. Rev. Stat. § 407.1500.2(8) (2015) (requiring the attorney general be notified); Kan. Stat. Ann. § 50-7a01(g)(3) (2015) ("[P]ersonal information does not include publicly available information that is lawfully made available to the general public from . . . government records.").
[26] Reid J. Schar & Kathleen W. Gibbons, Complicated Compliance: State Data Breach Notification Laws, 12 Privacy & Security Law Report 1381, 1382 n.9 (2013) (California, Illinois, Massachusetts, and Washington).
[27] Id. at 1384 nn.30-31
[28] Mo. Rev. Stat. § 407.1500.1(9), 2(1) (2015).
[29] See Cal. Civ. Code § 1798.81.5 (2015), Md. Code Ann., Com. Law § 14-3501 (2008), Nev. Rev. Stat. § 603A.210 (2006), Or. Rev. Stat. § 646A.622 (2015), 11 R.I. Gen. Laws § 11-49.2-2 (2016).
[30] See generally 201 Mass. Code Regs. §§ 17.00-.04.
[31] Id.
[32] See Cal. Civ. Code § 1798.81.5 (2015), Md. Code Ann., Com. Law § 14-3501 (2008), Nev. Rev. Stat. § 603A.210 (2006), Or. Rev. Stat. § 646A.622 (2015), 11 R.I. Gen. Laws § 11-49.2-2 (2016).
[33] See H.B. 1240, 98th Leg., 1st Sess. (Mo. 2015) (seeking to protect student data, currently pending); see also H.B. 16-1423, 70th Gen. Assemb., 2d Reg. Sess. (Colo. 2016), H.B. 331, 188th Gen. Ct. (Mass. 2013) (seeking to protect student data, currently pending).
[34] Eric A. Fischer, Cong. Research Serv. R42114, Federal Laws Relating to Cybersecurity: Overview of Major Issues, Current Laws, and Proposed Legislation i (2012); See generally Intl. Business Publications, U.S National Cybersecurity Strategy and Programs Handbook, 173 (vol. 1 2013) (illustrating legislation along a timeline of evolving technology).
[35] See Taylor Armerding, Final Attempt to Pass Cybersecurity Legislation Appears Doomed, CSO Online (Nov. 14, 2012, 7:00 AM), http://www.csoonline.com/article/2132553/malware-cybercrime/final-attempt-to-pass-cybersecurity-legislation-appears-doomed.html (explaining the failed effort of the 2012 Cybersecurity Act and the subsequent executive order Obama had drafted).
[36] Health Insurance Portability and Accountability Act (HIPAA) of 1996 § 1173(d)(2), 42 U.S.C. § 1320d-2(d)(2) (2010).
[37] See American Recovery and Reinvestment Act of 2009, Pub. L. 111-5, § 13402(b) (2009), 42 U.S.C. § 17932(b) (2010).
[38] For brevity, this article does not explore the individual requirements of many federal laws. These laws typically target specific clients, and provide too many exceptions and requirements to categorize solutions based on law firm size. In fact, entire papers are written discussing compliance with just one federal law.
[39] See Privacy and Data Security Update (2015), FTC (January 2016) https://www.ftc.gov/reports/privacy-data-security-update-2015 and 2014 Privacy and Data Security Update, FTC (2014), https://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2014/privacydatasecurityupdate_2014.pdf (listing detailed information about cases).
[40] FTC v. Wyndham Worldwide Corp., 10 F.Supp.3d 602, 607 (D.N.J. 2014), aff’d 799 F.3d 236 (3d Cir. 2015).
[41] Wyndham, 799 F.3d at 240
[42] Id. at 259. (by upholding FTC’s authority, the court effectively gave the FTC “more teeth”).
[43] See generally Richard Bergsieker, Richard Cunningham & Lindsey Young, The Federal Trade Commission’s Enforcement of Data Security Standards, 44 Colo. Law. 39 (2015) (further discussing the FTC’s de facto law and standards of care).
[44] Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138, 185 (2013) (holding the fears were "highly speculative" and based on a "highly attenuated" chain of possibilities that did not result in "certain impending injury"); In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14 (D.D.C. 2014); Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 2013) (same).
[45] See In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014) (stating similar claims in Clapper are sufficient to show damages).
[46] ISO/IEC 27001 – Information Security Management, Int’l Org. for Standardization (last checked May 20, 2016), http://www.iso.org/iso/home/standards/management-standards/iso27001.htm.
[47] ISO/IEC 27001:2013(en), Int’l Org. for Standardization (last checked May 20, 2016), https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en.
[48] Susan Hansen, Cyber Attacks Upend Attorney-Client Privilege, Bloomberg (Mar. 19, 2015, 1:56 PM), http:// www.bloomberg.com/news/articles/2015-03-19/cyber-attacks-force-law-firms-to-improve-data-security.
[49] Barry Williams, Information Security Policy Development for Compliance, IX (2013).
[50] Warwick Ashford, Nation-state Cyber Attacks Could Target Most Organizations, Comput. Wkly (Aug. 17, 2015 4:30 PM), http://www.computerweekly.com/news/4500251856/Nation-state-cyber-attacks-could-target-most-organisations-survey-shows (study was conducted during Black Hat USA 2015 from over 200 attendees).
[51] See Ellen Nakashima, U.S. Said To Be Target of Massive Cyber-Espionage Campaign, Wash. Post (Feb. 10, 2013), http://articles.washingtonpost.com/2013-02-10/world/37026024_1_cyber-espionage-national-counterintelligence-executive-tradesecrets (Cyber attacks were once viewed “as a concern mainly by U.S. intelligence and military”).
[52] Chet Nagle, China is Stealing American Property, Daily Caller (Sep. 24, 2015 2:40 PM), http://dailycaller.com/2015/09/24/china-is-stealing-american-property/ (2013 report cited in the former CIA agent’s article states that China is the largest source of the hundreds of billions per year in international theft of American IP).
[53] See Masters of the Cyber-Universe, The Economist (April 6, 2013), http://www.economist.com/news/special-report/21574636-chinas-state-sponsored-hackers-are-ubiquitousand-totally-unabashed-masters (pointing to how China’s government is the perpetrator to the largest attacks on US businesses).
[54] See id.
[55] James Carafano Ph.D., Fighting on the Cyber Battlefield: Weak States and Nonstate Actors Pose Threats, Heritage (Nov. 8, 2013), http://www.heritage.org/research/commentary/2013/11/fighting-on-the-cyber-battlefield-weak-states-and-nonstate-actors-pose-threats (describing how non-state actors are geared to accumulate wealth and seek to disrupt).
[56] Johan Sigholm, Comment, Non-State Actors in Cyberspace Operations, 4 J. Mil. Stud. 1, 1-15 (2013), http://ojs.tsv.fi/index.php/jms/article/view/7609/pdf_1 (listing the methods of various cyber attackers).
[57] Jill D. Rhodes, Vincent I. Polley, A.B.A. Cybersecurity Handbook 13 (2013).
[58] Id.
[59] Sigholm, supra note 56, at 15.
[60] Id. at 13.
[61] Id.
[62] See discussion supra Section II A.
[63] See Law Firms Prime Targets of Cyber Attacks, A.B.A. (Feb. 05, 2012, 9:30 AM), http://www.americanbar.org/news/abanews/aba-news-archives/2013/08/law_firms_prime_targ.html (quoting highlights from the Standing Committee on Law and National Security).
[64] Michael Riley, Sophia Pearson, China-Based Hackers Target Law Firms to Get Secret Deal Data, Bloomberg (Jan. 31, 2012 3:37 PM), http://www.bloomberg.com/news/articles/2012-01-31/china-based-hackers-target-law-firms (discussing how China has worked to get secret deal data from American companies).
[65] See Foreign Spies Stealing US Economic Secrets in Cyberspace, Off. of Nat’l Counterintelligence Exec., 9-10 (2009-2011), http://www.ncsc.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf (describes how foreign attacks against the United States seek in part economic information to undermine the nation’s prosperity).
[66] See discussion supra Section II. Current Standards.
[67] See David G. Ries, Cybersecurity for Attorneys: Understanding the Ethical Obligations, Law Practice Today (Mar. 2012), http://www.americanbar.org/content/dam/aba/publications/law_practice_today/cyber-security-for-attorneys-understanding-the-ethical-obligations.authcheckdam.pdf (discussing the duty to provide services across all platforms and the inherent rules of confidentiality; note the revisions discussed have since been adopted in the current A.B.A. Model Rules).
[68] Mobile Technology, americanbar.org/publications/techreport/2016/mobile (last visited April 5, 2017).
[69] See generally The Cost of Insecure Mobile Devices, Ponemon Inst. L.L.C. (2014), http://www.ponemon.org/local/upload/file/AT%26T%20Mobility%20Report%20FINAL%202.pdf (discussing the costs and threats of using mobile devices in the workplace).
[70] See generally David Mandell, Karlas Schaffer, The New Law Firm Challenge, A.B.A. (Mar. 2012), http://www.americanbar.org/content/dam/aba/publications/law_practice_today/the-new-law-firm-challenge-confronting-the-rise-of-cyber-attacks-and-preventing-enhanced-liability.authcheckdam.pdf (law firms generally spend less on securing their systems than other businesses).
[71] See Daniel Garrie, Attacking the Weakest Link, Huffington Post (Sep. 10, 2013 5:40 PM), http://www.huffingtonpost.com/daniel-garrie/attacking-the-weakest-lin_b_3862354.html (after several hypotheticals discusses how the weakest link can be pinned back to law firms’ devices).
[72] Information Security — Are Law Firms “The Weakest Link”, Law Risk Mgmt. Blog (Apr. 2, 2012), http://www.lawfirmrisk.com/2012/04/information-security-are-law-firms.html (highlighting Rupert Collin’s report on law firm security).
[73] Michael Riley, Sophia Pearson, China-Based Hackers Target Law Firms to Get Secret Deal Data, Bloomberg (Jan. 31, 2012 3:37 PM), http://www.bloomberg.com/news/articles/2012-01-31/china-based-hackers-target-law-firms.
[74] Stuart Poole-Robb, Law Firms Are a Hackers Treasure Trove, IT Pro Portal (Mar. 3, 2015), http://www.itproportal.com/2015/03/30/law-firms-hackers-treasure-trove/#ixzz3VruQlKmI; Hannah Bender, Do As I Say, Not As I Do, Property Casualty 360 (Jan. 16, 2015), http://www.propertycasualty360.com/2015/01/16/do-as-i-say-not-as-i-do-most-law-firms-lack-adequa (the study was completed in 2011 from the cybersecurity firm Mandiant).
[75] Experts Warn Law Firms to Protect Themselves Against Cyberattacks, A.B.A. (Feb. 18, 2014 11:43 AM), http://www.americanbar.org/news/abanews/aba-news-archives/2014/02/experts_warn_lawfir.html.
[76] See Riley Walters, Cyber Attacks on U.S. Companies in 2014, Heritage (Oct. 27, 2014), http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014#_ftn2.
[77] See Michael Riley, China Mafia-Style Hack Attack Drives California Firm to Brink, Bloomberg (Nov. 27, 2012 5:01 PM), http://www.bloomberg.com/news/articles/2012-11-27/china-mafia-style-hack-attack-drives-california-firm-to-brink.
[78] See Ashby Jones, China and the Law: Did Chinese Hackers Attack LA Law Firm, Wall St. J. (Jan. 14, 2010 9:36 AM), http://blogs.wsj.com/law/2010/01/14/china-and-the-law-did-chinese-hackers-attack-la-law-firm/.
[79] See generally Kim Zetter, Hacker Lexicon: What are Phishing and Spear Phishing, Wired (April 7, 2015 6:09 PM), http://www.wired.com/2015/04/hacker-lexicon-spear-phishing/ (discussing the dangers of phishing and spear phishing).
[80] See Stacy Berliner, Hackers Are Targeting Law Firms: Are You Ready, A.B.A. (Aug. 27, 2013), http://apps.americanbar.org/litigation/committees/womanadvocate/articles/summer2013-0813-hackers-are-targeting.html.
[81] See Susan Hansen, Cyber Attacks Upend Attorney-Client Privilege, Bloomberg (Mar. 19, 2015, 1:56 PM), http://www.bloomberg.com/news/articles/2015-03-19/cyber-attacks-force-law-firms-to-improve-data-security.
[82] Id.
[83] Sharon Nelson, John W. Simek, Michael Maschke, Solo and Small Firm Legal Technology Guide 333 (2015).
[84] Julie Sobowale, Managing Cyber Risk, ABA J., Mar. 2017 at 34.
[85] See supra note 4.
[86] See Sobowale, supra note 84, at 36 (“Each person quoted in this article mentioned cost as a major factor for why law firms are lagging in preparing for cyberattacks”).
[87] Defining small firm versus large firm is difficult and largely irrelevant to this piece. A 30 attorney firm may be a small firm in California, but in Missouri some would call it a medium firm and expect high cybersecurity. This piece also seeks to establish a new standard in cybersecurity discussions, where authors recognize their solution may not be affordable to all firms. General divisions make these discussions much more approachable. A separate piece could be written on hard line divisions for the size of a law firm and its cybersecurity requirements using the arguments here.
[88] This comment could be an argument for the survival of big firms. Big firms are much more capable of handling cybersecurity threats than smaller firms because they can afford the time and resources necessary to prevent cyber intrusions. Small and medium firms may need to grow to large firm size if they want to stay competitive and offer high levels of cybersecurity. This section explains the advantage big firms have over their peers.
[89] See Mark Ward, Why Small Firms Struggle with Cyber Security, BBC News (Feb. 6, 2015), http://www.bbc.com/news/technology-31039137.
[90] See id. (quoting Maxim Weinstein, security advisor at Sophos, a security firm).
[91] See Mark Hansen, 4 Types of Employees Who Put Your Cybersecurity at Risk, and 10 Things You Can Do To Stop Them, ABA Journal (Mar. 28, 2014 5:45 PM), http://www.abajournal.com/mobile/article/war_stories_of_insider_threats_posed_by_unapproved_data_services_and_device.
[92] See Frank Strong, Infographic: Cybersecurity Stats for Legal Tech, Business of Law Blog, LexisNexis (Aug. 21, 2015), http://businessoflawblog.com/2015/08/cybersecurity-legal-tech/.
[93] Technology Training, americanbar.org/publications/techreport/2016/training.html (last visited April 5, 2017).
[94] Technology Training, americanbar.org/publications/techreport/2015/Training.html (last visited April 5, 2017).
urvey I-XIII note 37 (Am. Bar Ass’n 2014).
[95] Technology Training, supra note 93.
[96] Rhodes, supra note 57, at 145.
[97] See Model Rules of Prof’l Conduct r. 1.1 & cmt. 8 (Am. Bar Ass’n 2015) (“In determining whether a lawyer employs the requisite knowledge and skill in a particular matter, relevant factors include. . .”).
[98] Rhodes, supra note 57, at 145.
[99] Brian Krebs, Spam Nation 282 (2014).
[100] Id. at 282.
[101] Id. at 283.
[102] Rhodes, supra note 57, at 134.
[103] ABA Cybersecurity Series, Am. Bar Ass’n (last visited Nov. 14, 2015), http://www.americanbar.org/content/ebus/events/ce/cyber-security-core-curriculum.html?sc_cid=CECSEC-A1.
[104] See generally Stop. Think. Connect. Small Business Resources, Homeland Security (last visited Nov. 17, 2015), http://www.dhs.gov/publication/stopthinkconnect-small-business-resources (Homeland Security offers several one-page or multi-page documents on how to stay secure while traveling or for general reference).
[105] See Sharon Nelson, John W. Simek, Michael Maschke, Solo and Small Firm Legal Technology Guide 105 (2015).
[106] Id.
[107] See id. at 106-10.
[108] See id. at 109.
[109] See Nelson, supra note 83, at 185.
[110] See Bergsieker, supra note 43.
[111] Id.
[112] See Stevens, supra note 21.
[113] See Model Rules of Prof’l Conduct r. 1.4 (Am. Bar Ass’n 2015) (requiring attorneys keep clients reasonably informed on the status of their case).
[114] See Jon Frankel, California Amends Data Breach Notification Laws – Other States to Follow?, ZwillGen (Oct. 17, 2015), http://blog.zwillgen.com/2013/10/17/california-amends-data-breach-notification-law-states-follow/; See also State Data Breach Notification Chart, Midwest Cyber Security Alliance (Sep. 1, 2015), http://www.midwestcyber.org/wp-content/uploads/2015/09/QB-State-Data-Breach-Notification-Chart-09.01.2015.pdf.
[115] David G. Ries, John W. Simek, Encryption Made Simple for Lawyers, Am. Bar Ass’n (2012), http://www.americanbar.org/publications/gp_solo/2012/november_december2012privacyandconfidentiality/encryption_made_simple_lawyers.html (also discussing the general need for encryption, including data breaches where attorneys have left valuable USB drives on trains and buses).
[116] Id.
[117] Dina Temple-Raston, FBI Director Says Agents Need Access to Encrypt Data to Preserve Public Safety, National Public Radio (July 8, 2015 7:32 PM), http://www.npr.org/sections/thetwo-way/2015/07/08/421251662/fbi-director-says-agents-need-access-to-encrypted-data-to-preserve-public-safety.
[118] Nelson, supra note 83, at 185.
[119] Compare Mo. Rev. Stat. § 407.1500.1 (2015); with 2016 Tenn. Pub. Acts 9168 (Missouri provides a safe harbor for encryption, while new law in Tennessee removes the safe harbor).
[120] Rhodes, supra note 57, at 108-09.
[121] Id.
[122] See Strong, supra note 92.
[123] See Cybersecurity Insurance, Homeland Security (Dec. 2, 2015), http://www.dhs.gov/cybersecurity-insurance.
[124] See Jon Oltsik, The State of Cyber Insurance, Network World (Nov. 16, 2015, 8:12 AM), http://www.networkworld.com/article/3005213/security/the-state-of-cyber-insurance.html.
[125] Id.
[126] Id.
[127] Chase Cost Management, AMLAW 200 Firms Spending As Much As $7 Million on Information Security, PR Newswire (Aug. 27, 2015, 8:45 AM), http://www.prnewswire.com/news-releases/amlaw-200-firms-spending-as-much-as-7m-per-year-on-information-security-300133976.html.
[128] See Allison C. Shields, Simple Steps: Guarding Against Cyber Attacks and Other Security Breaches, 41 Frontline 5, 16 (Sep. 2015).
[129] See Why You Should Adopt the NIST Cyber Security Framework, PWC (May 2014), https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf.
[130] See Jennifer L. Rathburn, Midwest Cybersecurity Alliance Launches, Marks Cybersecurity Awareness Month, Quarles and Brady L.L.P. (Oct. 5, 2015), http://www.quarles.com/news/%E2%80%8Bmidwest-cyber-security-alliance-launches-marks-cyber-security-awareness-month/.
[131] Id.
[132] See generally NCSA (May 21, 2016), https://www.staysafeonline.org/about-us/.
[133] S. 754, 114th Cong. (2015).
[134] See Shannon Young, US Senate Passes CISA, a “Cybersecurity” Bill that Critics Say Will Expand Mass Surveillance, Truthout (Oct. 30, 2015), http://www.truth-out.org/news/item/33460-us-senate-passes-cisa-a-cybersecurity-bill-critics-say-will-expand-mass-surveillance.
[135] See Brian Krebs, Spam Nation, X (2014), for details on how hackers cooperate, manipulate, and attack big businesses.
[136] See generally Black Cube, http://www.blackcube.com/cyber-intelligence/ (last visited August 7, 2016).
[137] Orr Hirschauge, Ex-Spies Join Cybersecurity Fight, The Wall Street Journal (Sept. 15, 2015, 2:29 PM), http://www.wsj.com/articles/ex-spies-join-cybersecurity-fight-1442341771.
[138] Id.
[139] Id.
[140] Id.
[141] See generally supra note 49.
[142] See generally Why You Should Adopt the NIST Cyber Security Framework, PWC 2 (May 2014), https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf.
[143] See discussion supra Section E. Industry Certifications.
[144] See Dara Kerr, EU Increases Penalties for Cybercriminals and Hackers, CNET (Jul. 4, 2013, 3:58 PM), http://www.cnet.com/news/eu-increases-penalties-for-cybercriminals-and-hackers/.
[145] Deter Cyber Theft Act, S. 884, 113th Cong. (2013-2014).
[146] Brian Krebs, Spam Nation, 14 (2014).
[147] See generally Merideth Levinson, Why Law Enforcement Can’t Stop Hackers, CIO (Nov. 15, 2011, 7:00 AM), http://www.cio.com/article/2402264/security0/why-law-enforcement-can-t-stop-hackers.html (“The problem is that hackers rarely serve maximum sentences . . . Because the evidence against them is usually so incriminating, hackers often enter plea agreements with prosecutors… While plea bargaining has its benefits . . . it weakens the deterrent effect that prison sentences are intended to have.”).
[148] Id. (“. . . law enforcement doesn’t have the resources to investigate and prosecute all of these cybercrime cases . . . .”).
[149] See generally Jill D. Rhodes, Vincent I. Polley, ABA Cybersecurity Handbook, Am. Bar Ass’n 135 (2013).
[150] Id.
[151] American Bar Association [ABA], House of Delegates Res. 109, at 1, ABA Doc. (Aug. 12, 2014), http://www.americanbar.org/content/dam/aba/events/law_national_security/2014annualmeeting/ABA%20-%20Cyber%20Resolution%20109%20Final.authcheckdam.pdf (passed).
[152] Supra note 148, at 333.
[153] Supra note 148, at 334.
[154] An alternative argument could be that cybersecurity solutions and requirements should be presented based on the size of the client. Some boutique firms handle larger clients that expect and demand high cybersecurity solutions. In these cases, law firms should bargain for enough resources to ensure client data is protected.