Citi memo stirs debate over law firm data security
By David Gialanella, From New Jersey Law Journal
An internal Citigroup report recently made public—criticizing law firms for what it characterized as a reluctance to report cyberattacks—has fueled the debate over whether firms are properly protecting against and responding to threats.
“The reason why they’re high-value targets … is because of who their clients are,” said Michael Nelson, managing partner of information technology and security firm DFDR Consulting, which is based in Philadelphia and has a Moorestown office. “The better the clients they have, the better info they have.”
DFDR partner Ken Pyle said he’s “worked with some law firms and legal services companies that are very much on the ball,” but they “typically don’t like to update things,” such as software, he added.
“The way they share info is often insecure, and they don’t even know it,” he said.
The New York Times last month reported that an internal report from a Citigroup cyberintelligence panel said law firms were generally unwilling to report or even acknowledge cyberattacks.
“‘Due to the reluctance of most law firms to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general in the legal industry, it is not possible to determine whether cyberattacks against law firms are on the rise,’” the February report said, according to the Times.
The Citigroup report added that firms are at high risk and “‘continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications,’” the Times reported.
Nelson and Pyle, who count law firms among their clients, said the report raises fair points.
The nature of law practice, according to Pyle, is such that the frequent exchange of information within and outside firms creates a “pretty large attack surface.”
Even lawyers publicly sharing their email addresses is “a really bad idea,” he said: it helps an attacker stage a phishing campaign, in which the firm receives emails with links that, if followed, lead to a phony website that harvests user information.
What’s more, documents routinely changing hands can contain unencrypted metadata revealing user names and passwords, as well as what operating system and software the firm utilizes, Pyle said. Even emailed résumés sent to firm marketing or human resources staff can contain embedded programs or malicious software—a favorite tactic used by Pyle during penetration testing, he said.
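The metadata and macro leaks Pyle describes are easy to check for before a document leaves the firm. The following is an added example, not code from the article or from DFDR Consulting: it builds a constructed Office Open XML package in memory (the user, domain and firm names in it are hypothetical), reads the standard `docProps/core.xml` and `docProps/app.xml` parts that Word, Excel and PowerPoint write (creator, last-modified-by, application and version, template, company), flags any embedded `vbaProject.bin` macro part, and shows a minimal scrubber that empties the metadata parts before sharing. It uses only the Python standard library.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces of the OOXML metadata parts (docProps/core.xml, docProps/app.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed sample metadata; the user, domain and firm names are hypothetical.
SAMPLE_CORE_XML = (
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
    "<dc:creator>jsmith</dc:creator>"
    "<cp:lastModifiedBy>FIRM\\jsmith</cp:lastModifiedBy>"
    "</cp:coreProperties>"
).format(**NS)
SAMPLE_APP_XML = (
    '<Properties xmlns="{ep}">'
    "<Application>Microsoft Office Word</Application>"
    "<AppVersion>16.0000</AppVersion>"
    "<Template>Normal.dotm</Template>"
    "<Company>Example Firm LLP</Company>"
    "</Properties>"
).format(**NS)

# Replacement parts used by the scrubber: well-formed, but carrying no fields.
EMPTY_CORE_XML = '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}"/>'.format(**NS)
EMPTY_APP_XML = '<Properties xmlns="{ep}"/>'.format(**NS)


def build_sample_docx(with_macros: bool) -> bytes:
    """Build a minimal OOXML (.docx/.docm-style) package in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        z.writestr("docProps/app.xml", SAMPLE_APP_XML)
        z.writestr("word/document.xml", "<document/>")
        if with_macros:
            # An OLE compound-file header stands in for a real VBA project stream.
            ole_header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
            z.writestr("word/vbaProject.bin", ole_header)
    return buf.getvalue()


def inspect_office_doc(data: bytes) -> dict:
    """Report who/what produced the document and whether it carries VBA macros."""
    info = {"creator": None, "lastModifiedBy": None, "application": None,
            "appVersion": None, "template": None, "company": None,
            "macro_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            info["creator"] = core.findtext("dc:creator", namespaces=NS)
            info["lastModifiedBy"] = core.findtext("cp:lastModifiedBy", namespaces=NS)
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            for key, tag in (("application", "Application"), ("appVersion", "AppVersion"),
                             ("template", "Template"), ("company", "Company")):
                info[key] = app.findtext("ep:" + tag, namespaces=NS)
        # Any part named vbaProject.bin (under word/, xl/, ppt/ ...) is embedded VBA code.
        info["macro_parts"] = sorted(n for n in names if n.lower().endswith("vbaproject.bin"))
    info["has_macros"] = bool(info["macro_parts"])
    return info


def strip_metadata(data: bytes) -> bytes:
    """Return a copy of the package with the author/tool metadata parts emptied."""
    replacements = {"docProps/core.xml": EMPTY_CORE_XML, "docProps/app.xml": EMPTY_APP_XML}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            dst.writestr(name, replacements.get(name, src.read(name)))
    return out.getvalue()


if __name__ == "__main__":
    received = inspect_office_doc(build_sample_docx(with_macros=True))
    scrubbed = inspect_office_doc(strip_metadata(build_sample_docx(with_macros=False)))
    print("as received:", received)
    print("after scrubbing:", scrubbed)
```

Two points worth noting from running it. First, scrubbing the metadata parts does nothing about macros: a résumé that arrives with a `vbaProject.bin` part is still a macro document afterwards, so inbound mail needs a separate check (this one looks for the VBA part only; OLE objects under `word/embeddings/` are another indicator). Second, a production scrubber should also clear comments, tracked changes and `docProps/custom.xml`, which this minimal version leaves in place.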
“Your users are the most insecure part of your environment,” Pyle said. “I call it hacking the human firewall. It’s their last line of defense, and often the weakest.”
Even if it’s a matter of negligence, he added, “most fraud cases occur internally … or have some kind of internal component.”
Gideon Lenkey, co-founder and president of Milford-based information-security firm Ra Security Systems, said, “it’s not just this report. … It’s implied in other reports” that law firms are not only vulnerable, but loath to acknowledge security issues.
“The best way to describe it is … most lawyers approach this issue as if they can lawyer it away,” according to Lenkey, who does consulting and incident-response work for firms. “What they don’t realize is, these hackers aren’t playing by the rules.”
“Law firms are just different,” he added. “They have a very powerful tool on the belt, and that’s how they like to approach life.”
To be fair, Lenkey said, it’s likely that firms are largely unaware of any cyberattacks that occur—as are retailers and other types of businesses, which are outed only because the customers whose credit card numbers are compromised contact law enforcement.
“That sort of nexus isn’t likely to happen at a law firm,” according to Lenkey.
Still, there are limitations. Most smaller firms “are not capable of running their own security programs,” while even large firms lack encryption capabilities in many cases, he added.
An obvious avenue of vulnerability, Lenkey agreed, is the exchange of documents—with document-management services, for instance.
“It is a big attack surface, and it doesn’t end at the corporate boundaries,” he added. “Given the type of data that law firms handle, do you think they’re not getting attacked?”
Pyle agreed, saying, “Corporate espionage is a lot bigger than anybody would like to admit.”
But William Hughes, a former federal prosecutor who heads the cyber risk management practice at Cooper Levenson in Atlantic City, said the perception that law firms are behind the curve and insular about data security is “an unfair and overly simplistic view.”
“Many law firms, like Citibank, are trying to adapt to a new environment,” Hughes said. “That reputation is not earned. This is a fast-moving, fast-evolving area of crime and vulnerability.”
Hughes also challenged the idea that firms make likely targets—because they’re not storing the credit card and Social Security information that the typical hacker is out to get.
A compromise of that personal information “is what triggers a reporting requirement under most of the 48” state laws that exist, he said.
“For a law firm … you’re talking about client files; for a transactional law firm, you’re talking about pending deals,” Hughes added. “Law firms aren’t a high-value target when it comes to … personal identifying information.”
The ethical duty, in case of a breach, would be to the client, and to the extent there were any requirement to report to law enforcement or another third party, attorney-client privilege becomes an issue, according to Hughes.
“Then you have to sit down with the client and go over exactly what they want to share with law enforcement,” he said.
Hughes said firms “generally are sensitive about” cybersecurity, and do avail themselves of encryption technology and other safeguards.
“We keep track of all that, and we’re just a small firm in South Jersey,” Hughes said.
For more on this story go to: http://www.njlawjournal.com/id=1202723103583/Citi-Memo-Stirs-Debate-Over-Law-Firm-Data-Security#ixzz3WvYE7BaH