After Barnes & Thornburg learned that an unauthorized person accessed some of the firm’s emails in April 2018, the firm told state officials it had taken steps to minimize the breach—and to prevent another one.
The Am Law 100 firm said it began an investigation with “a leading computer forensic firm” and notified affected residents in letters, offering them one year of credit monitoring and identity theft protection. It was also “redoubling its ongoing efforts to educate and train employees on how to recognize phishing emails,” the law firm said in a data breach notification form to Indiana state officials.
It was a common response for law firms hit by data breaches, according to more than 100 notification letters obtained by Law.com as part of an investigation into law firm data security.
The legal industry has poured significant resources into cybersecurity, leading to huge leaps in progress in the last decade, said security consultants, data privacy lawyers and chief security officers at law firms. But they also pointed to areas where large and small law firms can do much better in preventing and reacting to data breaches. And they cautioned that the legal sector may risk falling behind other industries.
That’s partly because hackers are learning how to circumvent law firm security systems, they said, leading to a continuous game of cat and mouse.
“I don’t think the state of law firm security is getting worse—the sophistication and the number of attacks are getting worse,” said Jon Washburn, who worked in a security role for law firms for about 15 years and is now the chief information security officer at Stoel Rives. “We can’t be complacent.”
The Human Element
Law.com contacted more than a dozen large firms that reported data breaches to state officials in the past decade. A few declined to comment, but others said they have implemented or expanded response measures to ensure the safety of their client or firm information. The measures included hiring forensic experts to determine the scope of a breach, encrypting more data, training staff on preventative measures and obtaining certification on cybersecurity.
In Barnes & Thornburg’s case, the firm said in a statement that when it detected suspicious email activity, it put a response plan in motion and “worked promptly to identify and correct a vulnerability that was narrow in scope and duration.” Barnes & Thornburg said it notified affected individuals, who were nonclients.
“We are confident in the measures taken and remain committed to training colleagues to be vigilant against such modern cyber threats,” Barnes & Thornburg said. “We take very seriously our duty to protect private and confidential information.”
Just as Barnes & Thornburg told state officials after the incident that it was educating employees to better recognize phishing emails, many law firms say they are ramping up training to detect sophisticated email threats.
Attackers are increasingly targeting law firm personnel through people they already know—by hacking email inboxes of established contacts, such as vendors, personal contacts or even clients, Washburn said. That way, hackers can send emails from trusted sources that won’t necessarily be blocked by the law firm’s security systems.
The emails will ask a user to click on a link, open an attachment, type in credentials or download a malicious file, he said.
“We rely on our security awareness and training program to train the user to spot things that look suspicious,” Washburn said. For instance, he said, “why would a former client, after two years, ask me to open this attachment?”
Several law firm partners emphasized the amount of employee training their firms undertook to detect threats, targeting what is often referred to as the “weakest link” in cybersecurity.
Michael Rhodes, global chairman of Cooley’s cyber and internet practice groups, said the firm’s security department sends out weekly notices to keep employees updated on the latest scams. “It’s not the hardware you worry about. It’s the mistake that someone makes that inadvertently gives a bad actor access,” Rhodes said.
At Jones Day, partner Mauricio Paez said the firm has spent significant time educating its lawyers and staff on phishing scams, and has been successful in preventing attacks because it has increased the level of employee awareness. “What I see as the most pressing issue,” said Paez, “is what we call the human element of cybersecurity.”
Room for Improvement
While hackers are getting smarter, it’s also the case that some law firms aren’t keeping up with security guidelines developed inside the industry and in other professional fields, according to legal industry surveys and interviews with security consultants and law firm leaders.
Austin Berglas, former head of the FBI’s cyber branch in New York, said he would rate law firm cybersecurity as “middle of the road” now, as firms juggle the competing interests of access and security.
“Lawyers still want ease of access to information when they’re traveling. They want that information to be readily available. They don’t want to log into VPN or have another password they’ve got to use,” said Berglas, now global head of professional services at cybersecurity company BlueVoyant. “So a lot of IT staff at law firms are frustrated. They’re trying to implement good security procedures, but they get a lot of pushback from partners.”
Indeed, a common problem, at large and small firms alike, is lack of a “culture of security,” said Frank Gillman, a former chief information security officer at Lewis Brisbois Bisgaard & Smith who is now a consultant at Vertex Advisors. Security standards aren’t always applied to the most senior management, including rainmakers, he said.
“Those people oftentimes are the ones who are actually touching the most sensitive things,” he said. “You’ve got a security framework, but the very top of that food chain isn’t always part of that culture.”
Consultants and law firm officials also point to specific areas where some law firms are behind companies in other industries, such as those in financial services and health care.
For instance, more large firms should move toward a “zero trust” environment, where internal personnel are subject to the same kinds of enhanced authentication technologies as outsiders, said one chief information officer at an Am Law 100 firm who spoke anonymously in order to speak candidly on where firms are falling behind. “We are moving toward it, but I don’t think anyone has accomplished it,” the information officer said.
Preliminary results from a 2019 survey by the International Legal Technology Association show some law firm progress in the last four years on various cybersecurity measures. For instance, 68% of law firm respondents were conducting phishing tests, up from 38% in 2016, according to an executive summary of the survey, which heard responses from 537 firms, from Big Law to small practices.
ILTA also noted advances in other areas, such as firms adopting two-factor authentication for external access, up 23 percentage points over four years to 72% of survey respondents. In multifactor authentication, users need to identify themselves through another step beyond a password, such as a text message, a measure that has been reported to block most automated attacks.
But within the legal industry, there is also wide disparity in cybersecurity. Logicforce, an IT law firm consulting company, surveyed midsize law firms and found that the industry “remains very vulnerable to cyberattacks.” The company surveyed more than 200 law firm IT decisionmakers, such as chief operating officers or administrators in small and midsized firms with under 200 attorneys.
According to the results of that survey, fewer firms in 2019 compared with last year’s survey reported implementing prevention techniques such as multifactor authentication and data loss prevention technology, which can scan and block the transmission of personally identifiable information.
Overall, Logicforce gave the legal industry a 60% score, up from 54% last year, for overall cybersecurity health.
“It’s not pie-in-the-sky ideas,” said Gulam Zade, CEO of Logicforce, referring to security steps such as formal policies, training, and insurance. “These are all things that organizations outside the legal industry are doing.”
Based on his observations of midsize firms, their annual budget for their IT demands, including servers, networks and cybersecurity, can be about 3% to 6% of their annual revenues, Zade said. “A lot of times, we see firms underspend from that number. We’ve seen firms spend as little as 1%,” Zade said.
Ethics laws require lawyers to keep pace with technology to protect client information. Still, some observers point to a slow pace of budding ethics rules on cybersecurity questions.
Jeff Brandt, chief information officer at Jackson Kelly, said cybersecurity standards in law firms may be less rigorous than in other regulated fields because ethics codes are not as explicit. Some ethics rules on cloud computing, for instance, “boil down to, do your due diligence,” Brandt noted.
Push by Clients
While acknowledging room for improvement, some security officers at law firms and data privacy lawyers said law firms, particularly larger firms at the urging of corporate counsel, are vigorously implementing security measures.
Law firm security has “improved significantly in the last 10 years, at least at firms with a culture that prioritizes strong security and good information governance,” said Stoel Rives’ Washburn.
Many law firms now regularly respond to client audits and agree to stronger physical, technical and administrative controls from their more sophisticated clients, he said.
Requirements for controls such as “need to know” access, comprehensive encryption and two-factor authentication are a baseline in many outside counsel guidelines and representation agreements, Washburn said.
“Many of those agreements will require that we enforce these same requirements with any third parties we contract with to access/process/store/transport confidential information,” he added.
Some law firms, again pushed by their clients, have met certification standards for cybersecurity, with the most common for firms being the ISO 27001 certification, which certifies that firms have a management system that meets an international standard for securing information.
In addition, top law firms in 2015 formed an organization to share threat information between one another. The group, called the Legal Services Information Sharing and Analysis Organization, or LS-ISAO, now has about 142 law firms among its members. Around 2,000 threat incidents are shared each year among members, said Bill Nelson, CEO of Global Resilience Federation, which partly oversees the law firm organization.
Security professionals in law firms also participate in the ILTA LegalSEC community, in which they exchange information on best practices for security, privacy and information governance and hold a conference each year, Washburn said.
Darin Bielby, senior managing director at Ankura Consulting, who is often brought in by insurance companies to help firms handle a data breach incident, said both large and small firms have “woken up” to cybersecurity. Security has improved in recent years as more law firms are investing, hiring professionals and IT departments, and implementing technologies to mitigate the risks, he said.
And following their clients’ footsteps, more law firms have obtained cybersecurity insurance to help recover the financial losses from a data breach incident. Some clients may even contractually require that their lawyers carry cyber insurance.
According to Lisa Sotto, who chairs the privacy and cybersecurity practice at Hunton Andrews Kurth, cyber insurance will typically cover the cost of a forensic investigation and the legal fees associated with required notifications. Such costs can range from $20,000 to $20 million, she said.
“Law firms are really now understanding that they have very significant amounts of data,” she said, “and they need to take extra precautions to protect that data.”
This article is the third in a Law.com series focused on law firm data breaches.