If you have been paying attention to this summer’s headlines, then you know that reports about data breaches are now nearly as common as daily horoscopes and baseball box scores.
From the massive data breach of the U.S. Office of Personnel Management that will affect the lives of more than 25 million people, to the 37 million adulterous individuals whose private information was compromised on Ashley Madison, to a fraudulent email scheme that swindled Omaha Scoular Co. out of $17.2 million, to the recent white-hat Jeep hack that was reported in Wired magazine, to the Seventh Circuit’s July 2015 ruling in which it adopted a significantly more liberal standard that gives data breach victims standing to sue businesses without having sustained a tangible, pecuniary loss,[1] one thing is clear – cybersecurity and data breach concerns are here to stay and attorneys need to be on guard.
The question that each and every modern law practitioner needs to ask themselves is: What should I do about it?
As with many complicated questions, when the answer escapes you, start by identifying what you know you should not do. For instance, you know you cannot ignore this problem. You know that hiding your head in the sand is a sure recipe for disaster. And for those of you out there who think there is no way your law firm could possibly be a cybersecurity target, you are sorely mistaken. You cannot forget that you are a gateway to more high-profile information targets: your clients.
The very real threat this trend poses to New Jersey attorneys – from solos to large firm practitioners – was demonstrated in an alert that was issued by the Morris County Prosecutor’s Office on December 17, 2014. The alert describes a scheme that has been targeting real estate lawyers, realtors or title agencies, and attributes the wrongdoing to an organized overseas group. Through the scheme, hackers infiltrate and monitor unsecured email accounts and, shortly before a real estate closing, pose as a participant in the transaction by sending instructions for a fraudulent wire transfer. Once the fraudulent wire is complete and the parties begin to realize something is wrong, it is generally too late. Real estate buyers, sellers, their attorneys and their insurance companies are left to pick up the pieces.
Just a few months ago, I personally observed a Chancery Division oral argument involving the effect of this scheme on a run-of-the-mill real estate transaction. The bad guys sent fraudulent wire transfer instructions to the seller’s attorney, who in turn sent them to the closing agent. No one caught it, which caused six figures of the real estate sale proceeds to be fraudulently wired into the bad guy’s account. The seller then sued his or her attorney, the closing agent and the buyer. At the motion hearing, the buyer was successful in dismissing the seller’s claims. Although the buyer was dismissed, the attorney for the seller and the closing agent both remained in the case, left to litigate and spread the blame amongst them.
Notably, in July of 2014, this same type of scam was orchestrated on a much larger scale against an executive of Omaha Scoular Co., when he was conned into wiring $17.2 million of the company’s funds into unauthorized overseas accounts.
When considering this type of large and small-scale activity, it is no wonder that FBI Director James Comey recently clarified that “there are two kinds of big companies in the United States. There are those who’ve been hacked . . . and those who don’t know they’ve been hacked.”
If this kind of cyber-threat can bring well-funded government institutions and even Fortune 500 companies to their knees, what can you, an attorney at a small or medium-sized firm, do about it? Obviously, unplugging from the Internet is not a viable option; it runs counter to client expectations and to the dramatically increased business and personal efficiencies that the Internet provides.
First things first – you need a plan. Benjamin Franklin warned, “if you fail to plan, you are planning to fail.” And in the words of Yogi Berra, “If you don’t know where you’re going, you’ll end up somewhere else.”
In developing your plan, focus on both cyber intrusion prevention methods and cyber breach mitigation and recovery efforts; assume a cyberattack is inevitable, as opposed to a mere possibility. There are also publications and vendors out there to help. A good starting point for researching prevention methods is a study issued by the National Institute of Standards and Technology (NIST) in 2014, entitled “The Cybersecurity Framework.”[2] For mitigation and recovery efforts, see the United States Department of Justice: Best Practices for Victim Responses and Reporting of Cybersecurity Incidents, V. 1 (April 2015).[3]
In developing a prevention, mitigation and recovery plan, best practices generally require attorneys to investigate and implement the following:
- An efficient and effective team of internal IT champions and outside vendors.
- Defense-in-depth strategies that emphasize multiple, overlapping and mutually supportive defense systems. This includes the deployment and regular updating of firewalls and gateway antivirus, intrusion detection or prevention systems, website vulnerability and malware protection, and web security gateway solutions throughout the network.
- Recognize that antivirus and malware protection on endpoints is not enough; comprehensive endpoint security products with additional layers of protection must be deployed and used.
- Secure websites against attacks and malware infection.
- Protect your private keys, encrypt sensitive data, and implement a secure information transmission platform.
- Monitor for network intrusion attempts and vulnerabilities.
- Ensure all devices on company networks, especially mobile ones, have adequate security protections, and that the company has a workable minimum security profile for all bring-your-own devices (BYODs).
- Implement a removable media policy that restricts the use of authorized and unauthorized devices like thumb drives and external hard drives that can introduce malware and facilitate data breaches, both intentionally and unintentionally.
- Aggressively update, patch and discontinue outdated and insecure browsers, applications and browser plug-ins while keeping virus and intrusion prevention definitions updated. Also automate your patch deployment processes.
- Implement and enforce a strong and effective password policy.
- Restrict and monitor email and email attachments.
- Limit access to your shared network by using a multi-layered authentication system and restrict users’ ability to download software.
- Educate users on basic security protocols, including email and social media.
- Develop and implement post-infection detection capabilities to identify infected systems.
- Make sure regular data backups are secure and available.
- Develop and implement effective incident response procedures and disaster recovery plans: What will you do? Who will do it? Who will you contact? How will they be contacted? Who will contact them? How will you respond to the media? What else needs to be done? And who will do it?
- Investigate and purchase appropriate cyber security and liability insurance policies.
The above framework may seem like a lot, but in order to thrive as a lawyer in the modern world, it is imperative to understand these issues, develop a plan, and start to intelligently and cooperatively implement these best practices.
The question remains: How can you possibly get this all done?
You have to change your mindset, and you have to change the culture. It all starts with people.
The most critical aspect of IT security is the way in which your people interact with your IT system. This requires a firm understanding of these IT interaction points, as well as planning and implementing the best and most pragmatic processes – both automated and manual – that will keep us from inadvertently (or even intentionally) creating a data breach scenario.
[1] See Remijas v. Neiman Marcus Group, LLC, No. 14-3122, 2015 WL 4394814 (7th Cir. July 20, 2015).
[2] The NIST Cybersecurity Framework is available at: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
[3] The USDOJ’s Best Practices for Victim Responses and Reporting of Cybersecurity Incidents is available at: http://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents2.pdf