How Small Law Firms Can Improve Cybersecurity to Prevent Data Disasters

By Josh Taylor, Smokeball

CybersecurityInsufficient data security practices lead to devastating consequences for small law firms. Breaches can inflict irreversible damage to a firm’s reputation, finances and client relationships. So why aren’t they taking cybersecurity seriously?

A recent American Bar Association survey uncovered this lack of concern, finding that only 42% of firms took action to increase digital security measures last year. Of these, 27% did so to better protect client or contract data. While lawyers spend their time looking out for clients’ risks and liabilities, the data suggests this diligence doesn’t extend to internal matters.

Exactis’ 2018 data leak shows how small business security lapses balloon into a much larger crisis. This breach exposed the personal information of over 230 million people and 110 million businesses, demonstrating that even smaller-scale businesses store massive amounts of sensitive data and face a constant threat as their data pool grows.

While small law firms may not have a long roster of big-name clients, they store a significant amount of personal details and business information. Clients trust them to protect sensitive business information like proprietary data, financial details and confidential deals. Leaks and breaches have severe ramifications, causing clients to walk out, IT headaches, financial worries and regulatory violations.

An accident or technical error may have created the breach, but innocent causes don’t render firms immune from serious business consequences. Each law office is responsible for preventing and quickly responding to leaks or attacks. Technical aspects of cybersecurity may overwhelm some small firms, but improving data protection and online safety practices doesn’t have to be complicated. Law firms bolstering digital security can start by keeping in mind a few simple tips:

Make Security People Powered

Small law firms don’t often face the organized cyber threats that plague larger organizations. Their risks tend to lie within the firm itself, stemming from workers that lack the technological savvy to sidestep malicious schemes. Ransomware and phishing scams rely on human error, and untrained employees open the door for them to poach important private records.

Implementing regular training for all employees assists organizations in avoiding personnel-caused breaches. This way, staff stay updated on how best to protect themselves and the firm from nefarious email schemes and other tactics cybercriminals use to siphon off personal data. Additionally, law offices should cultivate channels for quick information distribution to allow employees to respond quickly during data leaks. Training programs may increase costs and responsibilities up front, but pay off later on by warding off detrimental security issues.

Invest In Updated Tech

The phrase “small law office” doesn’t typically conjure up images of futuristic operations and state-of-the-art technology. But more than hurting firms’ reputations, this digital sluggishness produces security risks. Offices running on inconsistent operating systems, outdated software and unsecured Wi-Fi networks take on a higher vulnerability. Fortunately, these technology issues are easily fixed. Scheduling regular hardware and software updates and frequently changing the internet password helps fortify firms’ defenses.

Though it may seem obvious, it’s worth noting the large role passwords play in ensuring smaller firms’ security. One weak link opens the floodgates to your entire database of client information. Keep login information for sensitive data on a need-to-know basis, and consider using a password manager for all employees. Frequently changing passwords, though a small step, provides another line of protection against cyber threats.

Reduce In-Office Risks

Traditional, lock-and-key security is an easy concept to grasp, but digital security is a hazier concept. Fortunately for firms not familiar with technology-driven data protection, the two share some common ground.

Some believe that on-site servers make data safer, but this is a misconception. Seeing storage equipment physically in the office may be reassuring, but centralizing this information just compounds the risk. For example, burglars breaking into a small law firm could then take much more than basic office hardware. Backing up and housing data in the cloud lowers this hazard for organizations, removing important data from the risks inherent in physical spaces.

Another seemingly innocuous practice that poses security issues is carelessness with paper documents. More firms are adopting digital document software, but paper remains popular at many small firms. These documents also expose confidential information if left in plain view or accidentally included in social media photos. Just like with digital risks, reminding employees of security best practices helps suppress future issues.

Just like any business entrusted with sensitive data, law firms must commit to shielding themselves and clients from data breaches. Leaks at small offices quickly expand into a big problem. As data storage demands continue growing, firms can introduce simple technology and security improvements that protect client information and preserve their reputation.

 

 




2 U.S. Law Firms Lost Over $117K to International Cybercrime Network, Indictment Alleges

FBIA law firm in Washington, D.C., and a law office in Wellesley, Massachusetts, are among the victims of malware attacks by an overseas cybercrime network, according to an ABA Journal report.

A Department of Justice press release announced the dismantling of the cybercrime network in an international law enforcement operation. The release did not identify the law firm or law office, other than to reveal their locations.

“The operation was highlighted by the unprecedented initiation of criminal prosecutions against members of the network in four different countries as a result of cooperation between the United States, Georgia, Ukraine, Moldova, Germany, Bulgaria, Europol and Eurojust,” the press release states.

Read the ABA Journal report.

 

 

 




Understanding the New California Consumer Privacy Act

Duane Morris will present a webinar titled “Understanding the New California Consumer Privacy Act: Why The CCPA Applies to You and Practical Steps You Can Take Now to Comply.”

The event will be Thursday, May 23, 2019, beginning at 1 p.m. Pacific time.

The firm said the California Consumer Privacy Act (CCPA) of 2018 is the strictest privacy law in the United States and has national impact for anyone doing business in California. The new law takes effect January 1, 2020, and gives consumers greater control over their personal information, including the right to:

•Be informed which categories of their data will be collected by a business before it is collected;
•Opt out of the sale of their personal information;
•Delete their data from a business’ database;
•Be informed of any changes to categories of their data a business collects;
Know the categories of the third parties with whom their data is being shared;
•Know the categories of sources of information from whom their data is acquired;
•Know the business purpose for collecting their data;
•Be aware of all their data a business has collected (annually and free of charge at the consumer’s request).

Enforcement of the CCPA will be through consumer lawsuits for data breaches, along with enforcement action by the California attorney general, who can impose fines of up to $2,500 per violation or $7,500 per intentional violation of the CCPA.

Led by an interdisciplinary team of Duane Morris attorneys, the California Consumer Privacy Act of 2018 Webinar Series offers a discussion and analysis of the CCPA, along with strategies to prepare a business for compliance with this complex rule.

The first session will discuss:

•Understanding the CCPA
•How this law affects your business
•What steps can a business take to ensure compliance?

Register for the webinar.

 

 




Webinar: The Role of In-House and External Counsel in Managing Open Source

WebinarFlexera will present a complimentary webinar discussing the role of in-house and external counsel in managing open source software in the business environment.

The event will be Thursday, April 18, 2019, at 9 a.m. PT / 11 a.m. CT / 12 noon ET.

“Having some best practice guidelines that more clearly define your role and help you guide companies through license compliance and risk management only reinforces and bolsters one of your most important responsibilities as a legal advisor,” the company says in its invitation.

Speakers will be Amy Chun, partner in Knobbe Martens, and Marty Mellican, vice president and associate general counsel of Flexera.

Register for the webinar.

 

 




Hackers Shut Down Boston Legal System for Weeks, Seeking Payment in Bitcoin

A cyberattack on the agency overseeing Boston public defenders has caused a weekslong slowdown, disabling e-mail systems, delaying some hearings, and hanging up payments for the private attorneys who represent clients, reports The Boston Globe.

“The Committee for Public Counsel Services has been cleaning up for two weeks after a ransomware attack locked up its servers, with the culprits demanding that a ransom be paid in bitcoin,” writes the Globe‘s Andy Rosen. “The agency refused to pay, because it has backup files it can use to restore the system.”

A similar attack hit the Jackson County, Georgia, government internal network recently, forcing most of the systems offline, according to ZDNet. In that case, the county paid $400,000 to cyber-criminals week to get rid of the ransomware infection and regain access to its IT systems.

Read the Globe article.

 

 




Download: The Changing Face of In-House Legal Departments

Zapproved has published a new guide titled “The Changing Face of Legal: Preparing Your In-House Team for Tomorrow,” which includes key distillations from a PREX18 session, on how to reinvent an in-house legal team.

The guide can be downloaded from Zapproved’s website at no charge.

Corporate legal departments are under fire, the company says on its website. From expanding data volumes and data types to increased budget pressures and new data privacy regulations — not to mention unchecked data security risks — in-house legal teams find themselves needing to adapt to unprecedented demands.

The guide includes advice from Jen Warner, Vice President of Legal and Deputy General Counsel for Columbia Sportswear, and Brian Corbin, Executive Director, Assistant General Counsel at JPMorgan Chase.

Download the guide.

 

 




Facebook Fine Could Total Billions if FTC Talks Lead to a Deal

The New York Times is reporting that Facebook and the Federal Trade Commission are discussing a settlement over privacy violations that could amount to a record, multibillion-dollar fine, according to three people with knowledge of the talks.

Sources told the Times that the company and the FTC’s consumer protection and enforcement staff have been in negotiations over a financial penalty for claims that Facebook violated a 2011 privacy consent decree with the agency, according to reporter Cecilia Kang.

“The F.T.C. began its investigation into Facebook’s mishandling of data after The New York Times reported in March 2018 that the information of 87 million users had been harvested by a British political consulting firm, Cambridge Analytica, without their permission,” writes Kang.

Read the NY Times article.

 

 




Judge in Yahoo Data Breach Case Criticizes ‘Unreasonably High’ Attorney Fees

A federal judge in San Jose, California, refused to approve a class action settlement in litigation over a series of Yahoo data breaches, citing a lack of transparency and the possibility of “unreasonably high” attorney fees, according to the ABA Journal.

The plaintiffs had proposed a $50 million settlement fund, but the proposed notice to class members did not disclose the costs of creditor monitoring services or costs for class notice and settlement administration, U.S. District Judge Lucy Koh said.

She also found problems with the plaintiffs’ lawyers’ fees:

“Specifically, the court finds that class counsel prepared limited legal filings with numerous overlapping issues, and that class counsel completed limited discovery relative to the scope of the alleged claims. Moreover, class counsel fails to explain why it took 32 law firms to do the work in this case.”

Read the ABA Journal article.

 

 




Lawyer Sues Apple, Says FaceTime Bug Allowed Secret Recording of Deposition, Caused Emotional Trauma

AppleCourthouse News Service reports that an attorney in Houston filed a lawsuit claiming he was conducting a deposition with a client when he encountered Apple’s latest bug that allowed others to access his iPhone’s microphone without him answering a FaceTime call.

The New York Times explains how the bug worked:

“By adding a second person to a group FaceTime call, you can capture the audio and video of the first person called before that person answers the phone, or even if the person never answers.”

The Houston lawyer, Larry D. Williams II, seeks punitive damages against Apple and unknown parties for claims of product liability, negligence, warranty and fraudulent misrepresentation.

CNBC reports that Williams claimed the experience caused “sustained permanent and continuous injuries, pain and suffering and emotional trauma that will continue into the future” and that Williams “lost ability to earn a living and will continued to be so in the future.”

Read the Courthouse News Service article.

 

 

 




‘The Dark Overlord’ Didn’t Hack Systems, Husch Blackwell Says

Cybersecurity - hacking - hackerA hacker group calling itself “The Dark Overlord” threatened to release documents relating to insurance litigation over the Sept. 11 attacks on the World Trade Center that it stole from Husch Blackwell, but now the firm says its systems weren’t hacked.

The group says it has 18,000 documents that include emails and nondisclosure documents sent and received by two insurers and a Husch Blackwell predecessor firm, according to a report in the ABA Journal. The group is seeking a ransom paid in bitcoin.

In a statement, Husch Blackwell said: “After a thorough review, Husch Blackwell can confirm that no documents were obtained from Husch Blackwell, and that there was no unauthorized access to Husch Blackwell systems, client files, documents or data.”

Read the ABA Journal article.

 

 

 

 




Natalie Friend Wilson Promoted to Langley & Banack Shareholder

Natalie Friend Wilson has been promoted to shareholder at Langley & Banack, Inc. and will lead the firm’s cybersecurity practice, as well as continue to practice in bankruptcy and litigation.

The firm said Wilson represents debtors, creditors, and bankruptcy trustees in complex insolvency proceedings, including related litigation and appeals. She also counsels clients on privacy and data protection, data breach response, cybersecurity and general cyber-contracting matters, as head of the Firm’s Cybersecurity, Data Protection and Privacy Practice Group.

Langley & Banack’s Cybersecurity team assists clients with drafting and implementation of cyber-security and general incident response plans and structures, enhanced compliance, and governance policies and protocols, the firm said in a release. They also advise financial institutions and industry clients in the drafting and negotiation of their website development, website hosting, SaaS agreements and other internet and data-based service agreements. As such, the practice group assists organizations to manage rapidly evolving privacy threats and mitigate the potential loss and misuse of information assets.

Wilson is active in the Military Spouse JD Network, a bar association for lawyers married to members of the armed forces. She is active in the local Air Force community and currently Key Spouse Mentor for the 836th Cyberspace Operations Squadron.

Wilson holds a B.A. from St. Mary’s College of Maryland, summa cum laude, and a J.D. from the University of Hawai’i, William S. Richardson School of Law, where she graduated cum laude.

She has been honored as a Professional “On the Rise” by Texas Lawyer Magazine (2018), San Antonio Business Journal’s 40 Under 40 (2016), and the Belva Lockwood Outstanding Young Lawyer by the Bexar County Women’s Bar Foundation (2014).

 

 




Download: 5 Future Tech Forces & Board Expectations

A new publication by the National Association of Corporate Directors examines the areas of technology that are “fundamentally changing the economic world.”

The article can be downloaded from the NACD’s website at no charge.

The areas discussed in the article include artificial intelligence, blockchain, cybersecurity, hyperconnectivity, and symbiotic systems.

J.T. Kostman, the author of the article and managing director of Applied Artificial Intelligence at Grant Thornton, provides real-world examples that illustrate the capabilities these technologies have enabled, the risks they pose, and why they are considered to be the driving forces of “the fourth industrial revolution.”

Download the article.

 

 




Lenovo $8.3M Spyware Class Action Settlement Gets Initial OK

Lenovo Group Ltd. can move ahead with an $8.3 million settlement to end a class action that its ad software exposed customer laptops to performance, privacy, and security problems, reports Bloomberg Law.

The federal court’s initial approval of the settlement comes four months after Lenovo and the consumer class filed with the court to end the spyware action. The SuperFish software, which Lenovo began installing in 2014, could access customer Social Security numbers, financial data, and sensitive heath information, the court said.

“Lenovo is set to pay $7.3 million to the settlement fund, and SuperFish will kick in another $1 million from a prior deal with consumers over the spyware issue,” according to Bloomberg’s Daniel R. Stoller.

Read the Bloomberg Law article.

 

 




Fewer Lawsuits for Corporations, But More Oversight on Data andTax Risk

Corporate counsel report a decrease in the number of lawsuits against their companies over the last year, but they face more regulatory proceedings and arbitrations in navigating increased cyber risk, data protection and tax issues.

Norton Rose Fulbright’s 2018 Litigation Trends Annual Survey polled 365 senior corporate counsel representing US-based organizations on disputes-related issues and concerns.

Two thirds of respondents report feeling more exposed in 2018 to cybersecurity and data protection disputes. The survey also found that the growing international nature of many business operations has caused a spike in conflicts related to countries’ differing discovery and data protection laws and regulations.

See the survey results.

 

 




Blockchain Alliance Reaches 100 Members

Steptoe & Johnson LLP announced that the Blockchain Alliance, a public-private forum to combat criminal activity involving cryptocurrencies and blockchain technology, has grown to include 100 industry and government agencies in 19 countries.

Founded in October 2015 by the Chamber of Digital Commerce and Coin Center and led by Steptoe, the Alliance is comprised of a broad coalition of companies and government agencies that work to make the blockchain ecosystem more secure through education and dialogue between government and industry. In less than three years, the Alliance has grown from 17 industry members and six U.S. federal agencies to a total of 100 participants all over the world, including not only cryptocurrency and blockchain technology companies but also regulatory and enforcement agencies on six continents, as well as international entities including Interpol and Europol.

Steptoe partner Jason Weinstein (former deputy assistant attorney general in charge of cybercrime investigations at the Department of Justice and a member of the strategic advisory boards of BitFury, Coin Center and the Chamber of Digital Commerce) serves as the group’s director. Steptoe of counsel Alan Cohn (former assistant secretary for strategy at the Department of Homeland Security and a strategic advisor to several blockchain startups) serves as counsel to the Alliance.

“The growth of this Alliance – with 100 members around the world representing industry and government – is remarkable and reflects the growth of the cryptocurrency and blockchain space as a whole,” Cohn said. “Our mission is to enable industry and law enforcement to jointly protect public safety and help create an environment where innovation can thrive, and it’s working.”

“The Blockchain Alliance is an important organization that furthers vital communication between blockchain-oriented businesses and government agencies to help strengthen their understanding of enforcement objectives and cooperation,” said Amy Kim, chief policy officer of the Chamber of Digital Commerce. “The group’s work is critical in fostering the development of properly functioning markets involving virtual currency in particular and is much needed at a time when policy makers continue to have questions about this space. Its efforts have been instrumental in aiding law enforcement to detect crime and prosecute wrongdoers.”

The Blockchain Alliance serves as a resource for law enforcement and regulatory agencies to benefit from the expertise of some of the brightest minds in the blockchain industry for technical assistance in response to challenges faced during investigations. The Alliance also serves as a platform for open dialogue among law enforcement and regulatory agencies and the blockchain community about issues of concern to make blockchain technology more secure and to deter its use for unlawful purposes.

Additionally, the Alliance provides education and technical assistance regarding cryptocurrencies and other applications for blockchain technology, including through a series of webinars that have reached almost 700 participants in more than 35 countries.

“We are proud of the meteoric growth of the Alliance in just three years. The companies in the Alliance are good corporate citizens, and they deserve the credit for their commitment to working proactively with governments around the world to promote a secure blockchain ecosystem – for the benefit of government, industry, consumers, and the public,” Weinstein said.

 

 




Access to Law Firm Data ‘Just Too Easy,’ Worrying Clients

Hacking - cybersecurity - phishingA cybersecurity scare at Foley & Lardner has drawn new attention to a debate over data security at top law firms, and some clients and outside organizations are taking matters into their own hands, according to a Bloomberg Law report.

Bloomberg’s Sam Skolnik writes that general counsels’ offices have been expressing renewed concern about whether even the biggest law firms are adequately protecting highly sensitive data.

“Cyber incursions into law firms clearly appear to be on the rise. According to a December 2017 American Bar Association legal technology report, just over a third of law firms with between 10 and 49 attorneys reported experiencing some sort of data-related security breach in the previous 12 months,” according to Skolnik.

Read the Bloomberg Law article.

 

 




Supreme Court Weighs Google Settlement That Paid Class Members Nothing

The U.S. Supreme Court heard arguments this week on whether it should place limits on class-action settlements in which the plaintiffs’ lawyers receive millions and their clients get nothing, reports The New York Times.

“The case arose from an $8.5 million settlement between Google and class-action lawyers who said the company had violated its users’ privacy rights,” writes Times reporter Adam Liptak. “Under the settlement, the lawyers were paid more than $2 million, but members of the class received no money.”

As a part of the settlement, Google agreed to contribute to institutions concerned with privacy on the internet, including centers at Harvard, Stanford and Chicago-Kent College of Law, and AARP.

“How can you say that it makes any sense?” Justice Samuel A. Alito Jr. asked a lawyer for the members of the class.

Read the NY Times article.

 

 




Chinese Company Charged With Stealing Trade Secrets From U.S. Computer Firm

NBC News reports that the Justice Department revealed Thursday that a federal grand jury has charged companies in China and Taiwan  and three individual Taiwanese nationals with a scheme to steal trade secrets from Micron.

China is “shamelessly bent on stealing its way up the ladder of economic development and doing so at American expense,” said John Demers, assistant attorney general for national security.

NBC reporter Pete Williams writes: “Federal prosecutors said one of the defendants served as president of a company acquired by Micron five years ago. The charges said he went to work for the Taiwan company, United Microelectronics Corporation, and orchestrated the theft of trade secrets from Micron worth nearly $9 billion.”

Read the NBC News article.

 

 




Foley & Lardner Hit With Cybersecurity Incident

CybersecurityBloomberg Law is reporting that Foley & Lardner LLP experienced a cybersecurity incident earlier this month, but said there was “no unauthorized access to client data.”

Jill Schachner Chanen, external communications manager at Foley & Lardner, told Bloomberg Law in an email that the incursion occurred earlier this month.

She said the firm has security safeguards in place designed to protect the IT system and data and that no client data was exposed to the cyber intruders.

Read the Bloomberg Law article.

 

 




3 Key Takeaways: How Blockchain Technology will Reshape Legal Contracting

A recent presentation at the ACC Colorado Fall Frenzy in Denver addressed how blockchain platforms are reshaping contracting, particularly how blockchain can be used to protect the security and integrity of contracts and automatically execute based on external conditions.

A post on the website of Kilpatrick Townsend expands on the three takeaways: Blockchains have important uses besides cryptocurrencies; smart contracts are already in use by companies; and the technology is in its infancy and several pitfalls exist.

Read the article.