
ABA reports law profession ill prepared for risk of cyber security threats

Special to the Legal News

Published: August 14, 2017

Most law offices are underfunding their efforts to counter cyber risks, according to a report in the American Bar Association Journal.

As cyber security evolves, one thing remains the same: how much of a threat cyber risk poses to any business.

Julie Sobowale wrote for the Journal that the risk to the profession is more than just a technology issue or an added clause in the retainer agreement. Rather, it's the biggest risk that law firms currently face. The problem is money, sources told Sobowale. An effective cyber risk program requires, at minimum, up-to-date software, which - for any size law firm - can be very expensive.

"We are a self-governing profession, and there hasn't been an environment to do cyber security," said Daniel Garrie, founder of Law and Forensics, a tech firm specializing in forensic investigations. "The economics of the practice of law doesn't allow for investment.

"Even in the biggest firms, there are only three or four people working on cyber security. There's not much investment in people, resources, and they can't pass the cost on to clients."

Client pressure, however, may be swaying the trend in the other direction.

According to the 2016 ABA Legal Technology Survey Report, 30 percent of all law firms and 62 percent of firms of 500 lawyers or more reported that current or potential clients provided them with security requirements, the piece noted.

"We review data guidelines and protocols on how to use, store and protect their data," Griesing Law COO Jessica Mazzeo said. "Many of our corporate clients evaluate cyber security performance for all outside vendors and notify if expectations have been exceeded or require improvement."

The Journal piece detailed Mazzeo's experience with malware infecting the firm's network about a year ago. The network had to be taken down and virus software was run on every computer in the 12-attorney office in Philadelphia. Once the virus' origin was located, the offending hard drive was wiped.

Mazzeo said the incident resulted in changes to the way the firm dealt with websites, emails and mobile devices. The firm began working on a cloud-based program permitting users to send files securely online, and employed a firm to quarantine suspicious emails, the Journal reported.

With some changes to the firm's firewall to block access to risky websites, the firm also initiated a new email policy: "If the source is unknown or if you're not expecting the email, don't open it."

The ABA's tech survey says only 17.1 percent of all law firms had an incident response plan in place to address a security breach, and only 50 percent of firms of 500 lawyers or more had such a plan in place. A cyber security practitioner believes engagement of senior management is key.

"There needs to be senior management engagement in cyber preparedness, and senior-level accountability in this area is increasingly expected by regulators and courts," said Luke Dembosky, a cyber security and litigation partner at Debevoise & Plimpton and former deputy assistant attorney general for national security at the Department of Justice. "Certainly, some aspects of breach preparation and response are IT-focused, but when a major cyber incident occurs, other executives at the company will need to weigh in, for example, on disclosures to the media, regulators, law enforcement and others.

"Law firms have tended to be behind the curve on these issues, but many are working hard to catch up."

Copyright © 2017 The Daily Reporter - All Rights Reserved