EP 11: Cyber Risk and Law Firms
About this episode
November 13, 2018
Kip Boyle, CEO of Cyber Risk Opportunities, talks with Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, on the need for law firms to have reasonable cyber security. They also discuss how law firms can provide Attorney Client Privilege (ACP) to their clients who conduct Cyber Risk Assessments.
Kip Boyle: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives become better cyber risk managers. We are your hosts. I'm Kip Boyle, CEO of Cyber Risk Opportunities.
Jake Bernstein: I'm Jake Bernstein, Cyber Security Counsel at the law firm Newman Du Wors.
Kip Boyle: This is the show where we help you become a better cyber risk manager.
Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman Du Wors LLP. If you have questions about your cyber security related legal responsibilities ...
Kip Boyle: ... and if you want to manage your cyber risks just as thoughtfully as you manage risks in other areas of your business, such as sales, accounts receivable and order fulfillment, then you should become a member of our cyber risk managed program, which you can for a fraction of the cost of hiring a single cyber security expert. You can find out more by visiting us at CyberRiskOpportunities.com and newmanlaw.com.
Kip Boyle: Jake, what are we going to talk about today?
Jake Bernstein: Thanks Kip. Today, we're going to talk about cyber risk management for law firms and what law firms need to be aware of in today's climate.
Kip Boyle: Okay. Law firms have a lot of things to do, why should cyber risk be a top agenda item for them?
Jake Bernstein: Well, the simple reason is that it is an ethical duty now in the state of Washington and many, many other states. It's rapidly approaching 40 states that have passed new ethical rules that require people to be reasonable when it comes to cyber risk management.
Kip Boyle: Okay. How should law firms be thinking about cyber risks since they need to presumably, elevate it on their agenda?
Jake Bernstein: Well, simply stated, law firms have a practical and ethical duty to practice excellent cyber risk management and to maintain proper cyber hygiene. Lawyers are in the trust business and if clients do not trust their attorneys to maintain the confidentiality of their sensitive information, they'll simply go elsewhere. In short, they must practice reasonable cyber security. For law firms, reasonable is going to mean a lot more than it would for many other types of businesses. Law firms need to be thinking of cyber risks as existential risks. The Panama Papers have already decimated one major international law firm. A similar attack on an AmLaw 100 firm would be very likely to drastically change the landscape of big law here in the US. If you look, there's no shortage of data breaches and cyber attacks already in today's headlines.
Kip Boyle: Yeah. That's true.
Jake Bernstein: Law firms make good targets.
Kip Boyle: Why? If I'm in a law firm and I just heard you say, "Law firms are great targets," and I'm in a law firm and I'm thinking, "Okay, all my stuff is boring. Who in the world would want to look at the stuff that I'm doing?" Why is it a great target?
Jake Bernstein: Look at some examples. You've got Mossack Fonseca and the Panama Papers. That was a very famous data breach and a hack, and they exposed hundreds of thousands, millions of documents related to offshore bank accounts. Apparently, offshore bank accounts are really interesting because it happened again, just in the last couple of months, with Appleby and the Paradise Papers.
Kip Boyle: Right, the Paradise Papers. Did you know, it was the same investigative journalist that broke both of those?
Jake Bernstein: Yes I did. I'm apologizing, my internet connection is unstable.
Kip Boyle: Yeah. Well, you're still looking just fine over here on my side of the connection.
Jake Bernstein: All right. Well, we'll edit that part out. Another example would be just the risk of having your business interrupted. An example of that would be DLA Piper and the ransomware attack earlier this year as well. They had to shut down their business for about 5 days, and for a law firm that is, you know, the size of DLA Piper and is based on billing hours, there were literally signs in the offices that said, "Go home, we can't work today."
Kip Boyle: Ouch
Jake Bernstein: That's gonna cost a lot of money. There are examples as well, in fact before the Panama Papers, just a few months before, the FBI did notify a number of AmLaw 100 firms, specifically those involved in corporate mergers and acquisitions. What had happened was that hackers stole a bunch of information. Now that was never made public, and that's because what the hackers wanted was to steal the insider information and use it to conduct insider trading. So, obviously, when you steal information for insider trading, the last thing you're gonna do is publicize it; that would be against the point of your attack.
Kip Boyle: Right
Jake Bernstein: But, nonetheless, that's still a valuable set of information that law firms have, especially corporate law firms.
Kip Boyle: Okay, if I was wondering, "Why am I a target?" That should clear it up, right, for just about anybody. This is why you're a target says Jake. Now having talked about how law firms should be thinking about cyber risk, what should they be doing about cyber risk?
Jake Bernstein: Specifically, law firms must guard against the "unauthorized access to or the inadvertent or unauthorized disclosure of information relating to the representation of a client." That comes from the Model Rules of Professional Conduct distributed by the American Bar Association. It's rule 1.6c. Here in Washington we have adopted that; it is now part of the Rules of Professional Conduct, which are the Washington RPCs, RPC 1.6c, and there are comments as well.
Kip Boyle: Our podcast is viewed by people in a lot of different states. How many different states have anything like that?
Jake Bernstein: Well, I believe the number is approaching 40. Basically the way these ABA model rules work is that they tend to sporadically spread across the country before, within a few years, they're adopted everywhere, and that's kind of what we're seeing here as well.
Kip Boyle: Oh, okay, so we can reasonably expect the remaining 10 states to pick this up?
Jake Bernstein: Yeah, I think so. It's just a matter of time.
Kip Boyle: That's kind of how law firms should be dealing with risk at a high level, right? But, what does that actually look like inside of a firm? What should they be doing?
Jake Bernstein: There's a lot of different ideas that you can use. There's lots of different security principles: least privilege, limit access to information. But here's the thing, law firms need to remember that they are holding enormous quantities of highly sensitive information. Personal injury and medical malpractice law firms have private health information, which makes them susceptible to HIPAA violations. Corporate lawyers, as we've talked about, have useful, valuable M&A information, and really lawyers, by definition, are holding clients' secrets that frankly no client wants exposed to the public.
Kip Boyle: Right.
Jake Bernstein: So, what does it look like to deal with cyber risk, or what kind of guidance can you find, and the answer again is within the ABA. The American Bar Association promulgates opinions, in this case they published formal opinion 477. There's actually a revised version so it'd be formal opinion 477r is the most current version, and what it says is that while firewalls, password managers and encryption are all important, it's not so much the specifics of what you're doing but instead you need to have a process and the specific advice that they give is a quote from the ABA Cyber Security Handbook and it says that a fact specific approach to business security obligations really needs to look like, "a process to assess risks, identify and implement appropriate security measures responsive to those risks, you then have to verify that they are effectively implemented and ensure that they are continually updated in response to new developments." Though for my money, I see a process that has three main components.
Kip Boyle: Alright
Jake Bernstein: An assessment that looks at the types of risks you have, a mitigation plan that comes up with and implements appropriate security measures that responds to those risks, and then a kind of update and management over time of those risks. So assessment, mitigate and update.
Kip Boyle: So that kind of implies, I guess an on going leadership in order to do this because what you're not recommending is kind of a one time assessment. What I'm hearing you say is as a law firm you don't really want to do these snap shot efforts, you want to do something that's on going, so that kind of assumes that there's gonna be on going leadership. So, how would that work?
Jake Bernstein: So, you're correct. A snapshot is not a particularly effective form of cyber risk management or even a cyber risk assessment. If you look at all the data breaches that have occurred over the last couple of years, for example Target, the Target data breach, I have no doubt that Target was "compliant." They met their requirements under the PCI Guidelines. All of those compliance programs and compliance regimes are really looking at a snapshot, and the problem is that you might be relatively secure when you're preparing for that snapshot to be taken, and that security might last a month or so after the snapshot is done, but it doesn't motivate continual cyber risk management and good cyber hygiene, and that is what you need if you're going to be [inaudible] cyber security steps.
Kip Boyle: Right, so does that mean a law firm has to hire a chief information security officer or how are they going to put that on going leadership in to place?
Jake Bernstein: Well, large enough law firms absolutely should hire a chief information security officer. If you're in the AmLaw 100 and you don't have a CISO, you're probably negligent, but most law firms are not in the AmLaw 100, and what should those law firms do? I think that comes down to using outside service providers, just like you do when you want to outsource your IT issues, your litigation document management. I mean, really, law firms in general outsource an enormous amount of important business functions...
Kip Boyle: Right, services.
Jake Bernstein: ...Services, and cyber risk is no different. In fact I offer law firms and other clients, exactly the kind of fact specific approach to business security obligations that the ABA suggests.
Kip Boyle: One thing that I've heard in my work as a cyber risk manager is kind of the objection to this whole process that you're talking about, and the objection is, gosh, if we go in there and start tearing things apart and we find out what's really going on from a cyber risk perspective, then we're going to have to do something, because if we know what's going on and we don't do something, for whatever reason, then that could look really bad, that could make us look really bad if we ever ended up in court, and so maybe it's just better that we don't look, because then at least we can credibly claim that we didn't know what was going on. So how do you respond to that kind of an objection?
Jake Bernstein: It just fails. The simple fact is, if your concern is that we'll look bad in court if we get this assessment and then don't fix it all, you're gonna look worse if you don't get an assessment and all you can say is, "I don't know." I don't know is more negligent than I don't know and we didn't do something. At least you could say I don't know, or we did an assessment and we didn't fix everything because it was too expensive. Then it becomes a factual question of, well, you know what, maybe that was reasonable under the circumstances. Someone might come in and do a cyber risk assessment and say it's gonna take you a million dollars to get secure; well, most law firms aren't going to be able to instantly drop a million dollars on becoming "secure."
Kip Boyle: Right.
Jake Bernstein: We contrast that with burying your head in the sand which under no circumstances is a good defense, particularly for a law firm who should know better, particularly now that there is an ethical duty to know better.
Kip Boyle: So then a law firm is going to be held, it kind of sounds like, to a higher standard than different types of firms is that right?
Jake Bernstein: It is. What's reasonable for a law firm is going to be likely more than reasonable for a lot of other companies. And what's reasonable for many companies is not going to be nearly enough for a law firm.
Kip Boyle: Right, okay, so if I do the cyber risk assessment and then I learn that I've got all these issues, but I can't afford to address them all at once, okay so how do I work my way through that?
Jake Bernstein: Well, my recommendation is that you conduct a cyber risk assessment with an attorney, with outside cyber security counsel, whether you're a law firm or any other type of company, because your point is well taken, which is, if I find all these vulnerabilities or these flaws, it's going to take me years to work up and pass my cyber risk assessment, for lack of a better term. It doesn't happen overnight and it seems like there's a vulnerability of knowing. Well, if you work with cyber security counsel, you're going to be conducting all of those assessments and that process under attorney client privilege. That means that if something does go wrong, you can protect the information that you don't want to get out there into the public, and that's going to work even in a lawsuit.
Kip Boyle: Okay, so law firms should have no trouble understanding your point about the advantages of attorney client privilege around this kind of information. If we have listeners who aren't working for law firms, they're not lawyers and they don't really understand it, you're saying they could use this too?
Jake Bernstein: Yes, I'm sorry you're going to have to repeat that question.
Kip Boyle: Oh, did we drop the connection a little bit there?
Jake Bernstein: Yeah it was really bad.
Kip Boyle: Oh okay, so what I was saying was lawyers will understand attorney/client privilege very well, but if we have listeners that are not attorneys, don't work at law firms, what you're saying is that attorney/client privilege can work for them too, is that right?
Jake Bernstein: Absolutely it can, yes. Attorney/client privilege is created anytime a lawyer gives legal advice to his or her client. Anything that is communicated as legal advice is mostly going to be privileged. It's one of the strongest privileges in the Anglo-American legal system.
Kip Boyle: That's actually really good. So we now have an answer to the question what if I do a cyber risk assessment and it comes up with all this stuff but I don't want anybody to know that I've chosen to accept certain risks or that I just can't deal with everything right away, so that's great. Okay, so Jake, where can folks who want to take law firms, where can they go to get more information about this stuff?
Jake Bernstein: They can contact me via email at email@example.com. They can and should visit cyberriskopportunities.com. The fact specific approach that I perform is a standards based, data driven cyber risk assessment that has a managed program component in conjunction with Cyber Risk Opportunities. The entire goal of the managed program, which can be privileged, is to implement appropriate security measures that are responsive to your specific risks. And then the idea of the annual program component is that if you stick with it, then you're by definition meeting that requirement to update and respond to new developments.
Kip Boyle: If you get hacked, then you're gonna have a credible story to tell in court essentially is what you're saying, right? You're gonna say look, we're a victim of a crime and we took reasonable steps to prevent that from happening, but it happened and so, you know, we're a victim.
Jake Bernstein: That's exactly right, and there's questions about how much victim blaming we should do. The FTC has been criticized for attacking companies, for investigating companies, for prosecuting them for being victims of cyber crime. The problem is that we are in an era where the clear requirement to take reasonable cyber security steps is just coming into focus for most people, and yes, if you have taken reasonable steps, then the FTC will close its investigation. A state bar association that's investigating a law firm for losing information would more than likely close its investigation if it finds that the law firm did everything it reasonably could have done. What you want to avoid is doing nothing or being unreasonable about it. This is really no different than every other standard of care. You can insure yourself against cyber risks; in fact, one of the components of any good cyber risk assessment is gonna look at your insurance policies. Are you insured against these risks? Does the insurance you already have adequately protect you, and if not, where can you go get new insurance? All of these things are going to be looked at. It's a very holistic approach.
Jake Bernstein: It's a mistake to think of it as an IT problem. It's a mistake to think of this as oh we've outsourced our IT to such and such a firm we think they're pretty good. And they might be very good, but they're not the ones with the affirmative ethical duty to have reasonable cyber security in place and really so much of cyber risk management is outside of IT that if you're only relying on your outsourced IT provider, you're simply not doing enough.
Kip Boyle: Right, 'cause your folks need to be trained, you've gotta have the right contracts, the right indemnity language in case you have a vendor that mishandles the data and causes a data breach. You wouldn't expect your IT department to handle those things.
Jake Bernstein: Your IT department can't handle those things.
Kip Boyle: Right.
Jake Bernstein: It can't handle whether or not leadership is prepared for a breach. It can't handle whether or not people know who to call and when and what order. There's a lot of things that need to be done in advance to make a cyber attack far less damaging. Here's the reality, it's 2017, it's almost 2018, it's not a matter of if, it's a matter of when. Because of that, this thinking of well, I'm just going to ignore it until it becomes a problem is about the worst possible response because what it really means is, what it really shows is that you either don't care or don't understand enough to take the reasonable steps that are necessary and expected of you. For an attorney, again we sell trust, that's a terrible attitude, it's an irresponsible attitude and it's one that, I think, will be looked upon very negatively by bar associations and supreme courts going forward.
Kip Boyle: Got it, got it. Okay, well, thank you, Jake, very much. Today we've been talking with Jake Bernstein. He's an attorney at the law firm Newman Du Wors here in Seattle.
Kip Boyle: Thanks everybody for joining us today on the Cyber Risk Management Podcast.
Jake Bernstein: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR and IT for full effectiveness.
Kip Boyle: And management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.
Jake Bernstein: You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
K&L Gates LLC
Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.