Attacking the Weakest Link: BYOD in the Law Firm Culture
By Daniel B. Garrie, Esq., co-authored by Valerie Strumwasser, Esq., Associate General Counsel at Law & Forensics
Law firm culture has long focused on the ability of its attorneys to bring a high level of thought and analysis to every legal case on its roster. However, similar care has not been spent by firms when it comes to data security. For many firms, hiring world-class security engineers to work full time is seen as impractical, and acquiring the right hardware and software solutions is seen as too costly. What firms do not realize is that data security is essential to good client service. Without it, clients' files may inadvertently end up on a file server somewhere like China, Brazil, or Russia.
Consider the following hypothetical:
A 500-attorney global law firm had a policy allowing employees to use their personal devices, including cell phones, tablets, and laptops, for work purposes. One senior partner used his smartphone for work email, viewing files, and remotely connecting to the law firm network to access client materials and to get documents stored in the Cloud. This cost-conscious senior partner chose to use his smartphone for both work and personal use, as no one brought to his attention the need to segregate data and users. One day, while driving his son to school, the senior partner let his son use the smartphone to surf the Internet and download a new game. But this game came with malware attached to it, which accessed the smartphone's data. More importantly, when the senior partner logged onto the firm's intranet, the malware infiltrated the firm's servers. This silent intrusion allowed the malware to transmit data back to its developer, including bank account information, credit card information, and confidential information for high-profile clients, all available to the highest bidder.
Within days of the breach, the law firm was floundering to determine how its networks were hacked, how to stop the leak, how to manage its client relationships, and how to remedy the reputational fallout.
While the above hypothetical may seem like a doomsday scenario, a simplified copycat version of Stuxnet could easily do just that.
Most recently, two security researchers at the Georgia Institute of Technology unveiled a modified USB charger for the iPhone that cost approximately $45 to build. Quite an expensive cord (even by Apple standards!), but the real purpose of this charger is to hack into the iPhone without the user knowing. Not only does it hack the iPhone, it does so in under a minute.
So let's modify our hypothetical above. Our same partner goes on a business trip to Shanghai to meet with a new client. He stays in a fancy new boutique hotel that comes with USB ports built right into the wall. How handy! Except that on the other side of the wall sits this same $45 device, waiting to push malware onto any iPhone plugged in and allowing outside access to the data on the phone. Now the hacker on the other end has access to the attorney's linked email and cloud drive, where he keeps his clients' pending patent applications.
As with most enterprises, hacking is generally about making money. Whether you are a criminal stealing credit card information or a sovereign nation stealing intellectual property or trade secrets, with the right amount of planning you can easily target business travelers, who will inevitably hold a certain amount of unprotected valuable information at any given time.
Even without a direct link to the attorney's confidential client information, any other data on the phone can easily be bought and sold on the underground market. Take, for example, a personal email account. Within this account, our attorney friend emailed his bank account information to his brother in 2007 so a transfer could be made (and never deleted the email from his Sent folder). Between 2005 and 2010, before his law firm bought laptops for attorneys, our attorney would often send himself client documents to work on from home; those files still sit in a Work Documents folder in his Yahoo! account. As a highly organized attorney, our friend keeps copies of all receipts from Internet transactions in a folder in his Gmail account. His photos are tagged with the latest geo-positioning information and a subject line reading "Our new beach house! Too bad we only get to visit on the weekends." He is wise not to save his username in his mobile-banking and credit-card-payment apps, but he does maintain an email in his Drafts folder with a list of all passwords for those less important sites like his mobile phone account, his iTunes account, and his Netflix account. Even a marginally savvy criminal with access to this information can withdraw funds from the attorney's bank account, impersonate the attorney in a number of situations, and gather enough information and access to use the email accounts to send spam. If the attorney is unlucky enough to lose his phone and the criminal is local, there is also an exact geo-position of his vacation home, and a quick search in Gmail reveals an email to the attorney's sister telling her the key to the back door is under the jar of sea shells.
These examples are not meant as scare tactics, but merely an explanation of a few possible ramifications of a data breach. We all take calculated risks in our everyday lives, and now those risks must include how we handle our personal and business-related information online.
Our experience advising law firms and in-house legal departments on these issues has shown that there are cost-efficient methods that can dramatically improve a firm's data security both on local hardware and mobile devices.
While investing millions is not practical, if the law firm has a security-aware culture and has purchased and implemented one of the current solutions available in the marketplace, it can provide a secure and easy-to-use file transfer solution, a highly advanced email encryption service, an integrated malicious-code detector for both the Internet connection and physical devices, a solution that manages and protects data in transit between mission-critical systems and security platforms, and technology that provides network protection from outside threats.
The list of software discussed above seems long and complex, but these services can be found in a single solution and managed by in-house staff or third-party vendors. One such single-solution product is Safe-T, which offers manageable and easy-to-implement solutions for the entire scope of data security. There will always be criminals who find your cell phone and the data on it to be profitable. However, our entire hypothetical can be averted by some thoughtful pre-planning and a little amped-up security (unless you're trying to keep out the NSA, of course).
Law firms have long been the vault for personal and corporate confidences. But the increasing number of hacks should leave clients questioning the strength of the security with which their law firm protects their data. The simple principle of attacking the weakest link may often lead back to law firms' devices, as firms often do not invest in the technology, people, and cultural awareness necessary to provide strong security.
A recent Wall Street Journal article lauded law firms as the first stop in cyber security response, praising the benefits of attorney-client privilege and knowledge of corporate disclosure laws. But simply knowing the law is only half the battle; the physical hardware and software piece is equally critical. For a more tangible public example, one can turn to the article published by Bloomberg on January 31, 2012. This article details how Chinese hackers zeroed in on the Canadian law firms handling a $40 billion acquisition. The article further details how the hack breached seven different law firms as well as Canada's Finance Ministry and the Treasury Board. While the acquisition fell apart for unrelated reasons, the incident illustrates the vulnerability of law firms. According to Mandiant, and in line with our experience, an estimated 80 major U.S. law firms were hacked last year.
Unfortunately, neither individual nor state-sponsored hackers are deterred by the tenets of attorney-client privilege. Just as you would not put your money in a bank without a vault, you should not trust critical, sensitive, or material corporate data to a law firm with a weak "data protection vault."
Unlike the physical structure of a bank, the level of information security readiness and effectiveness is not readily apparent to law firm clients, especially to those that are not technically skilled. Thus, any company should require counsel to demonstrate that the law firm knows how to securely hold and manage an organization's data. This is particularly true in cases involving technology, trade secrets, or sensitive corporate data. In turn, law firms that know how to manage and secure technological assets should use that competitive advantage in marketing themselves to existing and potential clients.
Law firms' apparent lack of response to data threats prompted Jeff Brandt to create an essentially viral campaign to promote internal discussion of law firm security measures. He created a fake email and internal memo that detailed the circumstances surrounding a supposed breach due to lax security standards and a bring-your-own-device policy. It created quite the stir in certain circles before Brandt outed himself as a provocateur of digital security policy.
There are a few critical steps that law firms can take to simultaneously enter this new area of practice and ensure that their clients' data remains safe. The firm should create network data maps, monitor digital access logs, hire in-house and outside experts, acquire appropriate computer hardware and software, and create a culture that is security-centric. Often the weakest link is not the technology but the people, so it is essential that firms make sure the need to be security aware is ingrained in every employee's mind. These are a few of the preventive and prophylactic measures at the disposal of law firms. There is no single solution befitting all firms, and the right solution will vary based on the size, geography, people, and systems a firm has deployed. That said, every firm should seek and employ the right solution for itself and its clients.