Yes, but your clients will not see it that way and neither does the ABA.
In addition to the ethical requirements of competency, confidentiality, and transparency, the ABA’s Formal Opinion 483, issued in November 2018, makes it clear that “Data breaches and cyberthreats targeting lawyers and law firms are a major professional responsibility and liability threat facing the legal profession.”
Why not just keep a data breach “our secret”?
Sadly, most law firms do. According to the American Bar Association’s TECHREPORT 2020, only 14% of law firms reported a data breach to law enforcement. Law firm clients fared even worse, being informed just 11% of the time.
States differ in their definitions of what constitutes a breach, as well as personally identifiable information that would necessitate notification. Nonetheless, under the ABA’s Model Rule 1.4, a law firm is required to disclose a breach to a client if the breach is likely to impact the result of that client’s case.
In other words, following your state’s disclosure statutes doesn’t remove your ethical obligations.
We back up our data, so we don’t need to pay out on ransomware
Yes, hackers have thought of that, so to insure against this scenario, cybercriminals download your data before they encrypt it. Then they can blackmail you with the threat of selling and/or publishing your information if you don’t pay the ransom.
Our cyber insurance will cover the damages
Not so fast. Insurance companies are increasingly litigating payouts. There are several reasons that a cyber claim, or portion of the claim, would be denied:
· Failure to implement necessary prevention practices
· Failure to document preventative measures
· The incident was the fault of a third-party vendor or contractor
· Exceeding the time period covered for interruption of service
I could face a malpractice claim?
Yes. Opinion 483, combined with the ABA’s mandate for technical competence per Model Rule 1.1, opens the door for malpractice, negligence, breach of fiduciary duty, or breach of contract claims from clients whose confidential information is compromised.
What are the costs of a breach?
Outside of the costs associated with a lawsuit, there are significant costs surrounding the cyber incident itself – both monetary and reputational.
Two years ago, the average ransomware demand was approximately $5,000. Now, the average is nearly $200,000, and that’s just the ransomware payment.
Other costs can vary widely depending on the depth of the breach and the number of clients involved. These include expenses such as:
· Forensic analysis to see what data was compromised and who was impacted
· Repair and/or replacement of hardware and software
· Business interruption/loss of billable hours
· Public relations advice
· Compliance with each affected state’s notification laws
· Increased insurance premiums
· Increased targeting by hackers once a payment is made
· Loss of intellectual property
· Reputational damage/client churn
· Credit monitoring for clients whose financial information was stolen
What do we need to do?
Ultimately, you need to take cybersecurity seriously. Yes, an investment in security controls can be costly, but it outweighs the downside of a data breach, which can be severe…or even business-ending.
In our last blog, Why Are Law Firms an Attractive Target for Hackers?, we laid out the reasons why law firms get hacked – they are a one-stop-shop for valuable information and they are perceived to be an easy target, especially smaller firms with a less secure cybersecurity infrastructure. So how do cybercriminals break […]
It’s not difficult to fathom why law firms appeal to hackers. When you need groceries, you go to a supermarket and when you’re looking to redecorate your living room, you go to a furniture store. Sure, you could visit several stores buying a few things at each one, but that’s not efficient. Or, you could opt for a visit to Walmart, but your choices will be much more limited and skewed toward the lower end of quality.
So, if you’re a hacker and you want the most valuable data with the least amount of effort and the greatest chance of success, a law firm is your Land of Plenty.
The American Bar Association (ABA) says that one in four (26%) law firms have been the victim of some sort of data breach, and an additional 19%, or one in five, were honest enough to admit they didn’t actually know whether they had been breached or not.
So, for the remaining 65% of firms that report they haven’t been breached, it’s possible that some have been compromised without knowing it or simply decided not to report it. While all states have security breach notification laws, there are differences in harm thresholds, what constitutes personally identifiable information (PII), and even the definition of a breach.
When any one company’s network is hacked, it will likely provide access to PII about its employees and customers and maybe some trade secrets or useful financial information. But there is also a lot of useless data to cull through to find the good stuff.
ENTER THE LAW FIRM
A law firm has all of that good stuff tied up in a bow. Most of their data is confidential or sensitive information and can include embarrassing secrets or illegal activity that can damage a client’s reputation. Law firm files may also contain information that makes it easier to hack into a client’s network.
Consider all the confidential information that law firms have on intellectual property, trade secrets, contracts, business strategies and nondisclosure agreements, which represent valuable information for a company’s competitors…or for that matter, China. And let’s not forget the financial gain of a well-timed stock purchase or short. Law firms house all the nonpublic information that could impact a company’s stock price when that nonpublic information becomes public: information on mergers & acquisitions, research & development, investment plans, and pending legal or financial trouble, as a start.
LAW FIRMS HAVE A BAD REPUTATION IN THE CYBERSECURITY DEPARTMENT
Whether it’s true or not, hackers consider law firms to be easy targets and lagging in cybersecurity sophistication. What is true, however, is that lawyers tend to be continually time-pressured, which can lead to cutting corners on security practices.
Further, the ABA TECHREPORT 2019: CYBERSECURITY indicates that only 44% of law firms use file encryption, 38% use email encryption, and 22% use disk encryption. Local backups were made by a mere 27% of the survey’s respondents, and only 23% performed vendor due diligence. Just last month it was reported that data from 193 U.K. law firms, which had been uploaded to a legal software company’s database, was exposed.
This highlights another problem for law firms — data in motion is the data that is most vulnerable to attack, yet lawyers regularly communicate sensitive information to clients and third parties, mostly in electronic form, and frequently unencrypted and via unsecured channels.
MORE TO COME
The Grubman, Shire, Meiselas & Sacks hack highlights that law firms store valuable data. In this case it was 756 gigabytes of data, which is not insignificant. In our next blog, we’ll have some fun exploring what 756 GB looks like.
We’ve got the DoD’s final certification standards, but a lot is still unknown
By Chris Sullins
February 12, 2020
The headline quote was from Katie Arrington, Special Assistant to the ASDA for Cybersecurity, at CMMC Impact On GovCon: Now and in 2020, an event hosted in late January by the law firm Holland & Knight.
It’s Not as Close as You Think
While September 2020 is the goal for implementation of the Cyber Maturity Model Certification Program (CMMP), Arrington said it was highly unlikely that any contracts containing CMMC requirements would be awarded before 2021. Certification is not required for a company to bid on a new contract, only to be awarded one. And, how many government contracts are awarded within three months of an RFP?
In practice, CMMC is expected to take five years to be fully implemented as existing contracts aren’t affected until renewal or modification. So, it will be FY26 before every Department of Defense (DoD) contract will have CMMC certification requirements.
The Roll Out Will Be Thorny…for the Regulators
Despite the presumed burden of CMMC compliance within the DoD supply chain, Arrington explains, “Level 1 will be on the bulk share of Department of Defense contracts.”
Level 1 consists of 17 basic cyber hygiene controls and essentially is equivalent to FAR 52.204-21. However, the larger obstacle to getting certified is more likely to involve difficulty locating and scheduling a qualified assessor than being prepared to pass the certification audit.
Why? The regulatory bodies have two staggering supply/demand-imbalance challenges ahead of them given the fast-approaching rollout of CMMC.
There will be a significant shortage of assessors
Self-certification, which was possible under NIST 800-171, is not an option with CMMC. The only avenue for certification is through a certified assessor at a credentialled C3PAO (CMMC Third-Party Assessment Organization).
But, there are no certified C3PAOs or assessors at this time. And, the requirements to become a C3PAO haven’t been established, nor has a training curriculum been developed for assessors.
Yet, training is slated to start this spring. Trainers are needed to run these classes, but they also need to be trained. Several iterations of training/feedback/tweaking are envisioned to determine what training is (and isn’t) successful in the curriculum.
The security clearance backlog is worrisome
Assessors will be required to have a security clearance to conduct CMMC audits, although the clearance level has not been defined. While the security clearance backlog has decreased substantially from the April 2018 peak of 725,000 to around 200,000 in January 2020, CMMC will add upwards of 10,000 assessors (over time) who need to be fast-tracked.
In addition to the backlog, there is processing time. While clearance processing times also are improving, they’re too long for the CMMC timetable. In 4Q19, it took 181 days on average to obtain a Secret clearance. As of this writing, September 1, 2020 is only 202 days away and 2021 starts in 324 days. (Again, clearance level hasn’t been specified).
But, Have Faith in Those Who Accepted the Challenge
During another presentation at the Holland & Knight event, Ty Schieber, Chair of the newly established CMMC Accreditation Board (CMMCAB), acknowledged the concerns.
“There is a lot of uncertainty and angst about what (CMMC) is or isn’t (due to) a lack of information or misinformation. And, a lot of the information that people want to know is still undecided,” he said. “The job of the Accreditation Board is to turn unknowns into knowns as soon as possible.”
The CMMCAB is keenly aware of the impending shortage of qualified, credentialled assessors and they expect the deficit to persist for the first six months to a year. As such, they are committed to mitigating the effects.
“We will come up with a system that allows prioritization for people who have contracts that they are planning (to bid) on, or contracts that they have bid on and are anticipating a possible award. We’re going to make sure that the system works, but we don’t know how yet. We’ll figure it out,” said Board member Mark Berman.
Of fundamental importance to the CMMCAB is ensuring that a contract earned by a cyber-ready company isn’t lost due to audit scheduling. “At the end of the day,” noted Berman, “the Accreditation Board cannot be the roadblock between a business and its contract.”
Likewise, the onerous hurdle created by the security clearance requirement for assessors is not lost on the CMMCAB or the DoD. Currently, the DoD is investigating ways to speed the clearance process for CMMC assessors, so it doesn’t become a chokepoint in the process.
Why the Rush?
It may seem that CMMC came out of nowhere and is moving at a rapid pace. In fact, several defense industry associations have urged the DoD to slow down. But, the CMMCAB contends that they are being deliberate and carefully considering decisions, while appreciating the sense of urgency.
Even so, Arrington says we’re running out of time. “Electronic warfare is not static” she said. “You solve one problem, the adversary finds another.”
For example, our adversaries exfiltrate about $600 billion a year from the U.S., which is nearly the size of the defense budget and costs taxpayers $4,000 per citizen…after tax.
What’s more, Arrington said that the next five years will bring the commercial availability of both Quantum computing and 5G. Together, these technologies have the potential to be catastrophic: Quantum computing breaks basic level encryption and 5G provides open access.
At that point, $600 billion could look like peanuts.
Be Part of the Process
The board views CMMC as a collaborative effort and wants input from the industry. The CMMCAB website provides a way to contribute with their “One Thing” question. It reads, “If you have experienced an audit or assessment from a regulating authority before, what is one thing that would have made it a better experience for your organization?”
Everything submitted on the website is read. Also on the website is a stakeholders section where you can subscribe for updates.
Like anything new, the introduction of CMMC could experience hiccups or require revisions. Nonetheless, it’s worth noting that everyone I’ve encountered who is involved in the development and/or implementation of CMMC is passionate about their mission and unwavering in the belief that the DoD and our industrial base must be secure.
Asked why he wanted to take on his role, Schieber replied, “When you look at the significance of this in terms of the threat to the nation, that’s why I get up every day.”
“We have an opportunity here to change the world…to make this a safer country,” Berman added. He also shared his regret that his career path did not include military service. “This is my chance, that I didn’t take when I was in my twenties (to serve the country.)”
A troubling statistic in IT security is that 30% of IT managers do not know how many devices are on their networks, according to a 2018 LogMeIn report. Likewise, 10% of IT administrators surveyed by the SANS Institute said they didn’t know how many management servers they were using. Even more surprising, Gartner disclosed results from a survey of clients who, after deploying an automated IT asset management tool, found 60% more endpoints on their networks than they had thought were there.
What’s behind the lack of visibility?
There are several trends that contribute to poor network visibility.
1. Decentralized networks. Companies with several locations increase the complexity of the network and introduce the potential for security gaps. For instance, almost half of participants in a 2018 survey by SANS Institute reported having at least six operating systems and 12% said they have at least 11.
2. Bring Your Own Device (BYOD). A 2018 report from Bitglass found that 85% of the companies surveyed allow BYOD not only for employees, but also for contractors (27%), partners (25%), customers (22%), and suppliers (19%). And, many employees use multiple connected devices at work, which aren’t always authorized or known by the IT department.
3. Internet of Things (IoT). Many IoT devices are not added to the inventory list of connected devices, so they’re not detected by network scans.
What’s the Risk?
Lack of network visibility is a critical issue facing IT managers given the inherent vulnerability of connected devices. According to IDC, 70% of breaches occur on endpoint devices. Research from Absolute Software found that 42% of endpoints are without security at any point in time. As a weakly protected path to the network, connected devices are an appealing target for cybercriminals.
Complicating this issue is the rapid growth of devices that connect to corporate networks. Statista estimates that there were 22 billion devices connected to corporate networks and the internet at the end of 2018. That number is expected to reach more than 30 billion by 2020 and over 75 billion by 2025. Consider also that these devices have their own apps and software.
What to do?
IT departments must make device visibility a priority. It’s essential to know and inventory all devices on the network: when each device is connected, who is using it, what is running on it, and what its security posture is.
Keep in mind that it only takes one unknown or unprotected device to provide a gateway for hackers to infiltrate your network.
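To make the inventory step concrete, here is an added Python example that is not from the original post. It parses constructed DHCP lease lines, reconciles them against a constructed device inventory, and flags three conditions a visibility program should surface: a device on the wire that is not in the inventory, an inventoried device whose endpoint agent has never checked in, and an inventoried device that was not observed at all. The log layout, inventory fields, hostnames and MAC addresses are all assumptions chosen for illustration; adapt the parser to your own CMDB export and DHCP or NAC logs.

```python
"""
Reconcile a device inventory against what is actually observed on the network.

Added example, not from the original post. The inventory, the lease log and
the agent check-in set below are constructed sample data; the field layout is
an assumption for the example.
"""
import re
from dataclasses import dataclass

# Constructed inventory: what the IT department *thinks* is on the network.
# "agent" records whether the device is supposed to run an endpoint agent.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": {"owner": "alice", "role": "laptop", "agent": True},
    "aa:bb:cc:00:00:02": {"owner": "bob", "role": "laptop", "agent": True},
    "aa:bb:cc:00:00:03": {"owner": "it", "role": "printer", "agent": False},
}

# Constructed DHCP lease log lines (simplified dhcpd-style syslog format).
SAMPLE_LEASE_LOG = """\
Mar  3 08:01:12 dhcp dhcpd: DHCPACK on 10.0.5.21 to aa:bb:cc:00:00:01 (alice-laptop) via eth0
Mar  3 08:02:40 dhcp dhcpd: DHCPACK on 10.0.5.22 to aa:bb:cc:00:00:02 (bob-laptop) via eth0
Mar  3 08:05:03 dhcp dhcpd: DHCPACK on 10.0.5.40 to aa:bb:cc:00:00:03 via eth0
Mar  3 08:07:55 dhcp dhcpd: DHCPACK on 10.0.5.77 to de:ad:be:ef:12:34 (smart-tv) via eth0
Mar  3 08:09:10 dhcp dhcpd: DHCPACK on 10.0.5.78 to de:ad:be:ef:56:78 via eth0
Mar  3 08:09:10 dhcp dhcpd: DHCPDISCOVER from de:ad:be:ef:56:78 via eth0
"""

# Constructed: MACs whose endpoint agent has reported in recently.
# Bob's laptop is inventoried with an agent but has never checked in.
AGENT_CHECKINS = {"aa:bb:cc:00:00:01"}

# Only DHCPACK lines mean an address was actually handed out; the optional
# parenthesised hostname is absent for devices that send no client name.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


@dataclass
class Finding:
    mac: str
    ip: str
    hostname: str
    reason: str


def parse_leases(log_text):
    """Return {mac: (ip, hostname)} for every DHCPACK in the log; last lease wins."""
    seen = {}
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            seen[m["mac"]] = (m["ip"], m["host"] or "")
    return seen


def reconcile(known, observed, agent_checkins):
    """Compare inventory with observed devices and return a list of Findings."""
    findings = []
    for mac, (ip, host) in observed.items():
        if mac not in known:
            findings.append(Finding(mac, ip, host, "unknown device: not in inventory"))
        elif known[mac]["agent"] and mac not in agent_checkins:
            findings.append(Finding(mac, ip, host, "inventoried device with no endpoint agent check-in"))
    for mac in known:
        if mac not in observed:
            findings.append(Finding(mac, "", "", "inventoried device not observed"))
    return findings


if __name__ == "__main__":
    observed = parse_leases(SAMPLE_LEASE_LOG)
    for f in reconcile(KNOWN_DEVICES, observed, AGENT_CHECKINS):
        print(f"{f.mac:18} {f.ip:12} {f.hostname or '-':14} {f.reason}")
```

Run against the constructed data, the script reports two unknown devices (the "smart-tv" and the nameless MAC that obtained 10.0.5.78) and flags bob-laptop for a missing agent check-in; the printer is inventoried without an agent, so it produces no finding. In practice the same reconciliation is run on a schedule against live DHCP, NAC or switch data, and each "unknown device" finding becomes a ticket to identify, inventory or disconnect the host.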