What Will You Do When Your Law Firm Is Breached?
Putting together an incident response plan.
Putting together an incident response plan.
Note that we did not title this article "What Will You Do If Your Law Firm Is Breached? The reason is simple: Experiencing a data breach is not an “if”—it is a “when.” Just ask the IRS or the U.S. Office of Personnel Management, both of which recently suffered data breaches partly due to their sloppy approaches to information security. Lawyers cannot ethically afford to have slipshod security when protecting confidential data.
Incident Response Plans
We have written about steps to securing your data, but this time we are stressing that it is imperative to be ready for a data breach. This means you need an incident response plan, which is often focused on data breaches but can also include responding to ransomware, attempted hacks, or an insider accessing data without authorization.
Most large law firms now have these plans in place, but many smaller firms do not. More and more, we are seeing clients and insurance companies asking to see IRPs. In the face of ever-escalating data breaches, now is a good time to come up with a plan. After all, football teams don’t get the playbook on game day.
Don’t go and search for an IRP template. No two law firms are set up exactly the same, and all have different business processes, network infrastructures, and types of data. You need a plan customized to fit your firm; the smaller you are, the shorter the plan is likely to be. While a book could be written about IRPs, we are going to give you a condensed and, we hope, digestible overview.
Elements of an IRP
Name the positions that will be responsible for the functions listed in the IRP. Don’t only use names because people come and go. No matter your firm size, you need a broad-based team that includes management, information technology, information security, human resources, compliance, marketing, etc. Have a conference call bridge line in case a breach happens at night or on the weekends, and include home/cell phone numbers as well as personal and work email addresses. This list will need to be updated regularly as people join or leave the firm.
Identify a data breach lawyer.
Many large firms now have whole departments working on data breach matters. Your data breach lawyer (if you selected a good one) will be an invaluable quarterback for your IRP team—and he or she may be able to preserve much of the information under attorney-client privilege.
Choose an insurance policy (that
darn well better cover data breaches).
List the insurer’s contact information because you are going to need to call your insurer as soon as you are aware of a possible breach.
Identify law enforcement.
Include the contact information for law enforcement officials, perhaps those at your local FBI office, who are often the first folks called in.
Identify a digital forensics company.
List the contact information for the company that you choose to investigate and remediate the cause of the breach. Generally, you will have been breached six months or more before you discover it. You’ll want to know if all data that should have been encrypted was indeed encrypted in transmission and in storage. If it was, this may lessen your burden. Determine if any personally identifiable information may have been compromised.
If you have intrusion detection or data loss prevention software, those logs should be preserved and provided to your investigators immediately. If you don’t already have these programs, you may want to think about implementing such software.
Identify the contact information
for your bank.
If your banking information has been compromised, you will need to notify your bank.
Identify the contact information
for a good public relations firm.
This is optional but often useful. If you are not required to make the breach public, you may not need to do this; if it does go public, you will probably need to do some quick damage control. Your insurance coverage may provide for this, in which case the insurance company will put you in contact with the appropriate firm.
Determine how to handle
clients and third parties.
Remember that you may wish to not “reveal all” and yet need to achieve some level of transparency. Be forewarned that this is a difficult balance. You will feel like the victim of a data breach, but your clients will feel as though you have neglected their trust. A data breach that becomes public can cause a mass exodus of clients so work through your notification planning with great care. Be wary of speaking too fast before facts are fully vetted; it is a common mistake to try to limit the damage but actually increase it as the scope of the incident turns out to be far greater than first known.
Determine how to inform employees.
How will you ensure that the law firm speaks with one voice and that employees do not spread information about the breach in person or online? How will your social media cover the breach, if at all?
Include information on your
state’s data breach notification law.
Almost all states have a data breach notification law. Put this in the plan along with compliance guidelines. You may be required to contact your state attorney general’s office. These laws vary widely, so be familiar with your own state law.
If you have potentially impacted data that is regulated by the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, or other laws, make sure the relevant data breach regulations are referenced in the plan and attached.
Determine if the breach requires
IT and information security policies
to be changed.
Does what you learned from the breach require that the IRP itself be revised? The IRP should mandate an annual review even without an incident.
Yes, you do want to rehearse for a data breach. Add and subtract various factors that can occur in reality. Add a terrorist threat, subtract key personnel who are on a cruise, yada, yada. This is most often done as a tabletop exercise that should take place at least annually.
You will find that your needs and responses to a breach may evolve over time. For instance, as ransomware saw a 4,000 percent increase in 2014, it became apparent that many backup systems needed to be re-engineered so that they wouldn’t be impacted by CryptoLocker, CryptoWall, and their many variants. The threats will no doubt morph over time—as will the defense
Make no mistake about it, the most successful attack against law firms is spear phishing—a targeted attack where the attackers have done some reconnaissance. They may know what cases you’re involved in, who the opposing counsel is, the nickname of a senior partner, etc. This makes it easy to send what looks like a “genuine” email, which in reality contains a malicious hyperlink or an attachment.
Training employees to be skeptical, to refrain from being click happy, and to think about the email in their inbox is invaluable. We’ve seen firms that have successfully avoided a breach simply because an employee had enough sense to question whether a very well-done phishing email was real.
If you are concerned about the money spent on training or the loss of billable time, stack those costs up against the financial damage of a data breach, and you’ll see the absolute need for annual training. According to the Verizon 2015 Data Breach Investigations Report, almost 30 percent of data security incidents were due to human error. Persuaded yet?
This could be the subject of an entire article, but just take our word for it. The security of third-parties that have “hooks” into your network is critical for you to understand. Just ask Target, which got compromised because an HVAC contractor was breached and it had administrator access to Target’s network. Make sure you understand vendors’ information security and don’t permit them to have access to any data they don’t need. A vendor management policy is now a key law firm policy. If you don’t have one, this too should be high on your priority list.
We recently read the white paper “Breach Preparation: Plan for the Inevitability of Compromise.” It occurred to us that lawyers are very resistant to that idea, are sometimes worried about cost, or maybe are just burying their heads in the sand and hoping that no bad guys zero in on them. While a data breach is indeed a nightmare, you are far more likely to survive it if you have a plan. This is not the time to be sanguine that you can survive hacking attempts when so many mighty entities have fallen victim to such plots. Complacency and inaction are not your friends. Lawyers love risk management. The surest pathway to data breach risk management is to be prepared.
SHARON D. NELSON and JOHN W. SIMEK are the president and vice president at Sensei Enterprises, a digital forensics, information security, and legal technology firm in Fairfax, Virginia. They can be reached at (703) 359- 0700 and email@example.com. This article was reprinted with permission of the authors.