Introduction

INEVITABLY, WHEN WE LECTURE on information security to lawyers, they describe themselves as being scared—usually because they had no concept that there were so many bogeymen to be afraid of. Sometimes, lawyers are frightened into absolute inertia and simply leave data security to whomever provides their information technology (IT) support.

We embarked upon this book hoping to make security a little more approachable. There need to be some technical explanations of course, but we’ve tried to keep the technical stuff to a minimum so that the average attorney can genuinely understand the security demons that are out there and how to defend against them. Forewarned really is forearmed.

This is not a DIY sort of project, especially if you’ve suffered a security breach. We make no attempt in this book to document the myriad steps that a professional information security expert would take. Our objective is to teach the data security basics in language that can be readily understood by lawyers. If you’re in over your head, you’ll hear us advise you again and again to seek professional help. Even among those who called themselves experts, there is often a shocking knowledge shortfall or a failure to keep up with current developments, which happen with dizzying speed!

One of the greatest difficulties of information security is that it is a moving target. The landscape changes so quickly that last year’s (and sometimes even yesterday’s) knowledge is woefully inadequate to combat today’s threats. “Eternal vigilance” is absolutely required for those of us who deal with data security issues.

Still, there are guiding principles that remain largely the same. We have tried to break information security down into digestible segments, knowing that some attorneys will pick up this book with concrete questions about specific security areas. Common questions we hear include:

1. What constitutes a strong password today?
2. How do I secure my smartphone?
3. Do I need to encrypt my laptop?
4. Can I safely use my laptop at Starbucks?

If your interests are narrow, you should be able to find what you’re looking for by scanning the Contents. We would urge lawyers, however, to take a broad interest in the security of data because they have, unlike the general public, a professional and ethical requirement to safeguard client data.

Although lawyers are all aware of ABA Model Rule 1.6 (and we have an entire chapter on an attorney’s duties to safeguard confidential data), the trick is how to keep client data secure in the digital era. It isn’t easy. The paper world was much simpler to lock down. Computer security is expensive—and it takes time to understand it—and you will never finish learning because threats and technology morph constantly.

Are lawyers abiding by their ethical duty to preserve client confidences? Our opinion is that many are not. Here are a few reasons we hold that opinion.

• Security expert Rob Lee, a noted lecturer from the security firm Mandiant, has reported to us that Mandiant spent approximately 10% of its time in 2010 investigating data breaches at law firms.
• Security expert Matt Kesner, who is in charge of information security at a major law firm, reports that his firm has been breached twice—and that he is aware that other law firms have suffered security breaches—and failed to report them to clients.
• We have never performed a security assessment at a law firm (or for that matter, at any kind of business) without finding severe vulnerabilities that needed to be addressed.

Why do many otherwise competent lawyers fail so miserably in their duty to maintain the confidentiality of client data? Here are some of the reasons.

• Ignorance—they simply need education.
• The “it can’t happen here” mentality. This is flatly wrong. Even the FBI issued an advisory in 2009 that law firms were specifically being targeted by identity thieves and by those performing business espionage—much of it originating from China and state sponsored, though of course the Chinese government has vehemently denied involvement in such activities. Matt Kesner, mentioned earlier as an expert, reports that the Chinese don’t bother using their “A-level” hackers to infiltrate law firms; their security is so bad that the rookie “C-level” squads are able to penetrate law firms.
• According to press reports, lawyers and law firms are considered “soft targets”; they have high value information that’s well organized and frequently have weak security.
• It’s expensive. And it is. Protecting the security of client data can present a big burden for solos and small law firms. This does not take away a lawyer’s ethical duty, however, and it is one reason the authors lecture so often on computer security. Once a lawyer sees the most common vulnerabilities, he or she can take remedial steps—or engage an IT consultant to do those things that are beyond the lawyer’s skill.
• The need for vigilance never stops. You cannot secure your data once and think you’re finished; the rules of information security change on close to a daily basis. Certainly, someone in the firm needs to keep up with changes on a regular basis or the firm needs to engage a security consultant to do periodic reviews. The standard advice is that security assessments need to be done twice a year. While that is desirable, it is in our judgment mandatory that assessments be conducted at least annually.

In the paper world, keeping client data confidential was easy and cheap. In the digital era, abiding by this particular ethical rule is often hard and expensive, but it must be done. We hope this book takes some of the “hard” away and also helps lawyers understand how many inexpensive steps exist to protect data without breaking the bank.

Often, this subject seems so dense and unapproachable that lawyers have the Ostrich Effect and simply bury their heads in the sand. Brian Ahern of Ahern Insurance Brokerage reported in 2011 that law firms are ranked ninth in terms of organizations with the highest risk of cyberexposure. As previously mentioned, even the Federal Bureau of Investigation warned law firms in November 2009 that they were increasingly becoming the target of hackers.

In the American Bar Association’s 2011 Technology Survey, 21.1% of large law firms reported that their firm had experienced some sort of security breach, and 15% of all firms reported that they had suffered a security breach (Appendix A).

You would think that the magnitude of those numbers would be a wake-up call to the legal industry, but security always seems to take a backseat at law firms. In part, law firms are not used to budgeting for information security, and yet that is clearly mandated in a world where technology rules us all. The crown jewels of law firms are their electronic files, and yet many law firms guard them sloppily.

For years, we’ve been warning lawyers that it’s not a question of whether law firms will become victims of successful hacking attacks; rather, it’s a matter of when. We pointed to incidents of dishonest insiders and lost or stolen laptops and portable media, but there were not disclosed incidents of successful hacking attacks. As the preceding examples show, we’ve now reached the “when,” and attorneys and law firms need to address it.

We have set out in this book to provide practical advice in a condensed format. We hope that sharing some of the infosec “war stories” by way of examples will serve to make a business case for genuinely focusing on information security on a regular basis and, depending on the size of your firm and your area of practice, making sure that sufficient funds and time are allocated to protecting your firm’s data.