The recently released United Nations Global Compact-partnered project report 'Global Opportunity Report 2017' [1] has stated that in an ever more connected and digitized world, the threat of cybercrime is becoming increasingly important to address. Digital technologies are certainly providing great developmental prospects for our daily operations but are also increasing the threat of outside entities breaching secured and private systems and therefore highlighting the critical need for having a secure digital infrastructure in place.
Yahoo recently declared that hackers stole data on around 500 million users [2], and in December 2016, The Wall Street Journal reported that hackers successfully targeted the computer networks of some of the world's most prestigious law firms. [3] These security breaches have amplified the legal industry's vulnerability. Such incidents show no signs of stopping and may facilitate illicit activities, such as insider trading; affect public confidence in the profession; and, in some cases, spark allegations of misconduct.
The Law Firm Risk Profile
It is crucial that the legal profession understands and addresses cybersecurity risk. This means that cybersecurity cannot be written off just as an IT issue. [4] Rather, it is a risk that requires attention and engagement at every level of a law firm's business.
The consequences of a law firm cybersecurity breach may be severe. Risks may include:
financial loss to the firm's clients, third parties and the firm;
reputational damage to the firm's clients, third parties and the firm;
damage to the reputation and standing of the legal profession;
in some cases, damage to economic infrastructure or threats to national security;
possible questions of professional misconduct or failure to meet the minimum statutory standards for data protection.
Law firms are attractive targets for those who would steal digital assets, as they handle a high volume of concentrated, sensitive and valuable information. Law firms tend to store the most important and valuable client files. It is faster to find these files in a law firm than by searching through all of the information on the client's server. [5] Law firms also offer the potential to access the valuable information of numerous clients at once. Law firms electronically store:
intellectual property, such as trade secrets or draft
financial account details;
inventories of assets;
IPO or M&A details;
a wide variety of personally identifiable information of clients or third parties.
What do lawyers/law firms need to know?
Lawyers and law firms must not entirely assume that their IT department will protect them from cybersecurity risk, or that their firm is too small to be attacked by hackers. As a start, lawyers should know:
what information their law firm stores;
where it is stored;
how information is separated out within the firm;
what technical, physical and administrative protections are in place;
what is required to maintain the integrity of those protections.
Most security breaches occur as a result of human error [6] of some kind and therefore lawyers should have a sense of vigilance and an understanding of data security risk. For example, lawyers should understand the risks of opening email attachments and using USB sticks, and ways to spot issues such as unauthorized access or a misbehaving infected computer. [7]
What do lawyers/law firms need to do?
For lawyers in management positions in medium and large firms or even solo practising lawyers, executing a suitable internal cybersecurity framework will involve activities such as:
a) preparing an inventory of the digital assets in the firm;
b) providing training and education to legal and administrative staff;
c) conducting periodic cybersecurity risk assessments;
d) developing security strategies and controls. This should include separating out information so that lawyers and staff can only access the information that they need to, thereby reducing the threat of current or former employees intentionally or otherwise breaching the firm's cybersecurity defenses;
e) developing an incident response plan, including understanding any reporting obligations;
f) implementing oversight of external business and third-party service provider arrangements;
g) conducting ongoing monitoring and analysis, which is required to maintain the level of security and detect breaches if they occur.
The 2013 Trustwave Global Security Report revealed that in 2012, nearly two-thirds of businesses that became aware that they had been the subject of a cyber attack took over 90 days to discover the breach, with nearly a fifth of firms taking over one year to discover the attack. The value that lawyers intuitively place on confidentiality and privacy will need to make room for monitoring and analysis of computer systems and communications. [8]
The protection principles – prevent, detect, react and deter – are always effective for incident management and timely communication of security events associated with information systems.
Scope and role of legal profession
The global legal profession needs sector-oriented assistance. Cybersecurity is an issue that calls for the profession to act collectively to raise awareness and provide education, training and other resources. It is essential for the legal profession to encourage lawyers and law firms to conduct a cyber-readiness test and ensure that a specific cyber-incident response plan is in place. A proactive approach is equally important for in-house counsel working in companies.
As an initial step, management must take a leadership role in promoting attention and vigilance at every level of a law firm's business. However, addressing this issue will be resource intensive, and many lawyers and law firms will benefit from assistance. Moreover, in many key jurisdictions (e.g. USA), lawyers' professional ethical obligations of confidence, competence and protecting property in their trust require a risk management approach tailored to the legal profession.
It will be important for bar councils like the Bar Council of India and bar associations and perhaps international organizations such as the International Bar Association (IBA) to raise awareness and provide education, training and other resources to assist lawyers in their jurisdictions and practice settings to protect their valuable digital assets. There is a role for these organizations and statutory bodies to assist lawyers to achieve adequate standards of cybersecurity and to ensure that the unique position of lawyers is also accommodated in prospective legislative responses to this cyber-risk.
Footnotes:
1. 'Global Opportunity Report 2017' released on 24 January 2017 in Oslo (Norway), available at http://www.globalopportunitynetwork.org/report-2017/.
2. Yahoo Security Notice 22 September 2016, https://help.yahoo.com/kb/sln28092.html.
3. 'Cyber Hack Exposes Law Firms' Weak Spots', The Wall Street Journal (29 December 2016), http://www.americanbar.org/content/dam/aba/images/law_national_security/Cyber Hack Exposes Law Firms’ Weak Spots - WSJ.pdf.
4. Solicitors Regulation Authority (SRA) England and Wales, Spiders in the web: The risks of online crime to legal business (March 2014), 3.
5. Ed Finkel, 'Cyberspace Under Siege' ABA Journal (1 November 2010) www.abajournal.com/magazine/article/cyberspace_under_siege.
6. Steve Ragan, 'Law firm says human error to blame for client breaches in 2014' CSO (18 May 2015) www.csoonline.com/article/2923023/disaster-recovery/law-firm-says-humanerror-toblame-for-client-breaches-in-2014.html; Blanchard and Blake, n 16 above.
7. Canadian Bar Association, 'Guidelines for Practicing Ethically with New Information Technology', a supplement to its Code of Professional Conduct (2014) www.cba.org/cba/activities/pdf/guidelines-eng.pdf.
8. Jill D Rhodes and Vincent I Polley (eds), The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (ABA Publishing 2013), 27.
Disclaimer - The views expressed in this article are the personal views of the author and are purely informative in nature.
Senior Legal Advisor, International Bar Association
Anurag Bana is a Senior Legal Advisor with the Legal Policy & Research Unit. He is a qualified lawyer from India with a postgraduate BCL from the University of Oxford. Anurag has previously undertaken a Supreme Court of India judicial clerkship with Justice N Santosh Hegde. He has worked as a legal practitioner in New Delhi in consumer and contract law matters. He has also worked with the Patents and Trademarks Department of Skoda Auto (Volkswagen Group) in Czech Republic providing legal advice on IPR matters in their product launch in India. At the UNCITRAL Secretariat, United Nations Office in Vienna, he contributed as a legal researcher on the Indian infrastructure and procurement laws as a part of a project drafting the Model Law on Public Procurement. He currently leads a pilot project for the Bar Issues Commission to optimise existing IBA legal instruments and resources with global bar organisations. In addition, he manages different international projects in the areas of social media law, digital identity law, information governance, international pro bono and regularly comments on the legal profession. In 2013, Anurag was appointed as the Chair of the IBA Social Media Working Group that developed the IBA International Principles on Social Media Conduct for the Legal Profession adopted by the IBA in 2014. He is a member of the informal expert group of the UNCITRAL Working Group IV (E-Commerce). He also represents the IBA at the UK Attorney General’s International Pro Bono Coordinating Committee meetings. Anurag has published and presented several specialist papers on digital assets, social media law, data security risks for the legal profession, online gambling, expropriation of IPRs in plain-packaging of tobacco products, and on international attorney-client privilege and confidentiality under the competition law of India. 
He is a founding member of the Chinese European Legal Association (CELA), a steering group member of the India Committee of the American Bar Association’s Section of International Law, member of the Commonwealth Lawyers Association and a life member of the Oxford Union Society.