According to a recent ABA opinion, every attorney is responsible for data security no matter who handles the IT at a firm. To find out just what that means, we spoke with John Verry, Managing Partner of PivotPoint Security. In our webinar, “Data Security Basics for Law Firms,” we answer some of the most commonly asked data security questions and concerns, along with tips on how to limit risk and ensure proper data protection.
Below is an excerpt from this webinar, which was in an Ask Me Anything (AMA) format:
CosmoLex: So, we’re going to go ahead and jump right in and take our first question: what are some data security policies that all law firms should have in place?
John Verry: So, one that’s really more important than it used to be would be an incident response plan. This would be one of the first policies that I would recommend that a law firm looks at. That’s because, as of last fall and ABA Opinion 483, part of the ethical responsibilities of a shareholder or of an attorney is ensuring that an organization has a breach response plan in place to address that unfortunate incident that none of us want to actually have to occur. That would certainly be one place I would start if you have nothing in place.
The challenge with starting with an incident response plan is, ideally, you’d have a few other policies in place that an incident response plan is typically built off of. You might want to look at things like “acceptable use” to ensure that all of your attorneys understand how they can and should use your computing resources.
CL: So do you think that two-factor authentication – 2FA – is a must at law firms?
JV: That’s a good question. So if you are a law firm that is embracing the cloud—if you’re using Google Docs, if you’re using Office 365, if you’re using Net Docs—I think, two-factor authentication is nearly a must. It certainly is a must for the administrative-level accounts.
We’re seeing a rash of what are referred to as account takeovers. Someone will social engineer through phishing, or through sniffing traffic at a coffee shop or some other nefarious means, and they’ll gain the administrative-level access into a cloud-hosting application. Then they’ll use that access for nefarious means, to gain access to client matters, and the information they’re in. I would argue that it’s a must for all accounts.
CL: Another follow-up: So I know that a lot of law firms are doing this nowadays, the bring your own device (BYOD) sort of thought process. Any thoughts on that from this perspective?
JV: Yeah, BYOD is a challenge more so in law firms than most organizations. In most law firms, where you’ve got partners or shareholders, many have strong opinions on what they want to do and many of them don’t want to give up their personal devices and just want to carry one device. So most law firms do have some form of BYOD in place.
The challenge is that the accounts—the Apple IDs, the Apple accounts, the iCloud—are typically controlled by the attorney, and they’re often using applications to simplify their practice of law that are being synchronized to the cloud.
So as an example, we’re working with a law firm that does PI, personal injury work, and the practice lead uses a scanner on his iPhone for all of the medical records and sensitive information during intake of a new client. Of course, that’s being synced to iCloud. You do need to account for those types of risks and ensure that you’re managing them effectively.
If you do that with a good form of mobile device management in place and you’re accounting for those two things, I think you can do BYOD in a relatively safe way.
CL: That leads into the last follow up for this: what kind of password requirements should I have for my staff? Aside from just the simple requirements of these applications. I know that some applications have very, let’s say, less than stringent requirements.
JV: Yeah, so the answer to that has gotten a little bit more complex than it used to be. The classic answer for years was eight or more characters, a mix of upper case, lower case, numeric, etc.
The most recent guidance from NIST, and I actually agree with their guidance, is that longer is better. And the reason is that it’s getting relatively inexpensive to build bots that crack passwords very rapidly. In our office, we have a bot that cracks some inordinate number of passwords per second. If I remember right, it’s something like six quintillion per day or something nutty like that.
So, any eight-character passwords someone can construct we can crack in just about 12 hours. So length is more important than complexity now. That surprisingly includes your personal email address. If you think about it, that’s where almost all of your password reset mechanisms go to. So if I’m able to gain access to your personal email account, I can reset the passwords on your banking account, on your Amazon account, a Netflix account, on any account that I want.
The other thing, too, is the website called Have I Been Pwned? That’s something that you should have your email address registered in so that in the event that your email address is compromised, you’ll have an awareness of it and you’ll know that you should be thinking about changing your passwords.
CL: Just one follow up from my standpoint, is password management. I know that CosmoLex, for example, uses a password management system to have more lengthy, more secure passwords. Do you suggest something like that?
JV: I think it’s almost a necessity these days. I recently did an audit of my passwords. I’ve got over 300 passwords now. It’s impossible to remember 300 strong passwords.
So you almost need to use a good password management tool. We use LastPass Enterprise version here at Pivot Point Security. We think that’s a good one. A lot of our clients actually use it.
Not only does it give you an ability to use very complex passwords and not need to remember them, but it also gives you an ability to share accounts and passwords. We use LastPass to securely share those credentials between those two people.
CL: Yeah, I think there are benefits to that. And we do the same—we use 1Password here. But I think the benefit to that is that it also allows for good access control. Simply writing your password down on a piece of paper and then giving it to the person is far less secure than, say, a system where they don’t ever actually have access to that password. They can never write it down or save it or share it or something along those lines.
So moving on, question two: Is the cloud acceptable/secure for law firms?
JV: Absolutely. If it’s done well, I think you could make an argument that the cloud is more secure than most law firms would be. So it’s all about ensuring that security and that’s done through a practice you might have heard of called “vendor risk management” or “third-party risk management.”
As long as you’re gaining assurance that the entity that you are sharing data with or using to provide services is secure, and you do that through vendor risk management, we’re in good shape. So as an example, NetDocuments is a very popular document management system that’s the root of many organizations. CosmoLex is an online practice management software for law firms. As long as the third party has the appropriate security in place, you’re gonna be in pretty good shape in most cases.
CL: I totally agree and I suggest reading things like subscription agreements and security-related pages. I know that we have one and I know that a lot of other practice management software in our same space has that just to make sure that everyone’s on the same page.
JV: I would say that unless you are a mid-tier or larger law firm—let’s say one where we’re talking hundreds of partners—the likelihood that you’ll actually be more secure than a well-funded, well-intentioned cloud-service provider is probably not high. I’d say, in most cases, that the cloud service probably ends up being more secure.
CL: Fair point. Another question from one of our followers as we continue: we are moving our data to the cloud—how does that change how we manage our information and security risk?
JV: There’s an old adage that you can outsource the service, but you can’t outsource risk.
So at the end of the day, the risk associated with critical information and, from most firms’ perspective, that would be considered legal matters, like the risk associated with disclosure, associated with breach—which would be loss of reputation, loss of client, perhaps litigation and fines—you’re not outsourcing that risk. You’re just outsourcing the data. So you still have a responsibility to ensure that you’re managing that risk effectively, and the way that you manage risk with a third party is through what’s referred to as vendor risk management, third-party risk management.
CL: I know that a question that we get asked a lot is, for example, server location. It seems to be a hot-button issue. Is that actually something that they should be concerned with in the long run?
JV: It depends on the type of legal services that you’re providing and who you’re providing said services to.
Increasingly, as we move to a world where information security and privacy blend and as privacy becomes more relevant, this will become increasingly an issue. The only reason it’s an issue now is if you’ve got third parties and your clients are giving you what is referred to as DPAs, or data protection agreements, and they’re asking you to conform with Privacy Shield or GDPR, or there’s a new law coming into play in California called CCPA, California Consumer Privacy Act.
CL: So, along that same vein, is there any one, or maybe two, specific questions that they can ask? They can hire someone like yourself, but if they are trying to do that research themselves, do you think there are one or two questions that they can start with?
JV: Yeah, so if you don’t have the bandwidth to do a robust verification of somebody’s security posture, the easiest thing to look for is if they have what is referred to as “third-party attestation.”
So that is, that they’ve paid an independent, objective third party to come in and audit them, and that’s willing to say “yep, they’re secure.” The most common forms of attestation that you would look for are ISO 27001 certification or a SOC 2 Type 2 Service Orders report. If an organization has one or the other, that’s usually a pretty good indication that they’re going to be secure.
CL: The perfect lead-in. So what is ISO 27001? Does my firm need to be certified?
JV: ISO 27001 is an international standard that is a recipe for managing information-related risk.
So from a law firm perspective, I think this is a dual-facing issue. So many law firms have chosen to become ISO 27001 certified and they range all the way from top five Am Law type of firms, all the way down to some firms that are small as 10 partners that have gotten ISO 27001 certified. I think most firms that are getting certified are probably somewhere between 100 attorneys and three- to four-thousand attorneys.
ISO 27001 is a way to demonstrate to your customers that you’re serious about information security. You’ll often see this if you’re going to do work in the banking industry or if you’re going to do work for healthcare organizations, if you’re going to do work for technology firms like Oracle or Microsoft, you’re going to see a security questionnaires from them that say, “Hey, prove you’re secure. Do you have one of these certifications?” So that’s why a firm might get ISO 27001 certified.
CL: A side question that we often get is the document management HIPAA compliance. Do you have any vendors that you think are best for that? I know the ones that straddle the line between personal and business, like Dropbox and Box, are good examples of what a lot of smaller law firms use.
JV: So, again, you might have an in-house document management system, you might be using an outsource, like NetDocs, an online document management system, or you might be using CosmoLex’s document management capabilities. Whatever you’re using, in any case, it’s absolutely possible for someone like us or another equivalent information security body to be able to review your practices and help you determine whether or not that system or your organization is HIPAA conforming.
People use the term “HIPAA Certified.” It doesn’t exist; there is no HIPAA Certification. The best that somebody can say is that they conform to the requirements of HIPAA. Any appropriately qualified entity can review your information security practices, compare them against the HIPAA standard, and render an opinion as to whether or not you do that. Then we can issue what we call a letter of attestation that says that we reviewed the design and operation of firm X and we found that their operations fully conform with the requirements of HIPAA, for example.
CL: That’s a great explanation because that is a super common question and I think, like you said, it’s not even a real certification and they don’t really know that.
So is it better to manage my own server and security system or rely on the technology provider?
JV: The answer would be: whichever is going to give you the best balance between being secure and being efficient and cost-effective. And I think that differs for different organizations. If we go into some larger firm, there’s going to be a combination of those two. I think in most organizations, we’re seeing a mix. If we go down to smaller firms, they’re going to be more likely to initially start that with a very technology-literate partner or shareholder in the entity, or they’ve got a good relationship with an outsourced service provider. And then I think most organizations tend to migrate to a model where some percentage of that is mixed.
CL: A follow-up to that would be that a counterpoint that we receive when we talk about the cloud is “I feel much safer that I’m managing my own server.”
I don’t know what your feelings are, but I feel like a physical penetration—someone going into their office installing a device or simply putting a USB into an open port—something like that is just as likely as a large scale data breach from a technology provider.
JV: Yeah, I would agree. I think in most instances, if you do a good job of a basic level of vetting of the third party before you choose to work with them, you can end up in a higher security posture, easier, and quicker. What I do see as a challenge with organizations is they think “wow, I’m getting rid of my document management system, moving to a cloud-based document management system—okay, I’m secure.” Well, no, you’re not. You can’t rely on that third party because that data is still coming back down and living on your laptops and on your local area network.
So you have to understand that security is always going to be a joint venture because, whether or not that third party is hosting your data, that work product is going to end up on your local systems. That work product is still going to be transferred to your clients through some other application, whether it’s email, whether it’s NetDocs, Dropbox. So I think it’s important that people understand that even though you’re using a third party, you still have significant responsibility for the security of that data.
If your machine is compromised because you clicked on a phishing email and someone gains admin-level access on your desktop, they can log into those systems as you. So, despite how strong the security posture might be of the cloud service provider, your lack of security rendered that meaningless.
CL: So question five: what kind of backups should I have for my data?
JV: Recent ones and complete ones. One of the nice things about working with cloud service providers like CosmoLex and people of that nature is the fact that the data backup issue is being handled on your behalf. And data backups are a really critical issue in law firms because of ransomware.
You guys have seen the cases of the city of Atlanta, or the healthcare system in San Diego, where somebody gets ransomware onto someone’s machine through a phishing email, someone clicking on a bad link, or opening a document they shouldn’t open. And then what the malware will do is attempt to propagate across the entire network and lock up every file that it can. Then it’ll demand extortion from you to retrieve the key to unlock all those files. In some cases, they’ll actually give you the keys, and in some cases, they actually will not give you the keys. The way to make ransomware unimportant if you did get infected would be that for those locked files, you’ve got recent copies of them, so that way you can just recover those and not worry about the locked files.
So what kind of backup should you have? Ideally, most organizations will have some form of off-site backup where they’ve got, ideally, a daily backup of each of those files. That’s relatively easy to do now, either through just the software that comes installed in most systems or using an online backup system.
CL: Yeah, I think the most important key point there is off-site. I know that I hear it a lot when someone says, “I back up my system all the time,” and my follow-up question always is, “where do you keep that backup?” And they say, “my office, of course.” So off-site is the biggest takeaway from that.
JV: Yeah, off-site is an important issue for sure.
CL: Question six: what is the most secure way to share sensitive communication/files with a legal client?
JV: There are a number of ways that are relatively secure to do that. A lot of people are using tools which are built onto their email platform. So, as an example, you can use something like Mimecast, which you can layer on top of Office 365 if that’s what you’re using.
We see a lot of law firms using tools like SharePoint, Citrix ShareFile. Another common one, Enterprise Box, is very big. These are relatively secure ways of sharing files, especially if you’ve got a persistent need to do some form of beyond sharing or collaboration.
If it’s simply a matter of getting a file to a client on occasion, then a couple of things that you should do is ensure that your mail server has something called “Opportunistic TLS” turned on. What that will do is ensure that the data stream is encrypted between you and another mail server that has TLS enabled. And then, contractually obligate your clients to turn on TLS if you can. That way you know that email going to them is encrypted and it can’t be intercepted by somebody. I would still recommend that if you’re doing that, even if you’re using the Microsoft Office Suite of products, you also password protect the document.
What I would encourage you to do is not to send the password in the email. Because what you’ve done then has made it easy: if somebody had compromised that email system, they got the document and the password.
If I was going to send you something that was encrypted, I would send the file protected and then I would text you or leave you a message on your voicemail with what that password was. So I knew that in order for someone to compromise this protection, they’d actually have to compromise two modes of communication, which would be very unlikely.
CL: Now, you talked a lot about email, but you did bring up text messages at the end. Text messages: a secure way of communicating with clients or one of the unsecured ways of communicating with them?
JV: That’s a really interesting question, and it’s the same question you get with fax machines. Is a fax machine a secure way to communicate with a client or not?
I would say that a text message for out-of-band communication to transfer a password or to send some simple information, I’m fairly comfortable with that. In order for somebody to compromise that, they’ve literally got to get their hands on that person’s device and in most organizations, the device is protected by passwords, so it’s a fairly secure way. I wouldn’t rely on it, but I wouldn’t hesitate if it was something simple and not overly significant.
CL: Following up on that email portion of things, and I think this is a great topic—is there an easy way to tell if an email is safe or from a legitimate source?
JV: So you’re into an area that I would highly encourage even the smallest of firms to spend a little time on, that security awareness education.
90% of breaches occur through some form of social engineering, and the vast majority of social engineering is initiated through email. So what you really want to make sure of is that anyone who works in your firm has some level of awareness and knowledge about the concepts of phishing. You can find online training tools from a wealth of sources, and they’re relatively inexpensive relative to the value that they provide. You want to get them to a point where they have a basic level of understanding of how to identify phishing emails.
We have 10 tips we send to clients that you can follow, and we’ll send that out after. But simple tips are always hovering over a hyperlink with your mouse before clicking on it. When you do, you’ll see a box pop up, and you want to look to make sure that the link that’s embedded is actually the link that you think you’re going to.
And then other tricks, things like, as an example, an inordinate percentage of your everyday email is not about money. But, yet, an inordinate percentage of phishing or malicious email is, and just getting that thought in your brain is important. We give some tips on how to recognize return addresses that might be not truthful.
Always look to see what percentage of the emails that are legitimate emails to you from people that you recognize. Emails that start with, “Josh, hey, I was thinking we should do this.” And then if you look at malicious emails, 11% don’t include your name in it. They might say, “Friend” or they might not have a greeting.
CL: One follow up for sure is that, and I know that the situation that happened in our office before is you fall for it and you click the link, you enter your password; what is the best next course of action that you should take, assuming you’ve realized that you’ve made that mistake?
JV: That’s what an incident response plan is about. What do you do when something bad happens and how do you recognize that? An incident response plan tells you that.
As an example, if you’re in an office with 20 people, the incident response plan would tell an individual what they should do when they click on something and who they should report it to. Should they turn off their machines? Should they disconnect from the wall? Should they disconnect from the wireless? What are those steps? And they differ in different circumstances.
So, generally, if you click on a link, the path is a little bit different depending upon whether or not you think you’ve got good security practices in place.
As an example, do you have good, what’s referred to as, “patch management practices”? So, have you loaded your Tuesday patches from Microsoft? Do you patch things like Google Chrome or Adobe?
If the answer to that is no, that would be a concern.
If you’re not sure, you could make an argument for turning off the machine, you could make an argument for disconnecting it from the wall or disconnecting it from your wireless network. That’s a good way if your machine is infected to prevent that infection from moving to other machines. And then at that point, what I probably would do is try to engage some IT-literate person who would have the wherewithal to determine whether or not some form of malware has gone on to the machine.
The good news is, in a lot of the recent news, we’ve seen a lot less ransomware and a lot more crypto-mining software. So the good news is that you’re not getting hurt by it directly. The bad news is that they’re consuming your resources and eventually burn out your systems by actually mining a cryptocurrency using your system.
CL: So I guess the best sort of follow-up question to that is the incident plan that you mentioned, do you think that there’s a size of law firm that should start worrying about that or do you think that every business essentially should have that incident plan in place?
JV: So even if it’s not a super formal, documented incident response plan, do you really want to be in a panic situation trying to figure out what you should do, or do you want to know what you should do before this situation occurs? Literally minutes, seconds matter at that point in time. It doesn’t have to be anything super fancy; you don’t have to spend tens of thousands of dollars. You can go online and find something simple, but you want your people to know what to do if something bad happens.
I’ll go a step further: ethically, according to the ABA, you have an obligation to do this. ABA Opinion 483 says this. So yeah, I think you need one.
CL: Yeah, I totally agree. Obviously, I may not be a security professional, but I know that for any small business or a large business it’s critically important to know what to do and at the right moment in time. Seconds matter, like you said.
Now, one last question: what’s the best way to test the overall security of my firm?
JV: There are lots of ways to do that. I think that obviously, it does depend on risk, but what I would say is that if I were someone who wanted to cost-effectively assess my security, I would start with something called a “vulnerability assessment.”
You can do a penetration test. Most people are familiar with that, but a penetration test has two components: a vulnerability assessment and a penetration test. The vulnerability assessment portion of it assesses whether or not, either from the internet or from inside of your network, whether or not those systems are vulnerable to any type of potential attack. The penetration test part attempts to exploit that and gives you a measure of how likely it is that those vulnerabilities can be exploited and if they are, what would the impact be? So, do I get to take information on which employees have taken vacation or do I get information regarding your M&A practice and I know about a big deal that’s going to happen?
The other thing you can do is you can actually take what’s called the “credentialed vulnerability assessment” from the internal perspective, and that can give you an idea whether their systems are configured in a manner which is HIPAA compliant. And then if you chose to do the penetration test, especially an external penetration test, that can be used as a form of attestation for your client. So if you do have clients that are saying, “How do I know you’re secure?” you can say, “Hey, we had a penetration test done and we held up.”
So that would be the starting point. And then from there you can get more robust and do things like gap assessments against good practices like ISO 27002. But that gets more expensive.
CL: Awesome, thank you so much, John.
Most lawyers aren’t IT experts and data security can seem daunting, but having a basic understanding of how to handle common scenarios and prevent data breaches can go a long way toward fulfilling ethical obligations of client confidentiality and data protection.
For the complete interview and answers to even more data security questions, check out the full webinar: “Data Security Basics for Law Firms.”
See more of our Ask an Expert webinar series.