Attorneys are often exposed to risk simply because they do not possess a data breach response plan.
Data breaches have become all too common. According to the FBI, hundreds of law firms have fallen victim to data breaches committed by hackers. Data breaches range from the theft or loss of laptops or mobile devices to intrusions into a law firm’s network, which may contain files a year old or older.
Attorneys have an ethical duty to take reasonable steps to protect client information. They also have an ethical duty to inform clients if there has been a breach of client data. To comply with these duties, attorneys must establish information security programs, including incident response plans (IRPs). Those who have taken steps to prevent a breach, and have prepared for the event that one occurs anyway, will survive and suffer less damage.
Maintaining data security
In the past, the focus of law firm security was on preventing cybercriminals and hackers from infiltrating firms’ data. Initially, firms installed anti-virus software, ranging from the very basic to the more advanced, and then anti-malware security suites, next-generation security appliances and other technical defenses.
However, even as defensive software has advanced, would-be hackers have grown more adept at accessing data. As a result, “detect and respond” is the new catchphrase in cybersecurity. Although detection and incident response have been essential aspects of information security for years, they are now nearly as important as protection. According to Gartner, a premier technical consulting firm, by 2020, 75 percent of all businesses’ information security spending will be earmarked for detect-and-respond methods, up from less than ten percent in 2012.
Identify, protect, detect, respond and recover
Identify, protect, detect, respond and recover are the core functions of the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, issued in February 2014. The objective of the framework is to secure critical infrastructure and drive improvements in cybersecurity programs.
While “identify and protect” apply to the beginning stages of cybersecurity, “detect, respond and recover” have emerged as the new focal point of security against breaches. Responding is particularly challenging if you are unaware that you have suffered a breach at all: the typical victim has been breached for seven months or longer before the breach is discovered.
The Incident Response Plan
Advance planning is key to getting ahead of any threat, and that planning takes the form of an Incident Response Plan (IRP). An IRP is frequently directed toward data breaches, but these plans also cover incidents such as ransomware, attempted hacks, access to data by an insider without permission, and the theft or loss of a laptop or mobile device.
While the majority of large law firms have implemented such plans, many smaller firms have not. Increasingly, clients and insurance companies are requesting to conduct a review of law firms’ IRPs. Due to the rising prevalence of data breaches, now is an opportune time to establish and carry out a plan or revise an existing one so that it is up-to-date.
It is best not to use a template IRP. While you can start with a template, be aware that no two law firms are exactly the same, and each has a different business process, network infrastructure and data. An IRP should be tailored to suit the firm. The size of the plan is likely to correspond to the size of the firm.
Want to learn more about Incident Response Plans? Check out UC Berkeley's Incident Response Planning Guideline.
Components of an incident response plan
It is recommended that law firms identify the functions mentioned in the IRP by position title rather than by an individual’s name, because people may leave for other positions. A law firm’s team may consist of all or any of the following: management, IT, compliance, information security, marketing, human resources and other departments as needed. In the event a breach occurs at night or on a weekend, it is important to have a conference call bridge line set up in advance. The plan should contain contact information, including home and cell phone numbers and personal and work email addresses. The list will have to be updated on a regular basis as people join or leave the firm.
1. Hire a data breach attorney
It is recommended that law firms secure the contact information for a seasoned data breach attorney. Several large firms now have departments that focus on security and data breach response, and some smaller firms are directing attention to this area. It would be unwise to think that you can manage security and data breach response without the help of an attorney who is versed in data breaches. Under the attorney-client privilege, the data breach attorney may be able to safeguard a large amount of information relevant to the breach investigation.
Moreover, make sure that you know where to find your insurance policy, which should provide coverage for data breaches. Make certain that you have coverage, and are in possession of the insurer’s contact information because you will have to call your insurer immediately should you become aware of even a potential breach of security.
2. Contact law enforcement
It is a good idea to have the contact information for law enforcement, such as the FBI, which is frequently the first party contacted in data breach cases. Additionally, secure the contact information for the digital forensics consultant you would like to have investigate the cause of the breach and provide a remedy.
3. Contain and recover
It is recommended that the IRP include a section on containment and recovery from a breach. A law firm that has suffered a breach is at greater risk of being breached again, or of suffering an ongoing breach. This could be because the breach has not been completely contained, or because the hacker has uncovered areas in which the law firm is not fully protected and that can be exploited at a future date.
Find out what data has been compromised, or potentially compromised. Also, determine whether all data was encrypted while it was being sent or stored; if it was, this may diminish the burden of notification. You should also identify any personally identifiable information (PII) or other sensitive information that could have been compromised.
4. Preserve information systems
Identify and safeguard the system logs for your information systems. Be sure to turn on logging functions and retain logs before any breach occurs. If you have intrusion detection or data loss prevention software, preserve all system logs from that software and give them to your investigator. If you do not have any such software, you may wish to consider acquiring it in order to secure the data for your law firm. Also keep your bank’s contact information on hand in case your banking authorization is compromised.
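As an added illustration of the log-preservation step (example code, not part of the original article), the following Python helper copies the log files an investigator will need, records a SHA-256 digest and size for each in a manifest, and later confirms that the preserved copies are unchanged; the directory layout and log lines are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_logs(log_dir: Path, evidence_dir: Path) -> dict:
    """Copy log_dir into evidence_dir; record name, size, SHA-256 and UTC time."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in sorted(p for p in log_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(log_dir).as_posix()
        dst = evidence_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps the original timestamps
        entries.append({"file": rel, "size": dst.stat().st_size,
                        "sha256": sha256_file(dst)})
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(),
                "source": str(log_dir), "files": entries}
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_evidence(evidence_dir: Path) -> list:
    """Return names of preserved files whose digest no longer matches the manifest."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [e["file"] for e in manifest["files"]
            if not (evidence_dir / e["file"]).is_file()
            or sha256_file(evidence_dir / e["file"]) != e["sha256"]]

def demo() -> tuple:
    """Constructed sample logs: preserve, then alter one copy to show detection."""
    root = Path(tempfile.mkdtemp())
    logs, evidence = root / "logs", root / "evidence"
    (logs / "ids").mkdir(parents=True)
    (logs / "auth.log").write_text("Jan 12 02:14:07 fs1 sshd[4112]: Accepted publickey for jdoe\n")
    (logs / "ids" / "alerts.log").write_text("2024-01-12T02:15:00Z ALERT large outbound transfer\n")
    manifest = preserve_logs(logs, evidence)
    clean = verify_evidence(evidence)  # [] when nothing has changed
    with (evidence / "auth.log").open("a") as f:
        f.write("tampered\n")
    return len(manifest["files"]), clean, verify_evidence(evidence)
```

Hand the investigator the evidence directory together with its manifest; any later mismatch reported by `verify_evidence` shows which preserved file was altered after collection.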
5. Employ a public relations firm
Although it is not required, it may be to your advantage to find a reputable public relations firm. If you do not have to publicize the breach, you may not have a need for such a firm. However, if the breach is made public, you may have to engage in some immediate damage control. You may be able to obtain coverage for this through your insurance company. If so, then your insurance company will refer you to a suitable firm.
6. Disclose the breach to clients
Be advised that it may be challenging to handle clients and third parties in such a way that you do not disclose everything and yet maintain some semblance of transparency. It is important to exercise caution when planning to inform clients of a breach. This is because a data breach that has been publicized could lead to a large departure of clients from your firm.
Refrain from speaking too quickly, before the facts and circumstances surrounding a data breach have been investigated. A common error is attempting to minimize the harm and instead magnifying it, because the extent of the breach turns out to be different from what you initially thought.
7. Notify employees
Think carefully about how you will notify your employees about any data breaches. Make sure that the law firm communicates with a single voice, and that employees do not circulate information about the breach. Decide whether to share information about the breach on social media, and, if you will be doing so, devise a plan to reveal such information in a manner that will cause the least amount of damage to your firm.
8. Test the plan
Test the plan by having a rapid walk-through of possible scenarios, after which you can conduct a complete exercise of the plan. Incorporate contacts with outside resources to make certain that everything is updated. This will assist in familiarizing everyone with the plan and in recognizing areas that need improvement.
Breach notification law
If your state has a breach notification law, and nearly all do, include it in the incident response plan, along with the rules of compliance. You may have to consult your state Attorney General. Because breach notification laws vary widely, you should be knowledgeable about the law in your state. In addition, identify whether other states’ breach notice laws apply; they could be triggered by where employees or clients reside, or by the location of remote offices.
Make certain that all pertinent data breach laws are mentioned in the plan and appended to it. Identify any affected data that is subject to other legal obligations, such as HIPAA or the terms of client contracts, and comply with their notice requirements.
Determine whether the prospect of a breach requires the revision of IT and information security controls and policies. On the basis of what you gleaned from the test, also decide whether the incident response plan should be modified. The plan should state that an annual review is mandatory, even when there is no occurrence of a breach.
Preparation is key
Law firms should prepare for when they will fall victim to a data breach, not for whether one will occur. To be ready for that eventuality, they must implement security programs that include identification and safeguarding of data and information assets, together with detection, response and recovery. An effective incident response plan is necessary to achieve a favorable result.
Attorneys who have taken steps to prepare for a breach are more inclined to survive and experience less harm. However, those who do not sufficiently prepare will likely expend more funds, waste more time, and endure an increasing number of difficulties with clients and public relations.