Capsicum’s Leeza Garber authored an article in The Legal Intelligencer entitled “Cybersecurity Threat-Sharing in the Legal Community”. The original article is available here.
The White House and Congress have been rushing to determine how to best handle the cybersecurity risks that have been growing at an increasing rate around the United States and the world. Each new hack, malware, virus, phishing attack, network flaw and cyberincident adds to the flame that has been intensifying and forcing a clear legislative response.
Law firms face cybersecurity risks (and related legislation) on two major fronts: externally, for clients, and internally, as law firms are attractive targets for hackers of all kinds. Recently, The New York Times reviewed an internal report from Citigroup’s Cyber Intelligence Center that outlined the financial institution’s concerns related to attacks on law firm networks, in an article titled “Citigroup Report Chides Law Firms for Silence on Hackings.” The report stated that law firms were at “high risk for cyberintrusions” and would “continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications.”
The attacks that law firms face come in many forms. A recent Osterman Research white paper, “Best Practices for Dealing with Phishing and Next-Generation Malware,” cited multiple examples of cyberattacks that law firms continue to face every day. One such example analyzed a phishing email that an attorney received with a malware attachment that allowed hackers bank account access. Another analyzed how a firm was infected with keystroke-logging software from a phishing email. Both situations led to the loss of hundreds of thousands of dollars, in addition to the loss of a variety of information.
A large part of the problem is a lack of communication. Attorneys—never mind the general public—have likely not heard of many (if any) cyberattacks or data breaches affecting law firms. But they do occur—frequently. Law firms present treasure troves of rich information regarding intellectual property, trade secrets and client lists—on top of personally identifiable information available on internal networks. Unfortunately, a 2014 law firm cybersurvey conducted by Marsh USA indicated that 72 percent of respondents said their firm had not assessed or scaled the cost of a data breach based on the information it retains. This raises significant points to consider: Has your firm established a data breach response plan? Has your firm hired a third-party vendor to perform network penetration testing? Do you know how secure your data is?
As the Citigroup report explained, “due to the reluctance of most law firms to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general in the legal industry, it is not possible to determine whether cyberattacks against law firms are on the rise.” This is why threat-sharing in the cybersecurity community is so vital to offensive and defensive cybersecurity improvement. The same report noted that law firms are reluctant to discuss cyberattacks due to liability risks. This hesitancy, in turn, thwarts efforts to strengthen the fight against cyberintrusions and breaches. The safer businesses (including law firms) feel in sharing cyberintrusion threat information with the government and other companies, the better they will be at protecting their networks and systems from cybercriminal hacks and espionage originating from foreign nations. New legislative pushes are aimed at creating legal pathways to clarify the structure and intersections of data breach reporting laws, privacy laws and cyberintrusion response action. The past two months have seen a flurry of activity in Congress regarding cybersecurity and related threat and information sharing, and this will only increase as the White House and consumers continue to demand clarification of these issues.
A variety of legislation has been discussed, debated, proposed and passed surrounding the cybersecurity sphere. The NIST Cybersecurity Framework, the Cybersecurity Enhancement Act of 2014, and the Cyber Intelligence Sharing and Protection Act are some of the heavy hitters in this arena. However, in the past few months, three significant acts have been passed by the House of Representatives or the Senate: the Protecting Cyber Networks Act (HR 1560), or PCNA; the National Cybersecurity Protection Advancement Act of 2015 (HR 1731), or NCPAA; and the Cybersecurity Information Sharing Act (S 754), or CISA. They focus on the idea of minimizing legal liability for companies that voluntarily exchange and discuss cyberincident information.
In addition, these acts look to assist companies in combining efforts to collaborate with the government and other businesses to analyze cybersecurity threats.
On April 22, the House passed the PCNA, which would create new legal authorizations and channels for companies to offer cybersecurity threat information to government civilian agencies. These agencies would then be able to educate other potential cybercrime targets in order to assist in protecting them. On April 23, the House passed the NCPAA, which would offer liability protection for companies that share cyberattack information with the U.S. Department of Homeland Security. Importantly, law enforcement’s permitted use of the shared cyberintrusion information would be limited to purposes relating only to cybersecurity (no massive surveillance efforts, for example). On March 12, the Senate Intelligence Committee passed the CISA, which would order the Office of the Director of National Intelligence to create a process for the federal government to share cyberthreat data with government agencies and private companies that could be affected.
This is obviously only a partial overview of the cybersecurity and threat-sharing legislation that is coming down the pipeline, but the theme is clear: In order to best respond to the ever-changing cybersecurity atmosphere, data sharing is necessary. Liability protections should assist in creating and encouraging an open environment by shielding participating businesses from shareholder or customer lawsuits. A voluntary network of entities sharing cyberincident experience can only benefit the community as a whole. It is important to note that there are myriad privacy and surveillance concerns mounting in this area, as cyberthreat data will more often than not contain personally identifying information. While they are outside the scope of this article, such concerns are significant and will be debated as these pieces of legislation move through the system.
It is not just law firms that are reluctant to share information regarding data breaches and cyberattacks. However, law firms are at an interesting intersection of these hot issues, as legal practice groups relating to privacy, data security, data protection, cyberlaw and cybersecurity crop up throughout the country. As firms look to protect the cybersecurity legal needs of their clients, they also must look inward and analyze how to best protect themselves as well.
Leeza Garber is corporate counsel and director of business development for Capsicum Group LLC, a technology consulting company that specializes in digital forensics and investigations, e-discovery, and cybersecurity.