Howard Russell, Co-CEO, RBRO Solutions
Law firms have been labeled the new soft underbelly of corporate espionage and cyber-hacking. An article by IPWatchDog contributor Steve Brachmann stated that “At least 80 per cent of the nation’s 100 largest law firms have been affected in some way by a data breach…” The article goes on to describe the growing concerns of major law firm clients who see the risks they face by proxy.
The possibility of hackers gaining access to their information through their legal services provider has galvanized the creation of a new set of standards that service providers must meet in order to qualify for their business. Now, when responding to RFPs from major institutions, law firms are increasingly required to demonstrate that they have effective intrusion detection systems in place, encrypt critical data in storage and maintain effective policies related to data security.
In the Code of Federal Regulations, Subpart C, section 164.305, Definitions, the term “Security incident” is defined as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”
Intrusion systems are great at identifying or preventing unauthorized access to content. They enable organizations to quickly identify threats and sometimes provide a means of dealing with those threats. However, they don’t necessarily combat another very real threat to data security: the ‘Trusted Thief’, the ‘Careless Contributor’ or the ‘Unwary User’.
The Trusted Thief is the employee who has legitimate access to critical data but whose intentions with regard to its use are less than honourable. The Careless Contributor is the individual who works hard producing solid content but doesn’t take into account the security implications of posting data, for example, to online temporary storage locations with poor security infrastructures. The Unwary User does not have a good understanding of the governance issues that are associated with the content they generate or consume. They continue working, blissfully unaware of the risks they create for their firms by virtue of how they handle the data in their care.
The latter two risk generators are often overlooked because many organizations haven’t yet fully committed to improving how they manage the storage and flow of document-based data. Of course, this flies in the face of ABA Rule 1.6, which states that “a lawyer must act competently to protect the confidentiality of clients’ information.” As a result, duplications of data on multiple workstations and server locations have increased the possibility of intentional or accidental access to private data. Users cut corners and use unsanctioned sharing facilities to get content to clients because their firm has not provided better alternatives, exposing the client and the firm to the potential fallout from unauthorized access. Data leakage is harder to detect because the content resides in places that are hard to monitor.
Over the last several years I’ve been contacted a number of times by IT professionals who are scrambling to understand just what data was stolen by an employee and who the data had been provided to. I’ve listened to concerns voiced by corporate legal teams who were concerned that data was being copied from their systems by remote users under duress from local authorities. According to a 2013 report by Go-Gulf, 59 per cent of ex-employees surveyed admitted to stealing company data when leaving previous jobs.
A recent article from Grand Valley State University (https://www.gvsu.edu/e-hr/how-to-avoid-employee-data-theft-62.htm) provides solid information about data theft and the practices/policies that should be put into place to help organizations protect their data. A key point in that article is the difficulty faced by organizations in obtaining the data they need to understand data breaches that have occurred. DuPont was used as an example of a corporation whose employee stole over 600 documents by copying them to a portable hard drive. However, the term “forensic analysis” used in this article is indicative of the fact that dealing with data breaches often happens long after the breach occurs and its impact has already been felt. In such cases the best an organization can hope for is the ability to mount an effective prosecution of the offending employee in order to deter others and recoup some losses. For a law firm, such a breach, if made public, could cause irreparable harm to its reputation and result, at best, in the loss of a good client or at worst, devastating lawsuits.
In the book Glass Houses by Joel Brenner, the author quotes a Major General William Lord of the US Air Force, when referencing a massive heist of up to 20 terabytes of data: “To carry this volume of documents in paper form, you’d need a line of moving vans stretching from the Pentagon to the Chinese freighters docked in Baltimore Harbor, five miles away. If the Chinese tried to do that, we’d have the National Guard out in 15 minutes. But when they did it electronically, hardly anyone noticed…”
As stated early on in this article, there are several solutions available to protect against hacking. To foil the plans of the trusted thief, law firms should look for solutions that enable them to have a clear understanding of where their data resides, a strong ability to regulate access and the ability to know when something out of the ordinary is taking place.
To eliminate the risks caused by the careless contributor and the unwary user, these employees must be made aware of the risks so that they can make better decisions about how they handle information. It’s also important to create an environment in which it’s easier to work within the organization’s policy framework than to work outside of it.
Use a document management system (DMS) that provides strong yet simple security management, encrypted file storage and an audit trail of everything that happens as a foundation for good data governance and protection. There is no longer any real excuse for leaving most critical data outside of a DMS. By ensuring all content is in the DMS, organizations can take advantage of the auditing capabilities and reduce the redundant storage of information, which eats into storage budgets and increases the access points available to exploit private content.
Finally, employ solutions that enable instant notification—wherever you are—when something out of the ordinary happens with your data so that your firm can respond before the incident becomes a catastrophe. Identify what ‘normal’ user access of data looks like in your firm and configure these solutions to let you know about all activity that falls outside of that scope. Enable your users to perform effectively in your DMS by facilitating the integration of all of your content-producing applications into your DMS environment.
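One way to turn "identify what normal looks like" into an alert rule over a DMS audit trail, shown as an added example that is not from this article or from any DMS product. The event fields, action names, user names and thresholds are all assumptions, and the audit rows are constructed.

```python
from collections import defaultdict
from statistics import median

EGRESS = ("export", "download", "print")  # assumed action names that move data out

def sample_events():
    """Constructed audit rows: (user, date, action, document id)."""
    events = []
    for day in range(1, 11):  # ten ordinary working days
        date = f"2024-03-{day:02d}"
        events += [("asmith", date, "export", f"A{day}-{i}") for i in range(4 + day % 3)]
        events += [("bjones", date, "export", f"B{day}-{i}") for i in range(6 + day % 2)]
    # Review day: bjones works as usual, asmith exports 600 documents
    events += [("asmith", "2024-03-11", "export", f"AX-{i}") for i in range(600)]
    events += [("bjones", "2024-03-11", "export", f"BX-{i}") for i in range(7)]
    return events

def daily_counts(events):
    """Distinct documents per (user, date) for egress actions only."""
    docs = defaultdict(set)
    for user, date, action, doc_id in events:
        if action in EGRESS:
            docs[(user, date)].add(doc_id)
    return {key: len(ids) for key, ids in docs.items()}

def find_outliers(events, review_date, k=5, floor=20):
    """Flag users whose review-day count exceeds max(floor, median + k*MAD),
    where median and MAD (median absolute deviation) come from that user's
    own earlier days. A user with no history is judged against the floor."""
    counts = daily_counts(events)
    history = defaultdict(list)
    for (user, date), n in counts.items():
        if date < review_date:  # ISO dates compare correctly as strings
            history[user].append(n)
    today = {u: n for (u, d), n in counts.items() if d == review_date}
    alerts = []
    for user, n in sorted(today.items()):
        past = history.get(user, [])
        med = median(past) if past else 0
        mad = median(abs(x - med) for x in past) if past else 0
        threshold = max(floor, med + k * mad)
        if n > threshold:
            alerts.append({"user": user, "count": n, "baseline": med, "threshold": threshold})
    return alerts

if __name__ == "__main__":
    for alert in find_outliers(sample_events(), "2024-03-11"):
        print(alert)
```

The floor keeps users with a very steady baseline from alerting on small changes; both it and `k` need tuning against a firm's own audit history.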
Hackers had to work hard to hack through the multiple layers of security at the Pentagon. Your ‘trusted thief’ can work unhindered from the comfort of their desk. The other two types of employees just aren’t paying enough attention.
What are you doing to ensure that you’re paying attention—especially when it matters most?