Law firms have long been viewed as the most trusted of advisors to their clients, and lawyers learn early in law school the importance of maintaining confidentiality of information shared with them by their clients.
However, the security of that relationship has been threatened of late by the emergence of external cyberattacks and in some cases, weak internal controls. Criminals have in fact identified firms as ideal targets to obtain highly sensitive data that could be used for financial gain and political disruption.
Recently Neil Sternthal, managing director, Legal, Thomson Reuters Canada, Australia and New Zealand (based in Toronto), sat down with Charles Morgan, national leader of McCarthy Tétrault LLP’s Information Technology Law Group and co-leader of the firm’s national Cybersecurity, Privacy and Data Protection Group in Montreal, to discuss how firms like McCarthy Tétrault are managing the cybersecurity challenge.
Neil Sternthal: In the wake of fears around recent ransomware attacks targeting law firms and the 2015 Panama Papers incident, what are the risks legal professionals need to be aware of when dealing with client data in the normal course of information exchange and storage?
Charles Morgan: The main thing law firms have to realize is that we are targets of cyberattacks like any other major business in the world. Law firms have a lot of valuable, confidential client information and so we’re going to be targets, just like anybody else. We have to approach cybersecurity issues through the same “enterprise-wide risk” assessment lens as many of our clients.
As lawyers use more and different kinds of technology that offer new opportunities for efficient communication with clients, so too the “bad guys” are finding new tools to infiltrate that information.
We have put in place safeguards such as encrypted computer hard drives, encrypted mobile devices and dual-factor authentication for any remote access to the firm’s networks.
Hackers aren’t just attacking our network and databases with technological tools; they are also using social engineering and phishing scams to contact lawyers directly.
Hackers are becoming increasingly sophisticated and increasingly convincing in their efforts to present themselves as either legitimate firm clients or as members of an expansive deal-team. The best way to protect against that is to reinforce a culture of vigilance and awareness through training.
In this regard, law firms have a natural advantage over many other businesses in mitigating such cybersecurity risks because the importance of maintaining the confidentiality of client records is hardwired into lawyers’ training, culture and professional responsibilities. But as hackers become ever more sophisticated, it is important to refresh old reflexes. Every lawyer and employee in our firm has received recent training on how to spot red flags.
Sternthal: A couple of years ago it was thought that law firms were the “soft underbelly” of data security. Is that a dated view or is there still some truth to that?
Morgan: I can’t speak for all firms, but as regards large firms, it is probably a dated view. It may have once been a legitimate concern – but the risks have become apparent and large law firms are acting accordingly.
Law firms have adopted enterprise-wide risk assessment and mitigation strategies.
Sternthal: Are law firms coalescing around a uniform approach to IT security?
Morgan: I think this is an area where there are a variety of standards that can be considered. Many law firms consult SANS Institute for training and IT security resources. Some are moving towards adopting ISO 27001 certification. The key is to adopt a structured, enterprise-wide approach to cybersecurity risk mitigation that is consistent with industry standards.
Sternthal: One pain point I often hear about is the audit requirements clients impose on law firms, particularly that the requirements are the same in purpose but different in form and difficult to comply with and scale. Do you think there is an opportunity for leading firms to be proactive, reach out to clients and work together?
Morgan: Absolutely. We are doing that. There has been some frustration that law societies haven’t been more proactive on this point in terms of providing guidance. McCarthy Tétrault is working collaboratively with the other large law firms in Canada to look at an approach that makes sense given the context.
For example, audit questions or cybersecurity auditing may be based on a framework and structure that isn’t yet perfectly mapped to a law firm situation. In a sense our business is all about our clients’ businesses so there are some differences in how you manage data under those circumstances. I think the approach to auditing law firms for cybersecurity purposes could well continue to evolve.
Sternthal: What about artificial intelligence and going to the cloud? Applying a cybersecurity lens, what sort of opportunities, complexities or risks do you think about or advise clients on in terms of going to the cloud and in terms of cognitive computing or Artificial Intelligence (AI) capabilities attacking your firm? How can you mitigate or protect against such attacks?
Morgan: You have to look at the specific circumstances of the cloud offering and of your needs for the use of the cloud. For example, many leading cloud service providers offer an IT security environment that is subject to IT security standards that are much more robust than typical “on-premises” environments.
Whenever a law firm contemplates working with a cloud services provider, it is critical to conduct due diligence and to put in place appropriate contractual controls. Data residency is an example of an issue that should be addressed contractually. If you haven’t done your homework, you may not know where your data is stored, and you may not know whom your service provider is subcontracting to or where a subcontractor is storing your data. Audit rights in the context of cloud services are a second matter that is often subject to a significant amount of contractual negotiation.
Sternthal: What do AI capabilities and the trajectory we anticipate introduce into the thinking about cybersecurity – both from a deterrence perspective and an evaluation of risk?
Morgan: AI is going to be used (in the future) by hackers to overcome any form of password control/access control, and it will become increasingly effective at doing that. AI can also be used for social engineering and to identify individuals who may be vulnerable to phishing. The risk is amplified at that level.
However, AI may also be used for security defense. We’re using a variety of tools to identify security threats and phishing scams. It’s a game of cat and mouse: Our IT security department continues to find ways to stay one step ahead of the hackers – who are using a variety of tools to stay one step ahead of us.
Sternthal: What about cybersecurity insurance? What should one look for in a policy and coverage level?
Morgan: Cybersecurity insurance is one of the fastest growing areas of insurance in the world. An organization should be looking at two basic kinds: first-party and third-party. First-party would cover the costs of business interruption such as notifying the customer base, having to get new software or hardware and forensic services to determine what happened where and by whom. Third-party insurance is for when you might be sued because your organization was involved in a data breach and a class action is pending that you have to defend against.
If you want to reduce the amount of insurance you need, you have to put in place a cyber-risk response plan – and it starts with governance. You have to demonstrate you’ve been acting on the risks associated with a cyber breach, that you have IT security policies in place, that you have a communication plan and a regulatory compliance plan. In short, even cyber insurance should be viewed through the lens of enterprise-wide risk mitigation.