Mentioned in This Episode
The Evolving Landscape of Law Firm Data Breach Preparation and Response
Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 96th edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises, a digital forensics, cybersecurity and information technology firm in Fairfax, Virginia.
John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is ‘The Evolving Landscape of Law Firm Data Breach Preparation and Response’.
Sharon D. Nelson: Before we get started, I would like to thank our sponsor. We would like to thank our sponsor PInow.com. If you need a private investigator you can trust, visit pinow.com to learn more.
John W. Simek Our guest today is Dave Ries. Dave is Of Counsel in the Pittsburgh, Pennsylvania office of Clark Hill PLC, where he practices in the areas of environmental, technology, data protection law and litigation. For over 20 years he has increasingly focused on cybersecurity, privacy and information governance, including response to data breaches.
Thanks for doing the show with us today Dave.
David G. Ries: Thanks for having me. I am always glad to work with you and Sharon.
Sharon D. Nelson: We are the three musketeers, that’s for sure Dave. Well Dave, as you know, we can’t keep up with all of the current data breach statistics, but there are some new ones to share. What are some of the most recent ones that you have seen?
David G. Ries: Well, some of the current ones for this year; first are the Identity Theft Resource Center. It publishes an ongoing list or catalogue of data breaches involving personally identifiable information, and it shows that the data breaches keep coming.
As of the beginning of this month there were 932 breaches this year, exposing about 47 million records. So that’s first.
Next, there’s some good news from Mandiant’s M-Trends that came out in the spring and that is that there appears to be some improvement in detection of data breaches. It reported that more breaches were discovered internally rather than externally, which is good, because internal discovery is usually faster than external discovery, and this is globally the time from breach to discovery was around 100 days and that’s been consistent for a couple of years, but it’s down from years ago. So there’s some improvements there.
And finally, one of the important things on data breach response is knowing your enemy and the Verizon Data Breach Investigations Report for this year reported that 73% of breaches were from outsiders and 28% were from insiders. So in safeguarding everything and in detection, you know where the attack may be coming from.
Of the outside attacks, 50% were from organized criminal groups and 12% were from nation states. So although nation states get a lot of publicity, there is a lot more data breaches that are initiated by criminals or by insiders.
John W. Simek: Well Dave, I know you and I this coming week are going to be given a presentation on incident response plans, but for the benefit of our listeners, can you identify what some of the elements of a successful incident response plan are and what about the percentage of law firms that actually have an incident response plan?
David G. Ries: Well, an incident response plan to be successful should be part of a comprehensive information security program. It shouldn’t be something off to the side, in isolation, everything should work together. It should be written and in sufficient detail for the size of the firm and the sensitivity of the information.
In addition to speaking on this later this week, you, Sharon and I also published the article in the Michigan Bar Journal that I want to suggest to the audience. It’s in the September edition and it’s on law firm data breaches. So if you do an Internet search for Michigan Bar Journal and data breaches, you should be able to find it and it goes through the elements of an incident response plan in a lot more detail than we can cover today.
But the plan should identify internal and external resources, along with the roles and contact information. It should identify data breach counsel, your bank in case you have to stop a wire transfer or some such thing, insurance carrier, a digital forensic service provider and alternatives, in case the forensics service provider isn’t available and you have to find someone else.
It should be prepared in advance and you should make advance contacts with the external resources. You don’t necessarily have to retain them upfront, but at least talk to them, make sure you are comfortable with them and that they will be available.
It should be tested and that could be a tabletop exercise for a midsized or large firm; for a solo or small firm, it might just be walking through the plan with the attorney or attorneys in staff and talking through what you are going to do.
So those are the basic elements, and again, you should have a lot more detail than that and I suggest the article.
As far as firms that have incident response plans, we see differing statistics, but some of the recent ones that I have seen show that across the board only about 25% of law firms have incident response plans, which means that three-quarters of them don’t. The statistics that I have seen say that smaller firms are less likely to have them, midsized and larger firms are more likely to have them, and when you get to the firms for example of over 100, most of the firms have them. So it varies a lot by size of firm.
Sharon D. Nelson: Well, as we both know, preparing for a security incident is really an evolving topic. What are some of the most current recommendations that our audience might not be aware of?
David G. Ries: Well, the most important one is keeping up to date on current information and sometimes that’s pretty difficult. For example, just last week the American Bar Association published an ethics opinion on data breaches and it outlines the obligation that attorneys and law firms have to notify their clients of any material data breach under ABA Model Rule 1.4, which is the rule on communications.
In addition, understanding current threats, the kinds of things that are in the security press all the time and in the legal technology press, understanding current technology for detection and response. We discussed numerous times in our presentations how the old mantra in security was focusing on identifying and protecting against threats, and both of them are still really important, but the new mantra is an increasing focus on detection, response and recovery, and just understanding that shift in the overall approach to security and the current threats and current detection methodology are really important and it’s difficult to do, so keeping up with the legal press and the security press is the only way for most attorneys to do it.
Sharon D. Nelson: Let me just mention briefly for anybody who wants to look up the new ABA opinion which was released on October 17, it is Formal Opinion 483, so that will be very easy to get to. It’s about — I think it’s about 11 pages and it creates a standard of reasonableness and as always there is some murky areas where it’s a little bit difficult to figure out exactly what you are supposed to do, but anyway, it is worth reading and good guidance.
John W. Simek: It’s 16 pages.
Sharon D. Nelson: Thank you.
John W. Simek: Since I have it right on my desk.
So Dave, are there any new laws impacting data breaches that lawyers should be aware of?
David G. Ries: Yes, there are, and there always are changes in the laws and in regulations, in policies by various states and attorney generals, so it’s something that we need to keep up with.
In addition to looking at the security press, the National Conference of State Legislatures has a website where it lists data breach and security laws broken down by ones that apply only to state agencies and the ones that apply more generally, so that’s a good place to find out what’s going on.
And just some very quick examples, Alabama and South Dakota adopted breach notice laws earlier this year. That means that there now are laws in all 50 states, plus the District of Columbia, Puerto Rico and the US Virgin Islands.
As of the beginning of this month, there were over 30 states that were considering amendments to their existing Data Breach Notice Laws, so again, it’s constantly changing.
Colorado, Louisiana and Vermont have amended their laws this year. They include things like broadening the definition of personally identifiable information that’s covered by the laws, now in a lot of states including biometrics. Some of them have specific time limits now for reporting breaches; 30 days in Colorado, 60 days in Louisiana. And these laws can apply to law firms regardless of what state they are in if they have information about residents of other states.
So a small firm, for instance, in Pennsylvania may have notice obligations under 10 or 20 or more states’ laws. So it’s a challenge to keep up with them.
And of course, California has the new privacy law, it’s broader than a Data Breach Notice Law, but that just went into effect. And GDPR for information on European data subjects now requires breach notification within 72 hours.
So the answer is yes, there are a lot of laws that lawyers need to be aware of.
Sharon D. Nelson: Do you think that we are ever going to see a federal data breach law and when you answer tell us why or why not, Dave?
David G. Ries: Okay. Well, I will give this one a definite maybe.
Sharon D. Nelson: Chicken, chicken, chicken.
David G. Ries: That’s been my answer for a number of years and here’s the reason. Since the first major disclosure of the ChoicePoint breach under California’s Data Breach Notice Law, which was in 2005 or 2006, there has been almost unanimous sentiment in Congress that there should be a national data breach law and that’s really saying something for our Congress that there is unanimous opinion or a unanimous view.
The problem is that it breaks down on what that law should provide, and you have had business and technology groups advocating for a uniform national Data Breach Notice Law that preempts inconsistent state laws. I mean it doesn’t make sense that if you have a national data breach that you have to deal with 50 different states, plus DC, Puerto Rico, et cetera where there are often differences between the laws.
Consumer groups and state attorney generals have lobbied against a national law if it’s going to have preemption. So not having preemption would take away the benefit for businesses, but it would allow states to have more stringent requirements and the states that have more stringent requirements, like California, have taken the position that a uniform national law with preemption in order to get a pass would water down the more stringent state laws; therefore, would provide lesser consumer protection. I mean therefore the only thing that I think anybody can legitimately say today, it would be a definite maybe.
Sharon D. Nelson: All right, all right. Well, you explained that pretty well, so I am going to let you take a pass on the maybe.
John W. Simek: Before we move on to our next segment, let’s take a quick commercial break.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is ‘The Evolving Landscape of Law Firm Data Breach Preparation and Response’.
Our guest today is David Ries, who is Of Counsel in the Pittsburgh, Pennsylvania, office of Clark Hill PLC, where he practices in the areas of environmental, technology, and data protection law and litigation.
John W. Simek: Well Dave, we know you work with a lot of incident responses as a lawyer, but what are some of the worst mistakes you have ever seen?
David G. Ries: Well, I will give two examples. The first one is not having a plan. The last thing you want to be doing is at five o’clock on a Friday, or into a Friday evening or over a holiday weekend when data breaches tend to become discovered, you don’t want to be starting from scratch and on the Internet, or if you happen to have an old Yellow Pages around, because your computer system is down trying to find the resources that you need to respond to a data breach.
Second one is what I will call the deer in the headlights syndrome. You have a plan but you are kind of like staring in the headlights and you are afraid to move one way or the other or do anything, so you are kind of forced into inaction because you are concerned about doing the wrong thing.
Now, you have to think it through, you have to have adequate information to act upon, but you want to be able to as quickly as reasonably possible gather that information and make the decisions on the steps that you have to take and move forward, not just stand there frozen.
Sharon D. Nelson: That was pretty good. They are deer in the headlights most of the time when we see them. But let’s go to the flip side Dave. What have you seen companies or firms do, what have you seen them do after a security incident that impressed you and actually helped with a positive data breach response?
David G. Ries: Again, I will give two examples. First is having a well-prepared and rehearsed plan. So no plan, as we have often said, survives the first contact with the enemy, but some of them come close and the law firm or company is ready to move ahead with a plan, to go through in a logical order the various steps. You have typically already detected it, so it’s responding, eradicating the threat and starting corrective action. So the well-rehearsed plan is one good example.
The second one is having really good logs, knowing where they are, being able to get to them and retaining them. Just two examples, one where there was an intrusion for several months into an information network. There were very detailed logs that were able to establish that the attackers were just stealing server power to mine cryptocurrency and didn’t touch any confidential data and didn’t exfiltrate any confidential data. So in that case logs are very helpful, if you have them, you know how to deal with them, it can show that it is an incident rather than a data breach.
On the other extreme, getting rid of logs, overwriting them after 30 days or a very short period of time, and again, you have had the same several month security incident, you are oftentimes going to have to assume that it is a breach, because you can’t show what was accessed and what was exfiltrated. So there are two examples.
John W. Simek: I love your clarifying Dave that not just having logs, but knowing where they are, that’s great.
So we all know it’s a really good idea to have a good data breach lawyer, especially advising you, should you have an incident, but how would law firms go about finding one?
David G. Ries: Well, I think it’s the same as finding and retaining a lawyer in any field of specialty, get references, talk to other firms that you know have worked with data breach lawyers. If you know that there are law firms in your area that offer the service, talk to them, but references are important.
And the two things that I think are most important in a data breach lawyer are one, experience. You want someone who has dealt with data breaches for a long enough period of time and enough breaches to have experience. You don’t want somebody going through on-the-job training with your breach.
The second is someone who is available. You can have someone who is one of the top data breach practitioners in your geographical area or in the country, but if they are so busy with bigger breaches that you are at the bottom of the stack, that’s not very helpful.
Find someone upfront; include him or her in your data breach response plan. You don’t want to be looking for them and hiring them when you are already experiencing a breach. And make sure that they have depth; someone else in their firm or possibly having to go to another firm if they are busy at the time that your breach occurs, because sometimes they happen in multiples, almost contemporaneously and it’s difficult to get the resources for each breach.
John W. Simek: Dave, I just want to clarify though. I mean they don’t necessarily have to be local geographically, right? I mean some very, very good lawyers have experience in a lot of the states, but yet they may be two states over from you?
David G. Ries: That’s correct, but you want someone who can at least serve your area and typically you are going to want someone who, either himself or herself or one of their colleagues, is admitted in your jurisdiction, because you are going to be providing legal advice in that particular jurisdiction.
I mean most midsized and large-sized firms have attorneys to do that. If you have someone who is good who doesn’t happen to be admitted in your jurisdiction, they can work with someone who is under the ABA’s Multijurisdictional Practice Rules, but again, this should be sorted upfront.
Sharon D. Nelson: Well, what are some of the best incident response resources out there that you are aware of for lawyers and why would you call them the best?
David G. Ries: All right. Well, if you look at our Michigan Bar Journal article, it actually has a list of additional resources. I just want to point out three of them that are in it. The Federal Trade Commission has published a Data Breach Response: A Guide For Lawyers. I mean it’s a short overview, it certainly isn’t detailed.
The Sedona Conference has published an Incident Response Guide. It’s a Public Comment Version that came out in March of this year. It has some more detail and it’s pretty good.
The US Department of Justice has published Best Practices for Victim Response and Reporting of Cyber Incidents.
The two government publications are kind of short checklists and ones that give you additional resources.
There are ABA publications, like our book ‘Locked Down’ that has some more detail on it.
One source that I think is particularly helpful is the International Association of Privacy Professionals. They have a lot of resources for members, including a detailed database of state data breach notice laws that breaks down all the similarities and differences and requirements under them, and it’s a really good resource.
John W. Simek: Well Dave, I know you are probably going to move to the definite maybe answer again on here, but do a little fortunetelling for us, what do you see about changing threats and the incident responses and how can law firms be prepared for those?
David G. Ries: All right. Well, I mean part of it is uncertain, but I mean the first one I can say is almost certain, and that is that the arms race will continue, with the frequency and sophistication of attacks continuing to grow, the tools for protection and detection will continue to become more powerful and more readily available. So in each instance it will depend who wins the arms race. The bad guys always have an advantage because they just have to find one way in, but I think that the threats and the protection against them will continue to evolve.
The challenge for law firms is to constantly pay attention to security and they don’t do it like we do, where we read security information every day, but focusing on the basics to protect their systems, strengthening safeguards, and paying increasing attention to detection and response.
Sharon D. Nelson: Well, we sure want to thank you today Dave and we look forward to joining you at Suffolk Law School next week for —
John W. Simek: It’s this week Sharon.
Sharon D. Nelson: Is it this week?
John W. Simek: It’s this week.
Sharon D. Nelson: All right, that’s right, we are leaving tomorrow, boy, boy, life is tough. Okay, so this week we look forward to seeing you and lecturing, I think it’s on Thursday, have I got that part right, John?
John W. Simek: Yes, you got that right.
Sharon D. Nelson: Okay, in the Futures Conference of the College of Law Practice Management. So the conference is entitled ‘Cybersecurity: This Way There Be Dragons. And I am doing the tee up with some other folks on the war that law firms are fighting against data breaches and Dave and John are on a panel talking about the response after a data breach. So I know it will be a whole lot of fun and I am glad the three musketeers will get together again.
So thanks Dave.
David G. Ries: I am always glad to do it.
John W. Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or on Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology and cybersecurity services at senseient.com.
We will see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.