Some small law firms and solo practitioners feel that their practice and available revenue are too small to justify investing resources in cyber security protections. In this episode of The Florida Bar Podcast, hosts Jonathon Israel and Christine Bilbrey talk with Shook, Hardy & Bacon partner Al Saikali about helping lawyers assess their security risk and why cyber security is important even for the smallest firms.
The Florida Bar Podcast
No Law Firm is Too Small for Cyber Security
Intro: Welcome to the official Florida Bar Podcast, where we cover practice management, leadership and what’s happening in Florida Law, brought to you by the Florida Bar Practice Resource Institute. You are listening to Legal Talk Network.
Christine Bilbrey: Hello and welcome to The Florida Bar Podcast brought to you by the Practice Resource Institute on Legal Talk Network. We are so glad you are here today. I am Christine Bilbrey; I’m one of the co-hosts. I’m a Practice Management Advisor here and I’m joined today by the Director of the Practice Resource Institute, Jonathon Israel.
Jonathon Israel: Hello. I am Jonathon Israel and as Christine said, I am the Director of the Florida Bar’s Practice Resource Institute.
Christine Bilbrey: Our goal at PRI is to assist all of our members with running the business side of their law firms. We still have all the resources for trust accounting, file retention, or starting a new practice, but with all the new technologies available today, as well as the increasing challenges associated with that technology, we're choosing to focus on this topic because it's a real concern for attorneys at any stage of their careers.
Jonathon Israel: So joining us today we have a very special guest, Mr. Al Saikali to talk to us on the very important topic of data security.
Al is a partner in the Miami office of Shook, Hardy & Bacon, where he founded and chairs the firm's Data Privacy and Data Security Practice Group. In that role, Al directs breach response efforts and represents companies in litigation arising from data breaches. He maintains a blog titled "Data Security Law Journal", where he writes about emerging trends and issues in data security and data privacy law. And recently the National Law Journal named Al a "Trailblazer in Cybersecurity".
Christine Bilbrey: Welcome to the show, Al.
Al Saikali: Hi, good morning Christine. Good morning Jonathon. How are you?
Christine Bilbrey: We’re doing great. We’re so glad you’re here with us, you are the Guru on this topic and I want to brag on you a little bit. Al is a partner in the Miami office of Shook, Hardy & Bacon, where he founded and chairs the firm’s Data Privacy and Data Security Practice Group. And in that role, Al is directing breach response efforts. He represents companies in litigation arising from data breaches. So we know this is one of those things that is keeping attorneys up at night.
He also maintains a blog, which is excellent, and we will give you the address for that at the end called “Data Security Law Journal”, where he is writing about emerging trends and issues in data security and data privacy law.
The National Law Journal recently named Al a “Trailblazer in Cybersecurity”; and, the thing that we like most about Al right now is he’s also the current Chair of the Florida Bar Standing Committee on Technology.
So Al, tell us a little bit about yourself and tell our listeners what that Standing Committee on Technology is doing for them?
Al Saikali: Sure. So thank you first of all for having me as a guest on the podcast. I graduated from law school in '99, so I've been practicing now for about 17 years. I got into this area of privacy and technology back in about 2008-2009 and it slowly started growing, and within the last three years it just exploded, obviously, with all of the high-profile data breaches you've read about in the news. And so it's a fascinating area to be in because the world is constantly changing and developing, so it's a really neat area. Of course, technology is changing as well, so that makes the practice more challenging as part of what I do.
In terms of the Florida Bar’s Technology Committee, I was invited to join that committee I think it was last year and it’s a relatively new committee that the Florida Bar has established primarily for the purpose of allowing members of the Florida Bar to find resources that can help them learn about technology, be competent in technology; of course, we have an ethical duty as lawyers to be competent in technology.
And so, there are many resources out there, and PRI is the perfect example of that, for lawyers to learn about the types of technology that they will use in their practice on a day-to-day basis, and of course part of that is making sure that you are using technology that secures client information.
And so, I think that the two goals that we will be focusing on in the next year or two as part of the committee will be, number one, making sure we continue to provide these resources for lawyers. Those resources may include references to information security firms that they can contact to assess their security risks, references perhaps to cyber insurance companies or brokers that sell cyber insurance, guides on best practices for data security and privacy of clients' information, and then some standards.
We would like to try to develop some standards that lawyers and law firms can abide by in ensuring that they are using the best practices to secure client information.
And then the second goal is to make sure that there are resources out there so that lawyers can simply maintain competence in the different types of technology, whether it's cloud computing or database management, word processing, Excel spreadsheets, things like that that they use on a day-to-day basis. So we want to be able to provide those resources to lawyers.
Christine Bilbrey: Excellent, thanks.
Jonathon Israel: Yeah, that all sounds great, Al. We are very excited about what the committee's working on and what you have coming down the road for our members of The Florida Bar to look into to help them with their practices.
Kind of on that same note, you mentioned how the news headlines these days are always filled with these larger firms or organizations that are being hit with these data breaches, but if I am a solo or a small firm attorney, why should I care? What is it that I should be looking out for as far as data security goes?
Al Saikali: Sure. So increasingly what we've seen, particularly within the last two years or so, is that law firms are becoming the focus and the targets of cyber-attacks. Hackers are realizing that law firms are often the weak link in the chain, and they maintain a significant amount of sensitive information for their clients in terms of intellectual property, proprietary information, personally identifiable information, protected health information; the latter two are often stolen and sold on the dark web for identity theft purposes. So there's value in it for these guys.
And of course, if I am representing a large company that's engaged in an M&A transaction or negotiations, there's value to having that information if I'm a hacker, because that is information that can be traded on, not legally, but they could do it. And so that's one of the reasons why we're seeing law firms increasingly becoming a focus of cyber-attacks.
But separate from that, the other reason why lawyers at firms of all sizes should care is because there are statutory obligations that require them to adopt reasonable security measures. There are ethical obligations that lawyers have to make sure that they're adopting reasonable security measures to protect client information, and quite frankly, clients are just asking about it.
I think that there’s a greater expectation now from clients that their outside counsel have adopted reasonable security safeguards to protect information and they want to know what those safeguards are. So that’s I think why really lawyers should care about it.
Christine Bilbrey: Absolutely. So Al, say that I’m running a small — I have a five-attorney firm, we have a network on site with a server, we’ve got some things in the cloud, how are they getting in? If I have been a victim of a cyber-attack, what are the main ways that they’ve gotten into my data?
Al Saikali: So let me, I guess, sort of level set a little bit and talk a little bit about what a data breach is. People should understand that when they hear this term "Data Breach", there is actually a legal definition for it, and a data breach is really the unauthorized access or acquisition of sensitive information, usually personally identifiable information.
It is important to understand that definition because it doesn't just mean cyber-attacks. Cyber-attacks are certainly the high-profile method of data breaches, and they can affect a significant amount of information very quickly, but there are other threats to information as well.
So we take them sort of in two buckets. We will talk first about the cyber-attacks, and one of the ways in which the cyber-attacks are happening is by these phishing schemes. In phishing schemes, basically the hackers will do some reconnaissance online using social media and then send emails to individuals who work for a company, in this case, let's say it's the law firm. The email may appear to be from somebody who would be familiar to the individual. There's a PDF document or some other file that's attached, and the person is instructed to click on that link or on the document. They open it, nothing appears to really happen, but behind the scenes they have now started to download malicious code into their system that hackers can then use to create a backdoor, get into the system and obtain the sensitive information that may be stored there.
In addition to other phishing schemes, we're also seeing ransomware attacks. In ransomware attacks, the hackers essentially encrypt your data. You would turn on your laptop to start your work in the morning and you see a screen that says "Your computer has been locked up, and in order to access the data, you need to pay a ransom", and usually the ransoms are not very high, I mean, less than $1,500.
So you have to pay this ransom, and if you don't have a secured backup then that could cause a significant problem; obviously it prevents you from accessing all of your clients' sensitive data that may be stored there. But I think one of the trends in this era on the cyber side is the level of sophistication that hackers are engaging in.
It's no longer just a mass email to a bunch of people to see who's going to click on links. I mean, that's certainly part of it, but we're also seeing more reconnaissance using social media, going on the websites, learning about a company, learning about the individuals of the company before engaging in the attack. And so I think that hackers are only going to get more sophisticated, the emails look a little more legitimate, those sorts of things.
On the other side, what are the other risks for a law firm? You have insider threats, people who work for law firms. We've represented law firms whose employees had access to databases that had PII, Personally Identifiable Information, or Protected Health Information, and were misusing that access, taking the information and selling it as part of identity theft crime rings. We in Florida, unfortunately, are the capital for identity theft, so that's another risk. It could be something as simple as forgetting a file on a bus or in a cab or somewhere that has medical records in it. When you lose that and you can't get it back, that is considered a data breach.
It doesn't have to necessarily be something intentional. The fact that the information is gone and no longer in your possession may be enough to constitute a data breach under the Florida Information Protection Act and other Data Breach Notification Laws. And that's just at the level of the firm itself, but think about when the firm shares PII or PHI with its vendors, its copy services, its expert witnesses. When you do that and the vendor has a data breach, you potentially could be liable too. So there are many different ways in which law firms have to be concerned about these threats, because they can come from all different directions.
Christine Bilbrey: That brings up a really important point. So you can go out and get every firewall and virus protection software, but quite often it comes down to the human factor; that's the weak link in the chain. So, are there programs where you can actually train your employees not to click on that link? How do you really drive that home with the law firm employees?
Al Saikali: That's a great point Christine. I mean, you picked up on that initially, and sometimes it takes the clients quite a while to realize that the human factor underlies all of these data breaches, whether it's the individual who clicks on the link or the individual who loses the file or the individual who sent the inadvertent email that has an attachment with the personal information in it. And so training is the number one defense that any company, including law firms, can put into place to minimize this risk, and there are many ways to do it.
I think training should be part of the on-boarding process. When you're hiring the employee, they are trained on these risks and told about ways to minimize the risks. It's part of the ongoing annual training of employees to make sure that they're aware of the risk. And then the third part is a sort of awareness campaign, so periodically, whether it's quarterly or semi-annually, there are newsletters or emails that go out saying, hey, here's a new type of risk, a cyber attack or a way in which companies are suffering data breaches; let's be aware of this and think about what you do in your day-to-day responsibilities with the law firm to minimize the risk.
I think a lot of employees, when they think of data breaches, they think of the cyber attacks. They're not thinking about what they're doing on a day-to-day basis. They're not thinking that if they lose their thumb drive that contains spreadsheets or medical information on it, they may have now just caused a data breach for their law firm. And imagine the embarrassment when that law firm now has to email the client saying, we just lost hundreds of thousands of pages of medical records, we have got to notify you, we have got to notify all these plaintiffs, we've got to notify the individuals.
So training is absolutely an important part of it, and one of the things I have seen recently on training, and we've started to do this as a firm, is testing the employees by sending phishing emails to them to see whether they will click on the link or not, and if they do, then maybe that means they need to have some additional training in the area. But it's a nice way to see whether our employees are actually clicking on these links or not. And so a lot of companies are doing that sort of thing now.
Jonathon Israel: Yeah, that's funny Al, because I was just thinking that with disaster recovery you always have annual tests, but it doesn't seem like a lot of companies have picked up on security awareness training and testing yet.
Christine Bilbrey: I love that you actually test them, because in real practice I think all the warnings become chatter. I think if I was still running a law firm I would just print giant red stickers and put them on every computer that says, don’t click that link, and if you did, you had to wear the sticker the rest of the day.
Al Saikali: That’s a great idea; maybe we’ll try that one.
Jonathon Israel: Al, you had mentioned before some of the ethical obligations attorneys have as far as securing their client information, but are there other obligations they may have, maybe statutory or even federal guidelines, that they need to be following?
Al Saikali: Yes. So law firms are no different than other companies. They are also governed by the state data security laws and HIPAA and other laws. So, on the statutory front and at the state level, you have data security laws. 47 different states have Data Breach Notification Laws, and often, as part of that, there are data security requirements that require companies that maintain Personally Identifiable Information about individuals from those states to adopt reasonable security safeguards to protect that information.
And I keep using this term reasonable security safeguards, and what does that mean? Unfortunately, there is no silver bullet, there’s no single thing that you can do that would constitute a reasonable security safeguard, because, of course, the nature of technology is that it’s always changing and what may be considered reasonable today, two years from now may not be considered reasonable. So, I put it into three buckets. You have your administrative safeguards, your technical safeguards and your physical safeguards. And so, your administrative safeguards are things like training your employees like what we’ve been talking about, and having policies and procedures that govern information security at your organization and having a plan, so that if you have a data breach you know what you need to do and how to respond.
Then in the technical safeguards, those are your IT guys. They're installing encryption, they have their firewalls, they are making sure you are resetting default passwords.
And then you have your physical safeguards, which would mean making sure that information is physically secured, that you are storing it in a secured way, that the file cabinets are locked, that you have a security guard. And so those are the three areas you need to be focusing on when I keep talking about reasonable security safeguards.
So you have your state laws. And then at the federal level there's no federal global data security law. It's more sector-based. So if you are a law firm, for example, that does work for a healthcare provider, maybe a doctors' group or a hospital, then you have an obligation under HIPAA to adopt reasonable security safeguards. You are probably what is called a business associate, and there's a business associate agreement that imposes on you the obligation to adopt these safeguards. Some of these agreements can be very specific, some are more general, but you have the obligation to comply with HIPAA's security rules.
You may also have contractual obligations with clients and we’re seeing that for sure, as a law firm, we are seeing that as part of the engagement process. Clients are saying we want to adopt the following measures to protect certain types of information that we share with you as our outside counsel. So those are some of the laws that are out there.
And one other thing I will say on the state laws is, if you are a lawyer in Florida and your law firm is only based in Florida, you may think, okay, well, the only law I need to know about is the Florida Information Protection Act. But actually, the way these 47 different laws work is that the law that is triggered depends on the jurisdiction of the individual whose information is being compromised. So if you have that thumb drive and it's got spreadsheets of financial information for individuals all over the United States, and you lose that, you've triggered all of the different 47 Data Breach Notification Laws, not just Florida's, and they all have different requirements in terms of how quickly you have to notify individuals, how you notify them, what you have to say, and whether you have to notify the Attorneys General in the states.
They’re all very different. So it’s important that you kind of get a sense early on, what are the laws that are going to apply to me and what do they require that I do.
Jonathon Israel: That's really good information. I didn't even realize that it all comes down to whose data it is that got lost, not just that it was you holding that data.
Christine Bilbrey: Jonathon and I are surprised, and I bet some of our listeners are now overwhelmed and terrified. We've got to reassure them. When we're encouraging them to start using these wonderful technologies that are out there, like the client portals and the file sharing and the electronic signatures, which we love, we are reassured that they're safe and secure. What can you say to attorneys? Because we still have the ones that think that if they keep everything in paper, they are the safest law firm; they don't even have a computer on their desk.
So we span quite a range of expertise levels, but we are encouraging people to move to the cloud. You’re going to have to move to the cloud. What do you say to them because after you told us it could trigger 47 different laws, who do they reach out to?
Al Saikali: Yeah, so this is a great point Christine. A couple of thoughts come to mind. Number 1, with respect to the lawyer who is saying, okay, well, the safest way for me to practice is just by using paper all the time, I would say absolutely not. I mean, we've handled many matters for companies where the breach was of paper records; they can be lost.
I mean, think of all the paper you are developing. You put that in storage somewhere, it gets lost, or we had a matter where there were people who were part of the cleaning crew who were coming in at night and taking records out of the garbage and out of the recycle bins and selling them as part of an ID theft crime ring.
There have been enforcement actions against companies that were throwing away paper records and then dumpster divers come by in the middle of the night, they go into the dumpster, they find the records, and they sell them as part of an identity theft crime ring and then the enforcement action is based on the fact that the company didn’t securely dispose of the information. So paper records are surely not responsible.
Now, in terms of the cloud, I actually think the cloud is a great way to go, particularly for smaller companies like small law firms. For small law firms, you don't have the money to invest in sophisticated security, safe vaults and high-tech threat intelligence monitoring systems, but the cloud providers have a way to aggregate that; they are doing that for you. It's not perfect, and anyone who ever tells you they have 100% security is lying to you. You just can't make that guarantee.
But the cloud providers, whether it's Microsoft Office 365 or AWS or Google or any of these larger providers, they do have a lot of the security already built in that you would probably never get access to as an individual.
Now, there are downsides obviously to using the cloud. For example, let’s say that one of these cloud providers suffers a cyber attack. The cloud provider is probably not going to be able to tell you which files were accessed and which ones weren’t. They may not even be able to tell you whether your files were accessed as a result of the cyber attack. So you have a little less control over that, but the risks are still lower than if you were trying to do this all yourself.
And so, I am a big fan of cloud computing. I know that we use some of that I think at the firm as well, and I think it’s going to be the future of technology, and a lot of our clients are using it as well and moving to the cloud. And it becomes more cost-effective as a way to do business. You don’t want to be investing money in servers and having to update the servers and worrying about patches to the servers.
A big risk right now is patches. Patches, meaning that the operating system for the server changes over time and there are vulnerabilities that are identified, and you have to download these patches to basically cure those vulnerabilities. And they are coming out all the time, and sometimes you don't remember you need to download them, or you wait and then you forget about them, and so that vulnerability still exists.
And the cloud providers have a way to build in, as part of the process, a patching update sort of system, so that they are always identifying the latest vulnerabilities and responding to them.
Jonathon Israel: That’s great, and I think that cloud is definitely the trend that we are seeing. It was probably slow uptake at the beginning, but it’s definitely rapidly increasing with the amount of firms that are moving to the cloud, especially as the access to it grows with the Internet.
I guess as we are starting to wrap up here, if you had one practical piece of advice that you would give to a solo or small firm attorney who is looking to try and harden up their systems now, what’s like the number one tip that you would say to them to take home today?
Al Saikali: So how about if I give you three quick ones, because there is going to be a little more than that.
I think the first thing you want to do if you are a small to mid-sized firm is hire a security vendor, an information security vendor, to come in and do an assessment. They will identify your weaknesses for you and prioritize them for you, so they can say these are the things that you need to fix first, they are the highest priority, and this is what it will probably cost you to fix that. Because you are probably not going to know what those vulnerabilities are; you are not going to know what you are looking for. So there are some very cost-effective vendors in this space that you can use, and I won't go into them on the podcast, but even the smallest firms can undertake one of these assessments.
The second thing I would recommend is look into cyber liability insurance. Go to your broker and ask them questions about cyber liability insurance: what will it cost? Because if you have a breach, you spend a lot of money hiring these forensic firms, outside counsel, credit monitoring, mailing services, and those are just the first-party damages; you also have potentially third-party claims against you, whether it's class action lawsuits or enforcement actions, and it costs a lot of money. And so you want to ask, is there cyber liability coverage that will cover you? There are some really good policies out there and some great brokers here in Florida in that space, so you want to look into that.
The third thing I would recommend is doing your own sort of due diligence in the area. Go to the FTC’s website, they have got a really nice paper called Starting With Security, check that out. Go to the Sedona Conference’s Working Group on Privacy and Data Security and other working groups, where they have information about law firm data security. There’s a nice paper that they have put out on this space, so you can start learning about the fundamentals and the language and the jargon.
Go to the International Association of Privacy Professionals website, sign up for their updates in this space, so that you are just getting familiar with the concepts and keeping abreast of technology, because under the Florida Rules of Ethics you have an ethical obligation to keep abreast of these changes and the risks in technology, and under rule 1.6(e), you have an obligation to make sure that you are making reasonable efforts to secure client information.
So those are the three things that I would say, and I would hope that in the next year or so we will see the Florida Bar creating more of these guides for Florida lawyers to use as they start evaluating the security risks to their firm, and that’s certainly one of the high priorities that I know Jonathon, you and I are going to be working on as part of the Technology Committee. So those are my suggestions.
Jonathon Israel: Right. And the only site I would add to that list is the PRI site for sure.
Christine Bilbrey: Jonathon does a great job of putting out cyber security tips on a really regular basis, but if you are overwhelmed and you are saying, I just want to practice law, please let me just go back to practicing law, there's so much to do.
I would say the first step, come to the PRI page or the Florida Bar Member Benefits site, because our Technology Committee, our Program Director Jonathon, we do look into the current technologies out there, you can get a discount on them, so if you are interested in moving into the cloud or upgrading your practice to something that’s going to be more modern and secure, come see what we have available on the Member Benefits page.
Jonathon Israel: Absolutely. I think it’s a great idea, Christine.
Christine Bilbrey: Well, it looks like we have reached the end of our program and I want to thank Al Saikali for joining us today. And I know our listeners have questions, so Al, if they want to follow up with you, how can they get this information from you, how do they reach you?
Al Saikali: Absolutely. They can feel free to give me a call, send me an email, you can go to Shook, Hardy & Bacon’s website and find my bio there and all the information, my contact information will be there. They should definitely feel free to reach out to me directly, I am happy to help, my brethren and sisters in the bar who have any of these sort of questions, for sure.
I want to say thank you to you Christine and Jonathon for having me as a guest on the podcast, and I am glad that the Florida Bar is engaging in these risk minimization efforts for their lawyers and keeping them abreast of these sort of developments in the area of security, privacy and technology.
Christine Bilbrey: Thank you so much Al. This has been another edition of the Florida Bar podcast brought to you by the Practice Resource Institute of the Florida Bar. I am Christine Bilbrey.
Jonathon Israel: And I am Jonathon Israel.
Christine Bilbrey: Until next time, thank you for listening.
Outro: The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.
Thanks for listening to the official Florida Bar Podcast brought to you by The Florida Bar Practice Resource Institute and produced by the Broadcast Professionals at Legal Talk Network.