This is the third and final post relaying our interview with Eli Wald, among the foremost experts on the interplay between law and cybersecurity. In previous posts, which can be found here, Wald explained why law firms are attractive targets for cybercriminals, but why, absent stronger regulatory enforcement, these firms lack incentives to step up security.
A former practicing attorney who teaches at the University of Denver Sturm College of Law, Wald recently published an eye-opening academic paper that addresses these and other alarming topics. Here we pick up the discussion with a hypothetical we posed many months ago: What would happen if the “next Ashley Madison” was a law firm?
Logikcull: We’ve seen a handful of very high profile breaches in just the last couple months. We’ve had the Panama Papers, followed by this admission from two very high profile law firms, Cravath and Weil Gotshal, that they had suffered data breaches as well.
My question for you is, what do you think would happen if a major data breach on the order of Sony, or Ashley Madison, or Target, occurred due to a law firm’s lapse of security? How would that change the way clients engage with their law firms, and the awareness that people in the legal community have in general about this problem?
Eli Wald: I have a surprising answer for you. I do not think that such a high profile hack would change a whole lot. First of all, it has already happened. We need not speculate. The Panama Papers, of course, in one sentence was a data security breach that happened at a law firm. It compromised sensitive information belonging to many high-profile clients — exactly the kind of scenario that you’re asking about. And the sky hasn’t fallen, so to speak, on law firms and their relationship to their clients when it comes to cybersecurity.
More specifically, however, the reason I believe that little will happen if additional significant cybersecurity attacks perpetrated against lawyers were to be successful is because there is this myth of the “one profession,” where we treat all lawyers the same. But of course, that’s a myth. It’s not true.
Let me explain. There are many different kinds of lawyers and they represent many different kinds of clients. Large entity clients tend to be represented by “Big Law” — large law firms. Those clients tend to be very powerful vis-a-vis their lawyers and very sophisticated, and they are already demanding that their law firms take appropriate cybersecurity actions.
For example, if you’re a large law firm and you want to represent a sophisticated financial institution these days, the firm will have to comply with the bank’s long list of demands. If the firm can’t comply, and can’t meet the cybersecurity demands of the client, the client will go elsewhere.
So you have this upper segment, if you will, of elite representation where Fortune 500 companies are represented by Big Law. And these powerful clients are very much able to demand better security practices, and law firms are increasingly complying and putting in place very savvy and sophisticated cybersecurity infrastructure that might very well meet the reasonable measure of care.
But what we ought to remember is there is a sea of lawyers and a sea of clients out there — not the upper echelon of the profession, not the Fortune 500 and their lawyers, but everybody else — who are susceptible to attack. And many of the clients outside of the elite segment of the bar are not as sophisticated. And even when they are sophisticated, they are usually not as powerful vis-a-vis the lawyer, so may very well not be in a position to demand appropriate cybersecurity action.
I think it’s fair to say that these sophisticated entities, in the Fortune 500, are able to take care of themselves without the ABA, without my article, and without our conversation. But I think that many other clients, businesses, and individuals, are not quite in a position to negotiate strongly vis-a-vis the lawyers, and are very vulnerable to the inappropriate and insufficient cyber-conduct of the lawyers.
Logikcull: All lawyers are not created equal when it comes to this subject or any other, as you say. What are the most forward-thinking law firms doing to assure that their clients’ data is safe?
Wald: I think forward-looking law firms — and, to be sure, there are many of them — do at least three things. The first is that they identify, prioritize, and secure valuable information.
Some have put in place cybersecurity planks for clients, but the essential point is that rather than being reactive, forward-looking law firms are proactive. When sensitive information comes in, forward-looking firms identify it, catalog it, and prioritize it. You just said that not all law firms are created equal. Of course, not all information is created equal either.
There’s no need to secure every aspect of every piece of information. Knowing what information you have, prioritizing it, and securing it accordingly, is what forward-looking law firms are doing. So that’s number one.
Secondly, forward-looking law firms are investing heavily, both in updating their infrastructure continuously, and as importantly, training both their lawyers and their staffs to understand threats and respond to them appropriately. One can’t emphasize this enough: You can have the most sophisticated infrastructure in place, but if you are depending on people to make judgment calls, if they don’t know how to effectively utilize the infrastructure, the system fails. So the second thing law firms are doing is staying on top of both infrastructure and training.
Thirdly, and as importantly, a lot of lawyers tend to believe that cybersecurity is about preventing an attack. But cyberattacks happen all the time, to both the elite and everybody else. What forward-looking law firms do is that they prepare not only for the possibility of attack, which sometimes they cannot prevent, but for breach management and containment. So when one does become the victim of a cyberattack, the question becomes: what do you do then?
In addition to trying to prevent an attack, the best firms are making sure that they are prepared to react swiftly — to do whatever they can to notify clients immediately, contain the attack, and manage the consequences. Let me conclude by saying that backward-looking firms often find themselves clueless. Once they realize that they have been subject to an attack, then and only then do they try to contact the experts. Then and only then do they try to scramble to respond. And we know that that’s not the way to go. So I guess the third aspect of being prepared is not just trying to prevent an attack, but also, being prepared to respond when it happens. And it will happen, to the best of us.