Earlier this year, we were all bombarded with emails informing us of the impending EU legislation around data protection and warnings of repercussions for noncompliance leading up to May 25th, 2018. As we all now know, this was the date the European Union’s General Data Protection Regulation, or GDPR, came into effect.
What might not be as obvious is that the GDPR also applies to US law firms that do business with European businesses and citizens. If your firm is found to have improperly handled EU citizens' personal data, it can be fined up to 20 million euros or 4% of annual worldwide turnover, whichever is higher.
“The GDPR is a far-reaching legal instrument that will have a significant impact on all companies involved in the processing of personal data, including many outside the EU,” according to Jones Day.
Bloomberg Law states, “Under GDPR... EU data subjects will have the right to access their personal information held by an organization at any time, and the organization will have a very short response deadline. The [subject] would also have the right to object to the automated collection of his personal data, ask [the] firm to correct inaccurate data, or ask for all of his personal data, including metadata, to be put onto a device or transmitted to him—and deleted forever from the company’s servers and devices."
What is considered ‘personal data’? “...'Personal data' includes names, email contact information, location data, social media posts, medical information, and any other information that might identify a person, either directly or indirectly."
"In the case of a law firm...a GDPR-compliant disclosure might include a statement that [the firm] would be disclosing the subject’s personal information to the opposing party, to the court, or any other reasonably foreseeable entities."
Law firms currently doing business with any of Europe’s member countries and citizens will need to become and remain compliant with the GDPR to avoid large penalties. Those that are marketing to prospects in the EU should also be adhering to the more stringent requirements that come with working with European citizens and countries.
Unfortunately, there isn’t a checklist available to firms attempting to comply with GDPR regulations; there are far too many available interpretations of this legislation.
Also important to note is that GDPR compliance is not a single moment in time; it depends on how your operations are structured and carried out going forward. This is one reason many firms are hiring or appointing a Data Protection Officer (DPO) to serve as the main point of contact for GDPR compliance and accountability. This person (or team) is responsible for information governance for the business and may therefore implement the large operational, organizational and technical changes necessary for compliance.
EU member countries are also in the process of passing their own legislation to supplement the GDPR, so compliance requirements will vary from country to country and shift over time.
To remain compliant, lawyers and law firms with clients in Europe will need to continuously monitor GDPR-related law as each country passes its own legislation.
As mentioned above, appointing a DPO is a great first step towards GDPR compliance.
Here are a few additional best practices:
Below is another list from Nymity of the top 10 measures that have been implemented for GDPR compliance purposes, compiled from a survey of 46 organizations.
In the event of a complaint, don’t scramble to ensure your practice is GDPR compliant. Let the experts of Fairdinkum Consulting prepare your firm for compliance prior to any issues. We will identify people, process and technology gaps and will train your staff on cyber security, perform vulnerability scans and penetration tests to ensure your firm is compliant with the required regulations of GDPR, while maintaining the highest security standards.
The American Bar Association completed a TECHREPORT in 2019 to investigate the impact of cyber security breaches on law firms.
According to the American Bar Association: "The 2019 Survey results show that a good number of lawyers, unfortunately, have experienced a security breach. In fact, 26% of respondents report that their firms have experienced some sort of security breach (including hacker activity and website exploits to more mundane incidents such as lost or stolen laptops)."
According to research from the Verizon RISK Team, few breaches are unique, meaning the vast majority of incidents are caused by a small number of scenarios. Verizon classifies 18 different data breach scenarios into four groups; the human element, conduit devices, configuration exploitation and malicious software. For the purposes of this article, we will focus on the malicious software that makes institutions vulnerable.
Verizon’s 2018 Data Breach Investigation Report states that over 75% of confirmed data breaches were financially motivated.
They go on to report that ransomware is the top variety of malicious software, found in 39% of the malware-related cases examined.
The lesson here is that malware is a big contributor to the breach landscape, and it rarely acts alone: it usually arrives through phishing, stolen credentials or an unpatched system.
These malicious software attacks can generally be defined as one of the four categories listed below.
Ransomware is a form of malware that uses encryption to lock institutions out of their own files. The attacker effectively holds the data hostage until the victim pays a ransom for the decryption key. This type of attack increased by 36 percent in 2017, with roughly 100 new malware types appearing.
Ransomware is on the rise, and law firms are especially vulnerable. One well-known example is CryptoLocker, a Trojan that targets computers running Microsoft Windows. The malware encrypts the victim's files and displays a message stating that the data will be decrypted only if a ransom in Bitcoin is paid by a set deadline. Paying offers no guarantee; tested, offline backups are the only reliable way to recover.
So what does the FBI recommend? "As ransomware techniques and malware continue to evolve—and because it’s difficult to detect a ransomware compromise before it’s too late—organizations [that house personal data] in particular should focus on two main areas:
Sophisticated malware attacks include custom-written malware designed to disable a system's security controls and anti-virus measures. As the name suggests, these attacks are highly advanced and often targeted at specific institutions that already have well-established IT security in place. While the median time to detect an intrusion dropped significantly to 146 days in 2015 from 416 days in 2012, some malware can still go undiscovered for years.
According to the FBI:
"Ransomware attacks are not only proliferating, they’re becoming more sophisticated. Several years ago, ransomware was normally delivered through spam e-mails, but because e-mail systems got better at filtering out spam, cyber criminals turned to spear phishing e-mails targeting specific individuals.
And in newly identified instances of ransomware, some cyber criminals aren’t using e-mails at all. According to FBI Cyber Division Assistant Director James Trainor, 'These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.'"
Certain malware, known as RAM scraping, is designed to extract data from a system's physical memory and typically targets point-of-sale (POS) systems. It reads the POS terminal's memory during the brief window in which a transaction is being processed, when card data sits unencrypted in memory before it is encrypted for transmission.
The now-infamous Target breach in 2013 is a prime example of hackers using RAM scraping: attackers stole payment card data for about 40 million customers and personal information for up to 70 million more. The attack went on for nearly two weeks before it was detected.
When credentials are stolen, it is difficult to detect a malicious “known user.” Using spyware/keyloggers, stolen credentials, phishing, backdoors and password-dumper tactics, attackers pose as a legitimate user and gain broad access to the network for months (if not longer), placing a great amount of data at risk. To prevent credential theft, Verizon recommends a strong password policy, two-factor authentication, patching vulnerabilities immediately, reviewing network logs and fixing SQL injection flaws in web applications.
Eternal vigilance, quick identification and the right protections are key to avoiding major damage from a malicious software attack. Fairdinkum employs a combination of cutting-edge techniques to ensure your infrastructure is safe, up-to-date, scalable and compliant, keeping your company in good standing.
Today, over 90% of lawyers use smartphones for law-related matters. Law firms have become a prime target for cyber attacks because of the valuable data they possess and their relatively weak security. A study by ALM Legal Intelligence reported that 22% of law firms do not have an organized plan in place should a data breach occur. Hackers have noticed that law firms are vulnerable in this area. Legalitprofessionals.com says that for this reason, many law firms are now focusing on mobile security.
With the heavy use of mobile devices for work, more lawyers are working away from an office. Over a third of lawyers work from home or in a shared space. Of the lawyers who do work in a traditional office setting, 77% take work home and often work while they travel. The majority of firms simply do not have the necessary security precautions in place for remote work.
The use of mobile devices in business creates client confidentiality risks for law firms. The American Bar Association (ABA) clearly states that client confidentiality applies to all relevant technology in Model Rule 1.1, Comment 8, on Maintaining Competence. Lawyers have a responsibility to stay up to date on safeguarding their technology, urges Sarah Anne Hook, M.B.A., J.D., in her Legal Ethics Update on Mobile Device Use and Client Confidentiality. Client confidentiality on mobile devices is an ethical duty and should not be taken lightly.
Having a mobile policy and safeguards in place will substantially decrease the risk of a breach. Only 42% of ABA survey respondents have a written policy on mobile device usage at their firms. Regular employee training on security threats and how to prevent them is recommended.
Firms should implement email filtering software and train employees to spot phishing and spam emails. Lawyers need to be reminded to be cautious with client-sensitive information when using email on public WiFi. Email attachments can contain malware.
New devices should be secured with proper setup. When installing apps, don't grant permissions unless they are necessary, especially on Android. Mobile devices and laptops should be protected with the full-disk encryption built into macOS (FileVault) and Windows (BitLocker); modern iOS and Android devices encrypt their storage once a passcode is set, so require one. Also, install operating system updates as soon as they are available.
Law firms should look for technology partners to assist them in protecting their data. Having a technology partner will bring peace of mind to law firms that are concerned about data breach implications.
We live in a mobile world; therefore, cyber security must be top of mind. Hackers are constantly looking for companies with valuable data and low defenses. Lawyers and firms have a duty to protect client confidentiality, and the use of mobile devices (whether in or out of the office) is no exception. Law firms need to make mobile policy and cyber security a priority. Employee education and engaging a technology partner are the best ways to prevent a potential threat from becoming an incident.
Before you open that very legitimate-looking email, I just want you to pause a second. If you don’t know already, phishing is an attack via e-mail that aims to gather your personal information. Whether it be passwords, account numbers, PINs or social security numbers, you do not want that information in the wrong hands. The goal of the email is to look legitimate enough that you see no reason to hesitate before opening it. Over the years, people have become more savvy at spotting suspicious emails, but as we get smarter, so do hackers.
So let’s say you get an urgent email in your inbox, claiming to be your bank… What do you look for?
You open your inbox and you have an email from your bank with an urgent message. It looks legitimate, but look at how you are addressed, at the subject line, and at the sender's actual address (not just the display name). Odds are your bank knows your name, so if you are addressed generically, take a step back and examine the email before you click on any links. If the sender's address is on a domain that is not your bank's, or the subject line claims urgency in a way your bank wouldn't normally use, it is probably a scam.
You click on the link and it brings you to a banking site. The attacker took the time to make the website look so authentic that you would have no idea it's fake. But look again, and look at the address bar rather than the page. The padlock and “https” only mean the connection is encrypted; criminals obtain certificates for their fake sites too, so a padlock does not prove you are on your bank's site. What matters is the domain: the hostname must be your bank's actual domain, not a lookalike such as an extra word tacked on, a misspelling, a raw IP address, or your bank's name appearing before an “@” in the address. If the domain is wrong, or the site is not using https at all, close the page and delete the email.
Take your time. The goal of a phisher is to fluster you and prompt you to fill out a form asking for sensitive information. The subject line may have worried you, but just take a moment. Before you fill out any form, really analyze the situation. If something doesn’t feel right, go with your gut, and when in doubt, type your bank's address into the browser yourself rather than following the link.
So simple, yet so easy to miss. Did your bank spell your name wrong, or perhaps use odd punctuation or grammar? Stop right there. Sloppy wording from an institution that normally writes carefully is a classic sign of a phishing email.
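The address-bar checks described above can be automated. The following Python script is an added example written for this article, not code from the original page or from Fairdinkum; it takes a link found in an email and the domain the reader actually trusts (both assumed inputs) and reports the warning signs discussed: a missing https, a hostname that is not under the trusted domain, a raw IP address, an “@” trick that hides the real host, and punycode labels used for lookalike domains. The “is under the trusted domain” test is a deliberate simplification that compares hostname suffixes rather than consulting the public suffix list.

```python
import ipaddress
from urllib.parse import urlsplit


def check_link(url: str, trusted_domain: str) -> list:
    """Return a list of warning strings for a link taken from an email.

    An empty list means none of the checks fired; it does NOT prove the
    link is safe, only that the cheap, obvious tricks were not used.
    """
    warnings = []
    parts = urlsplit(url)

    # 1. Transport: an unencrypted page is never a real bank login page.
    if parts.scheme.lower() != "https":
        warnings.append("not https (scheme=%s)" % (parts.scheme or "none"))

    # urlsplit already strips userinfo and port and lowercases the host.
    host = parts.hostname or ""
    if not host:
        warnings.append("no hostname in link")
        return warnings

    # 2. The "bank.example.com@evil.example" trick: everything before the
    #    '@' is userinfo, and the real host is what follows it.
    if parts.username is not None:
        warnings.append("text before '@' (%r) is not the host; real host is %r"
                        % (parts.username, host))

    # 3. Legitimate banks do not send customers to raw IP addresses.
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address used as host")
    except ValueError:
        pass

    # 4. Punycode labels (xn--...) are how lookalike Unicode domains are
    #    encoded on the wire, e.g. a Cyrillic 'a' standing in for Latin 'a'.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in hostname (possible homograph)")

    # 5. The host must be the trusted domain itself or a subdomain of it.
    #    "bank.example.com.secure-login.example" fails this test because
    #    the trusted name is on the left, not at the end.
    trusted = trusted_domain.lower().strip(".")
    if not (host == trusted or host.endswith("." + trusted)):
        warnings.append("host %r is not under %r" % (host, trusted))

    return warnings


# Constructed sample links (not from any real email), checked against an
# assumed bank domain of bank.example.com.
SAMPLE_LINKS = [
    "https://www.bank.example.com/login",
    "http://bank.example.com.secure-login.example/verify",
    "https://bank.example.com@198.51.100.7/",
    "https://xn--bnk-sqa.example.com/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = check_link(link, "bank.example.com")
        print(link, "->", result or "no obvious warning signs")
```

Run it against the constructed sample links and only the first passes; the other three are flagged for the reasons listed in the text. A pass is not a verdict of “safe”, which is why the function reports warnings rather than a yes/no answer.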
Cyber crime is a very real threat to the legal industry. One in five law firms reported an attack in 2017. In a survey conducted by ABA Legal Technology, 22% of lawyers reported that their firm had experienced a data breach, up from 14% in prior years.
Cyber attacks have become a daily occurrence and organizations both large and small have become victims. The National Law Review pointed out that companies such as Uber, Verizon and Yahoo have had big breaches in the last year. Small law firms must not believe they are too small to be targeted, as attacks are so numerous in the legal field.
One of the main reasons hackers have zeroed-in on law firms is the, “it won’t happen to us” mentality. Hackers are aware law firms have access to valuable data and don't necessarily have the highest security in place, making them easy targets for attacks.
A security breach is not just an inconvenience, either; it can be costly. For law firms, a breach in security carries major consequences. Firms have a responsibility to uphold client confidentiality and protect client data under ABA Model Rule 1.6, Confidentiality of Information. Client confidentiality extends to all relevant technology, including mobile devices, as stated in Model Rule 1.1, Comment 8, on Maintaining Competence. Loss of reputation, billable hours, files and monetary damages are a few of the consequences firms have faced after an attack. It's now more important than ever for law firms to take precautions, for both ethical and financial reasons, in order to prevent a breach.
Cyber security is needed now more than ever. One of the ways law firms can protect their confidential client data is by finding a technology partner. Technology partners are the experts on the newest threats and how to prevent them.
Cyber insurance is another safeguard many firms have implemented. General liability and malpractice policies typically do not cover a security breach, which makes cyber insurance a small but growing need for firms.
Having policies in place and frequent employee training are recommended. If employees are equipped to spot potential security threats before they cause harm, the firm's risk is reduced. One in four respondents to the tech survey said they didn't know about their firm's policies and procedures around cyber security. The ABA recommends a formalized structure that incorporates people, policies, procedures and technology. A firm should have a security plan in place rather than one-off policies around technology.
Encourage employees to create strong, unique passwords and use a password manager to keep track of them. Two-factor authentication is key. Two-factor authentication requires a password plus a second factor, typically a one-time code generated by an authenticator app such as Google Authenticator or sent to a mobile device (an authenticator app is preferable to SMS, which can be intercepted or redirected). This second check puts up another barrier a hacker must bypass to get at client information even after stealing a password.
Encryption protects data in storage and data transmitted over networks. Encryption is a basic level of protection and should be used on all devices. Full-disk encryption is strongly advised: it ensures that data on a lost or stolen device is unreadable without the user's credentials.
Email is the most common entry point for hackers, and roughly 90% of breaches are reported to begin with a phishing email. A spam filter is a simple first line of defense. If a lawyer has clicked a link in a phishing email, the best course of action is to change the affected passwords immediately, enable two-factor authentication, and report the incident to the firm's IT staff so that any compromise can be contained, as Law Technology Today suggests in a recent article.
Law firms need to take note of the data breaches reported in the news on a regular basis. Any firm, large or small, is vulnerable to a cyber attack. By engaging a technology partner and having a technology program, law firms can keep up to date with the top threats and defend against them. Relatively minor changes, such as using two-factor authentication and encrypting all devices, are a step in the right direction. The biggest way law firms can prevent cyber attacks and protect client confidentiality is by being informed and constantly aware.
Keith has helped us design and develop all of our IT systems. He is professional and, while he is a consultant to our organization, the feeling is that he is an employee! I would highly recommend Keith and Fairdinkum!
Scott Kargman, Principal at Systemwide Media, LLC
Keith was our primary contact when I was at Lux Research. He was the 'go to' guy for any and all IT things as we had no internal IT department. He was extremely responsive and always did a thorough job in servicing our needs. I would highly recommend Keith for any position based on my experience with him.
Patricia Constantino, Financial Controller/Business Manager