In her closing plenary address at LegalTech New York 2013, back in January, FBI special agent Mary Galligan warned that “[w]e have hundreds of law firms that we see increasingly being targeted by hackers.” For those in attendance, and for those who read the resulting tweets and blog posts in the news cycles that followed, this was not unremarkable. In fact, this was chilling: the kind of stuff that keeps those with a vested interest in a law firm’s virtual document stores awake. (Not that they get much sleep anyway.) Galligan, the special agent in charge of cyber and special operations for the FBI, was a last-minute addition to the speaking roster after a late drop-out from NYC’s chief of police. I suspect that few who attended really had any expectations about what they would hear, but this certainly was not it. This was a dire warning indeed. “We all understand,” she continued, “that the cyber threat is our next great challenge.”
OK, fast forward a few months: in May of this year, Galligan was interviewed by NYLJ. Perhaps hoping that Galligan would say something printworthy about the woeful, continued vulnerability of law firms, the interviewer asked a perfectly reasonable question: “Are law firms equipped to handle the threat?”
Galligan had a surprising response:
Law firms are taking cyber security extremely seriously. As a result of their concerns, the FBI has done a significant outreach program to law firms to give them best practices, and to respond when they have an incident. The FBI recommends things like understanding their network, where their data is, patching all their vulnerabilities and having an inventory of all their software.
This canary sees a surprise in each sentence here, so I’d like to take them one-by-one:
1) It surprises me to learn that law firms, only a few months since her initial incendiary statement, are now all taking the matter seriously. No law firm I’ve ever worked for or with has been able to pull off a quick turnaround like that on anything that did not immediately affect the balance sheets. And the issue Galligan brought to our attention in January was not of the quick-fix variety. It was a cultural problem owing to perceptions of priorities and expertise within the firm walls. For such a straight shooter, this is an uncharacteristically empty statement including the unquantifiable terms “extremely” and “seriously”.
2) It surprises me to learn that the FBI has been so busy responding to incidents when they happen, if the firms have become so serious about attending to their security. Security solutions have existed for years and, as events like Black Hat remind us, for every shady Anonymous hacker out there, there is a dedicated ex-hacker working to beat them all. The ability to defend themselves has existed for years. It surprises me to learn that so many law firms, if they are serious about the threat, need the assistance of the FBI and that the FBI is able to assist them all.
3) Finally, it really surprises me to learn that – after all’s been said – the recommendations are that the firms understand their networks, where the data is, what software they’re using and where the holes are. If firms still need to understand their networks, etc., how can they possibly be taking the threat seriously? When I was in digital kindergarten, these recommendations were right there next to “wash your hands after flushing”.
I know, this was a brief interview in broad daylight and I didn’t expect it to dive into sensitive materials. But, still, it troubled me. And I think it should trouble you too …
But, what does this have to do with E-Discovery?
Well, as a result of E-Discovery, law firms collect and hold enormous stores of client data, right? Still, it is no secret that cyber-security is not one of their core competencies. In fact, most law firms’ and, thus, most attorneys’ electronic files are not well protected. Indeed, most firms (and most small- to medium-sized businesses in general) simply can’t (or won’t) provide the resources necessary to vigilantly protect their highly sensitive, confidential documents. Many firms are not even aware that they have suffered a breach until well after the incident, when an agency like the Federal Bureau of Investigation informs them that their client’s data has been found on a server in another country as a result of a security compromise linked back to the firm.
So, what data is being targeted? How about every conceivable form of documented intellectual property? For instance:
• Proprietary knowledge around an invention: specifications, lab notebooks, draft patent applications.
• Financial details concerning a merger or acquisition (even transactions that never fully materialized).
• Details about an organization’s inner workings – details typically shared with attorneys during many different types of litigation.
The bottom line is that clients generally do not approach law firms when things are going well and they have no sensitive issues. They seek counsel when they are engaged in deeply sensitive and highly expensive conflicts, which tend to generate correspondingly sensitive information that is of potentially great value to third parties.
So, what do you do? ASK FOR HELP
AccessData has been in the business of detecting, preventing and, when that fails, helping businesses recover from cyber threats for nearly three decades. We understand that the threat continues to evolve at a rapid pace and that answers to and anticipations of the threat require constant and vigilant development as well. In order to find out more about how AccessData is helping organizations deal with cyber security threats, please take a moment to visit us here. And contact our Professional Services department and allow us to assess your needs and provide managed security options.
To quote Special Agent Galligan (the scary, January 2013 version) one last time: “The cyber threat is too big for any of us to fight alone.”
Eric Killough is the virtual canary AccessData has released into your digital mine. He is a JD, a CEDS, and a librarian. He thinks about electronic discovery probably more than he should. Please join him here, at Twitter, at LinkedIn, and at his own blog. He’ll be happy to meet you.