Legal Data Intrusion – Big Risks from Little Action

purplehat

As of 2015, there are a little more than 1,300,000 licensed lawyers in the United States (https://www.americanbar.org/content/dam/aba/administrative/market_research/lawyer-demographics-tables-2015.authcheckdam.pdf).  Also according to this same source, the percentage of lawyers in private practice rose from 68% in 1980 to 75% in 2005.

What this means is that, given that the share of attorneys in private practice has remained constant over the last 10 years, and given that the number of licensed lawyers has not increased much since 2015 (which it really hasn’t, according to http://www.americanbar.org/content/dam/aba/administrative/market_research/national-lawyer-population-by-state-2016.authcheckdam.pdf), approximately 975,000 lawyers are in private practice.

I did some research and could not find any definitive resource that could show how much data is kept at a law firm, so I thought I would use my experience in IT to come up with a ballpark figure to combine with the population figure above.

Let’s assume that a law firm contains 4 people (according to this government source, offices with 1-4 people are far more common than larger law offices, with almost 128,000 such offices in the US – https://censtats.census.gov/cgi-bin/cbpnaic/cbpcomp.pl).  Now, let’s further assume that each of these lawyers (or other staff) has at least 1 computer (this could be a dockable laptop or pad which can be mobile), a cell phone (smart phone), and at least one other device that can get access to the internet.  That now means that there are 12 devices that, at any time, can contain (even briefly) client data.  That does not count any “hard copy” files that are carried by the attorney in their automobiles or their homes.  Let’s address each of these areas separately.

First, in my experience any device that has access to the internet is vulnerable every time a user activates that connection.  When the computer is part of a network, that vulnerability expands quickly to other users.  To prove my point, let’s take a formula that is used by project managers to determine communication networks for stakeholders.  This formula is also used in probability, but its use in networks is what we are applying today.

The formula is N(N-1)/2 and is easily calculated using a number of “spokes.”  For instance, let’s say that you have 4 computers that are networked, which means they are connected to each other.  By using the formula, you can calculate that there will be 6 lines of communication between these 4 computers.  This does not look intimidating now, but just increase this by 5, to 9 computers, and you have increased the lines of communication from 6 to 39!  A graph at Figure 1 shows how the increase in spokes can increase lines of communication almost geometrically.

[Figure 1: chart of lines of communication versus number of networked “spokes”]

We present this to make a point.  If you have 4 people in your office and they all have a computer, cell phone, and pad, then we are talking about 12 devices that are interacting not only with internal computers, but EVERYONE on the internet.  This can be overwhelming to anyone trying to protect these devices from intruders.

Let’s take a moment to differentiate intruders from hackers.  Hackers have a connotation of someone in a darkened room, their face illuminated from the computer screen, laughing (“bwa hahaha”) at having taken control of someone else’s computer.  However, hackers are not all bad.  In fact, inventors are hackers, taking known processes and improving those processes (Thomas Edison can be called a hacker, for instance).  Computer intruders, on the other hand, have that connotation of bad actors.  In the cybersecurity world, we consider bad actors “Black Hats.”  These intruders may steal for money, celebrity, or just plain because they wanted to intrude.  In any case, intruders are what I will call the Black Hats, since this is what they do – use intrusion techniques for the purpose of achieving one of three things:  Deceive, Deny, or Destroy.  They want you to go somewhere other than where you want to go (on the internet); if they fail at that they will deny you access to the internet (called “Denial of Service” or DoS); or finally they will destroy your data and the machine along with it (by corrupting your hard drive or something similar).

So, let’s review.  You have individuals in law offices that make a living off of social contact with their client.  They bill for services that they do using their mobile devices and make calls and email to their clients.  All this data can be kept on their devices, which puts the data at risk of being stolen, or it can be placed in the “cloud” in order to secure the data.

The cloud is an interesting phenomenon.  The basic concept of the cloud is a place where you can store your data so that, in case your machine is stolen, destroyed, or damaged, you can always access and download the data that you may have lost from the cloud.  I use the cloud to store some presentations and papers, but I would never trust it for personal data.  I back up my data on a separate drive that I keep in a secure area.

What does all this mean?  Legal offices can have data intrusions.  There, I said it.  In fact, if a law office insists that they have never had an intrusion, I would have a hard time believing that was true.  Even if the office has the BEST automated intrusion detection system, you can see for yourself that even with just 10 employees, you have over 45 lines of communication.  Any one of these lines can be trying to get information from any of these employees; and that does not include email communications which at any time can result in an incident that can lead to malicious software being installed on the employee’s computer.

So, what can be done to prevent these intrusions?   You can educate the users of the computers to protect their credentials (user id, password, pass phrase, etc.).  This is something that is somewhat useful, especially if you make the “training” (ranging from computer based training to in-class instruction) mandatory for every user.  Of course, written computer security policies (including “screen warnings” for users) are good to accentuate the education of those users.

I use the following two phrases in my cybersecurity classes:  Lock the Door, and Check the Stove.

Everyone walks away from their homes at one time or another thinking that they forgot to lock the door.  That may go unnoticed, but forgetting to turn off the stove can lead to a conflagration.  The same is true if you do not have a password, or you forgot to activate your anti-virus or (worse yet) clicked on that attachment that you THOUGHT was from a colleague about next week’s court case when it was in actuality malicious software.  So I thought I would make it simple:  Two things to do – Lock the Door and Check the Stove.

Lock the Door consists of the following:

  1. Ensure your password has strength. This does not mean that you put down your favorite golf course or sports team.  This means that you think of two words that have nothing to do with one another (like “beamframe”) and use special characters and numbers to make it more complex.  This helps negate dictionary password breakers and makes the intruder move on to a “softer target.”
  2. Use a laptop when you are getting a coffee at a local coffee spot or on an airplane? Get a polarized privacy screen (they cost around 30-40 dollars, which could be considered expensive, but can you really put a cost on a data breach?).  In addition, sign up for a virtual private network (VPN) if you do not already get one from your office.  One free VPN is Hot Spot Shield, but there are many others out there, so research the topic and talk to your IT folks.
  3. Be aware of your surroundings. People can be listening to you at an airport or in the seat next to you in a waiting room.  Go outside or outside of ear shot when you are taking a phone call or even texting.
  4. Do you have your cell phone on the desk during an interview with a client? Put it in your desk drawer.  Trust me, it is best to keep it in a closed container while you are interviewing the client.  Remember that most cell phones contain a microphone and a camera.  Why would you risk those becoming active?
  5. Remember that the probability of an intrusion is relatively high (in 2013 there was an estimate of 20 MILLION attacks PER DAY according to http://www.deseretnews.com/article/865573798/Cyberattacks-on-Utahs-secure-government-networks-up-dramatically.html?pg=all). As much as you can prevent such a breach, the intruder just needs you to be complacent just once.  You have to be vigilant all the time.  Ensure that you keep the breach to a minimum by implementing good security practices as mentioned in 1, 2, and 3.
  6. Finally, get some training. An intro to cybersecurity for legal professionals is a good thing and can get some great traction once legal professionals understand the risk of their actions.  Remember that an ounce of prevention is better than millions in reputation cost.

This brings into view a new type of “hat” for cybersecurity.  A few months ago, I introduced “silver hat” to denote individuals over 60 that know cybersecurity and share those cybersecurity concepts with others.

Now I would like to introduce “Purple Hats” (currently pending trademark by the US Government). Purple was chosen since it is the color that is worn by those graduating with a law degree.  These individuals will be practicing law professionals (attorneys, paralegals, etc.) that understand cybersecurity principles and share those with others in their profession (and beyond).  By establishing a cohort of individuals that focus on cybersecurity and use those principles to guide their computer use, it is hoped that the amount of breaches that are experienced by legal offices will diminish.

After all this, if you do not believe my take on this (after all, I am NOT a lawyer or legal professional), then maybe you will believe your OWN ABA journal.  According to an article in your journal, less than 17.1% of ALL legal offices have an incident response plan should there be a data breach (http://www.abajournal.com/magazine/article/managing_cybersecurity_risk).  Look at this in relation to the numbers above and tell me it does not give you a moment to think about the consequences of a data breach.  How many billable hours will it take to make up for the reputation costs of just ONE data breach?

More articles on this subject are forthcoming, but suffice it to say that litigation is something that is private and, as such, needs the user to be aware of the possibilities of intrusion at all junctures of computing use.  Just take a look at rule 1.6 in your ABA rules (https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_6_confidentiality_of_information.html).  If this is not a time to pause and consider cybersecurity, then you may be increasing your risk of a data breach.  Your small prevention will help limit any legal intrusion.
