Law firms under cyberattack is one of the topics we cover in the October Arizona Attorney Magazine.

How safe is your data? And the data held by you in care of your clients?

In the October issue of Arizona Attorney Magazine, Andres Hernandez asks that question. The evidence regarding law firms suggests the answer may be a distressful “Not very.”

His article explores some in-the-news law firm hacks we’ve read about, then offers some suggestions to keep your own data safe.

The opening page of Andres Hernandez' article on cyberattacks, Oct. 2016.

Meantime, just today I came across the Arizona Republic headline “Banner Health’s summer data hack triggers 10 civil lawsuits.”

The lawsuit you avoid could be your own.

If you have your own story of law-firm success in crafting ways to protect data in the digital age, write to me at arizona.attorney@azbar.org.

Banner Health cyberattacks lead to 10 civil lawsuits

Cybersecurity and privacy were two of the primary topics at the 2016 TechShow.

Great learning at conferences is one of the best things ever. But if you can’t be there, hearing the takeaways of smart folks may be the next best thing. In fact, because those correspondents have done the hard work of taking notes and synthesizing, it may be the ideal outcome.

That’s how I felt about this year’s ABA Techshow, which I was not able to attend. (I was at a different lawyer event just blocks away, but the closest I came to joining the techies was nearly crashing the Clio party. Next year.)

Although I missed the event, seven technology experts have boiled down for the rest of us their take on the biggest TechShow messages. You should bookmark and read their complete analyses here.

To synthesize even further their event coverage, here are a few insights from those smart people, whom you should follow (links take you to their Twitter worlds, which you should join):

  • From Catherine Sanders Reach: “This year seemed to have had an unofficial theme: privacy and security.”
  • From Natalie Kelly: Uber Eats may be a fascinating analogue to assess how we deliver legal services.
  • From Heidi S. Alexander: Stop making unencrypted calls, and be sure you’re using the cloud securely.
  • From Reid F. Trautz: Our regulatory system is stifling innovation in the legal profession.
  • From Tom Lambotte: It’s scary out there, even for Macs.
  • From Nora Regis: Better use of Excel, including pivot tables, can be your law-practice friend.

And in case you decide you need just a little more impetus to pay attention to technology, especially in regard to cybersecurity, enjoy this article about a hack of New York-based Cravath Swaine & Moore (originally reported by the Wall Street Journal, but that’s behind a paywall, so the NYT wins).

To access law firm data, hackers bypass the front door.

As the article opens:

“Federal authorities have warned for years that big law firms are ripe targets for computer hackers because they are information-rich repositories of corporate deals and other sensitive client information.”

“But big law firms, as a general rule, are loath to confirm whether they have been victims of data breaches, largely out of fear of alarming clients. Breaches and potential intrusions at large law firms often go unreported and generally come to light only anecdotally—often in news reports or discussions at legal conferences.”

Well, the anecdotes are growing more and more common. What are you doing to ensure your data is secure? Write to me at arizona.attorney@azbar.org with your tech-success story.

A cybersecurity panel discussion offered some tips and many warnings, Fennemore Craig, Phoenix, Ariz., May 14, 2015.

How concerned should we be about the sorry results that may befall us if we suffer a cybersecurity breach?

However bad you think things could be, they’re probably going to be worse.

That’s the challenging takeaway I got from a panel discussion on cyber due diligence. It was hosted at Fennemore Craig on May 14, and it included speakers from the firm, prosecutors’ offices, and security firm Kroll.

(The June issue of Arizona Attorney Magazine contains some practical takeaways on cybersecurity preparedness. Read the complete article by attorney Paul Stoller.)

At the Fennemore event, FBI Special Agent Martin Hellmer urged attendees to consider whether their computers housing sensitive data must even “touch the Internet.” Instead, he said, “air-gapped” computers may fill your needs.

“Threats are very real and everywhere,” he said. “Chances are, if your computers are regularly on the Net, and even if you’re regularly patched, you’ve probably been hacked.”

Generations of FBI-watchers hearken back to their work tracking down bank-robbers. But Hellmer said times have changed.

“It’s a great time to be a criminal in the cyberworld. Why someone would walk into a bank today with a note and a gun, I don’t know. Instead, you could sit in the comfort of your own home and steal millions of dollars from someone on the other side of the world.”

Cybersecurity panel at Fennemore Craig, May 14, 2015, L to R: Jim Knapp, U.S. Attorney's Office; Jonathan Fairtlough, Kroll; Sarah Strunk, Fennemore Craig; Martin Hellmer, FBI; and Melvin Glapion, Kroll.

Jonathan Fairtlough of Kroll described the “common vulnerabilities and exploits”—“CVEs”—that are most often seen. They include ransomware, spear-phishing attacks, and “social engineering”—that is, calling customer service and claiming you “can’t find your password”; it works more often than companies like to admit.

Fairtlough added that last year’s large-scale data breaches involved ransom demands seeking bitcoin.

Kroll’s Melvin Glapion reiterated that “Every cyber problem is a human problem.” In fact, 80 percent of breaches include some form of insider (including vendors and consultants). Given that, companies must ask, “Who are we locking inside the gate?”

Another problem may arise via the BYOD movement—which urges companies to allow employees to bring their own device and to use those multiple devices to connect to company servers.

Glapion told the story of a director and screenwriter for the Twilight series who refused to be on Sony Pictures’ computer system, opting instead to use their own device. That gap in security, plus a successful phishing expedition, was all that hackers needed to get access to daily updates of scenes during shooting, and even multiple versions of screenplays.

Fortunately, Glapion said, the hacking was done not by criminals with evil intent, but by fans who were obsessed with actor Robert Pattinson (and who hated his co-star Kristen Stewart).

“Those teen girls had the keys to the kingdom,” Glapion said. And your system may be just as exposed.

Also on the panel was Jim Knapp of the U.S. Attorney’s Office. He—like Kroll representatives—urged companies that had been hacked to contact the authorities.

Knapp said, “You do NOT lose control of your case if you call the feds.” Because the company is a victim, the prosecutors will keep you apprised of every step.

The prosecutor also suggested that all of us use “stock false answers” to those multiple password questions we all face. That way, “correct” and accurate answers cannot be ferreted out by hackers examining your life via social media.

Thanks and congratulations to Fennemore Director Sarah Strunk for gathering together such a helpful panel.

Here are a few images of slides from the presentation:
