The Hacker’s Payday, Share Everything Policies, and Other Bygone Eras

"This standard of care which law firms must now shoulder is exactly what changing to the ‘need-to-know’ information policy is all about." 

Originally posted on Law.com, 25-April-2016

Three weeks ago is an example of a bygone era. The breach of the Panamanian law firm, Mossack Fonseca, and the ensuing leak of 11.5 million documents — 2.6 terabytes of data — to the press revealed in extraordinary detail how offshore bank accounts and tax havens are used by the world’s rich and powerful to conceal their wealth or avoid taxes.

In practical terms, it’s the highest profile breach of a law firm to date, and an incredibly impactful one as the anonymous offenders chose to make the fruits of their labor public by delivering their hacked material to the press. Breaches are not new; the consequent public shaming as a result of distributing said material to the press is. People—meaning clients, and now law firms, are suddenly paying attention.

Of course, prior to three weeks ago, data security was necessary; however, firms could operate under a collective illusion—much like the illusions of all bygone eras–that breaches happen to other firms with other staff, other leaders, other protocols, and other infrastructure.  Or, we’ve operated under the laws of inertia such as, “since it hasn’t happened to us, it never will,” its annoying cousin, “if it ain’t broke, don’t fix it,” and its lazy uncle, “if it’s good enough for the Jones’, it’s good enough for us.”  This is poor logic that would quickly be rejected on even an LSAT exam, yet it has somehow underlied many important decisions by firms in otherwise core processes around information security.

I recently hosted a Risk Roundtable in London with the heads of risk and general counsel from several top firms where one of the attendees commented on the traditional nature of law firm information security, noting that firms are “hard on the outside, soft on the inside.” That is, while a great deal of attention is paid to digging a deeper moat surrounding the firm and its data, internally, law firms tend to leave open access policies around their data.

This means staff and employees are able to gain unneeded access to a broad collection of sensitive material via a multitude of mechanisms: sometimes this is under the guise of ‘collaborative culture’ or promoting ‘knowledge sharing environments’.  Some firms may have taken steps internally by implementing ethical walls around some sensitive material, but these are most likely episodic and implemented on a matter-by-matter scenario. Episodically implemented, ethical walls don’t change the nature of open access information environments. Every security expert seem to agree that it’s not a matter of if, but when. It’s time to call the game: the collaborative culture is a ruse.  Lawyers not assigned to the same matter do not collaborate on that matter; knowledge sharing happens in activities surrounding research and knowledge management services, not matters. Which, ultimately, is to say that open access is not a policy. It’s an illusion of a bygone era. Law firm security must change – it must shift to a ‘need-to-know’ environment. The only impediments to such change have been inertia, poor syllogisms (see earlier mentions), and fear of imploding the workflow of productivity-driven lawyers.

Let’s put it into context and perhaps dispel the fear with an analogy: in those bygone days, there were no thieves, ruffians, or rogue; we lived in the suburbs, and we felt relatively secure enough in our homes to leave the front door unlocked. Then, one day, a neighbor’s house is robbed – suddenly, everyone installs locks on their doors. Then, perhaps a short time later, a burglar breaks a neighbor’s lock and that entire home is burgled. Now, people take out theft insurance – and buy burglar alarms to both protect their property and to receive a discount on their insurance policies. And so it becomes the norm, the standard of due care to protect ourselves: lock the doors, own and use alarms, and have insurance in place for when the rogues surmount the tools we put in place. Sure, we’re slightly inconvenienced by keys and pressing buttons on keypads, but, at the end of the day, it becomes our standard of due care. We accept the 30-60 second burden of keys and alarm codes because some of what may be stolen cannot be replaced: the items of sentimentality, the days and hours spent haggling with an insurer, or the feeling of having been violated.

Returning this analogy to the law firm context, it is now incumbent on lawyers to meet the new standard of care because what is at stake is of paramount importance: the trust of clients; the confidential data that those clients had entrusted to their lawyers (and which those lawyers are ethically obligated) to keep confidential; and, the firm’s reputation as a trustworthy steward of sensitive information. Because the cost of implementing that level of due care is reasonable and the results of not taking that standard of care can now clearly be anticipated, the expectation has changed. Insurers even offer professional liability discounts for implementing the appropriate systems.

Clients have begun asking firms to lock down their data, to limit access on their matters to only those who are working on them. Many clients already expect this to be happening. This standard of care which law firms must now shoulder is exactly what changing to the ‘need-to-know’ information policy is all about. It is technologically achievable, available right now on the market, when done properly, will not cause workflow to implode, and insurers offer discounts for doing it. There’s no valid reason not to do it.

Here’s why: the greatest cause of data breach is still human error. The amount of data to which a hacker (or even malicious internal actor) has access is typically limited to that which the target person is privy. Limiting the access, therefore, of individual actors within a firm will inherently limit the reach of the hacker and, therefore, the potential depth of the breach. If a lawyer has access to everything within a firm, including the ‘crown jewels’, when that lawyer is hacked, the hacker has won the lottery. If a firm is locked down and secured in a need-to-know environment, the hackers’ payday is severely limited at any potential entry point.

Lawyers are, in their very essence, risk managers for their clients. They need to manage their own risk in order to better manage the risk of their clients. It is simply the next logical step—and the right (and now, expected) thing to do. No one wants to be that person who must explain it – after the incident, who knew about the availability of keys and alarms – and about how the neighbors bought them. You thought “it hasn’t happened to us, so we thought it never would,” or “it wasn’t broke, so we chose not to fix it.” Rather, this is a simple game to be on the leaders’ side, to leverage it in business development and client relationships. When the breach happens, and every expert says it will, you will want to know you did everything to protect that which is irreplaceable. More so, your clients will be expecting it – and banking on it.

More by | Ben Weinberger , Law.com Contributor

Read more: https://www.law.com/sites/benweinberger/2016/04/25/the-hackers-payday-share-everything-policies-and-other-bygone-eras/#ixzz46r43IFCI