Tag Archives: security

Cyber-Attacks Increase, Threaten Banks, Law Firms & How To Terminate Them!

Of all the scenes in James Cameron’s sci-fi film “Terminator 2,” there’s one in particular we’d like acted out in real life: the one where young John Connor uses a high-tech device to steal money from an ATM.

Free cash being dispensed at your local bank branch as in “Terminator 2” may be science fiction, but ATM hacks are really happening.

This week, a security company claims it uncovered an “unprecedented” number of cyber-attacks on a reported 100 banks, reports the BBC.

The security company, Russia-based Kaspersky Lab, claims that the hackers first gained access to the banks’ networks by sending spam and spoofed emails to staff; they then manipulated ATMs to dispense the stolen money.

Europol director Rob Wainwright told the BBC the agency had, “issued warnings and intelligence to national law enforcement authorities and European banks through the European Banking Federation.”

“Reported infections in the EU are unconfirmed at this stage, although we are continuing to work actively on the matter.”

Largely out of the limelight, this attack was patient and planned. News sources are trying not to rattle the money market, but the attack was certainly one point for theft, zero for the economy.

“This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert,” one of Kaspersky’s directors told the New York Times.

Corporate data security risks are only getting more frequent and more severe. In fact, the news is full of stories about major organizations (Sony, Target, Google, Ebay, Westinghouse, Home Depot, Neiman Marcus) being hacked, with the perpetrators stealing the financial and personal information of clients, customers and others.

While the malicious reason for an attack may not be apparent, one thing is clear: counsel must understand that traditional network security approaches are no longer enough.

Attackers are getting more and more sophisticated and organizations (including law firms) must prepare as if a data breach is imminent. Because it is!

A survey by the Ponemon Institute reports that the average cost of cyber crime for U.S. retail stores more than doubled from 2013 to an annual average of $8.6 million per company in 2014. The annual average cost per company of successful cyber attacks increased to $20.8 million in financial services, $14.5 million in the technology sector, and $12.7 million in communications industries.

And, PriceWaterhouseCoopers found that this year is expected to see 42.8 million cyberattacks, roughly 117,339 attacks each day, after cyber-attacks skyrocketed in 2014 by 48 percent from 2013.

It’s difficult to prevent cyber-attacks. Your law firm must get involved in prevention: developing good policies and practices to stop an attack once it occurs; practicing mock breaches with your employees; and creating a public relations plan for your clients in the event your firm falls victim.

The threat may still seem like fiction for your firm, but it is already fact for others.

Try your best to avoid cyber-attacks by attending The Center for Competitive Management’s comprehensive webinar, “Mitigating a Data Breach: Proactively Planning For and Responding To a Cyber Attack,” Thursday, February 26, 2015, from 2PM to 3:15PM EST.

It explores real world data breach scenarios, practical tips for how to proactively plan and respond to a breach, discussion of regulatory enforcement activity and practical advice on:

  • Proactive measures to ensure that you (and your clients) are ready in the event that a data breach occurs
  • The kind of incident response plan that should be in place after a breach
  • What to include in the plan and how to execute it
  • How to apply the right blend of legal and IT responsibilities
  • Appropriate breach reporting to state attorneys general, insurance carriers, customers, etc.
  • The type of crisis experts you must have on file before a breach occurs
  • Best practices for company response to lawsuits and investigations that often follow a breach
  • Brief overview of the laws and regulations applicable to personally identifiable information – GLBA, HIPAA, state laws on information security.

Tragedy In Paris Today & How To Create A Safe Office Environment For Your Employees & Law Firm Clients

A terrible tragedy occurred today in Paris.

French satirical magazine Charlie Hebdo came under fire as at least two, likely three, hooded gunmen assailed the office and shot and killed a reported 12 people, including the magazine’s top editor and cartoonist Stephane Charbonnier, as well as two French policemen, according to France 24, The New York Times, The Wall Street Journal, and USA Today.

“We need to find the actors of this terrorist act,” French President Francois Hollande said in the aftermath.

“They must be arrested and brought before judges and condemned as quickly as possible. France is shocked today.”

Sadly, this is not the first time the controversial magazine has been victim to violence.

The magazine frequently depicts the Muslim Prophet Mohammed in satirical cartoons, much to the condemnation of Islamic religious representatives. In November 2011, the magazine Charlie Hebdo’s office caught fire the same day it was supposed to release a cover poking fun at Islamic law.

The magazine’s editor, Charbonnier, among the deceased, has been outspoken about his belief in the freedom of the press in France, once saying to the French newspaper Le Monde:

“It may sound pompous, but I’d rather die standing than live on my knees.”

Now trending on Twitter and other social media accounts are digital cries of solidarity, “Je suis Charlie,” or “I am Charlie.”

U.S. President Obama has also joined the many voices condemning today’s attack. He vowed to “help bring these terrorists to justice” and support “America’s oldest ally.” In the meantime, the New York Police Department is adding additional police officers to sensitive sites in the city, including the French Consulate, reports CNN.

Attorneys can relate to the dangers that sometimes come with upholding civil liberties. In many cases, lawyers are under both physical and verbal threat for their actions or words in the courtroom.

The tragedy in Paris should remind us all—beyond just journalists and law firm professionals—of the importance of security measures in and outside the office.

How is your firm protecting its employees from disgruntled claimants or former employees? Do you apply the same security measures to your computer access as to your paper and digital data? Is clients’ personal information safe? What happens if your office experiences fire or water damage?

For physical security of your data center, Xerox Litigation Services suggests your firm employ extensive processes, including 24/365 staffing and monitoring with professional security guards. They also recommend camera systems to monitor all entrance and exit points and zoned keycard access with segregated security levels. If you work on particularly contentious litigation or corporate cases, consider placing a security guard at your office entrance at all times.

Your firm should also create a disaster recovery plan and develop business continuity capabilities. Faced with tragedy or natural disaster, for example, your firm still has an obligation to its clients to remain available and current, explains Xerox. Can your partners work remotely? Who is the voice of the firm or PR representative that will communicate to clients difficult-to-hear news?

Finally, moving beyond the physical space into the virtual one, law firm data security has been the subject of numerous articles, particularly after reports of breaches originating abroad and of hackers from Russia and China, as well as high-profile tech breaches of companies like Target.

“Clients are putting more restrictions on law firms about things to do to protect themselves,” said Mary E. Galligan, an executive in the cyber-risk services division of Deloitte & Touche and the former special agent in charge of cyber and special operations for the New York office of the F.B.I., to The New York Times.

“It is being driven by victims of hackers, and they don’t want to be victims again. It’s just good business sense.”

“A lot of firms have been hacked, and like most entities that are hacked, they don’t know that for some period of time,” Vincent I. Polley, a lawyer and co-author of a recent book for the American Bar Association on cybersecurity, also said to The New York Times.

“Sometimes, it may not be discovered for a minute or months and even years.”

The bloodshed in Paris is a solemn reminder that simple criticism can quickly and unexpectedly escalate into carnage. So, don’t take any type of security for granted. Consult with experts today about your options for security measures and policies.

For cyber-security advice, consult C4CM’s webinar “Mitigating Cyber Risk: Strategies for Legal Counsel to Reduce Exposure and Avoid a Data Breach Devastation,” available on CD.

This comprehensive webinar will help you to mitigate risk by fine tuning or putting into place key procedures and policies for cyber protection. You will also learn what to do once a data breach is revealed.

  • Data breach response tactics and notification obligations
  • Practical and essential first steps to take if a breach occurs
  • What to include in your Incident Response Plan
  • Securities and Exchange Commission (SEC) disclosure obligations related to cyber risks and data breaches
  • How cyber-insurance coverage acts as a risk mitigation tool, and what to look for in your policy
  • Key individuals that your organization should be developing relationships with and why
  • Practical protocols for reviewing and including cyber clauses in vendor and client contracts
  • Much more…

“If I’ve Told You Once, I’ve Told You A Billion Times… Cybersecurity Matters!” -Hackers Say To Lawyers

If a billion kids made a human tower, they would stand up past the moon. If you sat down to count from one to one billion, you would be counting for 95 years. If you found a goldfish bowl large enough to hold a billion goldfish, it would be as big as a stadium. A billion seconds ago it was 1959. A few seconds ago, a billion passwords were stolen by Russian criminals, leaving your firm, its clients and employees at risk.

An exaggeration, you think? Hardly.

“A lot of firms have been hacked, and like most entities that are hacked, they don’t know that for some period of time,” says Vincent I. Polley, lawyer and co-author of a recent book for the American Bar Association on cybersecurity.

“Sometimes, it may not be discovered for a minute or months and even years.”

Unfortunately, when it’s late and you still have a few hours of work to do, it’s easier to pack up your laptop, save some client information on a portable flash drive, and then head home. Nobody wants to prioritize cybersecurity over work-life balance.

The problem is, hackers these days have become more and more sophisticated. And your efforts to make working from home more efficient have, instead, made stealing confidential and private information more prevalent.

In fact, cybersecurity concerns within law firms have become so important to high-profile, high-profit clients, like big banks, that some have started to withdraw business from firms that demonstrate a relaxed regard for security measures.

“Wall Street banks are pressing outside law firms to demonstrate that their computer systems are employing top-tier technologies to detect and deter attacks from hackers bent on getting their hands on corporate secrets either for their own use or sale to others, said people briefed on the matter who spoke on the condition of anonymity.”

“Some financial institutions are asking law firms to fill out lengthy 60-page questionnaires detailing their cybersecurity measures, while others are doing on-site inspections,” writes Matthew Goldstein for the New York Times online.

Other corporate clients, the same article reports, are requesting that law firms stop putting files on portable drives altogether, stop emailing them on non-secure devices, such as smartphones or tablets, and stop sharing servers with offices in notoriously cyber-insecure countries, such as China and Russia.

Today, we realize how important these measures may be in securing your future as CNN reports that Russian criminals stole 1.2 billion passwords.

Hold Security founder Alex Holden told CNNMoney that the treasure trove includes credentials gathered from over 420,000 websites, both smaller sites as well as “household names.”

Thus, chances are high that your firm’s assets—or those of its employees—are among the exploited.

Some think that pressure from clients will help law firms get with the digital times and clean up their cybersecurity act. Daniel B. Garrie, executive managing partner with Law & Forensics, a computer security consulting firm that specializes in working with law firms, thinks so: “When people say, ‘We won’t pay you money because your security stinks,’ that carries weight.”

Law firms, however, are notoriously slow in upgrading their technological tools.

Do you agree with Garrie? Are law firms finally paying attention?

One last lesson in one billion: if we wanted to make a book with a billion dollar signs, printed 1,000 per page with pages printed on both sides, the book would be 500,000 pages long. How many billions of dollars are you willing to risk (after being told a billion times) before your firm upgrades its cybersecurity systems?

To learn more, get C4CM’s webinar “Mitigating Cyber Risk: Strategies for Legal Counsel to Reduce Exposure and Avoid a Data Breach Devastation,” available on CD.

This comprehensive webinar will help you to mitigate risk by fine tuning or putting into place key procedures and policies for cyber protection. You will also learn what to do once a data breach is revealed.

  • Data breach response tactics and notification obligations
  • Practical and essential first steps to take if a breach occurs
  • What to include in your Incident Response Plan
  • Securities and Exchange Commission (SEC) disclosure obligations related to cyber risks and data breaches
  • How cyber-insurance coverage acts as a risk mitigation tool, and what to look for in your policy
  • Key individuals that your organization should be developing relationships with and why
  • Practical protocols for reviewing and including cyber clauses in vendor and client contracts
  • Much more…

Court Case To Decide Future Of FTC Regulation Of Firm Cyber Security Systems

America, in the 1800s, was filled with trusts. “Trusts” referred to giant businesses that controlled the lay of the land.

Think about the major economic drivers in the Wild West—railroads, oil, steel—or other commodities—sugar, for example—and you’ll likely find a trust behind them. U.S. Steel and Standard Oil once ruled the supply, controlled the price, and generally monopolized the market in America in the nineteenth century.

The rich seemed only to get richer, which is why President Theodore Roosevelt sought to break up these trusts through legal action.

Congress passed the Sherman Act in 1890, which became the country’s oldest anti-trust law. In 1914, another anti-trust bill, the Clayton Act, was passed by Congress under President Woodrow Wilson. With it came the Federal Trade Commission, or FTC.

The FTC was an agency tasked to enforce anti-trust laws and regulate and oversee business practice to ensure fair and equitable competition.

More recently, the FTC has worked in conjunction with the Department of Justice to promote consumer protection and to police anti-competitive business practices.

The FTC’s professed mission, specifically, is to “prevent business practices that are anticompetitive or deceptive or unfair to consumers; to enhance informed consumer choice and public understanding of the competitive process; and to accomplish this without unduly burdening legitimate business activity.”

The key players in trust regulation in Progressivist America could never envision the lack of trust consumers face today with the evolution of e-commerce. Today, the FTC’s mission of protection is being challenged on its home turf—in court.

Adding to the U.S.’s long history of anti-trust regulation, a case pending in the federal court for the District of New Jersey will decide whether or not the FTC has the right to oversee and regulate data security services provided to consumers by private firms.

Hotel conglomerate, Wyndham Worldwide Corporation, is challenging the authority of the FTC to enforce action against Wyndham and several of its subsidiary companies. The FTC’s action alleges Wyndham failed to secure the data and privacy of its customer accounts after a hacking incident claimed more than $10.6 million from Wyndham’s customers via fraudulent charges and the loss of information belonging to 500,000 individuals, according to the Westlaw Insider.

Deciding whether or not the FTC’s authority extends to oversight and regulation of the operations and other practices of private companies will definitely change the way firms can and will do business. Audits to ensure firms have incorporated sufficient security measures are on the horizon, and fines for insufficient security measures would, then, be imminent.

And, although consumer protection and privacy concerns should be considered paramount to businesses, to what extent should the government be privy to the same concerns and information? Also, to what extent are businesses liable for implementing state-of-the-art cyber-protection software in the eyes of the law?

These days, breaches of online security—from cloud computing espionage to electronic spam to broken passwords (despite their alphanumeric complexity)—are commonplace.

The Wyndham case should certainly prompt law firms and the clients they represent to tighten those security belts before driving down the information superhighway—not just because it’s good sense and safe, but because it may soon be the law.

In our modern world, the Wyndham case serves as a gentle reminder for firms to be wiser about their computer security hardware and software, but also for governments to implement constitutional measures to find the source of this malware without violating the same privacy they seek to protect.

For more information about how to protect your firm, read “Cyber Attacks: Why Your Firm Is At Risk & How To Prevent Them.”

-WB

Read more about the history of the FTC in a fact sheet, here.

Law Firm Security In The Age Of Technology–Human Error & Some Things That Never Change…

Security is on the minds of Americans these days. And, it seems, at least one law firm has developed paranoia.

King & Spalding announced to its employees this week that private e-mail will no longer be accessible at work. And, in the event the firm’s network blocking measures are inadequate, employees have been advised not to open personal email accounts from a firm computer, according to a King & Spalding e-mail released by the Above The Law blog.

“The firm’s internal security experts, as well as our outside security experts, have advised us that accessing Personal Email Accounts from firm computers creates a significant security risk,” the widely-circulated e-mail states.

“The firm has installed a wireless network called ‘ksmobile’ in each office. This wireless network is reserved for K&S personnel (not clients or visitors who should be directed to the ksguest network), is a direct route to the Internet, and is appropriately sized to accommodate the many personal devices that are being used by K&S personnel.”

So, although checking personal e-mail on firm computers is prohibited, responsible and irresponsible Internet browsing alike is still permitted on mobile devices, like smartphones. With network firewalls and digital security measures improving day-to-day, some wonder if this announcement isn’t a bit late, technologically speaking.

However, what any number of firewalls, complex passwords, and e-mail prohibitions can’t solve is human idiocy.

Seriously.

“There’s no device known to mankind that will prevent people from being idiots,” Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp. (CSC), said to Bloomberg.

Rasch is responding to an experiment conducted by The U.S. Department of Homeland Security where, in order to determine how easy it was for hackers to manipulate employees or gain access to computer systems, Homeland Security employees secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors.

Not only did workers pick up those devices, but 60 percent of them plugged the USB drives and inserted the discs into their office computers. If the device displayed an official logo, 90 percent of workers installed the drive.

It turns out, curiosity does kill the cat—or, rather, scrambles the cat’s computer screen, steals its social security number, and swipes its confidential data through viruses, clandestine computer programming, and general digital mayhem, describes The Center For Competitive Management (C4CM)’s law blog.

“The test showed something computer security experts have long known: Humans are the weak link in the fight to secure networks against sophisticated hackers,” reports Bloomberg.

And, because 92 percent of lawyers agreed that email was the primary function of their smartphone in an ABA Legal Technology Resource Center survey, perhaps King & Spalding’s reaction isn’t as misguided as first believed. Accessing personal e-mails from a smartphone, according to participants, was more important than making a call, which goes to show how frequently lawyers rely on electronic communication, concludes an article about attorney mobile phone use.

Given that reliance on e-mail, coupled with simple curiosity, perhaps law firms should consider even more stringent Internet policies.

It’s surprising how many liabilities and issues accompany Internet access in the office. And, smartphones open up an additional can of worms for curious cats.

Write a smartphone policy that addresses:

  • Handling data breaches
  • Use of company phones outside work
  • Wage and hour compliance
  • Text, talk driving issues
  • Text harassment
  • GPS tracking
  • Lost devices
  • Etiquette
  • Employee productivity
  • Photography in and out of the office

If you’re unsure how to draft a policy, including what kind of language and tone to use, take C4CM’s audio conference on crafting a bulletproof workplace policy for smartphones.

In the end, it’s important to write and implement a concrete and clear policy regarding Internet access, e-mail, and mobile phones. It’s important to highlight the security risks and repercussions for both employees and clients.

Make sure your employees know how to safely navigate the world wide web; only then will law firm managers have peace of mind when engaging with legal technology and software.

Remember, the “smart” in smartphone refers to requirements of the user, not the gadget.

-WB

Are Law Firms In The Eye Of The Storm For CyberSecurity?

Last year, a Canadian company was investigating a possible takeover of a Chinese state-owned chemical and fertilizer group—until, that is, several large Canadian law firms involved in the takeover were attacked by hackers linked to computers in China, reports the Wall Street Journal.

The extent of the breach was never fully understood. Nor were the culprits behind the cybersecurity incident identified.

In this case, computer infiltration was not the only thing to fly under the radar—the fact that law firms are being targeted for their valuable and confidential information also seems to be a tight-lipped secret among governments and corporations.

Will your law firm be next?

“For hackers bent on insider trading, targets could include lawyers at top law firms that handle mergers and acquisitions, such as Cravath, Swaine & Moore LLP, Skadden, Arps, Slate, Meagher & Flom LLP or Davis Polk & Wardwell LLP,” said Mr. Friedberg, a former federal prosecutor, to the WSJ.

“Half the time people post their cell numbers on their v-card,” Friedberg continued.

Lawyers live by their mobile phones, laptop computers, and portable hard drives full of sensitive client information. Passwords, firewalls, and common sense may not be strong enough to resist a talented hacker.

So, if your law firm is the type to post downloadable business cards on its website, it’s time to reevaluate your cybersecurity measures.

Still think this sounds more like a Tom Cruise movie than a law firm reality?

“We’ve seen specific documents from law firms on specific deals being exfiltrated from cyberattacks,” the FBI’s Mary Galligan said in April at a law-firm conference in New York.

The perpetrators “know exactly what they are looking for and, as a result of that, there is some undercutting of bids in those deals.”

Law firms have been targets for a while now, but they’ve managed to stay out of the media.

“All of this is underreported,” said Mr. Henry, who left the FBI this year to become president of CrowdStrike Inc., a security start-up that investigates breaches, to the WSJ.

“Law firms have incredibly valuable and sensitive information, and the Internet just provides a whole other methodology through which the information can be accessed and pilfered.”

So, how do you become the next victim?

Forbes explains that there are many ways to open up your business network to a possible hack. Below are just a few:

  1. Simple Passwords. Isn’t it a pain to assign a different 10-digit password to each computer or program login? Absolutely. But, not more painful than having to report to your firm manager that you lost a million-dollar case because confidential material was leaked from your Blackberry—locked with the password abc123. Complicated, frequently-changed passwords are even more important for the Admin login. Don’t use any of these, either.
  2. Failure to Educate. It’s important to teach your employees and law firm associates the proper protocol, not just in creating passwords, but also in handling day-to-day sensitive documents. Develop a policy and protocol for preventing cyberbreaches and for mitigating the ones that still get through.
  3. Allowing Unrestricted Access to All Employees. Talk to your IT Department and decide, does everybody need access to everything? There’s a reason why, for example, the government has security clearances.
  4. Lack of Monitoring. Don’t wait for a breach to happen before you start to monitor your network. Most attacks don’t happen instantly. Instead, systems are infiltrated over time. Hire IT employees who understand how to identify the introduction—slowly but surely—of malware and discrepancies.

Although it may seem like a lot of time and manpower, installing proper cybersecurity equipment now can prevent expensive patchwork on bigger breaches in the future.

Talk of cybersecurity has died down, in general. Unfortunately, reports on the number of computer breaches at law firms are still kept close to the vest. After all, nobody can afford to lose clients during a recession. For you, and your firm, all may seem quiet and calm.

Therefore, you may not get solid proof that the industry of law is under particular attack until it’s too late. The field of law may be, at present, in the eye of the storm for computer hacking.

The question is, how long are you going to wait for the damage to be done?

-WB

Cyber Attacks: Why Your Firm Is At Risk & How To Prevent Them

You’ve heard of cyberwarfare against nations, but what about cyber attacks against law firms?

It’s not as obscure as it sounds. In fact, it’s not obscure at all.

A quick poll of law firm professionals at the program sponsored by The Standing Committee on Law and National Security, “Whither Cyberspace: Security, Privacy Rights, the Law and the Private Sector,” revealed that 100 percent of professionals believed their firm has been, at one time, victim to a cyber attack.

Unfortunately, Stewart Baker, partner at Steptoe & Johnson and panelist at the program at the American Bar Association’s Midyear Meeting in New Orleans, said it was difficult to measure the occurrence of cyber attacks within the law industry.

Corporations generally withhold information about their computer systems when and if they have been compromised because most businesses are either embarrassed or fear other companies will have a competitive advantage, said Baker (via the ABA).

Nevertheless, “Law firms are a prime target for cyber attacks,” confirmed Baker (via the ABA).

Statistics regarding the frequency of cyber attacks may be limited, but action to prevent them should not. Law firms must take steps to protect the confidentiality of their clients and cases.

Harriet P. Pearson, vice president, security counsel and chief privacy officer at IBM Corp., suggested three starting points for your law firm (via the ABA):

  1. Risk Awareness: “Isolate your crown jewels or most sensitive matters and devote resources to protect them.”
  2. Ask yourself, “Do you have the right approach? What is your plan if your system has been compromised?”
  3. What is your plan of action to respond?

The last point is especially important for the modern law firm.

Ensure your IT department has a plan of action to respond to potential cyber attacks. How will you shut down the system and restart securely?

How should your associates continue to operate? How and when will you inform clients?

Law firms have an ethical (if not legal) duty to inform their clients of any potential compromise of private information. However, due to the sensitive nature of such an announcement, make a plan of action specifically for name partners.

The name partners should call each client personally. They should assure the client that all security measures have been restored successfully. Be as clear and concise about the cyber attack as possible.

Quick action will lead to the best possible outcome. As will honesty and open dialogue.

Panelists agreed that lawyers need to do all they can to help their corporate clients understand the risks (via the ABA).

Before any incident, lawyers should provide clients with tools to understand the risks of a cyber attack, including:

  1. The book, Sailing in Dangerous Waters
  2. A study of Sony’s $1.2 billion loss and the cost of other data breaches at the Ponemon Institute
  3. Securities and Exchange Commission (new disclosure requirements)

Cyber attacks make not only a firm’s finances vulnerable, but its reputation as well. Although costly, finances can be recuperated via increased casework, time, or insurance. However, reputation is harder—if not impossible—to completely renew.

-WB
