12 Steps to Cybersecurity: A Guide for Law Firms
Brian Focht
clio.com
page 1

12 Steps to Cybersecurity

Whether you admit it or not, your law firm is vulnerable. While 79% of respondents in a 2014 law firm cybersecurity survey ranked cybersecurity as one of their top 10 risks, fewer than 28% had actually assessed the cost of a data breach.1 Your files contain valuable confidential information2—confidential client information, birthdates, credit card numbers, Social Security numbers, all nicely organized and easy to access.

Hackers are wising up to the wealth of data available from most law firms.3 They know how to find that valuable information and how to get it. They also know that most law firms don’t appreciate the threat that cyber attacks present, and are vulnerable. In fact, Cisco ranked legal as the seventh most vulnerable industry in their annual security report.

A successful cyber attack exposes you to financial liability,4 can ruin your reputation,5 and put your law license in jeopardy. It’s a modern day fact of life: you’re vulnerable—but exactly how vulnerable is up to you.

You can never completely eliminate the risk posed by cybersecurity threats, but by implementing a cybersecurity policy, you can significantly reduce it.6 However, it can’t be just any policy. The right cybersecurity policy isn’t one-size-fits-all, but rather one that is designed to accommodate your law firm’s unique character and circumstances.

Creating such a policy isn’t easy without help. That’s why we’ve developed a comprehensive 12 Step Checklist in conjunction with Brian Focht, The Cyber Advocate, for creating the right cybersecurity policy for your law

[Infographic: Riskiest sectors for malware & hackers. The legal sector was ranked seventh in Cisco’s 2015 Security Report; the other sectors shown are Manufacturing, Media & Publishing, Pharmaceutical & Chemical, Food & Beverage, Aviation, and Transportation & Shipping.]

1 More Cyber Preparedness Needed, According to 2014 Law Firm Cyber Survey, MARSH USA (Jan. 15, 2015).
2 Joseph M. Burton, 4 Steps to Getting Serious About Law Firm Cybersecurity, LAW PRAC. TODAY (Sept. 15, 2014).
3 Lolita C. Baldour, FBI: Hackers targeting law and PR firms, ASSOC. PRESS (Nov. 17, 2009, 10:58 AM).
4 IT Security Risks Survey 2014: A Business Approach To Managing Data Security Threats, KASPERSKY LAB, 18-20 (last visited on April 5, 2015) [hereinafter Kaspersky 2014 Survey]; Alex Williams, Target May Be Liable For Up To 3.6 Billion From Credit Card Data Breach, TECHCRUNCH (Dec. 23, 2013).
5 Kaspersky 2014 Survey, supra note 4, at 21.
6 Ari Bai and Nick Verderame, Cyber Attacks are a Risk for Businesses of All Sizes, LAW TECH. TODAY (March 27, 2015).

Step 1: Identify Your IT Manager

Identifying and empowering an IT manager is critical to the success of your cybersecurity policy. Your IT manager needs to be an expert—not an unpaid intern. Whether internal or a third-party contractor,7 this person must be an experienced and knowledgeable IT professional.

Your IT manager also needs oversight.9 Determine specifically where the role fits within your organization. Your IT manager runs your cybersecurity based on your direction and policies,10 not their own whims, preferences, or personal beliefs. Oversight cannot be nominal—rather, it must be active and respected. The supervision is not there because you want to dictate to your IT manager, or because of a lack of trust. The supervision is there because it’s

(option for an internal IT professional is a more likely option for medium and large law firms. Solo and small firms will need to rely on third-party vendors or outsourced IT.8 Fortunately, the role of IT manager is not a full time position in most small firms.)

7 2014 Legal Technology Industry Survey: The Emergence Of Tigers And Bears And Other Law Firm Trends, ADERANT (last visited April 5, 2015).
8 Id. at 6.
9 Cybersecurity and the Duty of Care, DLA PIPER (Feb. 9, 2015).
10 Jim Calloway, IT Governance: A Critical Issue for Law Firms, A.B.A. (last viewed April 5, 2015).

Your IT manager will have several responsibilities, including:

1. Enforce your cybersecurity policy – Implement, administer and enforce your cybersecurity policy.
2. Conduct regularly scheduled cybersecurity audits – Ensure compliance with your cybersecurity policy and test its effectiveness.
3. Install and maintain security software – Research and recommend security and anti-virus systems (including email and web filters); install and update the systems your law firm uses.
4. Establish and implement a system for operating system and software updates – Whether through regularly scheduled updates or through automation, ensure that all operating system and software updates are installed, especially critical security updates.
5. Application Whitelisting11 (Optional) – Reduce your potential vulnerability to cyber attacks by limiting software and apps your employees are allowed to use to those designated by your IT manager. Bear in mind, though, that Whitelisting isn’t without costs and trade-offs:
   - Attorneys and staff may find Whitelisting to be restrictive;
   - May delay use of new programs and apps; and
   - A poorly implemented Whitelisting program may reduce morale and compliance.

In my opinion, if you use Whitelisting, only use it for major types of programs and applications, such as cloud storage, law practice management systems, and file transfer programs.

Make sure it fits your law firm:
Your IT manager is a part of your law firm. They must be able to work with your attorneys and staff. The prototypical cranky IT guy who gets annoyed by the complaints of other company employees need not apply. Your IT manager is a part of your team—any conflicts will prevent your IT manager from being effective.

11 Small Firms Cybersecurity Guidance: How Small Firms Can Better Protect Their Business, SIFMA, 6-7.

Step 2: Create a Data Classification Framework

This is a fancy way of saying ‘organize your data based on how valuable it is.’ There are two parts to your framework: 1) General Classification and 2) Confidential Classification. Your cybersecurity policy is going to depend a lot on knowing what you’re keeping safe.

General Classification
The first part involves categorizing all of your data into one of three categories:12

General Use Data: information that is generally available or made available to the public, such as information published on your law firm website and included in public releases or disclosures.

Internal Use Data: non-confidential information that is unavailable to the public without prior authorization, such as internal communications. This category includes information that, if released publicly, may cause embarrassment, but would otherwise only cause minimal harm.

Confidential Data: information that you have a legal obligation to keep private.

Confidential Classification
The second part involves information you’ve classified as Confidential Data. Create sub-categories within the Confidential Data category based on the nature of your legal obligation to protect the data. For example, I group my data as follows:
- Information subject to protection under specific government statutes or regulations, such as medical records protected under HIPAA13 or financial information protected by the IRS14;
- Commercially sensitive information, such as trade secrets, future business plans, or negotiation strategies;
- Information you are contractually obligated to protect, such as information subject to your cyber insurance policy or a particular client agreement; and
- Confidential information not subject to any specific protection system outlined above.

[Infographic: HIPAA-related data breach fines have topped 25 million since 2014.]

Tip
You may also want to determine whether access to certain information will be restricted. If you do, make sure that the restrictions are appropriate, that the right people have access, and that they understand the importance of keeping login credentials secret.

Make sure it fits your law firm:
Creating a data classification framework is crucial for ensuring that your cybersecurity policy is right for your firm. An effective response to a cyber attack may not be the same for different information (i.e. intellectual property vs. medical records).

Additionally, not all law firms need a system of restricted access. Only create one if you actually believe it is necessary. Aside from making you much easier to hack (those more likely to have restricted access credentials are frequently targeted15), using cybersecurity as just another way to reinforce your office’s social structure is a recipe for disaster.

12 Enterprise Information Security Standards: Data Classification, STATE OF MASS. EXEC. OFF. ADMIN. & FIN. (March 6, 2014).
13 See e.g. 45 C.F.R. §§ 164.302-164.318 (2015).
14 Tax Information Security Guidelines For Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information, U.S. INTERNAL REVENUE SERVICE, 44-112 (discussing cybersecurity requirements) (last viewed April 5, 2015).
15 Russell Brandom, Spy Group Stole Business Secrets Over Compromised Hotel Wi-Fi, THE VERGE (Nov. 10, 2014, 8:58 AM).

Step 3: Encrypt Your Data

[Infographic: 50% of firms and 65% of attorneys do not use encryption as a security precaution when sending confidential/privileged communications/documents to clients via e-mail.]

Data encryption is no longer a ‘nice to have’ for law firms.16 For reasons passing understanding, there are a lot of people out there (not just law firms) who don’t encrypt their data.17 If you follow every step of this checklist, but refuse to encrypt your data, your cybersecurity policy will be ineffective and your data will still be at risk.

Encryption methods and practices vary, however, based on your data’s location:

Data at Rest
Where do you save your data? Whether on your mobile device, in your server, or stored in a cloud storage system, data at rest ALWAYS needs to be secure. As far as data you entrust to third parties, the security will be largely based on the third-party’s terms of service (discussed below). On the other hand, for the data you save on your server, office computers, or mobile devices, that data needs to be encrypted. Your cybersecurity policy needs to address both the location of your data storage and how the data is to be encrypted when at rest.18

16 Adam Clark Estes, How to Encrypt Everything, GIZMODO (June 5, 2014, 4:40 PM).
17 Joshua Poje, Security Snapshot: Threats and Opportunities, in ABA TECHREPORT 2013 (ABA Legal Technology Resource Center).
18 Alan Henry, Five Best File Encryption Tools, LIFEHACKER (Feb. 8, 2015, 8:00 AM).

[Infographic: 73% of attorneys rely on a confidentiality statement in the body of the email as the sole security measure.]

Data in Transit
How does your data get from one person to another? When your data is “in transit” is when your data is most vulnerable.19 Whenever you’re sending confidential data from one place or person to another, it needs to be encrypted from the moment you send it to the moment they receive it. This type of security is called “end-to-end encryption.”20

One way to transmit confidential data is through a secure portal21 such as Clio Connect.22 Numerous email, file sharing and messaging services23 also provide end-to-end encryption. Even if someone intercepts your data in transit, they will still have to crack your encryption in order to read it.

Data in Use
The only time your data should be unencrypted is when it’s being used. Once no longer in use, your data should be encrypted immediately, regardless of any minor inconveniences that may result. Do not allow your confidential data to be used and saved unencrypted (e.g. saving an important document as a Word file on your desktop) simply because it’s easier for the user at the time. Remember: The data of 80 million people stolen in the Anthem hack was not encrypted,24 for the sake of convenience.25

Make sure it fits your law firm:
Your data encryption policy will need to walk the extremely fine line between useful and secure. Never sacrifice security simply for the sake of convenience.26 However, if your encryption inhibits your ability to function efficiently, it’s probably time to reexamine your encryption policy.

19 See, e.g., Brian Focht, New Threats to the Attorney-Client Privilege Part 2, THE CYBER ADVOC. (Nov. 21, 2014).
20 End-to-End Encryption, WIKIPEDIA (last viewed April 5, 2015).
21 Client Portal, WIKIPEDIA (last viewed April 5, 2015).
22 For more information on Clio Connect, see Clio’s support article “Clio Connect for the Firm”.
23 See, e.g., Lisa Needham, Keep Your Data Safe While Skyping, Chatting, and Using Your Smartphone, LAWYERIST (Dec. 1, 2014).
24 Danny Yadron and Melinda Beck, Health Insurer Anthem Didn’t Encrypt Data in Theft, WALL ST. J., Feb. 5, 2015.
25 Amar Toor, Anthem Failed to Encrypt Customer Data Prior to Cyberattack, THE VERGE (Feb. 6, 2015, 5:21 AM).
26 Mark Wilson, After Anthem Hack, What GCs Should Know About Encryption, FINDLAW (Feb. 6, 2015).

Step 4: Require Strong Passwords

This step has two parts. The first should be obvious: require passwords. Any computer, laptop, device, app, or software system that interfaces with your client data must be password protected. MUST.

The second part: the passwords need to be strong.

This will not be easy. For most people, passwords are the annoying aspect of cybersecurity they deal with every day – any inconvenience is amplified.27

The result: we don’t use secure passwords.28 They’re too short, only contain letters, and are easily remembered. We use the same one over and over across multiple sites. Worse, they’re easily guessed by any hacker who accesses our Facebook page.29

A “strong” password30 is:
1. At least 8 characters (although many experts recommend 1231);
2. A combination of character types (at least one lower case letter, one upper case letter, one number and one symbol; newer password systems also recognize spaces);
3. NOT a common word or phrase; and
4. Changed regularly.
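As an added example (not part of the original guide, and not Clio’s or Brian Focht’s code), the four rules above turned into a policy checker. The 90-day rotation interval, the small common-word list and the substitution table used to catch disguised dictionary words (“Passw0rd!”) are all assumptions: the guide says only “changed regularly” and “not a common word or phrase”, and a real deployment would load a large breached-password list instead.

```python
import re
from datetime import date, timedelta

# Constructed sample of common words and phrases (assumption: the guide names
# no list). A real checker would load a large breached/dictionary list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "iloveyou",
                "lawfirm", "attorney"}

MIN_LENGTH = 8           # the guide's minimum
RECOMMENDED_LENGTH = 12  # "many experts recommend 12"
MAX_AGE_DAYS = 90        # assumed rotation interval; the guide says "changed regularly"

# Substitutions people use to disguise a dictionary word ("Passw0rd!" -> "password").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def check_password(password, last_changed=None, today=None):
    """Return a list of (level, message) findings; level is 'fail' or 'warn'.

    last_changed / today are ISO dates ("2015-01-01"); today defaults to now.
    """
    findings = []
    # Rule 1: length. Below 8 fails; 8-11 passes but is flagged as advisory.
    if len(password) < MIN_LENGTH:
        findings.append(("fail", f"shorter than {MIN_LENGTH} characters"))
    elif len(password) < RECOMMENDED_LENGTH:
        findings.append(("warn", f"under the recommended {RECOMMENDED_LENGTH} characters"))
    # Rule 2: one of each character type. A space counts as a symbol, since
    # the guide notes newer systems recognize spaces.
    for pattern, what in ((r"[a-z]", "lower case letter"),
                          (r"[A-Z]", "upper case letter"),
                          (r"[0-9]", "number"),
                          (r"[^A-Za-z0-9]", "symbol")):
        if not re.search(pattern, password):
            findings.append(("fail", f"no {what}"))
    # Rule 3: not a common word or phrase. Normalize case and substitutions,
    # keep letters only, then look for any common word inside the result.
    core = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    if any(word in core for word in COMMON_WORDS):
        findings.append(("fail", "built on a common word or phrase"))
    # Rule 4: changed regularly.
    if last_changed is not None:
        changed = date.fromisoformat(last_changed)
        now = date.fromisoformat(today) if today else date.today()
        if now - changed > timedelta(days=MAX_AGE_DAYS):
            findings.append(("fail", f"not changed in more than {MAX_AGE_DAYS} days"))
    return findings

def is_strong(password, last_changed=None, today=None):
    """True when no 'fail' finding applies; 'warn' findings do not block acceptance."""
    return all(level != "fail" for level, _ in check_password(password, last_changed, today))

if __name__ == "__main__":
    # Constructed sample passwords; none are real credentials.
    for pw in ["Passw0rd!", "Tr0ub4dor&3", "correct horse battery staple",
               "Ma1n St 4tty 0ffice!"]:
        print(f"{pw!r}: {'strong' if is_strong(pw) else 'weak'} {check_password(pw)}")
```

The checker deliberately reports findings rather than a bare yes/no, so the firm’s policy can decide which ones block a login and which are only shown to the user; the substitution table is the part most worth extending, because a rule that only rejects exact dictionary words is trivially satisfied by appending a digit.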

Your cybersecurity policy should require strong passwords. They really are better, providing considerably more security32 for your data. I strongly recommend using a password storage system33 like 1Password (which conveniently integrates with Clio).34 In addition to storing various passwords, these systems can be set to generate strong passwords for you to use.

Tip
Also consider implementing multi-factor authentication where available.35 Multi-factor authentication is a means of sending user verification messages when your accounts are accessed from a new device, and is offered by many services you currently use, like Clio36 or Gmail.37 These tools offer multi-factor authentication for little or no cost.

Make sure it fits your law firm:
Passwords are pretty much universally hated, so expect resistance. Remember, regardless of the security benefits, you’re making your employees’ day less convenient. Like anything, if the system is too difficult or inconvenient, people will find ways around it.

Also remember that people use passwords in many parts of their daily lives, so beware the unintended consequences38 of your policy. The more complex a password has to be, the harder it is to remember. As a result, your employees may be more likely to use a password they already use (for many, many logins). Require everyone to change their passwords frequently, and people will inevitably use the easiest password to remember (like “0000” then “1111” then “2222,” etc. on a mobile device), or write them somewhere that other people have easy access to. Ensure that the consequences of this are clearly explained, and make it firm policy to use a password manager.

27 Jason Straight, Law Firms Aren’t Immune to Cybersecurity Risks, NAT’L L. J. (Jan. 26, 2015).
28 See, e.g., Brian Focht, Stronger Passwords to Protect Your Practice [Infographic], THE CYBER ADVOC. (Nov. 20, 2013).
29 John Pozadzides, How I’d Hack Your Weak Passwords, LIFEHACKER (Dec. 16, 2010, 9:01 AM).
30 Kevan Lee, How To Create a Strong Password You Can Remember Later: 4 Key Methods, BUFFER (June 25, 2014).
31 Safe and Secure: Cybersecurity Practices for Law Firms, CNA (search for “safe and secure”; select first item returned) (last viewed April 5, 2015).
32 Annalee Newitz, 9 Facts About Computer Security That Experts Wish You Knew, GIZMODO (March 4, 2015, 2:05 PM) (discussing email correspondence from Alex Stamos, Yahoo’s Chief Information Security Officer).
33 Roberto Baldwin, How To Protect Yourself Against Hackers (Or At Least Make It Difficult For Them), THE NEXT WEB (Sept. 3, 2014, 9:33 PM).
34 For more information about 1Password, visit 1Password’s website.
35 See Brian Focht, Multi-Factor Authentication: the Imperfect Tool You Need to Use, THE CYBER ADVOC. (Jan. 26, 2015); Tony Bradley, Data Breaches Can Be Prevented With One Simple Solution, PC WORLD (Jan. 19, 2015).
36 For more information on Clio’s multi-factor authentication options, see Clio’s support article “Advanced Security Features in Clio”.
37 For more information on Gmail’s multi-factor authentication options, visit Gmail’s help pages.
38 Omer Eiferman, Millennials Don’t Care About Mobile Security, and Here’s What to Do About It, WIRED (last viewed April 5, 2015).

Step 5: Implement a BYOD Policy

[Infographic: Over 1/4 of firms with 50 lawyers or fewer did not require employees to password protect their mobile devices.]

We live in the era of the mobile device.39 Your attorneys and staff likely use their own devices for work, bringing with them a host of benefits40 and potential risks.41 No cybersecurity policy is adequate without addressing Bring Your Own Device (“BYOD”). Your BYOD policy must address the following issues:
- Passwords – They’re required. Period.
- Data encryption – Every device must be able to encrypt data, and encryption must be active (see Step 3).
- App Whitelisting (Optional) – Allowing only certain apps for business use.
- Mobile Device Management/Security Apps (Optional) – At a minimum, your BYOD policy should require use of basic security tools like Find My iPhone42 or Android Device Manager.43 Additional security and management apps that allow remote locking and wiping of confidential information are useful, but can be seen as intrusive.44

Make sure it fits your law firm:
People are quite attached to their personal devices, and studies indicate that people prefer45 using their personal devices for work over a “company phone.” However, an oppressive BYOD policy will quickly remind them46 that you are treating their personal devices like company property. Draft your BYOD policy with your employees in mind,47 respect their privacy and seek their input. Remember, they’re using a device they paid for to the benefit of your business.

Download a BYOD Policy Template

39 See Brian Focht, Law Firms in a BYOD World [Slideshow], THE CYBER ADVOC. (Oct 17, 2014).
40 See generally, Brian Focht, BYOD: Five Steps to Protect Your Clients and Save You Money!, THE CYBER ADVOC. (Aug. 19, 2013).
41 See generally, Brian Focht, Awareness is the Key Ingredient for a Successful BYOD Policy, THE CYBER ADVOC. (Oct. 2, 2014).
42 For more information about Find My iPhone, see Apple’s documentation.
43 For more information about Android Device Manager, see Google’s documentation.
44 Fixing the Disconnect Between Employer and Employee for BYOD (Bring Your Own Device), WEBROOT, 4-5 [hereinafter Webroot BYOD Report].
45 Susan Bassford Wilson, BYOD Requires BYOB: How to Handle the Challenges Inherent in a “Bring Your Own Device” Program, in CONSTANGY, BROOKS, SMITH, & PROPHETE LLP CLIENT BULLETINS (March 30, 2014).
46 See Webroot BYOD Report at 4, supra note 44.
47 BYOD Security: What is the impact on employees?, WEBROOT (last viewed April 5, 2015).

Step 6: Create (and Regularly Update) a Network Map

You can’t protect your data unless you know who has access to it. An efficient way for your IT manager to track access is an up-to-date network map.48

A network map is a visual representation of all the people and devices that have access to your network. All devices, including their IP address and other identifying information, are listed and linked to an authorized user. The view gives your IT manager a quick glance overview of your network, and its interconnected relationships.49

The network map itself includes all employees, attorneys, and third-party vendors. It should reflect any restricted access, as well as all third-party connections (e.g. including cloud storage vendors, IT contractors, and your accounting/practice management companies).

An updated network map has two primary purposes:

First, it allows your IT manager to ensure each connected computer or device has the proper updates and to fix security vulnerabilities. In the event of a data breach, you will be in a better position to identify the source of the breach.

Second, it highlights vulnerabilities caused by expansion and modifications of your network. Frequently, when new network connections are added, existing cybersecurity protocols do not entirely protect the new connection. By keeping the network map updated, your IT manager can minimize any associated vulnerabilities.

Make sure it fits your law firm:
While the network map is important, it is important that you do not use the maintenance of the map as justification for being inflexible. Your network map should reflect the current status of your law firm, but cannot serve as a gatekeeper for change.

48 Network Map, TECHOPEDIA (last viewed April 5, 2015).
49 Working With The Network Map, MCAFEE (last viewed April 5, 2015) (a list of resources for using a network map).
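As an added example (not part of the original guide, and not Clio’s or Brian Focht’s code), the two purposes above as checks an IT manager can run over a network map kept as structured data rather than only as a drawing. The device and user records, the IP addresses, the 30-day patch threshold and the “previous map” used to spot newly added connections are all constructed for the illustration; the guide specifies none of them.

```python
from datetime import date, timedelta

PATCH_MAX_AGE_DAYS = 30  # assumed threshold; the guide says only "proper updates"

# Constructed sample map (not from the guide). Every device carries its IP and
# identifying information and is linked to an authorized user or third party.
USERS = {
    "a.smith":       {"role": "attorney",    "restricted_access": True},
    "j.doe":         {"role": "staff",       "restricted_access": False},
    "it-vendor":     {"role": "third_party", "restricted_access": False},
    "cloud-storage": {"role": "third_party", "restricted_access": False},
}

PREVIOUS_MAP = [
    {"name": "asmith-laptop", "ip": "10.0.1.21", "owner": "a.smith",   "last_patched": "2015-03-30"},
    {"name": "recept-pc",     "ip": "10.0.1.10", "owner": "j.doe",     "last_patched": "2015-02-10"},
    {"name": "vendor-vpn",    "ip": "10.0.9.2",  "owner": "it-vendor", "last_patched": "2015-03-15"},
]

# The map after a quarter of growth: a new phone, an unclaimed scanner and a
# cloud-sync appliance were added.
CURRENT_MAP = PREVIOUS_MAP + [
    {"name": "asmith-phone", "ip": "10.0.2.41",   "owner": "a.smith",       "last_patched": "2015-04-01"},
    {"name": "scanner-1",    "ip": "10.0.1.77",   "owner": "unknown",       "last_patched": "2014-11-01"},
    {"name": "cloud-sync",   "ip": "203.0.113.5", "owner": "cloud-storage", "last_patched": "2015-04-01"},
]

def unassigned_devices(devices, users):
    """Devices not linked to any authorized user or third party."""
    return [d["name"] for d in devices if d["owner"] not in users]

def stale_devices(devices, today, max_age_days=PATCH_MAX_AGE_DAYS):
    """Purpose one: devices whose last recorded update is older than allowed."""
    cutoff = date.fromisoformat(today) - timedelta(days=max_age_days)
    return [d["name"] for d in devices
            if date.fromisoformat(d["last_patched"]) < cutoff]

def restricted_access_devices(devices, users):
    """Devices held by restricted-access users, which the map must mark explicitly."""
    return [d["name"] for d in devices
            if users.get(d["owner"], {}).get("restricted_access")]

def third_party_connections(devices, users):
    """Every connection owned by a vendor or contractor rather than the firm."""
    return [d["name"] for d in devices
            if users.get(d["owner"], {}).get("role") == "third_party"]

def new_connections(previous, current):
    """Purpose two: connections added since the last map, each needing its own review."""
    known = {d["ip"] for d in previous}
    return [d["name"] for d in current if d["ip"] not in known]

def audit(devices, users, previous, today):
    """Bundle the checks into one report the IT manager can review each cycle."""
    return {
        "unassigned":  unassigned_devices(devices, users),
        "stale":       stale_devices(devices, today),
        "restricted":  restricted_access_devices(devices, users),
        "third_party": third_party_connections(devices, users),
        "new":         new_connections(previous, devices),
    }

if __name__ == "__main__":
    for key, names in audit(CURRENT_MAP, USERS, PREVIOUS_MAP, "2015-04-05").items():
        print(f"{key:12s} {names}")
```

Keeping the map as data is what makes the second purpose workable: diffing against the previous version lists exactly the connections that existing protocols were never checked against, and an owner of “unknown” shows up as a finding rather than staying invisible on a diagram.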

Step 7: Audit Your Third-Party Contracts

Your employees aren’t the only people with access to your network. Every third-party vendor who connects to your network is a potential vulnerability, unless managed properly.50

Although some vendors who deal exclusively with attorneys understand the unique privacy issues lawyers deal with, most won’t take it into consideration by default.51 That’s because most vendors do not deal exclusively with lawyers, particularly cloud storage and IT vendors.

You trust your vendors with information that you are legally bound to protect. Under the Model Rules of Professional Conduct, you’re required to ensure the information remains protected52 by your vendor. Your vendor’s Terms of Service need to answer the following questions53:
- Who has access to your data?
  - Does every one of your vendor’s employees have access? Just a few?
  - How does your vendor record attempts to access your data?
  - Must meet same ethical standards applied to your law firm!
- How can you retrieve data from your vendor
  - If you terminate your contract with the vendor?
  - If your vendor goes out of business?
  - In the event of a break in continuous service?
- Will the vendor return or destroy all data on demand?
  - Will they guarantee it’s in a universal format?
- How do they keep your data secure?
  - What types of encryption and firewalls do they use?
  - What duty do they have to notify you in event of a breach?
  - Who will be liable for any damages suffered by your client?
- What is their data backup system/policy?

Download a Vendor Audit Checklist

[Infographic: At least 80% of the biggest 100 law firms have had some sort of breach.]

You will also likely have to ask questions based on your state’s ethical rules. For example, can you obtain a complete copy54 of any client’s information in the event you haven’t paid your bill?

Fortunately, many vendors understand that lawyers’ needs are a bit different than the norm. Vendors will often allow you to negotiate parts of their Terms of Service.55 However, do not compromise. If a vendor is unable or unwilling to modify their terms to meet your needs, don’t use them.

Make sure it fits your law firm:
Relationships matter. It’s likely that many of your vendors have been working with your law firm for quite some time. You and your staff are familiar and comfortable with your vendors.

If a vendor has provided excellent service, but cannot meet your requirements for handling confidential information right now, it doesn’t mean they’ll never be able to. Informing them of your specific needs might encourage them to improve. Until they do, however, you have a legal and ethical responsibility to take your business elsewhere.

50 Ajay Patel, The Secret to Secure Data in the Cloud? Know What You’re Up Against, LAW TECH. TODAY (Sept. 30, 2014).
51 See Carolyn Elefant, New York Report on The Cloud and Small Law Firms: Reasonable Advice But Wrong Solutions, ABOVE THE LAW (Jan. 6, 2014, 3:44 PM) (discussing the difficulty solo and small firms might encounter in negotiating terms of service).
52 See A.B.A. Comm. On Ethics & Prof’l Responsibility, Formal Op. 08-451 (2008) (discussing lawyer’s obligations when outsourcing legal and nonlegal support services).
53 Straight, supra note 27.
54 See, e.g., N.C. State Bar 2008 Formal Ethics Opinion 5 (2008) (discussing web based management of client records).
55 Sam Glover, Terms of Service for Cloud Software Are Negotiable, LAWYERIST (Sept. 23, 2013).
54 See Lee Rosen, Are You Backing Up Your Life?, DIVORCE DISCOURSE (last viewed April 5, 2015) (discussing the consequences of being unable to recover lost data).
55 Mark Wilson, How to Survive After a Law Firm Computer Crash, FINDLAW (Feb. 24, 2015).

Step 8: Establish a Data Backup System

If your local server was hacked and you lost everything stored there, what wo
