Law Firms Prime Targets of Cyber Attacks
“There is no target in the U.S. that cannot be successfully attacked today,” said Stewart Baker, talking about cyber security. Baker is a partner at Steptoe & Johnson and served as a panelist at a program on the issue at the American Bar Association’s Midyear Meeting in New Orleans.
The Standing Committee on Law and National Security sponsored the program, “Whither Cyberspace: Security, Privacy Rights, the Law and the Private Sector ,“ to discuss privacy issues and to understand cyber security in the 21st century in light of recent government and private sector developments in new monitoring and security systems.
Panelists agreed that cyber security is a major challenge because corporations and individuals have not weighed the risks of an actual attack or how a security failure could affect their bottom line.
Baker said it is difficult to know how big the problem of security failures is because corporations generally withhold information about their computer systems being compromised. Most businesses are either embarrassed or fear other companies will have a competitive advantage.
“Law firms are a prime target for cyber attacks,” added Baker. A quick poll of the audience at the program revealed that nearly 100 percent of them believed that their law firm computer systems had been attacked.
Harriet P. Pearson, vice president, security counsel and chief privacy officer at IBM Corp., said that everyone needs to recognize there is an issue in securing information. She suggests three starting points for any individual, firm or corporation:
- Risk Awareness: “Isolate your crown jewels or most sensitive matters and devote resources to protect them.”
- Ask yourself, “Do you have the right approach? What is your plan if your system has been compromised?”)
- What is your plan of action to respond?
Vincent I. Polley, president of KnowConnect, PLCC, has been exploring security issues for nearly 20 years. He said security concerns in a corporation have changed from employees making a mistake on the system or an insider threat, to corporations increasingly being vulnerable to advance persistent threats. These are threats from groups or foreign governments designed to retrieve data for financial gain.
“The Sony attack may make it possible for people to understand there are dollars attached to risks,” said Judith Miller, former senior vice president and general counsel at Bechtel Group, Inc.
The Sony PlayStation hack, occurring in April 2011, is estimated at a $1.24 billion loss.
“No company can say ‘I can’t worry about losing money,’” Miller said. “Because we don’t talk about this and prioritize the problem we have been stuck.”
“I had someone to say to me, ‘When you text, it’s gone.’ What? You can’t count on communications disappearing,” Miller added.
When assessing an organization’s vulnerability, Baker said a good question to ask is, “Who is our adversary?”
Baker shared a scenario of a group capturing information to give to an opposing oil company in the hopes of outbidding the company on a contract. Baker said, “There are sophisticated adversaries—you can’t afford that.” He advised that a company decide what information it can’t afford to have in the hands of its adversary and to take precaution.
Panelists agreed that it may be difficult for small firms to incorporate technologies to ward off adversaries, but said that lawyers need to do all they can to help their corporate clients understand the risks.
Polley shared three tools that lawyers could use to help corporate clients:
- The book, Sailing in Dangerous Waters
- Study Sony’s $1.2 billion loss and the cost of other data breaches at the Ponemon Institute
- Securities and Exchange Commission (new disclosure requirements)
Harvey Rishikof, chair of the ABA Standing Committee on Law and National Security said ABA President-Elect Laurel Bellows has made cyber security one of her key focus areas.