This past week, the world learned about the big hack of Biglaw. If your employer was one of the almost 50 firms prestigious enough to be targeted by Russian hackers… congrats?
The targeted firms tended to be transactionally oriented; the apparent plan of the hackers was to obtain confidential, market-moving information and trade on it. But litigators should be concerned as well. As noted by Logikcull, the discovery automation platform, ediscovery is the next frontier for hackers.
It’s not clear that any information was actually taken or used for insider trading in the big Biglaw hack, but it might still generate headaches for the firms — in the form of litigation. Noted class-action lawyer Jay Edelson — known to the general public for suing tech giants, and known to Above the Law readers for suing ExamSoft (and winning a hefty settlement) — has announced plans to file class-action malpractice cases against various firms, alleging inadequate cybersecurity.
That’s at the institutional level. What about the individual level? What can you as a lawyer do to prevent yourself (and your confidential client data) from getting hacked?
Here are some tips derived from two panels at the recent ABA TECHSHOW conference: a panel called Security Awareness and Phishing, featuring tech consultants Sherri Davidoff and Adriana Linares, and a plenary session called Can They Hear Me Now? Practicing Law in an Age of Mass Surveillance, featuring technologist Christopher Soghoian and lawyers Marcia Hofmann and Ben Wizner. (I attended the first panel and I moderated the second.)
1. Don’t be lax; make cybersecurity a priority.
That you’re reading this article is a good sign. “Lawyers get complacent,” Linares said. “They think, ‘Nobody’s going to come after me.’ But that’s not how things work.” Linares and Davidoff gave numerous examples of law firms — many of them small firms, not Biglaw behemoths — that fell victim to hackers. As Linares put it, “Eighty percent of law firms have been hacked, and the other twenty percent are either lying or don’t know about it.”
2. Backup, backup, backup — early and often.
You need to have your data backed up in case you suffer some misfortune, such as a fire or flood in your office or a massive hack of your computer system. Backing up to the cloud is an increasingly popular option, but be careful when selecting a service. As Linares pointed out, some cloud-based services (such as the widely used Dropbox) simply replicate everything on your desktop or laptop computer — which means that if you have a virus on your laptop, the problem can spread to your backup files.
3. Use two-factor authentication.
Two-factor authentication is an increasingly popular and effective way to protect the security of online accounts — so start using it.
“Yes, it can be a pain,” acknowledged Linares, since it’s slower and more cumbersome than simply entering a single password. “But you will get used to it.”
4. Consider using a password manager.
Speaking of passwords, there are solutions out there for handling your plethora of passwords. Chris Soghoian of the ACLU recommended password managers like 1Password or LastPass.
5. Look into encryption to protect the privacy and confidentiality of your (and your clients’) data.
Chris Soghoian and Ben Wizner of the ACLU spoke about how having NSA whistleblower Edward Snowden as a client forced them to up their game on the encryption front. Because of his high profile and the attention focused on him by multiple international intelligence agencies, Snowden insists on encrypted communications. But you don’t need to have a client like Snowden to benefit from the security and privacy that encryption can afford.
For a while, PGP was the leading encryption technology (and you’ll still see many journalist and techie bios on Twitter with PGP key information; see, e.g., former ATL editor Kashmir Hill). But because it’s cumbersome, PGP is losing market share to other encryption technologies, according to Soghoian (who revealed that he’s currently on a PGP hiatus).
For example, Marcia Hofmann uses Signal from Open Whisper Systems, a free and open-source app that allows for encrypted voice calling and instant messaging. It’s easy to download and to learn how to use.
If you’re too lazy for that but at least own an iPhone, you can actually use FaceTime for your phone calls and iMessage for your messages to other iPhone users, as Soghoian pointed out. Both FaceTime and iMessage offer so-called end-to-end encryption — which means, in a nutshell, that neither the government nor hackers can intercept your communications midstream and read them.
As for encrypted file storage and backup, Soghoian gave a shout-out to SpiderOak as a more secure alternative to Dropbox.
6. Educate your colleagues about cybersecurity.
You might be savvy about cybersecurity, but all it takes is one weak link in your organization to throw your computer system into chaos. Linares and Davidoff shared the story of how one Florida firm got hacked after a secretary clicked on an email attachment that was labeled “résumé for your review” but was actually malware. (One tip from Linares: learn how to hover over links to check their validity — is it a link to a website that you know and trust, or is it a link to an executable file (.exe) that might contain malware?)
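The "hover over the link" check from the Florida firm story, as an added Python example that is not from the article or the panelists: it pulls the links out of a constructed HTML email and flags executable downloads, display text that names a different site than the real target, and hosts outside an assumed trusted list (TRUSTED_HOSTS and SAMPLE_EMAIL are made up for this example).

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of sites the reader knows and trusts (constructed for this example).
TRUSTED_HOSTS = {"abovethelaw.com", "courts.gov"}

# Link targets that download a program instead of opening a web page.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".msi", ".js", ".vbs")

# Minimal anchor-tag matcher; good enough for the simple HTML in typical email bodies.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample email: one executable download, one genuine link, one look-alike host.
SAMPLE_EMAIL = """
<p>Please see the <a href="http://files.example-cdn.net/resume.exe">résumé for your review</a>.</p>
<p>Coverage: <a href="https://abovethelaw.com/tech">www.abovethelaw.com</a></p>
<p>E-filing: <a href="http://courts.gov.evil-host.example/login">https://courts.gov/login</a></p>
"""

def host_of(url):
    """Lowercased host of a URL with any leading 'www.' removed; '' if there is none."""
    host = (urlparse(url.strip()).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def is_trusted(host):
    """True when host is a trusted site or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def inspect_link(href, text):
    """Return the reasons a link deserves a second look; an empty list means none found."""
    warnings = []
    real_host = host_of(href)
    path = urlparse(href).path.lower()
    if path.endswith(EXECUTABLE_SUFFIXES):
        warnings.append("points at an executable file: " + path.rsplit("/", 1)[-1])
    shown = text.strip()
    # Only compare when the visible text itself claims to be a web address.
    if shown.lower().startswith(("http://", "https://", "www.")):
        shown_host = host_of(shown if "://" in shown else "http://" + shown)
        if shown_host and shown_host != real_host and not real_host.endswith("." + shown_host):
            warnings.append(f"text shows {shown_host} but the link goes to {real_host}")
    if not is_trusted(real_host):
        warnings.append(f"{real_host} is not a site on the trusted list")
    return warnings

def inspect_html(html):
    """Map every link in an HTML body to its list of warnings."""
    return {href: inspect_link(href, text) for href, text in ANCHOR_RE.findall(html)}
```

Running inspect_html(SAMPLE_EMAIL) leaves the genuine Above the Law link with no warnings and flags the other two, which is exactly the judgment a hover-over is meant to let a reader make before clicking.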
7. Don’t let the perfect be the enemy of the good.
As Davidoff pointed out, you can never be 100 percent secure. The best you can do is “just put one foot in front of the other,” she said, and try to protect yourself against major or obvious threats.
A good starting point: an assessment of your computer systems to figure out what your potential issues and biggest risk points are. This is what a number of law firms are now doing in the wake of the hacking reported last week, often with the help of outside consultants or technology firms.
You should also do your best to keep up with developments in the tech space, in terms of both new threats and new tools. You can do so with the help of Above the Law’s extensive and ever-increasing legal technology coverage, an area we’ve expanded dramatically in the past few years.
“Security is never perfect,” Hofmann said, so don’t stress yourself out by aspiring to perfection. But you can, and should, try to do better over time. You — and your clients — will be very glad you did.