Law Firms And Banking Industry Cyber Attacks

Protecting your Information

Did you know that in 2011, 90 percent of American companies said they had been hacked at least once? In 2012 alone there were over 600 confirmed hacks, and while many of those hacks targeted small businesses, a fair number targeted law firms. Read more about 2011 cyber attacks here.

Law firms are quickly becoming a popular target among cyber-thieves because of their clients. Law firms have access to personal information including bank accounts, social security numbers, birth dates, etc. Many hackers also know that law firms are skilled at researching clients. Successful hackers can access information and quickly attack financial avenues. Many law firms are now working with professional companies to stay on top of potential threats. Since hackers are learning more and finding more avenues for exploitation every day, it’s understandably difficult to keep up with the threats.

Security Improvement Against Cyber Attacks

In order to help improve security at law firms there are a few things firms should consider:

  1. Reveal cybersecurity profiles

Being more revealing within the law community is one way to help and learn from each other. Sharing potential security threats with like companies will help everyone. Information is power and law firms will be better able to protect themselves from threats they know about.

  2. Keep clients informed about potential data breaches:

Companies are generally required to inform clients or customers of potential hacks. It’s good business practice and it lets your clients know they can trust you. Letting a client know their personal information may have been compromised gives them time to prepare and protect themselves.

  3. Hire security:

Hire professionals who understand cyber-threats and are capable of working with your security systems. Communicating with other firms and businesses about vulnerabilities, threats and security systems will only work if you have someone qualified to put adequate protection in place.

  4. Pay attention:

Lawyers are busy. Between cases, paperwork and court sessions there is a lot to do! While this makes for excellent workers, it also makes for easy targets. Busy workers are less likely to notice or pay attention to warning signs that could indicate a breach. Simply encouraging lawyers to pay a little more attention to emails they open, links they download and unexpected updates on their computers can make a big difference.

  5. Have a plan:

One way you can help protect your company is by creating a cyber-threat plan. This may include training for lawyers and office staff on how to recognize and handle a potential breach. You will need to have a plan for contacting clients affected and dealing with potential information leaks. If your law firm experiences a major breach, you’ll likely need to work with the press to get your message out.

Plan now so that if the unexpected happens you can act quickly to stop as much damage as possible.

Keep Your Clients & Company Safe

While it is understandable that law firms may not want to spend a lot of money worrying about cyber threats, the potential for loss and damage is very real. Cyber-attacks are occurring more frequently at law firms because security is so much more lax than banking institutions. This is unfortunate because most law firms have a lot of personal information at hand. Fully grasping the potential for loss is necessary if law firms are to take the threats seriously.

We know that your law firm honors privacy and protection. Paying attention will help you keep your company and your clients safe.

Hiring an Educated Broker for Cyber Liability Insurance

A cyber liability insurance policy covers businesses against unauthorized access to, or use of, electronic data or software within a business network. Cyber liability insurance policies also provide coverage for claims that come about as the result of viral outbreaks, malicious code, extortion, computer theft, and other internet-related losses. Losses may also include mistakes, errors, and omissions made by employees while on the job. We’ve written an article about cyber liability before; go here to read it.

Do You Need Coverage?

Companies lose billions of dollars because of various types of online fraud, data breaches, and other cyber-related activities. In 2005, less than 1/3 of businesses had some degree of cyber liability or other insurance coverage for cyber fraud. Today, more than 60% have some form of cyber liability insurance. As criminals become more internet savvy, the risk that customers’ data falls into their hands increases as well. Every industry that conducts business online, in any manner, is at risk. The risk grows daily. When customer and company information is at risk of falling into the hands of crooks, companies need to take steps to ensure that their customers’ personal information is safe and guarded from unauthorized access.

Choosing the Correct Insurance Broker for your Cyber Liability Insurance

Cyber liability policies vary as much as the businesses they protect. You should compare different companies and potential policies, just as you would with car insurance, to make certain what policy will best suit your individual needs. The following are some points to consider in the process of choosing:

  • Prepare questions and personally interview companies before choosing a policy.
  • Go over all the products with the insurer to make sure what they have available will cover you in case of a loss. Personal customer information, if leaked, causes businesses to fold, due to lack of trust on the customers’ behalf.
  • Most insurance brokers perform an in-depth look at current data protection plans and internal security measures you have in place. From there they suggest which products best suit your business.
  • Go over the insurance company’s records. Know how they handle claims and breaches. Ask questions. A trustworthy broker answers your questions and is upfront about their coverage in multiple scenarios.
  • Look at the scope of an insurer’s duty to defend and/or pay defense costs when a liability indemnity policy receives a claim. Do they cover court costs, lawyers’ fees, and other recovery fees if necessary?
  • Make sure the brokers are knowledgeable, with an in-depth understanding of the current protection products available. Ask about the benefits and limitations of various products.
  • GSL insurance alone is not effective any more. These policies don’t cover certain aspects such as electronic data. Read more about GSL insurance from Cyberinquirer.com.

Knowledge Is Power

In conclusion, almost all businesses rely on some form of technology. Today the cyber liability insurance market is constantly growing and changing. As a result, coverage needs to include new technologies and the need to protect more data than ever before. A myriad of policy types is available, whether the business is online or a brick and mortar store. Choosing an educated and knowledgeable insurance company makes all the difference should you ever need to make a claim. Make sure you understand all the policy’s ins and outs before signing on the dotted line.

State Data Breach Notification Laws

Data breaches have happened since the earliest days of recorded information, and recently have led to the downfall of CEOs. As companies collect more and more data and consumers seek convenience while relying on technology, the potential damage from cyber security breaches and data stealing continues to escalate. If a client you are representing is caught in one of these internet break-ins, who is ultimately liable?

State by State

Currently cyber security is regulated at the State level as opposed to the Federal level. Right now forty-seven of the fifty States have cyber security or data protection laws in place, with a proposal in New Mexico for one that calls for hacked businesses to report to their customers a data breach within 45 days. This leaves South Dakota and Alabama as the only States in the Union to have not addressed this critical area of consumer protection.

There is discussion of moving cyber security regulation to the Federal level, as a tremendous amount of interstate commerce occurs via the internet and many of the attacks to steal data are launched from overseas. Given the political climate it is unlikely that this will happen in the next few years.

Who is Responsible?

Many states have recently strengthened their data laws to protect the consumers, most notably Florida and Delaware, both of which use the standard of “reasonable” actions by the business to dispose of consumer data or protect it. “Reasonable” however is a moving standard as the criminal element continuously improves their skill set in data attacks, and it literally takes only a moment’s lapse of judgment by an employee to open the door to a firm’s data.

Several well-known data breaches have actually happened from a physical access of information instead of a hack. A stolen laptop is essentially a skeleton key for criminals, and all companies should implement policies as to how to address this issue. Remote data wipe processes should be standard operating procedure.

Many companies attempt to contractually shift the risk and liability for data security to third party providers that focus on this, allowing these organizations to bring to bear greater resources due to their specialty in data transfer and security as opposed to selling garden hoses or muffins. These cyber protection agencies are employed in addition to the payment processors such as Square or the credit card companies, who have their own procedures in place to protect consumer data and assume partial responsibility for protection thereof. Real time threat assessment can help locate a breach before the stolen data can be misused to harm clients, thus reducing the damage and ultimate liability to companies.

Ultimately, anyone who has access to the data could be held liable if information falls into the wrong hands, as California’s laws clearly state. Thus everyone along the knowledge chain needs to take actions to prevent stealing of the information they possess. Read our previous blog about cyber liability insurance here.

Knowledge is Power

Data is the driving force in the interconnected Web 2.0 world we live in. Consumers have shifted away from cash for convenience, and huge amounts of information and money are hidden behind electronic locks that can be breached by keystroke or old fashioned snooping techniques. Both consumers and companies need to be smart about who they give their information to and companies have an obligation to keep consumer information safe.

Cyber Liability Insurance

One of the primary responsibilities of an attorney is keeping client information confidential and secure. As most information is now stored electronically, keeping data confidential is in some ways more difficult than it was in the past. Law firm cyber security breaches often involve the leakage of client or employee information, which can be damaging for all involved. While breaches of cyber security have become increasingly common over the years, many fail to realize how susceptible they truly are to such attacks. However, the threat of cyber hacking is particularly serious for law firms. In fact, in 2009 the FBI issued an official warning that hackers were specifically targeting law firms.

Beyond hacking, there are three main causes of law firm data leaks:

1. negligent disposal of client records
2. theft or ruin of devices
3. improper use of internal security

While steps may be taken to prevent a data breach from occurring in the first place, the consequences of such an occurrence are so great that law firms are advised to invest in cyber liability insurance.

Ramifications Of A Cyber Data Breach

Cyber data breaches may result in a series of harmful consequences for those involved. As attorneys are by law obligated to protect client information, following a data leak, firms may be presented with malpractice claims and lawsuits. Depending on the state in which you practice, laws regarding the appropriate treatment and disposal of client information vary. The consequences your firm will face following a cyber attack are often unpredictable, but recovery from a data leak is almost always an expensive process.

Cyber Liability Insurance For Your Firm

According to the Ponemon Institute, in 2013 the average cost of a data breach, for one company, was 3.5 million. The full study may be read here. Security breaches often result in unexpected costs, such as those related to hiring an IT investigator to determine what went wrong and allowed the breach to occur in the first place. There are costs related to public relations, alerting those whose information has been leaked, and managing any resulting legal expenses. Many believe cyber liability is covered under legal professional liability insurance. While traditional insurance may cover certain aspects of a cyber attack, there are many grey areas that remain exposed. The only way to truly protect your firm from the costs of a cyber data breach is by investing in cyber liability insurance.

Cyber liability insurance ranges widely in coverage and protection, to fit the needs of your firm. You should ask your insurance provider to conduct a cyber risk review to ensure your plan meets your needs. Consider whether or not you want your insurance to cover the following:

  • costs related to hiring an IT investigator following a data breach
  • third party claims (violation of one’s right to privacy, etc.)
  • meetings with PR firms
  • business interruption

For more tips on cyber safety, look here.

How Lawyers Can Secure PDF Documents

With cyber security being a major issue for law firms today, we decided to post this article on some very basic things you can do to ensure your documents are secure and that the wrong eyes are prevented from seeing sensitive and privileged information.

How To Protect Yourself

PDF files are potentially safer than paper documents, provided you apply security to them. PDF security isn’t infallible, but it’s important for lawyers to know how to enable it, and to know what it can and can’t do.

1. Two Kinds of PDF Security

Acrobat enables you to lock down PDF files in two ways: (1) to stop a user from opening a PDF without having a “document open password,” and (2) to limit what can be done with a PDF once opened, unless the user enters a “permissions password.”

Why might you wish to restrict PDFs in these ways? The answer undoubtedly differs from lawyer to lawyer, but listed below are some common scenarios.

Let’s say you want to send a confidential document to a client by e-mail, but you’re wary that a spouse or secretary could possibly have access to the client’s e-mail program. You should enable security that prevents the PDF from being opened without a password; then call your client and be sure to disclose the password (and maintain that password for virtually every future PDF you need to send to this client).

If you’re producing documents in PDF form to opposing counsel, you may want to restrict their capability to insert or remove pages. If the PDFs are text searchable, you might want to inhibit the capability to select and copy text (although doing this is likely to create problems under F.R.C.P. 34(b)(E)(ii), which mandates that documents be produced in a “reasonably usable form”). If a protective order specifies the documents are not to be printed, you may properly restrict printing.

2. Setting Security On the PDF

So, how can you enable security to achieve such goals? In the File menu, choose Document Properties (or utilize the shortcut CMD/CTRL + D) and then click the Security tab. From there, choose the Security Method drop-down menu. Choose Password Security on the drop-down.

From the next dialog box, you can (1) enter your password which will be necessary to open the PDF, (2) enter a password which will be necessary to make changes to your PDF, and (3) specify the changes that are allowed or disallowed.
You’ve got options to prohibit printing (or limit printing quality) and preclude changes (e.g., inserting or deleting pages, content copying, and commenting). You can also set your password to restrict modifications to the PDF without setting a password for opening it.

Better Safe Than Sorry

3. PDF Security Isn’t Perfect By Any Means

After you apply security, Adobe will warn you that, while all of its products will enforce security settings, some third-party products might not, enabling recipients of the secured PDF to bypass a number of the restrictions you set. Put simply, Acrobat’s security is pretty good, but far from perfect. Still, it’s an improvement on nothing, and for that reason useful.
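
To confirm which restrictions a saved PDF actually declares before it leaves the firm, the following added example (not from the original article or from Adobe) reads the permission flags from the file's encryption dictionary. The sample bytes and function names are constructed for illustration, the parser assumes the dictionary is stored as its own object, and the script reports only the permissions password's restrictions, not whether a document open password is set.

```python
import re

# Standard security handler permission flags (ISO 32000-1, Table 22).
# Bit positions are 1-based; a set bit means the action is allowed.
PERMISSION_BITS = {
    3: "print",
    4: "modify contents",
    5: "copy or extract text",
    6: "add comments",
    9: "fill in form fields",
    10: "extract text for accessibility",
    11: "insert, delete or rotate pages",
    12: "print at high quality",
}

# Constructed sample (not a real file): only the objects the audit reads.
SAMPLE = (b"7 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3392\n"
          b"   /O <00> /U <00> >>\nendobj\n"
          b"trailer\n<< /Root 1 0 R /Encrypt 7 0 R >>\n")


def read_encrypt_entries(pdf_bytes):
    """Return the integer entries of the /Standard encryption dictionary, or None."""
    pos = pdf_bytes.find(b"/Standard")
    if pos < 0:
        return None  # no password security applied
    start = max(pdf_bytes.rfind(b"obj", 0, pos), 0)
    end = pdf_bytes.find(b"endobj", pos)
    body = pdf_bytes[start:end if end >= 0 else len(pdf_bytes)]
    found = re.findall(rb"/(V|R|P|Length)\s*(-?\d+)", body)
    return {key.decode(): int(value) for key, value in found}


def audit_permissions(pdf_bytes):
    """Summarise which actions the permissions password restricts."""
    enc = read_encrypt_entries(pdf_bytes)
    if not enc or "P" not in enc:
        return {"encrypted": False, "denied": [], "warnings": ["no password security"]}
    flags = enc["P"] & 0xFFFFFFFF  # /P is written as a signed 32-bit integer
    denied = [name for bit, name in PERMISSION_BITS.items()
              if not (flags >> (bit - 1)) & 1]
    warnings = []
    if enc.get("V", 0) in (1, 2):  # V 1 and V 2 mean RC4; /Length defaults to 40
        warnings.append("RC4 with %d-bit key" % enc.get("Length", 40))
    return {"encrypted": True, "denied": denied, "warnings": warnings}


if __name__ == "__main__":
    report = audit_permissions(SAMPLE)
    print("denied:", ", ".join(report["denied"]) or "nothing")
    print("warnings:", report["warnings"])
```

These flags are instructions to the viewing software, which is why a product that ignores them can bypass the restrictions; only the document open password keeps the content unreadable.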

4. Save Security Settings for Reuse In The Future

If you find that you reap the benefits of utilizing the security settings, you might start making use of them a lot. You may realize that you’re utilizing a certain group of security restrictions over and over. Fortunately you can create a saved policy that you may quickly apply to future PDFs.

To do this, navigate to the Tools menu and choose Protection > Encrypt > Manage Security Policies. Then, choose New > Use Passwords and provide the policy a name (and description, if you want). Following that, you’ll see a dialog box, and you can define the security settings you would like to save for future use.

When you want to make use of the saved security settings, open the Tools menu and select Protection > Encrypt. Select the policy you created and apply it to the open document.

One Last Update

The very last important thing to cover about security is that you should frequently update Acrobat (and Reader, if you are using that as well). Adobe is constantly pushing out important security patches, so you want to install those as soon as they are available. To check for updates, visit Help > Check for Updates.