Large data breaches are typically boom times for the lawyers, called upon to control the bleeding and manage the fallout. But the same law firms tasked with minimizing client liability, and providing auditing and insurance underwriting, grapple with risk from a breach of their own systems and data.
Indeed, as companies scramble to assess their own vulnerability amid the wave of supply chain attacks in recent months, law firms find themselves doing double duty: providing complex legal support to clients, and assessing internal safeguards to ensure they themselves practice what they preach.
Thomas Zych, partner and chair of privacy & cybersecurity at Thompson Hine, said large software supply chain breaches with industrywide implications “almost act as stress tests on an enterprise and specifically a law firm or law department’s operations,” casting a spotlight on the procedures that firms have in place for vetting and managing their vendor relationships.
Getting one's house in order
Campaigns like the one carried out on SolarWinds and other third-party software providers last year, or the ransomware attack on Accellion, are often defined by their shades of gray. The number of victims often remains unclear for months or longer, and breaches often beget more breaches.
In the meantime, a legal sector that thrives on certainty and precise language must navigate this landscape of doubt, not just on behalf of their clients but their own organization as well.
“My advice doesn’t change and that is that every single supplier, hosted service provider, should be taking responsibility for data security,” said Cynthia Cole, a partner at law firm Baker Botts. “The level of responsibility varies depending on multiple factors, but indemnification is a good starting place.”
Others said that the first step after news breaks around a major supply chain breach is getting their own house in order: auditing the software inventory and consulting with internal security to investigate whether they are using the affected software.
“It’s not the first time we’ve thought about this, but it’s another opportunity for us to make sure [we’re] appropriately aligned to prepare for and respond,” said Zych, who doubles as his firm’s security officer and helps lead investigation and incident response activities.
Indeed, lawyers often carry legal and professional ethical obligations to keep attorney/client communications and data confidential, and a slip-up or reckless act could potentially impact their license to practice law or damage their reputation among clients.
“When I work with clients, I say ‘okay…make sure all of your service providers are obligated to notify you if they have a breach,’ so understandably our clients look at us as trusted service providers with the same expectations,” said Zych.
Elizabeth Wharton, a technology attorney and chief of staff for cyber threat emulation company Scythe, believes that swaths of the legal industry are ill-prepared to grapple with the same software supply chain visibility challenges they advise their clients on.
In the legal industry “the focus isn’t on the security investments, the IT investments,” Wharton said. “Being able to change the conversation, focusing on ‘hey, we are a target, we are a data-rich environment, and we are reusing software and systems that are older,’” is critical.
System security, a mixed bag
The legal arena is less likely to see the kind of decades-old, insecure legacy systems that are more common in government and critical infrastructure, and there are some signs that investment in improved tech is getting better. According to research and estimates compiled by legal blogger and attorney Bob Ambrogi, industry startups are thriving and there was north of $1.2 billion invested in legal technologies in 2019, compared to $1.5 billion total invested from 2010-2017.
“The legal industry has turned a corner on its use and adoption of technology,” Ambrogi wrote in January. “Law firms are becoming innovators, legal departments are demanding efficiencies and process improvements, a cavernous justice gap cries out for better delivery systems, and regulatory reform efforts foretell a new era of private-sector involvement in the delivery of legal services.”
Still, Wharton argued that the speed at which new vulnerabilities are found and weaponized by malicious hackers today means that even newer systems with regular patches can be exposed to exploits for crucial periods of time that put them at risk of compromise.
The ransomware attack on Accellion that led to the compromise and eventual leak of confidential client data from major law firm Jones Day demonstrates how law firms can also wind up in the same supply chain security vortex as their clients. In that example, it was Accellion’s file transfer system that housed the stolen documents that was breached, not the security systems of Jones Day itself. Nevertheless, that did not stop the firm from becoming a victim of extortion and leaking tactics by ransomware operators.
“If you’re trying to build a reputation as the go-to law firm for [merger and acquisition] deals, or say ‘trust us with your deepest, darkest business, but oh we have vulnerabilities because of a supply chain issue and your data may get hacked,’ people don’t focus on [the distinction that] it was one of their vendors,” said Wharton. “People instead say ‘Oh, Jones Day got hacked.’”
Software supply chain attacks can have other downstream effects that impact the work of attorneys. The same campaign that hit SolarWinds eventually led to the compromise of PACER, the judiciary’s online court records system. Investigators believe the hackers gained access to reams of sensitive or confidential court filings that were under seal and not otherwise available to the public.
That has caused more strain for firms that don’t know whether their sealed filings were accessed or exfiltrated, nor in whose hands that information may ultimately end up. Zych said many firms are opting to file physical records instead of online where possible, but uncertainty among clients persists.
“None of us can say ‘yes, that file was taken, that file was exfiltrated,’” said Zych. “The courts, like everyone else, don’t have a full picture yet of what’s happened; they just know the vulnerability.”