This blog post was written by INTA's Law Firm Committee.
INTA is dedicated to supporting trademarks and related intellectual property (collectively “intellectual property”) to protect consumers and promote fair and effective commerce. Trademark owners and professionals dedicated to supporting intellectual property have come to rely heavily on mobile technology to work and communicate. While the focus on improving cybersecurity in the workplace has increased, cybersecurity procedures for mobile technology remain lacking. To effectively protect an entity’s or a client’s intellectual property, those using mobile technology should ensure that the security measures they take can rebuff a cyber-attack. Otherwise, a client’s intellectual property may be compromised by unauthorized intrusion through a mobile device.
Law firms act as repositories for large amounts of confidential information, ranging from intellectual property information and strategies, to clients’ personal information, to commercially sensitive business information, data, and records. Clients rightly expect such information to be kept safe and secure and to remain confidential. This is a key element of the relationship between a law firm and its clients.
As technology develops, the amount of confidential information held by law firms increases, and so does the risk of cyber-intrusion or cyber-attack.
Law firms are viewed as high-risk targets because a cyber-intruder could potentially obtain confidential information regarding multiple clients from a single intrusion. The 2016 data breach incident known as “the Panama Papers,” the largest law firm data leak in history, is an example of the damage that can be caused to multiple clients as a result of a cyber-intrusion. The Panama law firm of Mossack Fonseca was hacked, resulting in offshore banking information about numerous entities being acquired and then made publicly accessible over the Internet. This is not an isolated incident. Mandiant, a cybersecurity firm, since acquired by FireEye, estimates that 80% of the largest law firms in the United States have experienced some form of cyber-intrusion since 2011.
Cyber-intrusions may come from individuals, organized crime syndicates, hacktivist groups, or nation states for a number of reasons, including economic or industrial espionage, theft, system disruption or destruction, extortion (ransomware), or cyber-facilitated fraud and corruption.
Protecting against Cyber-intrusion
To best protect against cyber-intrusion, law firms should take steps to fortify their data and computer networks. While such internal data and network protection is now common among law firms, an area that has not received the same level of attention is mobile device security.
Mobile Device Security
The use of mobile devices by law firms continues to grow as advances in such technology platforms evolve. In today’s world, not only are laptop computers, tablets, and smartphones being used by lawyers for work-related functions, but wearable devices, such as smartwatches, are being used as well to connect to their work data and clients. The use of mobile technology has assisted law firms in moving toward paperless offices, increased productivity, and improved efficiency, creating a better service for clients. According to the 2015 American Bar Association Legal Technology Survey, approximately 90% of lawyers are using mobile devices for legal tasks away from the office.
In response to increased mobile device use, law firms should implement policies and procedures that address not only the risk to a firm’s internal computer networks, but also the risk to the mobile devices that connect to them. If proper protections are not implemented, a cyber-intruder could potentially spread malicious emails throughout the law firm, access secure network data, and deploy ransomware or other malware.
Policies and procedures relating to mobile devices should specifically address the situation where a mobile device is lost or stolen. Foremost, a lost or stolen mobile device should be reported to the firm immediately. All mobile devices should have mobile device management (“MDM”) software installed to, at a minimum, enable the law firm to remotely wipe sensitive information from the lost or stolen device. The ease with which a law firm can remotely wipe a mobile device may depend on whether the device is firm owned and controlled or whether the lawyer is using a personal device under a bring-your-own-device (“BYOD”) policy.
Ensuring that any BYOD policy provides for installation of MDM software is crucial. Ideally, all MDM software will be centrally managed by the law firm. The MDM software may also be used to provide secure email and secure Internet browsing, and to designate which applications may or may not be downloaded to the mobile device. Typically, MDM software provides for compartmentalizing confidential information, such as emails, documents, and firm applications, in an encrypted location on the mobile device that is separate from personal information. Because of the intrusive nature of MDM software, a detailed explanation of the limits of such encryption and separation is important to ensure employee confidence in any BYOD policy.
All mobile devices that have access to firm data—even emails—should be password protected. For mobile phones, which now support biometric unlocking in addition to passwords, either a complex password or biometrics should be used. If a laptop or tablet is able to access data on the firm’s computer network, two-factor authentication for remote access is recommended. Two-factor authentication is a method of confirming a user’s identity by requiring two different authentication factors, drawn from categories such as, but not limited to, a knowledge factor (a password), a possession factor (a security token, which may be provided via a mobile phone), and a physical characteristic of the user (biometrics).
Mobile devices should be encrypted, and portable storage devices, such as USB flash drives, should also be protected by encryption.
To limit the risk of employee error leading to cyber-intrusion, recurring cybersecurity training should form part of a law firm’s ongoing professional development and training. As an example, monthly reminders could be sent to all employees reminding them of security policies and procedures and of the need to be vigilant. Reminders can discuss recent noteworthy cyber-intrusions as cautionary tales, or explain some of the most common data security threats employees may face.
Thanks to Terry Sanks and Scott Moran of the Law Firm Committee for co-authoring this blog post.