This article has been written by Mridul Tripathi, who is currently pursuing BBA LLB from Vivekananda Institute of Professional Studies. It is an exhaustive article on cybersecurity and the issues law firms face, and on the steps a firm should take to approach cyber-related problems.
What could be the most profitable target for a hacker? Some might say bank accounts or government networks, but over the last few years law firms have been witnessing the biggest cyber siege of their time. The reason is simple: a law firm's files are loaded with sensitive information about its clients, and that data, if obtained, could be used to earn a fortune.
There have been cases like the 'Panama Papers' leak, in which more than 11.5 million documents from a law firm were leaked to the press, showing how scores of people used offshore companies to avoid paying taxes. This one case and its aftermath are in themselves sufficient to show the magnitude of damage a data breach can cause.
Surveys show that, despite being continuously made aware of the increasing threat and of the problems with their security, firms have failed to take the actions necessary to keep their data safe. This article deals with the need to tighten the cybersecurity of a law firm. Let us start by discussing why such measures are needed.
Need for cybersecurity
According to John Reed, President of a consulting limited liability company that specialises in data breach response, a law firm's files comprise:
- Confidential documents from corporate deals.
- Evidence related to high-profile cases.
- Sensitive information about clients' finances.
- Emails containing private information about clients' personal and professional lives.
- Information about intellectual property, including patents and trade secrets.
Law firms face the maximum risk of being hacked because of the nature of the profession. It is high time that firms which suffer an attack are treated not merely as 'victims' but as negligent parties liable towards their clients and their employees.
An article on www.theprint.in, drawing on a report released by Subex, an analytics firm, stated that India was the most cyber-attacked country in the world for three months in 2019. Though these attacks were mostly targeted at critical sectors that do not include law firms, following international trends it cannot be denied that law firms are next in line. The attacks were largely launched with the help of botnets: networks of devices (computers, mobiles, laptops, etc.) infected with malware and controlled remotely by a third party.
Installing malware on someone's computer to make it part of a botnet is an illegal activity. The government has therefore come out with various policies, many of them focussed on botnets, to safeguard systems from such attacks.
Government initiatives on cybersecurity in India
The Government of India has set up several initiatives to combat threats to cybersecurity. Law firms should be aware of the aid these provide.
- CERT-In (Indian Computer Emergency Response Team): the national agency for responding to significant cybersecurity incidents. Detailed information can be accessed at www.cert-in.org.in.
- Cyber Surakshit Bharat: an awareness programme on the importance of cybersecurity, based on three principles: awareness, education and enablement. It is a public-private partnership launched by MeitY (Ministry of Electronics and Information Technology) and NeGD (National e-Governance Division), and aims to build the capacity of Chief Information Security Officers.
- National Critical Information Infrastructure Protection Centre (NCIIPC): designated under Section 70A of the Information Technology Act, 2000, this organisation aims to ensure secure and resilient critical information infrastructure for the nation.
- Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre): an initiative to keep Indian cyberspace free of bot infections. It is run by CERT-In under Section 70B of the Information Technology Act, 2000. Incidents can be reported to its helpdesk, free of cost, by email.
Measures that could be taken to combat cybersecurity threats
Apart from availing themselves of the general options available to everyone in the country, law firms can take a more specific approach so that their systems are not breached. The following steps can be taken towards building sturdy cyberspace.
Choose a model
The firm needs to start by deciding whether it will build an in-house team or outsource. An in-house team takes considerable time and money for hardware, administration and architecture, but it is more dependable and trusted than an outsourced one. Some firms are reluctant to hand their entire data systems to an outside company, and a half-hearted engagement results in a faulty assessment.
Outsourcing is cost-effective, but an outside provider first has to become familiar with the firm's business. A mixed model is also possible: a small in-house team working closely with external technical and domain experts assures better quality of service as well as a close-knit working environment.
Because the threat is still seen as a growing phenomenon rather than a pervasive problem, firms do not treat cybersecurity as a priority. The job gets delegated to technical staff with fewer skills than required, or the same team is made responsible both for overseeing the firm's defences and for reporting incidents. That creates a conflict of interest and reduces the chance of a threat being reported to the authorities.
The firm should ensure that its senior leaders are involved in cybersecurity, to signal the importance of the subject and of maintaining it. The whole job should not be dumped on the IT team; every person should be accountable for any potential leak of information that leads to a client's loss.
Pen-testing and Security Assessment: Know your weaknesses
Penetration testing, or pen testing, is a simulated cyber attack on your systems, carried out by a specialist company to bring out their weaknesses. You cannot implement solutions or take measures without knowing and analysing the scope of the problem.
Pen testing and similar risk assessments should be the first step a law firm takes towards securing its cyberspace. The firm needs to be cautious in choosing the company that will carry out pen testing, simulated spear-phishing or any other kind of risk assessment; a sound approach is to go with the best in the market, agree the scope in writing, and have the findings fixed and retested.
Considering the increase in cyberattacks, it would not be far-fetched to say that cyber insurance will be the new normal. Firms that already take basic insurances such as property insurance should consider cyber coverage too. Data from DSCI (Data Security Council of India) show that sales of cybersecurity-related products jumped 40% compared to 2017. India is still a developing country where digitisation is new, and its cybersecurity provisions are weaker than those of countries that are already well equipped. There is all the more reason for more cyber insurance policies to come up, and for better legislation to govern them.
Updates and patches
Installing updates promptly when a patch is issued is necessary. Many security breaches occur because software was not updated; none of the other solutions work if they are not kept up to date, and a failure to apply a patch is equivalent to sending an invitation to attackers. Management should be asked about the firm's patching practices every once in a while, and should be able to show an inventory of the software in use and when each item was last patched.
Many law firms allow employees to bring their own devices to the office. Law firms need to strictly control what client information employees keep on those devices, and retain the ability to wipe that data remotely when needed.
Usage of safe networks
While attorneys are travelling or working outside the office, they tend to use networks that are not safe for confidential work online, which leaves their systems open to attack. The firm should have a policy in place ensuring that legal staff use a secured mobile hotspot (or the firm's own VPN) while travelling.
It cannot be denied that employees are at the centre of a law firm's vulnerability to cyber attacks. Executive management should fix training sessions in advance; a schedule of these exercises should be prepared during the annual planning meeting.
Cybersecurity should be taken with utmost sincerity, and there has to be a change in mentality when dealing with it. It should not be the responsibility of the IT department alone: every employee should take responsibility for their systems and their security. It is about time to stop treating law firms that get attacked as victims and to start treating them as negligent parties.
Encryption is at the beck and call of every company that wants to secure its data. Encryption means transforming sensitive information into an unreadable form that can only be read back with a key, preventing unauthorised access. When implementing encryption, weight has to be placed on getting the quality and type of encryption right: encryption can be broken easily if the firm is using an outdated or flawed algorithm or programme. Even after the documents are robustly encrypted, the information can still be leaked if the firm is negligent and the key is released somehow; the key must be guarded as carefully as the documents themselves. Whenever somebody accesses the encrypted files, that access should be logged and analysed.
Encryption keeps files from being read in the event of a device being stolen. Any discrepancy or unauthorised use by an employee should be raised immediately and dealt with strictly.
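The three points above (a modern authenticated cipher, the key as the real secret, and logging every access) can be seen in code. The following Go program is an added example written for this article, not code from the article or from any vendor it mentions. It uses AES-256-GCM from the Go standard library, a constructed sample document, and a hypothetical in-memory access log; all names are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// accessEvent is a hypothetical log record: every attempt to open an
// encrypted file is recorded, whether or not it succeeded.
type accessEvent struct {
	When    time.Time
	User    string
	File    string
	Success bool
}

var accessLog []accessEvent

// newKey generates a random 256-bit key for AES-256-GCM. Whoever holds this
// key can read the documents, so it must be protected as carefully as they are.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptDocument seals plaintext with AES-256-GCM. A fresh random nonce is
// prepended to the output; GCM appends an authentication tag.
func encryptDocument(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptDocument reverses encryptDocument. A wrong key or a modified
// ciphertext fails authentication and yields an error, never garbage.
func decryptDocument(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// openDocument is the only path through which staff read a file: it records
// who tried to open what, and whether it worked, then decrypts.
func openDocument(user, file string, key, sealed []byte) ([]byte, error) {
	pt, err := decryptDocument(key, sealed)
	accessLog = append(accessLog, accessEvent{time.Now(), user, file, err == nil})
	return pt, err
}

func main() {
	key, _ := newKey()
	doc := []byte("constructed sample: draft merger agreement for client X")
	sealed, _ := encryptDocument(key, doc)

	if _, err := openDocument("associate1", "merger.docx", key, sealed); err == nil {
		fmt.Println("holder of the key can read the file")
	}
	wrongKey, _ := newKey()
	if _, err := openDocument("thief", "merger.docx", wrongKey, sealed); err != nil {
		fmt.Println("without the key the file is unreadable:", err)
	}
	sealed[len(sealed)-1] ^= 0x01 // tamper with the authentication tag
	if _, err := openDocument("associate1", "merger.docx", key, sealed); err != nil {
		fmt.Println("tampered file is rejected:", err)
	}
	for _, e := range accessLog {
		fmt.Printf("%s user=%s file=%s success=%v\n", e.When.Format(time.RFC3339), e.User, e.File, e.Success)
	}
}
```

The access log is what makes the encryption auditable: the failed attempt by "thief" and the rejected tampered file both show up as entries that someone should review. In a real deployment the key would live in a key management service or hardware module rather than in the program's memory, and the log would go to a system the same staff cannot edit.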
Readiness to deal with data loss
Data Loss Prevention (DLP) systems, also called data leak prevention systems, help to detect and stop unauthorised transmission of files by employees. Such systems classify confidential and critical information and prevent employees from transferring any of it outside the firm's network. With such classification in place, the law firm can block transmission of these files and safeguard itself against a potential loss.
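The classify-then-block logic the paragraph describes, as an added example written for this article and not the code of any DLP product: content is classified from markers in the text, and an outbound transfer is allowed or refused depending on the classification and the recipient. The markers (a privilege banner, an Indian PAN, a long digit run standing in for an account number), the firm domain `example-lawfirm.in`, and the approved client domain are all assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Classification levels assumed for this example.
type level int

const (
	public level = iota
	internal
	confidential
)

func (l level) String() string {
	return [...]string{"public", "internal", "confidential"}[l]
}

// Patterns that mark content as confidential (assumed markers):
// a privilege banner, a PAN (five letters, four digits, one letter),
// and an 11-16 digit run typical of bank account numbers.
var confidentialPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?i)privileged\s*(&|and)\s*confidential`),
	regexp.MustCompile(`\b[A-Z]{5}[0-9]{4}[A-Z]\b`),
	regexp.MustCompile(`\b[0-9]{11,16}\b`),
}

var internalPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?i)internal use only`),
}

// classify returns the highest level whose markers appear in the content.
func classify(content string) level {
	for _, re := range confidentialPatterns {
		if re.MatchString(content) {
			return confidential
		}
	}
	for _, re := range internalPatterns {
		if re.MatchString(content) {
			return internal
		}
	}
	return public
}

const firmDomain = "example-lawfirm.in" // assumed firm mail domain

// approvedExternalDomains lists client domains that may receive internal material (assumed).
var approvedExternalDomains = map[string]bool{"client-corp.example": true}

// recipientDomain extracts the domain part of an address, lower-cased.
func recipientDomain(addr string) string {
	return strings.ToLower(addr[strings.LastIndex(addr, "@")+1:])
}

// isExternal reports whether a recipient lies outside the firm. A malformed
// address with no "@" is treated as external so it cannot slip past the check.
func isExternal(addr string) bool {
	if !strings.Contains(addr, "@") {
		return true
	}
	return recipientDomain(addr) != firmDomain
}

type decision struct {
	Level   level
	Allowed bool
	Reason  string
}

// allowTransfer applies the policy: confidential material never leaves the
// firm, internal material may go only to approved client domains, public
// material is unrestricted.
func allowTransfer(content, recipient string) decision {
	lvl := classify(content)
	if !isExternal(recipient) {
		return decision{lvl, true, "recipient inside the firm"}
	}
	switch lvl {
	case confidential:
		return decision{lvl, false, "confidential material may not leave the firm"}
	case internal:
		if approvedExternalDomains[recipientDomain(recipient)] {
			return decision{lvl, true, "internal material to approved client domain"}
		}
		return decision{lvl, false, "internal material to unapproved external domain"}
	}
	return decision{lvl, true, "public material"}
}

func main() {
	// Constructed sample files and recipients.
	samples := []struct{ file, content, to string }{
		{"merger-draft.txt", "PRIVILEGED & CONFIDENTIAL\nDraft share purchase agreement.", "analyst@rival-firm.example"},
		{"kyc-form.txt", "Client PAN: ABCDE1234F, account 123456789012", "partner@example-lawfirm.in"},
		{"memo.txt", "Internal use only: staffing for Q3", "counsel@client-corp.example"},
		{"newsletter.txt", "Our firm's public newsletter for June.", "press@media.example"},
	}
	for _, s := range samples {
		d := allowTransfer(s.content, s.to)
		fmt.Printf("%-18s -> %-28s %-12s allowed=%-5v (%s)\n", s.file, s.to, d.Level, d.Allowed, d.Reason)
	}
}
```

Pattern matching of this kind is one layer, not the whole answer: it produces false positives (any 12-digit number looks like an account) and misses confidential material with no marker, and a commercial DLP system also inspects attachments, uploads and removable media rather than mail text alone. The blocked transfers should feed the same review process as the access log discussed under encryption.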
Managing a response plan
Every firm is advised to have an incident response team and a go-to plan in case a breach happens. Having a response plan should be as natural as keeping a fire exit in case a fire breaks out. The plan should list the contacts and communication lines to be activated at the time of a breach.
The plan should specify who takes decisions in the event of a breach. A good plan not only enables the firm to cope with a breach but also supports its credibility with clients and with the insurance company.
As technology and data protection become more complex, hackers will try to get better at their job. For a country like India, which is taking big leaps in technology, it is imperative to step up its cybersecurity too. Without securing networks and information there is no point in launching new technology-based schemes for administrative convenience. The cyber attacks of 2019 and cases such as the Panama Papers leak should work as a clarion call for taking cybersecurity seriously.