Law Firms: Privilege Does Not Apply To Hackers

“PRIVILEGED”, “CONFIDENTIAL”, “COURT ORDERED”, “PRIVATE”, “SEALED” and all the other important legal designations mean something to attorneys, litigants, judges, juries, legal consultants, and the experts who work on a case. We all know those simple words identify special documents that are not to be shared except under very specific circumstances. If you accidentally provide an opposing attorney an attorney-client privileged document, in some cases you have a “clawback” right and the opposing party cannot use the accidentally disclosed information against you. However, there is one group of people who do not respect privilege restrictions at all: hackers. Cyber attacks against U.S. defense contractors have received a lot of media attention recently. These companies develop our nation's most sophisticated weapons and work on highly sensitive projects, and gaining access to that information would give an adversary a competitive edge against the U.S. The same is true for corporations that do not contract with the government. But where would an attacker gain the greatest competitive advantage over a corporation or a high-profile individual? Attack their law firm, where the privileged documents of many clients sit in one place.

Law firms, like many corporations, are consulting shops. One of the golden rules of consulting shops is: “if it can’t be charged back directly to a client, do we really need it?” Most of the time the answer is “no.” Applying that same simplistic ROI calculation to computer and network security, however, can have devastating results.

As an example, consider the case of Mr. John Smith, Esq. and his client Mr. Ted Jones. Jones has worked hard his whole life and has accumulated wealth commensurate with his efforts. Jones now wants to begin selling his personal artwork, which he forms by metalworking. Each piece is quite large and has sharp edges. People love his art, and he sells it to them directly, without the protection of a parent company. As his attorney, Smith may advise Jones to set up an LLC, complete with the appropriate insurance, to limit his personal liability should one of his works tip over and hurt someone. Should Jones spend the time and money to follow Smith’s advice, even though it seems like a lot of money up front? Or should he ignore it? If a sculpture later tips over and injures or kills someone, Jones may be held personally liable. Which position would he rather be in then?

The same analogy applies to computer security at a law firm. Security is a non-billable expense without an obvious ROI, but a reasonable investment up front could spare your firm dire consequences should an attacker gain access to your files. That investment need not be expensive; there are some easy things you can do to reduce your risk:

  • Wherever possible, encrypt email between clients and attorneys, along with any sensitive internal communication about a client’s case. There are commercial products for this, such as PGP (http://www.pgp.com), that integrate well with most email applications, and there is the free open source alternative GnuPG (http://www.gnupg.org) if your firm has IT staff who can put a little work into setting it up. Encryption also protects a message that is stolen or forwarded later: without the recipient’s private key, an attacker who obtains the file gets ciphertext, not the memo.
  • Consider the free open source encryption package TrueCrypt (http://www.truecrypt.org) to encrypt the full contents of your hard drives (or FileVault on a Mac, or BitLocker on the Windows editions that include it). A stolen laptop is one of the easiest ways for an attacker to get your files, and full-disk encryption is what stops that; note that it protects a machine that is powered off or locked, not one left logged in and unattended. With TrueCrypt you can also create encrypted containers and share them with only the few co-workers who need to know what is going on in a case. (TrueCrypt’s developers ended the project in 2014; VeraCrypt is the actively maintained fork.)
  • Make sure any internal wireless network uses strong encryption (WPA2 or later with a long passphrase, never WEP, which is trivially broken), and watch out for live network ports in places like conference rooms, where a waiting “client” could plug in a device and be directly on your network. Disable unused ports on the switch, and keep guest access on a separate network from the one that holds case files.
  • Many network printers and multi-function devices ship with wireless connectivity and other services turned on by default, which is effectively an open back door into your network. Turn off what you do not use and change the device’s default administrative password.
  • And of course, all the other security practices preached over the years still apply: use a firewall and keep it well tuned, keep software patched, don’t open attachments when you don’t know who sent them, and so on.
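As an added illustration of the first item above (this script is not part of the original article, and the names, email addresses and memo text are constructed for the demo), the following walks through an attorney-to-client exchange with GnuPG end to end: two key pairs are generated, public keys are exchanged, the attorney signs and encrypts a privileged memo, the client decrypts it and checks the signature, and the same ciphertext is then tried by an “attacker” who holds only the public keys. It needs gpg on the PATH and does all of its work in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original article): a privileged memo travels
# from attorney (Smith) to client (Jones) under GnuPG, and the same file is
# then handed to an attacker who has no private key. All names, addresses
# and the memo text below are constructed for this demonstration.
set -eu

WORK=$(mktemp -d)
ATTORNEY="$WORK/attorney"; CLIENT="$WORK/client"; ATTACKER="$WORK/attacker"
mkdir -p "$ATTORNEY" "$CLIENT" "$ATTACKER"
chmod 700 "$ATTORNEY" "$CLIENT" "$ATTACKER"

MEMO="$WORK/memo.txt"               # plaintext the attacker must never see
CIPHERTEXT="$WORK/memo.asc"         # what actually travels (or gets stolen)
DECRYPTED="$WORK/memo.decrypted.txt"
SIG_STATUS="unknown"                # set by decrypt_memo

# Constructed sample document
cat >"$MEMO" <<'EOF'
PRIVILEGED AND CONFIDENTIAL - ATTORNEY-CLIENT COMMUNICATION
Re: forming Jones Metalworks LLC and liability cover for the sculptures
EOF

# make_key KEYRING NAME EMAIL : unattended key pair (signing primary key plus
# an encryption subkey). %no-protection skips the passphrase for demo only.
make_key() {
    GNUPGHOME="$1" gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# share_pubkey FROM_KEYRING TO_KEYRING EMAIL : export a public key from one
# keyring and import it into another (the exchange the parties do in practice)
share_pubkey() {
    GNUPGHOME="$1" gpg --batch --armor --export "$3" \
        | GNUPGHOME="$2" gpg --batch --quiet --import 2>/dev/null
}

setup_keyrings() {
    make_key "$ATTORNEY" "John Smith" "smith@example.com"
    make_key "$CLIENT"   "Ted Jones"  "jones@example.com"
    share_pubkey "$CLIENT"   "$ATTORNEY" jones@example.com  # attorney can encrypt to client
    share_pubkey "$ATTORNEY" "$CLIENT"   smith@example.com  # client can verify attorney's signature
    share_pubkey "$ATTORNEY" "$ATTACKER" smith@example.com  # attacker gets public material only
    share_pubkey "$CLIENT"   "$ATTACKER" jones@example.com
}

# Attorney side: encrypt to the client and sign as the attorney.
# --trust-model always is a demo shortcut; real users verify fingerprints.
encrypt_memo() {
    GNUPGHOME="$ATTORNEY" gpg --batch --yes --quiet --armor --trust-model always \
        --local-user smith@example.com --recipient jones@example.com \
        --sign --encrypt --output "$CIPHERTEXT" "$MEMO" 2>/dev/null
}

# Client side: decrypt, and read the machine-readable status channel for
# GOODSIG rather than trusting a human-readable message.
decrypt_memo() {
    status=$(GNUPGHOME="$CLIENT" gpg --batch --yes --status-fd 1 \
        --output "$DECRYPTED" --decrypt "$CIPHERTEXT" 2>/dev/null)
    case "$status" in
        *GOODSIG*) SIG_STATUS="good" ;;
        *)         SIG_STATUS="bad"  ;;
    esac
}

roundtrip_matches() { cmp -s "$MEMO" "$DECRYPTED"; }
ciphertext_contains_plaintext() { grep -q "PRIVILEGED" "$CIPHERTEXT"; }
# The attacker holds the ciphertext and both public keys, but no private key.
attacker_can_decrypt() {
    if GNUPGHOME="$ATTACKER" gpg --batch --decrypt "$CIPHERTEXT" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

if command -v gpg >/dev/null 2>&1; then
    setup_keyrings; encrypt_memo; decrypt_memo
    roundtrip_matches && echo "client decrypted the memo intact; signature: $SIG_STATUS"
    ciphertext_contains_plaintext || echo "ciphertext does not contain the plaintext"
    attacker_can_decrypt || echo "attacker without the private key cannot decrypt"
    for d in "$ATTORNEY" "$CLIENT" "$ATTACKER"; do
        GNUPGHOME="$d" gpgconf --kill gpg-agent 2>/dev/null || true
    done
else
    echo "gpg not found: install GnuPG (http://www.gnupg.org) to run this demo" >&2
fi
```

Run it with sh on a machine that has GnuPG installed. The demo keys are created without a passphrase so the script can run unattended; real keys should have one, and the private key lives on the user's laptop, which is why the disk-encryption item above matters. `%no-protection` and `--trust-model always` are demo shortcuts, not settings for a firm's production configuration: in practice the two parties confirm each other's key fingerprints out of band before encrypting to them.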

A periodic security assessment by a qualified computer security company can go a long way toward improving your internal security. Not only can they help you harden your systems, but a firm well versed in incident response can detect whether someone has already entered and established a foothold in your network.

Just as you would advise a client in your legal capacity not to sign a document without attorney review, do not set up a network without a professional computer security review.