Data is an asset and a liability. It belongs in both accounting columns, and if it is not secured properly it will be used against the corporate entity that holds it. Databases contain trade secrets, personally identifiable information, HIPAA-protected health care information, proprietary information and classified data. They also house sensitive information and evidence of liability or criminal behavior. As databases grew, one thing became apparent: the information stored in those repositories had to be kept secure. As the importance of data became more evident, so did the importance of information security and cybersecurity.
Lawyers and cybersecurity experts were forced together as soon as employees had access to the internet. Before data breaches became the norm, the ugly secret in the IT closet was the amount of pornography in databases. Employees were searching pornographic materials at work, from their work desktops, and they seemed to believe that no one would ever find out. Unfortunately for them, when lawyers conducted ediscovery for investigations and litigation, they uncovered large volumes of pornography in their clients’ databases. Attorneys were obligated to inform corporate executives of this behavior, including the who, what and when. It was not long before firewalls were installed to block pornographic websites and other nefarious sites.
Lawyers routinely battled over the discovery of electronic data and how to get more data from adversaries in court. Receiving more data also meant reviewing more data. Lawyers reviewed data by looking at every document for relevance and privilege. But what good is it to pore over documents and strategically produce data if a hacker can breach your client’s database, exfiltrate all of the most sensitive data and post it on the dark net? Lawyers needed information security and cybersecurity experts to help block access to the Internet.
Meanwhile, the military and intelligence community were light-years ahead of lawyers. They compiled classified data and kept it from being compromised. The IC was aware of the value of sensitive intelligence data and the hazards of that data falling into the wrong hands. Thus, the military created cybersecurity tools and protocols within the Air Force Computer Emergency Response Team in the late 1990s — primarily network defense tools. Lawyers were largely unaware of and had no access to them, but as corporations and other governmental agencies started looking for ways to protect their most valuable assets, they had to turn to the U.S. government for help. The two professions rarely speak the same language but have the same goals and are often in the room at the same time. For information security and data security, the federal government led the way, with corporations following closely behind, leaving only law firms still lagging.
In 2002, Congress enacted the Federal Information Security Management Act (FISMA), 44 U.S.C. § 3541, et seq. As part of the E-Government Act of 2002, FISMA created the foundation for information security in the federal government and recognized the importance of InfoSec to the economy and national security.
As data grew, federal CIOs recommended moving data to the cloud to reduce the government’s on-site data storage and risk. Federal CIOs agreed with this approach, but lawyers did not. Lawyers tend to be risk averse, unfamiliar with cybersecurity and very busy. They had no intention of pushing their data outside of their agency. There was one exception: the Department of Justice has had a contract known as Mega for litigation support for over 20 years. Early on, the Mega contractors were primarily defense companies like Lockheed Martin and CACI. The DOJ controlled the environment and worked seamlessly with the Mega contractors for a couple of decades. All federal agencies could use that contract for litigation support. It was convenient because the security component was handled by the DOJ and the contractors were in the defense business.
However, by 2010, federal agencies were looking to upgrade their ediscovery platforms to more modern and robust tools only available in the cloud. Law firms and corporations were using ediscovery vendors to host robust and revolutionary software applications in their environment. Technology-assisted review, computer-assisted review and predictive coding became the norm for the private sector. These tools were innovative and saved time and money, but for the private sector, there was no standard security protocol for hosting third-party data. In fact, while each vendor follows some form of security protocol today, there is still no standard in the private sector. Vendors cobble their security programs together based on ISO and NIST publications.
In 2011, the Office of Management and Budget authorized, via memorandum, the Federal Risk Authorization Program, and the FedRamp Program Management Office was established in 2012. The purpose of FedRamp was to provide a set of guidelines and protocols for securing government data in the cloud. A FedRamp authorization consists of 170+ controls and subcontrols that secure cloud infrastructures, networks and databases. Many of these controls are policies. The bulk of data in agencies that investigate and litigate is used by attorneys. To avoid breaches of legal data, federal agencies locked down their data behind firewalls.
FedRamp authorization allowed federal agencies to put their data in the cloud, but it was an expensive and painful process for those with no knowledge of cybersecurity. Until this year, only three ediscovery companies had made it through the FedRamp authorization process. Meanwhile, data breaches were becoming a common occurrence.
If you are an attorney and you need ediscovery tools, having them behind the firewall of your corporation, firm or agency is no longer the best option. Having the technical expertise, budget and variable options for the management of terabytes and petabytes of legal data is not usually feasible. Multinational organizations and financial institutions are the only entities that can support such infrastructure, and most of them still use cloud-based vendors for ediscovery.
The best cybersecurity experts come straight out of the government. They are in our armed forces, the intelligence community and entities that include DHS and the White House, and they have been dedicated to protecting our government networks from attack. Therefore, using a FedRamp-authorized vendor is turning out to be the best option for agencies. The FedRamp guidelines work as private sector guidelines too. Legal departments, CISOs and vendors are working together to meet the FedRamp guidelines to build secure environments for the tools of their choice.
The fight to keep data safe has become an extremely complex and expensive endeavor. A 2019 Emsisoft study reported that at least 966 health care providers, government agencies and educational institutions in the U.S. were targeted by ransomware attacks that year. See, The State of Ransomware in the US: Report and Statistics 2019 (Dec. 12, 2019). The cumulative cost of those attacks to taxpayers was more than $7.5 billion. Id. The number of attacks on law firms and corporate legal departments is also increasing and jeopardizing attorney-client privilege. Let us look at some recent data breaches and what could have prevented them.
Federal Breach: OPM
In 2014 and again in 2015, the U.S. government discovered the theft of all personnel security clearance information, including background investigation files and fingerprints. The attackers gained valid user credentials and employed malware that installed itself on the Office of Personnel Management’s network and established a back door. More than 20 million records were exfiltrated. The Chinese government reportedly stole the entire database. The fallout from this breach is so wide-reaching that we may not know just how many Americans were targeted after China analyzed the data. Basic cyber hygiene could have helped prevent, identify and detect the initial attack in its early stages, before the attackers had held access to OPM’s network for almost 18 months. Routine patching, user awareness and trained network defenders would have significantly reduced risk. Also, using enhanced protections and monitoring around the OPM security file database could have reduced the damage and the exposure of millions of U.S. government employees’ security files.
State Breach: IDES
The Illinois Department of Employment Security contracted with a vendor to launch the Pandemic Unemployment Assistance Portal as an add-on to its unemployment system. The new PUA portal went live in May 2020. A few days later, an outside entity discovered that a spreadsheet with the names, addresses and Social Security numbers of Illinois unemployment applicants was publicly visible on the website. Approximately 32,500 applicants’ personally identifiable information was exposed. This breach has been referred to by officials as a “glitch.” Free credit monitoring services are being offered to the victims.
New IT projects need to be put through an information assurance process, and data projects require quality assurance processes. A good IA process checks all the risks associated with the hardware, the software and the implementation of both. Any open portals should have been discovered during the IA process. A good quality assurance program checks all permissions and access for data and would have discovered PII that was public facing. Neither process worked on this project. Contractors need to include these assurances before turning over a new system. The client must be involved and needs to see the results of both processes before going live.
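One form the quality assurance check described above can take, as an added example (not the IDES project's or its vendor's code): a script that walks only the directories a web server serves to anonymous users and flags any file whose contents look like a PII export. The web root layout, the public directory names, the hypothetical applicant spreadsheet and the SSN values in it are all constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Added example of a pre-go-live QA check; directory names and sample files are constructed.
# SSN-shaped values, excluding areas the SSA never issues (000, 666, 900-999), group 00 and
# serial 0000, which keeps invoice or order numbers of a similar shape out of the results.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Column names that mark a file as a PII export before a single value is read.
PII_COLUMNS = {"ssn", "social_security_number", "social security number", "date_of_birth"}
# Directories the (hypothetical) web server serves without authentication.
PUBLIC_DIRS = ("public", "static", "uploads")


def looks_like_ssn(token):
    """True if token is a plausibly valid SSN under the rules encoded in SSN_RE."""
    return SSN_RE.fullmatch(token) is not None


def scan_file(path):
    """Return a finding for a file holding SSN-shaped values or a PII column header, else None."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return None
    ssn_hits = SSN_RE.findall(text)
    first_line = text.splitlines()[0] if text else ""
    columns = {c.strip().lower() for c in first_line.split(",")}
    header_hit = bool(columns & PII_COLUMNS)
    if not ssn_hits and not header_hit:
        return None
    return {"file": str(path), "ssn_count": len(ssn_hits), "pii_header": header_hit}


def find_exposed_pii(web_root, public_dirs=PUBLIC_DIRS):
    """Walk only the publicly served directories under web_root and collect findings."""
    findings = []
    root = Path(web_root)
    for name in public_dirs:
        base = root / name
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*")):
            if path.is_file():
                finding = scan_file(path)
                if finding:
                    findings.append(finding)
    return findings


def build_sample_site():
    """Constructed deployment: an applicant export left under public/, a copy kept under private/."""
    root = Path(tempfile.mkdtemp(prefix="pua_site_"))
    (root / "public" / "reports").mkdir(parents=True)
    (root / "private").mkdir()
    (root / "public" / "index.html").write_text("<h1>Pandemic Unemployment Assistance</h1>\n")
    (root / "public" / "reports" / "applicants.csv").write_text(
        "name,address,ssn\n"
        "Jane Doe,1 Main St,123-45-6789\n"   # constructed, valid-looking SSN
        "John Roe,2 Oak Ave,000-12-3456\n"   # constructed, never-issued area number
    )
    (root / "private" / "applicants.csv").write_text("name,ssn\nJane Doe,123-45-6789\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for finding in find_exposed_pii(site):
        print(f"EXPOSED: {finding['file']} (ssn values: {finding['ssn_count']}, "
              f"pii header: {finding['pii_header']})")
```

The check deliberately scans only what the server exposes, so a private copy of the same export does not drown the report in noise, and the SSN pattern applies the never-issued-range rules so that a loosely similar reference number does not trigger it. In a real pipeline this would run against the staged deployment and block go-live on any finding.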
Law Firm Breach: GSMS
Recently, Grubman Shire Meiselas & Sacks, a New York entertainment law firm to the stars, was hit with a ransomware attack. The attackers allegedly demanded 12 bitcoins for the decryption key. At the time of this writing, 12 bitcoins convert to about $111,265 — not a lot of money to a New York law firm. However, approximately 750 GB of attorney-client privileged data was also being offered on the Internet to the highest bidder. Ransomware is a particularly vicious cyberattack because it shuts your business down, destroys goodwill and breaches client trust. Law firms have been especially slow to seek out cybersecurity and information security experts before they get attacked. At least five law firms were hit with the so-called Maze ransomware in January 2020 alone.
Basic user awareness can help block ransomware. Initial attacks usually come in via phishing messages, phone calls and text messages. Never give up sensitive information or click on links or attachments from unknown senders. Inbound email to law firms should be filtered and scanned, and only trusted file types should be allowed through. Finally, routine security updates for endpoint machines, mobile devices and servers need to be performed to close vulnerabilities.
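The "only trusted file types" rule above is more than an extension list: a filter that trusts the name alone will pass an executable renamed to `.pdf`. Below is an added example of an inbound attachment allowlist (not the firm's or any vendor's product) that checks the extension, then the leading bytes of the content against the signature that file type should carry. The message, its addresses and the attachment contents are constructed; the allowlist is an assumption a firm would tune to its own practice.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Added example of an inbound attachment allowlist; the message and attachments are constructed.
# Allowed extensions mapped to the leading bytes a genuine file of that type carries
# (None where the type has no reliable signature). Macro-enabled Office types (.docm, .xlsm)
# and executables are simply absent, so they are rejected by default.
ALLOWED_TYPES = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".txt": None,
}
# Signatures of Windows PE, ELF and script files; rejected regardless of the name they carry.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")


def check_attachment(filename, data):
    """Return ("accept" | "reject", reason) for one attachment, judged by name and content."""
    ext = os.path.splitext((filename or "").lower())[1]
    if ext not in ALLOWED_TYPES:
        return "reject", f"extension {ext or '(none)'} is not on the allowlist"
    if data.startswith(EXECUTABLE_MAGIC):
        return "reject", "content carries an executable signature"
    expected = ALLOWED_TYPES[ext]
    if expected and not data.startswith(expected):
        return "reject", f"content does not match the {ext} signature"
    return "accept", "ok"


def evaluate_message(raw_message):
    """Parse a raw RFC 5322 message; return the overall decision and a verdict per attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        verdict, reason = check_attachment(name, part.get_payload(decode=True) or b"")
        verdicts.append((name, verdict, reason))
    overall = "quarantine" if any(v == "reject" for _, v, _ in verdicts) else "deliver"
    return overall, verdicts


def build_sample_message():
    """Constructed inbound mail: a genuine PDF, an executable renamed to .pdf, and a plain .exe."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "partner@lawfirm.example"
    msg["Subject"] = "Invoice for April"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4\n% constructed sample\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed sample",
                       maintype="application", subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed sample",
                       maintype="application", subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    decision, results = evaluate_message(build_sample_message())
    print("decision:", decision)
    for name, verdict, reason in results:
        print(f"  {name}: {verdict} ({reason})")
```

One rejected part quarantines the whole message rather than stripping the part and delivering the rest, so the recipient's security team sees the attempt instead of a quietly edited mail. A production filter would add antivirus scanning and sender reputation on top; the point here is that content, not the filename, decides the type.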
E-Discovery Vendor Breach: Epiq Global
In February 2020, Epiq Global — an ediscovery vendor with 80 offices worldwide — was the victim of big-game hunting, a practice where Ryuk ransomware attackers go after large enterprises. Epiq Global hosts client data and third-party data for law firms and corporations. The attack followed a format usually used by the Ryuk attackers: A phishing scheme gathers administrator and user credentials to gain access to the network. This opens the door to spying, encrypting data and exfiltrating it or demanding a ransom and extorting the victims. Law firms and corporate legal departments around the world were impacted. The big question for law firms is whether these vendor breaches violate attorney-client privilege.
It comes down to end-user awareness, basic cyber hygiene and information separation, as well as partitioned access for sensitive data. End users need to be able to identify potentially malicious messages and alert their cybersecurity team. If one user identifies a malicious message, there are likely nine other staff receiving the same message. Building an alert culture is key to helping secure sensitive data. Additionally, separating key databases and putting up enhanced protections such as access control and monitoring will help detect and identify anomalous behavior. Administrators must use a separate account and a separate machine for troubleshooting and maintenance of the crown jewel datasets. Finally, two-factor authentication for all users greatly reduces the risk of user and administrator accounts being compromised.
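The monitoring called for here, and the enhanced protections around the OPM security file database discussed earlier, can be made concrete with a small detector. This is an added example, not anything from the breached organizations: three rules run over constructed database audit log lines, flagging an admin account used from an ordinary workstation, an account outside the reader list touching the sensitive database, and a bulk export by an interactive account. The log format, host names, account names and allowlists are all assumptions.

```python
import re
from collections import namedtuple

# Added example of monitoring around a "crown jewel" database; the log format, hostnames,
# account names and allowlists below are constructed for the example.
Access = namedtuple("Access", "ts user host db action")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Sample audit log lines (constructed): timestamp, account, source host, database, action.
SAMPLE_LOG = """\
2020-06-01T08:00:01 jdoe WS-0412 hr_cases SELECT
2020-06-01T08:00:05 dbadmin PAW-01 security_files SELECT
2020-06-01T08:01:12 dbadmin WS-0412 security_files SELECT
2020-06-01T08:02:40 jdoe WS-0412 security_files EXPORT
2020-06-01T08:03:00 svc_backup BK-01 security_files EXPORT
2020-06-01T08:03:30 dbadmin PAW-01 security_files EXPORT
"""

ADMIN_ACCOUNTS = {"dbadmin"}
PRIVILEGED_WORKSTATIONS = {"PAW-01"}       # the only hosts admin accounts may be used from
SENSITIVE_DBS = {"security_files"}
SENSITIVE_DB_READERS = {"dbadmin", "svc_backup"}
BULK_ACTIONS = {"EXPORT"}


def parse_log(text):
    """Yield Access records; lines that do not fit the format are skipped, not guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield Access(*m.groups())


def detect_anomalies(text):
    """Apply three rules to the log and return (rule, record) pairs for analyst review."""
    alerts = []
    for rec in parse_log(text):
        # Rule 1: an admin account used from anything but a dedicated admin workstation.
        if rec.user in ADMIN_ACCOUNTS and rec.host not in PRIVILEGED_WORKSTATIONS:
            alerts.append(("admin_from_unprivileged_host", rec))
        # Rule 2: the sensitive database touched by an account not on its reader list.
        if rec.db in SENSITIVE_DBS and rec.user not in SENSITIVE_DB_READERS:
            alerts.append(("unlisted_account_on_sensitive_db", rec))
        # Rule 3: a bulk export of the sensitive database by an interactive (non-service) account.
        if rec.db in SENSITIVE_DBS and rec.action in BULK_ACTIONS and not rec.user.startswith("svc_"):
            alerts.append(("interactive_bulk_export", rec))
    return alerts


if __name__ == "__main__":
    for rule, rec in detect_anomalies(SAMPLE_LOG):
        print(f"{rec.ts} {rule}: {rec.user} from {rec.host} -> {rec.db} {rec.action}")
```

Rule 1 is only possible because the article's advice is followed: admins have a separate account and a separate machine, so "admin account on a user workstation" is a clean signal rather than daily noise. Rule 3 fires even for the legitimate admin, which is intended: an interactive export of the whole security file store is exactly the event an analyst should confirm by hand.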
As we see the ransomware attacks against law firms, state and local governments and corporations increase, the need for a set of cybersecurity standards for law firms that host client data also intensifies. The Association of Corporate Counsel is working on a new Data Steward program that will create a baseline for law firms and corporate counsel. In the meantime, lawyers would be wise to follow the FedRamp Moderate authorization requirements for the hosting of client data. In the long run, it is less expensive than paying a ransom and losing the goodwill and trust of your clientele. Moreover, some of these breaches may eventually constitute a breach of attorney-client privilege and lead the courts to start sanctioning lawyers. The intersection of cybersecurity and ediscovery is complete.
Originally appeared in Cybersecurity Law & Strategy. © 2020 ALM Media LLC. Reprinted with permission.