If you’re like most lawyers around the country, chances are you do not have cyber liability insurance. Recent surveys conducted by the ABA showed that less than 15 percent of lawyers said their firms had such insurance, though some firms had reported that they had fallen victim to computer viruses or hacking.
Among the sessions at the State Bar of Wisconsin’s recent Solo & Small Firm Conference in Wisconsin Dells were a few on cybersecurity and what it means to law firms. The messages were clear: cyber risk is not going away, and lawyers must pay attention to securing their computer networks and the client information on them.
Brent Hoeft, who presented a program at the conference, is a solo practitioner in Madison. He also is the founder of FirmLock Consulting LLC, which provides information security behavior consulting to solo and small law firms.
Hoeft says, “I do think that risks will increase in the near future. I really think that it is a numbers game for hackers right now. The return on investment with social engineering, including phishing and ransomware, is much greater than with investing the time, skill, and knowledge to write malware or find software or hardware holes to exploit and infiltrate a network.
“As security software and hardware evolve and more and more artificial intelligence is implemented to analyze and assess threats to networks, the more hackers will look at the humans as the weak link. Until the mindset of law firms can be changed and a culture of security within the legal industry established through repeated education and training, the humans will remain the weak link. So long as the return on investment is there for the hackers to exploit human behavior as the biggest security hole, the risks will continue.”
Tom Widman, president and CEO of Identity Fraud Inc., also spoke at the 2018 Solo & Small Firm Conference. His company administers cybersecurity insurance policies that are offered by Wisconsin Lawyers Mutual Insurance Co. (WILMIC) and the State Bar, and he agrees with Hoeft that the situation will only get worse.
“I do believe the risks will continue to increase. We thought the environment was bad 20 years ago. It is exponentially worse today. The fact remains we are up against serious and motivated adversaries that are profiting greatly at our expense. They have countless attack vectors into our most precious assets.”
According to Widman, “Cyber is unlike other risks. We are not up against mother nature, but rather human nature, and unfortunately, the evil side of human nature. As technology continues to evolve and artificial intelligence becomes more pervasive, attacks will increase. They are already automated and that will become more widespread in the future, further exposing even the smallest of firms.”
Most law firms in Wisconsin have five or fewer lawyers. But even those firms can get hit by a hacker, a virus, or another kind of security breach. Hoeft says the biggest risk is the lack of a security culture within the legal industry.
“This stems from a lack of education and training. If more attorneys and law firms understood the threats to law firm information security and the ramifications of those threats, I believe that they would focus more on education and training of the people in their law firm. As attorneys, we understand the risks of not being educated and not having a plan. We see clients who have gotten themselves into trouble due to a lack of planning and preparation.”
Hoeft continues, “Yet it seems like many attorneys in solo or small firms approach cybersecurity with a kind of keep your head down and hope you don’t get hit philosophy. And with large firms the attorneys seem to have a false sense of security because they have an IT department so the attorneys think that they do not have to have security front of mind. Not only does this kind of thinking go against our training as attorneys but it also falls short of what is expected of us under the Rules of Professional Conduct for Attorneys.”
When it comes to training your employees and yourself, security should not be a crash course.
Widman says financial, reputational, and liability risks are all prevalent in the legal industry. “Even firms that run a tight ship and have good cybersecurity measures in place fall victim to new ‘zero day’ attacks and simple errors by vendors and employees. And, firms that do not have great defenses are truly low-hanging fruit for cyber criminals. It is just too fragile. A principal or employee can click on a link in an email and have their credentials stolen or suddenly experience data destruction, business interruption, and breach response costs that can each be very substantial.”
Terry Dunst is a lawyer at Bakke Norman in New Richmond. He says, “There are two main categories of risk, in my opinion: technological and social engineering. Firms can harden their technology to prevent most technical hacking by maintaining up-to-date operating systems and software, virus protection, and firewalls. But hacking the human side, referred to as social engineering, is probably the greatest threat to most firms. The bad guys are clever and know tricks to fool people and gain trust. Most successful cyber attacks occur because someone opens the door and lets the bad guys in. Someone clicks on a link in an email or goes to an infected website.”
Cyber Insurance: Know Your Member Benefits
The State Bar of Wisconsin is partnering with 3M Insurance to offer coverage that can be specifically tailored to meet your cybersecurity needs. The BIZLock program provided by Identity Fraud includes third-party liability insurance coverage and defense, coverage for regulatory fines and penalties, cyber extortion, data reconstructions, media and website liability, the costs for forensic investigations, and identity monitoring for breaches.
To learn more, visit Member Benefits on WisBar.
Preventing Cyber Attacks
Matt Beier is a claims attorney at WILMIC. He says, “Most of the lawyers I speak with on the subject of technology do not have the time to become experts in cybersecurity. So, rely on the experts. Use them. The best guidance I can offer is to develop a good relationship with an IT expert who will manage your office technology for you. Even if you are a computer ‘geek,’ setting up your equipment, establishing policies and procedures, and training your employees takes a substantial amount of time. Hiring a reliable IT expert to install and maintain your information systems will ensure it is done correctly, allowing the lawyer to spend his or her time on legal services.”
Hoeft says as much as lawyers want to focus on their practice and their clients, it is vital to spend time on cybersecurity. “Security is ongoing and it must be approached from multiple angles. In order to have the best security a lawyer should pay attention to at least three areas: security hardware, security software, and security behavior and planning. The first two, what I consider the front-line security tools, are what are generally put in place first and often the attention to security stops there.”
Hoeft has a caution. “However, if you stop there and do not address security behavior and planning then all of the time and expense invested into the front-line security items might be all for nothing. It would be like getting a brand-new security system for your home and the most secure safe to protect your valuables. But then you never lock the doors, close the windows, turn the alarm system on, or even take the time to lock your valuables away in that state-of-the-art safe. What’s the point of investing the time and money when your behavior is really your biggest issue?”
If there is a breach, we want our clients to know that we were doing everything we could to protect them.
Hoeft adds that even after you have taken the time to educate and train the people in your firm, the last part of this security step is to plan. “You need to have a written information security policy so that everyone in the firm understands what is expected of them in handling the firm’s information and the requisite behavior to do so securely. And finally, as nothing is 100 percent secure, as humans make mistakes and systems can be breached, a plan must be in place for the steps to take when disaster strikes and the firm suffers a data breach. Part of that disaster plan has to be cyber insurance and knowledge of what’s covered and what isn’t.”
Beier says that when it comes to training your employees and yourself, security should not be a crash course. “Cybersecurity is a new way of thinking. It is necessary to create awareness of the information being generated, the manner in which it is produced, and the method used to communicate. Once your staff have that awareness, they also need to know and understand the tools they have at their disposal to protect sensitive information. Communicate what your firm is doing and how it helps protect clients, employees, and the business from attack.”
Beier also says you should not skimp on hardware and software. “As frustrating as the ‘planned obsolescence’ of technology can be, investing in the most powerful current computer technology you can afford is definitely worthwhile. Also, as society becomes more mobile and clients’ communication expectations advance, it becomes more important than ever to be sure that your technology can keep digital content secure. Maintaining outdated, sluggish devices and computers can make a lawyer less competitive, while at the same time expose the lawyer to greater risk of data loss or inadvertent disclosure of confidential information.”
Hoeft says the view of the information security industry is that it isn’t a matter of if you will suffer a breach but when. “Cyber insurance is important because it fills a hole in the coverage of the law firm’s insurance. Most malpractice or general liability policies do not cover loss of electronic data due to computer fraud or cyber breach. If a ransomware or other cyber breach occurs the monetary loss can be extensive as a firm will have to hire experts, there will be loss of business income during the time period the law firm is down, and [the firm might] have to pay a ransom to the cyber criminals. Cyber insurance can cover a firm in those instances.”
According to Hoeft, “Another advantage of having cyber insurance is your provider becomes a valuable resource in the event of a cyber breach. The provider will be able to provide recommendations on steps to take and experts to contact to assist your firm in navigating the complexities of handling a breach.”
WILMIC has made cyber liability insurance coverage accessible to lawyers since 2013. Many lawyers have inquired about it, but only a small percentage of them actually purchase it.
Cyber hacking is something we are all aware of, but mostly because we see it in the news headlines; Target, the Pentagon, the credit agency Experian, NASA, Facebook, and the list goes on. It seems there is a cyber hacking story in the news once a week, if not more frequently.
Milwaukee attorney Carlton Stansbury says his firm has cyber insurance because the protection is reassuring. “We get busy with our clients’ work and running a business, and we can’t also be ahead of the curve on technology-related issues. Also, incidents of data breaches are becoming more and more common, and we want our firm and clients to have protection. If there is a breach, we want our clients to know that we were doing everything we could to protect them.”
Stansbury says the process of obtaining the insurance helped them identify risks. “It led to changes in our thinking about security, communication, online presence, storage, and back-up systems that resulted in more protection for our clients.”
Dunst says Bakke Norman carries cybersecurity insurance because the cost of a data breach can be extremely high, for items including notifying clients whose personal identifiable information has been compromised and defending against potential lawsuits.
“The bad guys are out there. The threat is real. As attorneys, most of our data is confidential, and attorneys are required to take reasonable steps to protect client data. In addition, almost all businesses fall under the statutorily required protection of personally identifiable information pursuant to Wisconsin’s breach notice law [Wis. Stat. section 134.98], which applies to almost all businesses.”
Most lawyers have heard of ransomware, a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through receipt of phishing emails or visits to infected websites. It can happen without warning. A lawyer or staff person may inadvertently click on a fraudulent email or attachment to what looks like a legitimate email. The consequences can be devastating and costly.
Ransomware is a major issue for all businesses, including law firms. As Widman points out, the tools and scripts being used continue to outpace our defenses. “Right now, the two main attack vectors are simple or sophisticated phishing scams, whereby folks click on links in emails and malware is spread throughout the network; and hacking via remote desktop access either by brute force, stolen credentials, or weak credentials. Once inside, the criminal will take their time to understand the environment, like finding data backups, and then inflict maximum damage to the entire network.”
Hoeft adds that the ransomware business model has, sadly, been very successful for hackers. “Ransomware is rampant. It is easy to infect a firm and extract funds in the form of Bitcoin. It is by far our most frequent type of incident and claim. Having said that, law firms are also being specifically targeted because of the nature of their business and the type of private information they maintain, and the types of transactions they are engaged in on a daily basis, whereby the severity of a claim is often quite high.”
Almost everyone sometimes takes technology for granted. We assume that it will work (most of the time) and we will remain safe. Unfortunately, that doesn’t always happen. As Widman points out, “The risks are real. Everyone needs to try their best at mitigating their exposures. Simple risk management steps and education on scams and tricks can go a long way. Similarly, deploying certain fundamental technologies like two-factor authentication and data backup are definitely worthwhile. Having good computer and network hygiene coupled with cyber insurance as your last layer of defense is simply prudent and might just save the day.”
It is important to take the risk seriously. Dunst says it’s easy to ignore, as lawyers focus on their practice and their clients. “I think there is a general tendency among most computer users to think ‘it won’t happen to me.’ Lawyers are no different. Solo and small firms may think that the Russians or the Chinese or the rogue hackers are not interested in them and won’t spend the effort to try to hack their system. And that may be true. But that sort of hacking is fairly rare. The mass phishing emails don’t target anyone in particular, and fool enough people to keep that crime syndicate operating. And for larger firms, the threat of spear phishing, where hackers deliberately target specific higher ups in firms where there is some particularly valuable data, are occurring more and more.”
Stansbury says he has seen what can happen. “I am aware of situations in which people thought it would never happen to them, and it did. It only takes one incident that can happen in a blink of an eye at the worst possible time for people to realize the immense vulnerability. Many law firms are smaller operations and are concerned with the day-to-day operations, but do not realize that they could be targets, directly or indirectly.”
For Dunst and his firm, it’s a security “attitude.” “Be extremely wary of websites that you are not sure about. Treat every email as a possible threat, even if it’s from someone you think you know.”