Hacked, tracked and fighting back
Take it from me: discussing cyber crime with your bank at 7.00 on a Saturday morning is not the greatest experience.
“No, I’m not in Malaysia.” Followed by, “I have no idea why all of my (personal) funds have been withdrawn from an ATM there.” And finally, “Yes, I would love a new EFTPOS card that cannot be skimmed.” Not fun.
For law firms, the consequences of a cyber attack or data breach are much nastier. Insurance cover is limited. The consequences are harder to see. Clients may walk out. And, after the dust settles, we have to answer to remaining clients, colleagues, insurers, the Law Society and, ultimately, the courts. Reputation may be harmed.
What if it happened tomorrow? You might see an unfamiliar screen in place of your desktop, demanding a ransom in bitcoin, to be paid to the Ukraine, for access to your own files. You might get a phone call – a distraught junior staff member saying he or she has made a silly error. A colleague at another firm might get in touch, asking if that trust account payment went to the right account. Or an angry client, demanding to know how their confidential information got into the news. If so, would you have a plan to follow?
If not, do something about it. Talking through these risks is much better than ignoring them. Documenting a solid, basic plan will give you some security. Imagine what might happen, and do your best to document a response plan for the firm.
The goal is not to plan for every eventuality. That is impossible. Instead, we must plan our firm’s defences based on broad principles. Law firms must be organised and flexible enough to react soundly to a wide range of cyber attacks. Pragmatic and documented planning for computer risks, data breaches and cyber attacks is now part of reasonable care and skill in modern legal practice.
The firm’s leaders should start by committing their own time and effort to raising these issues. The firm cannot rely on one partner or a practice manager to address this alone. A problem can start anywhere in a firm, and it is vital that everyone is comfortable to ask questions and to admit mistakes. Starting to plan usually requires a bit of shared learning about the shape of the firm’s IT systems. It often requires getting around to fixing a known security weakness that has been languishing on the to-do list.
With that information in hand, the firm should adopt a brief written plan to respond to a cyber attack or data breach. This will raise questions. Do the partners know where the firm’s data is backed up? Are back-ups separated from other systems, or will they all be affected by an attack? Do you have a strong relationship with key IT suppliers? Do you have the trust needed to work together quickly after a problem emerges? Does more than one person have that relationship, in case the primary IT contact is unavailable? Can you pay for an emergency response, even if your primary banking and other systems are affected by an attack?
Before an attack
The firm’s cyber attack plan needs to be usable by whoever is available, during and after an incident. Often the plan needs to be on paper as well as digital. It needs to be in a location in the office that the right people can access. It also needs to be stored at multiple off-site locations (e.g. partners’ homes). You may want your IT provider to keep a copy in their records. If cyber attacks seem like “Maxwell Smart” spy antics, then use that to your advantage. Use elaborate stationery, bright colours, and spy-like seals to make this document distinctive.
The firm needs to make sure that all of its staff know enough about cyber issues to spot if something is wrong. This is often the hardest part. It involves a culture change. It requires leadership every day. With the right information and support, everyone can watch for suspicious emails, ask about installing software, avoid public WiFi, and speak out when something goes awry. The firm’s leaders must make a huge commitment not to blame staff if something goes wrong. Accidents happen – if a junior solicitor stays silent for fear of getting yelled at, you will miss out on key information that could stop things getting worse.
Before an attack, talk through what the firm can do to respond instantly. The goal is for your team to understand the plan and how to use it. Does someone in the firm keep abreast of security issues? Can you instantly unplug your computer servers from electricity or internet? Can staff disable the WiFi router to stop an attack spreading through the office WiFi network? Can all staff make emergency contact with the right people, instantly? How long would it take for the firm to reset/change key passwords? While not perfect, a toolbox of intelligent actions can help in the moments after an attack is discovered. To build understanding and trust, you can invite your team to talk through scenarios, like “what if we had no email for a week?” Keep the plan up-to-date and regularly check it.
Last, and definitely not least, make sure that your firm is doing everything required by its insurance policy. Cyber cover often includes detailed requirements, e.g. planning and preparation. Insurance cover may be declined unless you make sure you have complied with all of your insurer’s requirements.
After an attack happens
There are some key actions and elements that all response plans must address.
Assemble your team, fast: First, the response plan needs to provide for the firm to rapidly assemble the team of people who are needed to respond to the problem. An IT person alone can achieve little. Such a team must include:
- A partner to take responsibility for the governance elements of the response. This person will lead the response team’s work. She or he will interface with the firm’s governance team.
- An operations person who is familiar with the normal operation of the firm’s IT systems. This person should also have the credentials to talk to Landonline, or with the firm’s bank.
- An IT specialist. Whether the firm manages IT in-house or relies on contractors, the firm must ensure that an IT specialist will be available rapidly to coordinate and lead the technical response to the hack.
- A communications specialist. This person needs to understand legal privilege and confidentiality. There is no simple recipe for who you will have to talk to. The response team needs someone who can manage communication outside the firm and understand who they need to notify/talk to, when the right time to communicate is, and how to communicate. As discussed below, this key action may take more work than one partner or operations person can handle in the heat of the moment.
Governance and authority: The response plan requires the response team to operate with clear lines of communication and clear authority. The partners must commit to that plan in advance. The people responding to a cyber attack must have confidence in their own authority to take emergency actions. Usually, there will not be time to call a partners’ meeting before some important actions are required. If the partners try to re-litigate the structure of the response after a hack, then the time it takes will likely make matters worse.
Deploy your back-up communications systems: In a cyber attack, the first communications issues are often mundane – yet vital. Where do you find a phone that works? Where do you find an internet and email connection that is separate from the hacked systems? If your email systems are compromised, how will you make contact with clients and others in a way that proves you are using a safe system (and that you are who you say you are)?
Assess privilege and confidentiality, then communicate: Next, the plan needs to enable the team to identify issues of confidentiality and privilege, and to then begin communicating with third parties. Note:
- Contacting the firm’s bank or insurer usually does not involve issues of privilege.
- If Landonline or a similar IT system is at risk, talk to them as quickly as possible.
- If clients’ data or affairs are compromised, then the firm’s duties to clients will usually require prompt notification to clients. The first communications must be brief, unemotive and focussed on the facts. Make it clear if clients’ own IT systems are at risk. Let them know how to contact you. Then, continue ongoing communication with clients.
- In the future, there will be more pressure on law firms to communicate with the Government’s cyber-response authorities (CERT), to communicate with privacy authorities, and to give public information via organisations such as NZLS or ADLS. Often, communication is very beneficial. However, as lawyers we must consider privilege first. For example, CERT communicates with similar organisations in Europe, Australia and the USA. Therefore, something about your own firm’s clients may dictate that your law firm should not make these communications, or it should limit the scope of its disclosure.
- Some hacks require a public statement. Achieving a balanced statement in relation to complex technology can be very hard. Many businesses will engage a PR or communications firm to help.
It is worth repeating – we do not say “bah, humbug” to CERT or to any other public agencies who have cyber-response functions. They are committed professionals. They do good work. They provide leadership on a difficult issue. But legal privilege is unique to law firms. Privilege must be addressed before contact is made.
IT specialists must lead the technical response: The IT person in your response team will need space and resources to assess the firm’s systems. It will be a tricky investigation. For some attacks, the response may be as simple as throwing the computer in the bin, and starting again from back-ups. For other attacks, a slow and careful response is needed, with specialist IT help, and careful coordination with insurers. The IT specialists may need to call in further specialists.
After the dust settles, review what happened: The hardest part of a successful response will be to carry out a fair and impartial review of what happened. While blame and retribution can be tempting, it usually does nothing to improve the firm’s ability to respond to a cyber attack. To succeed after a cyber attack, a firm needs to review its staff training, its technology, its expenditure on system maintenance, and all of the other little details that impacted on the scope and consequences of the attack.
Each firm will need further planning to meet its own needs. The plan will usually include items beyond those mentioned here.
This is not about perfection. Every expert in the IT industry has his or her own horror stories – usually something stupid that they themselves did. Therefore, we should not be afraid to commit some time and energy, planning to do the best we can. For the future, it will be a core part of our shared brand as lawyers.
Richard Anstice is a member of ADLS’ Technology & Law Committee and gratefully acknowledges the Committee’s input into this article. Mr Anstice has worked as a lawyer advising on a range of commercial transactions, including distribution and IT design and build, with a particular focus on the balance between the legal aspects of technology and the practical needs of nontechnical people. He can be contacted at email@example.com.
The next instalment in the Your Legal Business series is “Technology – Tackling It, Taking It On and Transforming Your Practice”, on 27 November 2018.