© Critical Informatics Inc., All Right Reserved 2016

Threat Intelligence Blog

The Been There, Bled There Blog that covers, well, just about anything that we feel you can gain critical insight from. We wear our battle scars with pride and are grizzled enough to occasionally yell, “Get off of my Lawn!” As they say, “You Can’t Make This Stuff Up!”
(206) 687-9100
Veterans Helping State Fight CyberSecurity War

Mike Hamilton was featured in a KING-5 TV news story in his role as Policy Advisor to the Washington State Office of the Chief Information Officer. In his job as Policy Advisor, Mike collaborates with organizations around the state, including the military, public utility and water/sewer districts, the University of Washington and local governments. The objective of this work is employment as cyber-analysts for our veterans, and availability of these resources for business and government in our state. Watch the story on KING-5's website.
MIND THE BACK DOOR: PROTECTING CLIENT INFORMATION FROM CYBERSECURITY THREATS AND DISCLOSURE

9/24/2015, by Suzanne Skinner and David Matthews, M.K. Hamilton & Associates, LLC

You’ve just returned to your law firm from a long holiday weekend and are looking through your email. You find a note from your financial institution regarding a large transfer of money from one of your trust accounts. The figure is in the high end of six figures and you nearly spill your coffee running over to your bookkeeper’s office.

He knows nothing about it. It’s time to push the panic button. Eventually you figure out that your bookkeeper received an email with a poisoned attachment and his account was compromised. Over the weekend criminals used his credentials to steal a lot of your money, and you are very unlikely to ever see it again.

You have just been the latest victim of a growing cybersecurity crisis that is beginning to target law firms. This is not fiction or FUD (fear, uncertainty and doubt) – this is a story straight from recent news.

Anyone who reads the newspaper or listens to the news cannot help but be aware of the number of organizations that are being victimized every day by our cyber adversaries. The year 2014 has been dubbed the “year of the data breach.”

Among small businesses, law firms are an increasingly popular target for hackers for two reasons: hackers infiltrate law firms’ networks to gain access to their clients’ networks, and they are very aware of the wealth of confidential information that lawyers amass and use in representing their clients — from attorney work product, firm business and employee records, to attorney-client data, trade secrets and PII. Lawyers also store reams of e-discovery records, both civil and criminal, from opposing and third parties generated through discovery.

As corporations and other organizations beef up their cybersecurity, hackers have used law firms as a virtual back door into their clients’ confidential information. In 2012, China-based hackers overcame the “secure” computer networks of seven major Canadian law firms to destroy data and steal sensitive client information in a coordinated attempt to derail a corporate acquisition.

External attacks are not the only risk. Internal threats from corporation or law firm employees, whether intentional or negligent, are equally likely and as devastating. A Seattle law firm employee recently emailed the highly confidential files of nearly 8,000 special education students to a student’s parent — likely violating federal law and the firm’s ethical duties. Luckily, the recipient recognized the mistake and returned the files. The Seattle School District promptly fired the law firm and called in the US Department of Education to investigate the mechanism and exact cause of the barely averted disaster.

In response to the rise in cyber breaches, the American Bar Association (ABA) has issued new regulations encouraging all organizations to “develop, implement, and maintain an appropriate cybersecurity program that complies with applicable legal and ethical obligations, and is tailored to the nature and scope of the organization, and the data and systems to be protected.”

The ABA’s Cybersecurity Task Force also recommends constant monitoring of computer logs to detect and respond to threats. Without monitoring, the compromise of one workstation can mutate into a large-scale theft of confidential client and proprietary information.

Their new resolution reflects the many sources of the legal profession’s responsibility to provide data security: regulatory, contractual, common law, and ethical. Of these, the ethical duty, grounded in the Rules of Professional Responsibility, is most broadly applicable.

Comments to the Model Code of Professional Responsibility (MCPR) put greater onus on lawyers to understand the ramifications of practicing law in the virtual world. They now require an attorney to “keep abreast of changes in the law and its practice” as well as “the benefits and risks associated with relevant technology” (ABA Model Rule 1.1 Comment 8 (2012)). They also require a lawyer “to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

To meet regulatory and ethical obligations in the dynamic environment of information technology, an attorney’s only safe course is to employ cybersecurity best practices. Industry standards abound for the secure storage of data, and for access to and use of that data. But for many practitioners those industry standards may be reasonable in neither scale nor scope given foreseeable threats. What is an attorney to do? Based upon the ABA’s Cybersecurity Handbook (Rhodes and Polley, The ABA Cybersecurity Handbook, American Bar Association (2013)), and our extensive experience, we have a specific set of tailored suggestions we would gladly share with your firm by appointment.

The advent of technology has been a boon to the practice of law. Discovery no longer means sitting in a cold warehouse with boxes of poorly organized documents. The boon, however, has not come without risks. If you use technology in practicing law, you now shoulder the duty to understand the risks it creates for your clients, and the obligation to reasonably protect them. Reasonable protection means employing best practices appropriate to the sensitivity of the data involved, scale, and regulatory requirements, among other considerations. Crafting appropriate best practices is and will continue to be an ongoing challenge to the practice of law that will require closer work between information security professionals and lawyers.

Authors: Suzanne Skinner, an attorney, and David Matthews, a cybersecurity, risk management and incident response expert. Both are Associates with CI, an information security consulting and managed services firm, specializing in critical infrastructure cybersecurity. Please contact CI for a consultation appointment.