Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Law Firm Cybersecurity Sharing Coming Soon

March 9, 2015

When I reported on this previously, it was thought that law firm cybersecurity sharing might come by the end of the year. Hat tip to Sean Harrington for sending me a story indicating that the timetable has been accelerated.

According to a story from The American Lawyer (sub. req.), at least five Am Law 100 firms are involved.

The group includes Sullivan & Cromwell, Debevoise & Plimpton, Paul Weiss Rifkind Wharton & Garrison, Allen & Overy and Linklaters. It will be affiliated with the financial industry’s forum for cyberthreat discussions, called the Financial Services Information Sharing and Analysis Center, according to Bill Nelson, CEO of FS-ISAC.

The goal of the law firm group is to have a more focused method to share intelligence about cyber threats with other law firms and also to receive information from major financial institutions about possible threats.

Although Nelson notes that law firms are not eligible to be members of FS-ISAC, the new legal offshoot will be affiliated with it. FS-ISAC will provide law firms with resources and technical infrastructure to help them get started. The firms will also be privy to some, but not all, of the information that is shared among financial services members of the FS-ISAC.

Law firms will be able to share information anonymously, including technical details of cyberthreats and vulnerabilities, hoping to anticipate and defend against cyberattacks. The group is now expected to be operational within 60-70 days and will be comprised of 6-12 law firms, with the expectation that dozens will join shortly afterwards. Membership fees will be less than $10,000 a year, and there may be a tiered price structure for smaller firms in the future, according to Nelson.

According to law firm spokesmen, no information will be shared that could compromise client confidentiality.

The firms in the group are working in collaboration with LegalSEC, a cybersecurity-focused component of the International Legal Technology Association.

In one example of a law firm data breach (and there are many), McKenna Long & Aldridge in February 2014 informed current and former employees of suspicious activity on servers belonging to one of its vendors. The firm said there was “malicious and unauthorized access” to names, addresses, wages, taxes and Social Security numbers, dates of birth and ages obtained through the user identification and password of an account administrator. The firm has since reset all passwords.

Shane McGee, chief privacy officer of cybersecurity company FireEye, says his company has responded to dozens of law firm attacks and compromises. “The law firms are a weak link that lead into the financial industry,” McGee says. “If you have a hardened environment, then attackers will go in through your affiliates.”

Traditionally, lawyers have been complacent about information security – and many point to the fact that taking cybersecurity measures (some of them expensive) directly impacts the profits of law firm partners. As clients demand better security, and as the fear of losing clients grows when data breaches become public knowledge, that is slowly changing.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson