New York State Bar Association Panelists Discuss Insider Threats to Cybersecurity
The legal profession and legal system have become increasingly vulnerable to cyberattacks as attorneys and courts become more dependent on technology.
To help attorneys understand their ethical obligations when it comes to cybersecurity, the New York State Bar Association Committee on Technology and the Legal Profession and the Committee on Continuing Legal Education sponsored a program entitled Insider Threats and Ethics.
Panelists defined insider threats, examined statistics, explained the New York SHIELD Act, and recommended practical measures that law firms should take to protect their own and their clients’ data.
The speakers were Ron Hedges, co-chair of the association’s Committee on Technology and the Legal Profession and senior partner at Dentons; Erez Liebermann, a partner at Debevoise & Plimpton; and Debbie Reynolds, founder, CEO, and chief data privacy officer at Debbie Reynolds Consulting. Gail Gottehrer, vice president, global litigation, labor & employment law, and government relations at Fresh Del Monte, moderated the panel.
“Our faith in people may be one of the biggest obstacles we must overcome in securing cyberattacks. You know, we aren’t always thinking about threats. We’re thinking everyone who’s in the system is good people, and they’re going to do things kind of in the right ways and whether it’s malicious or not, that may not be the truth,” said Reynolds.
In fact, 34 percent of cyberthreats in 2018 were caused by an internal actor, according to Verizon’s 2019 Internal Data Breaches Report. Meanwhile, 53 percent of organizations have experienced one or more data breaches by a third party, which will lead to an estimated cost of $10.5 trillion annually by 2025, as reported by Cybersecurity Ventures.
Internal threats are also rooted in vendors, visitors, and others who may gain access to data. Furthermore, external threats are often disguised as internal ones.
“An external hacker is going to come into an organization and it’s going to hack into my computer and it’s going to start pretending to be me,” said Liebermann.
However, internal monitoring creates a tension that raises questions about employee privacy rights.
“We’ve got a user behavior analytics program that is looking at what I am doing, and all of a sudden I’m doing weird things that my computer has never done,” said Liebermann. “You’re creating an insider program to make sure that insiders aren’t stealing customer and employee information and taking it out sounds a lot like protecting privacy. On the other hand, you’re monitoring people’s information and that sounds a lot like not protecting privacy and so you’ve got privacy versus security.”
The SHIELD Act, signed into law by then-New York Governor Andrew Cuomo in 2019, boosts the protection of consumers’ private information and sets forth the standard of what it means to be reasonable.
“A place where a small business should start is who is in your organization and what access do they have,” said Reynolds about the act. “One thing I see, with a lot of smaller businesses, is that they have systems where they have shared passwords and that’s not a great thing, especially if you’re on the cloud.”
It is also important to understand who is in your organization, determine what access they have, and close any security gaps.
Reynolds added that regulators don’t look favorably on a former employee being able to log into a firm’s data after leaving.
The risk of not being vigilant can be profound, including the loss of clients’ trust.
“A good law firm does not, I think, want to have a reputation of ‘losing’ its clients’ information,” said Hedges. “I think the message is you need to be vigilant in all the space and you need to be prepared to have a plan in place. We’ve been talking about the factors involving that all along and don’t do this ad hoc. That would be my biggest suggestion at the end of the day.”
Liebermann concluded that it is important to have everyone on the same page.
“If you’ve got a bigger organization and you’re afraid of changing the culture by doing employee monitoring, then create a steering committee that gets everyone together, compliance, law, ethics, and H.R. Everyone sits together and oversees what this program looks like so that you’re not creating the big brother’s watching program, you’re creating a program that everyone understands,” he said.