Today, cybercriminals targeting law firms are focusing on the wrong information in the wrong places. Even in the recent Chinese hacking of U.S. law firms for inside information, the hackers went after information contained in email servers. That’s not where the really valuable stuff is.
The complex data involved in e-discovery, which may include trade secrets and other intellectual property, is often transferred electronically back and forth during lawsuits, and is sometimes stored in cloud-based servers. So the real gold is in the place where law firms store the documents collected during this process.
Inside Counsel recently sat down with Andy Wilson, CEO and co-founder of Logikcull, and Lael D. Andara, patent litigation partner at Ropers Majeski Kohn & Bentley PC and Chair of eDiscovery Electronics Services Protocol [ESP], to discuss what next steps can be taken to safeguard data.
According to Wilson, while it may not be the case that cybercriminals have focused on e-discovery databases, it is likely that the materials they've accessed in recent high-profile data breaches were being handled for the purposes of discovery. Law firms and legal services providers handle sensitive data belonging to their clients. Basically, those firms act as clearinghouses for all of their customers' most valuable information, because it is often the case that this data is relevant to litigation and investigations.
“In the course of discovery, data goes everywhere. The client has to collect data and send it to its outside counsel, who is sending that data to vendors and other colleagues throughout the firm,” explained Wilson. “Then, discovery materials are produced to opposing parties, and the whole process starts up again. It's an incredibly risky process because, often, that information is sent through insecure channels, such as unencrypted email, file sharing services and via physical media, like DVDs or hard drives. All of those channels expose information to breach.”
“The reality is this has already been happening – we just haven't necessarily identified the hacks,” said Andara. “Another issue is a lot of these hackers are gathering information they may not know the benefit of, creating a separate effect where the data is gathered and then taken to the black market where the person who can capitalize on the information obtains it sometime later.”
So, why are e-discovery document repositories so valuable?
“The very nature of litigation requires us to get to the most valuable assets of the companies that are in dispute,” he explained. “Think of it as mining for gold, business data is piles of paydirt that is yet to be processed, and law firms are the sluice box that sift through the business data and pull out the gold nuggets. The irony is those piles of paydirt (business data) typically have better security than the law firms (sluice box).”
In addition, according to Andara, this is not a typical hacking where there are invaders at the gate. Oftentimes your adversary in litigation is behind the gate, and taking appropriate safeguards is imperative.
“Structuring a protective order that includes encryption and other safeguards to maintain proprietary business data will be the norm in the next few years,” he said. “Encryption should be directly addressed in the protective order along with the logging of who had access to the data.”
So, is e-discovery the next frontier for cybercrime?
Wilson said, “It very well may be. Security experts are quick to point out that data is most vulnerable when it is in motion.”
Discovery is a process of motion, where sensitive materials are gathered together quickly from all kinds of different repositories and locations, and shared with requesting parties with few safeguards. So, it's not unusual for parties to exchange this information through insecure means (DVDs, email, etc.). And, often, the e-discovery tools lack appropriate security safeguards and do not encrypt data that is stored at rest. All of this leaves valuable information exposed to breach, whether it's from loss or theft, according to Wilson.
As long as law firms are on networks, we can anticipate these types of future cybercrimes.
But the value of this data creates two potential risks, according to Andara. The first is that hackers will steal the proprietary data to obtain an unfair business advantage against our clients, and the second is the phenomenon of the data being held hostage by ransomware.
“The use of ransomware does not necessarily indicate that the data has left the organization or will be used or sold in the open market, but rather being locked out because the data has been encrypted and in order to have access they have to pay a ransom,” he explained. “It is not uncommon for entities to maintain a balance of bitcoin in the event that they are hit with a ransomware attack.”
Discovery is a process where data is shared widely, with many parties, in often insecure fashion. So, it's not unusual, for instance, for corporate counsel to mail hard drives across the country to get data to their law firm counsel. “That's absurd, and risky,” said Wilson. “It's imperative both to limit the amount of times that data is shared or ‘touched’ in the course of discovery, and to make sure that data is encrypted at all times.”
According to Wilson, the most secure e-discovery or legal intelligence platforms are the ones that eliminate the risk inherent to discovery by providing one central hub where all data is securely hosted and all channels in and out of the database are secure. When data is in the platform, it must be encrypted at rest.
And when it is shared with opposing parties, it should be shared through encrypted channels -- ideally a secure, permissions-based link whereby requesting parties can access that data remotely and instantly.
Sometimes admitting that your clients’ security measures are superior to the law firm’s, and maintaining the data within their security, is the most efficient approach, said Andara. The other issue is making sure that you meet the same security standards your client has in place, or identify potential cloud service providers or vendors that maintain the same if not better security measures. But not all business data requires this level of protection, nor should all data be treated equally, given the significant costs of maintaining higher security levels.
“In my experience there have been situations where it was just not cost-effective to create a security infrastructure to support the volume of data,” he explained. “In the alternative we created a clean room to allow the defendants to come and review the data under very controlled circumstances that monitored what was reviewed and what was requested to be copied. In the several circumstances where we used this approach, the amount of data that was sought to be used in litigation was a de minimis fraction of the overall data at issue.”
In the past five years, cyber hacking has been on the rise and approaching the norm. The fact of the matter is that most of the public has been desensitized to the rampant cyberattacks because they have become a daily occurrence, according to Andara.
He said, “The question is not whether or not you've been hacked, the question is ‘do you know when and to what extent you’ve been hacked?’ It's imperative that we acknowledge that there is no such thing as perfect security, and much like with the discovery, the standard is reasonableness.”
According to Andara, to be confident in the practice of law you must take minimum measures to secure your clients’ confidences, which are often contained in the business data relevant to discovery in litigation.