Is Your Law Firm Running ‘Encryption Light’?

By Nina Cunningham

With so many warnings to lawyers about transmitting unsecured email and attachments, it can be difficult to understand the solutions available and how they differ. Some may improve security but make communications cumbersome. If too cumbersome, users seek a way to work around them or choose less powerful tools.

Because few commercial firms have developed defense-grade cryptography for use against breaches of data security as would be desired by government agencies, the American National Standards Institute (ANSI) has taken the initiative and set standards for the next generation cryptography. ANSI documents related to cryptography can be found at https://www.ansi.org/.

Demand for secure products has increased dramatically both by government and industry as dependence on connected platforms and applications expand. With this growth, the data risk environment grows exponentially from occasional to openly routine. This invites additional teaching on where in the system the security should rest. Will we secure the network or the data? Companies on ANSI’s go-to list are sure we must secure what we can control, and that’s the data. More and more, we are seeing references to data security where once we saw only network security.

What makes this problem so impenetrable? While most IT professions on top of this issue recognize encryption as a solution, the foundational issue is the encryption key management. Most products on the market today are based on a 50-year-old technology called public key. This approach was designed decades ago to address channel protection, one device to another, with a fixed key, used over and over. This approach is built on a communications model prevalent when designed. Today we are in a very different situation, and what is necessary is an information model designed to protect information rather than protecting the always open communications channel. ANSI requires a solution that protects data from origin through distribution, use, storage, and archive, up through destruction. This calls for an enterprise solution that is efficient and manageable.

Over time, information is considered to belong to the organization and not to the individual. Health records are at great risk today, but must be kept securely for over 125 years. Differential access must be offered to individuals and processes that may need access to data in the future without concern about where the data may be stored or how it may be transmitted. The protection is at the data layer itself. This process both creates self-protecting data objects that are data label aware and offers services based on that awareness. Th s process of data label awareness facilitates a smarter network of layered cryptography.

Ponemon Institute, a pre-eminent research center dedicated to privacy, data protection, and information security policy, has quantified costs of data breaches for several years. Collaborating in 2016 with IBM, they turned these reports into valuable tools for helping businesses understand the real consequences of lost or stolen data. Since most companies deal in some form of digital communications, both studying the data and performing analyses are more challenging than ever. Ponemon found the average total cost of a data breach up 29% in 2015 from 2013 at $4M. By February 2016, it was reported at $6.5M, and this data is widely cited. Also, widely cited is the $2 Trillion projection as average total cost by 2019.

In addition to cost data, the 2015 report introduced a global study to anticipate yearly growth in major data breaches. While they suggest that more than a decade of research about data breaches has made us smarter about solutions, new approaches by hackers demand ever new solutions as well. Litigation and ensuing regulations over breaches heighten that demand. Why else would Cybersecurity provide new opportunities for lawyers, liability insurers, and other risk management providers? The industry is expanding so rapidly that the statistics now anticipate a severe shortage in trained personnel to deal with it will increase from 1 million vacant jobs entering 2016 to 1.5 million by 2019.

Ponemon reveals that the loss of reputation and customer loyalty does the most damage to the bottom line. It is understandable that in the aftermath of a breach, firms spend heavily to regain their brand image and acquire new customers. Industries commanding a large amount of trust, such as pharmaceutical companies, financial services firms and healthcare organizations, experience a high customer turnover following a breach.

In 2016, Verizon found that 89% of all cyber-attacks involved financial or espionage motivations, but IBM reported that the healthcare industry was the one most frequently attacked, speeding straight past financial services and manufacturing. Focusing on the concerns of their customers, companies in these industries spend more heavily on settlements because litigation hurts that much more. KPMG reported on the vulnerability of medical devices and wearables as recently as June of 2016. In their list of “10 Hard- hitting Cyber Security Statistics” published last year, analysts with Swimlane.com made it clear that 2015 would be the year we would witness exponential growth in cybercrime statistics. Since it takes time for data to roll in and then be studied competently, statistics from 2015 are the most prevalent.

Analysts suggest that companies consider having an incident response and crisis management plan. But while these plans are great for describing what happened, they will not prevent future breaches. A focus on data security would be far better. Rather than limiting who gets access, ANSI favors protected data, indifferent to network topography. This approach facilitates transmission as a matter of availability and storage as a matter of convenience.

According to Greg Ruppert, Charles Schwab’s senior vice president of financial crimes

investigations, there are only two types of firms: those that have been hacked, and those that don’t know it yet. During the IMPACT 2015 conference, Ruppert said this ignorance is a major reason hackers are such a threat to financial advisors. Ruppert’s insights can be reviewed in “ Cybersecurity: A Checklist for Advisors,” from our ALM sibling, ThinkAdvisor.

Gone are the days of 14-year-old hackers. “This has turned into an organized enterprise,” Ruppert said. “These are now sophisticated, well-designed, targeted campaigns.” Before joining Schwab, Ruppert had a career in the FBI’s cybercrime division. He suggested that of the two billion emails sent every day, one in seven contains a phishing link.

Jay Wack, President & CEO of TecSec, and owner of more than a dozen U.S. patents in cryptography and security system design, suggests an enterprise-level solution that provides attribute-based access control that protects data because of what it is, not because of who reads it.

Understanding how phishing and other fraud schemes work is paramount in preventing fraud, said Clyde Langley, another former FBI agent who is now Schwab’s VP of Fraud Prevention and Investigations. Langley showed IMPACT event attendees what Schwab is doing to fight cybercrime, including their recent initiative to monitor the Web for phishing scams using Schwab’s brand.

Everyone sees coffee shops and public areas populated with individuals doing business on mobile devices. Lawyers and other law firm employees take their devices everywhere, and messages generated from these areas are unencrypted, even within networks thought to be secure. This inherent security flaw places confidential client data at risk.

TecSec has created a platform-neutral solution with a common architecture that complements ANSI standards. Wack describes platform-neutral as technology that can be maintained by those familiar with the social fabric of an organization (guards for physical assets, network administration for logical, application owners for functionality), and who realize the significance of classifying content on a need-to-know basis.

Nicole Black, the data security specialist and contributor to Legal IT Professionals, noted that the American Bar Association’s Standing Committee on Ethics first approved the use of email by lawyers in the 1990s without requiring client consent. But new technology, routine use of email, and new ways to encrypt and protect electronic communications, led to reconsideration. In 2011, the ABA issued Formal Opinion No. 11-459, giving lawyers an ethical obligation to warn clients of the risk of third party access.

Today, the ABA has a Cybersecurity Legal Task Force to identify and compile resources within the ABA that pertain to cybersecurity. It also coordinates the ABA’s legal and policy analyses and assessments of proposals relating to cybersecurity. In April 2016, it offered a seminar on Cybersecurity: Ethically Protecting Your Confidential Data in a Breach-A-Day World. In October 2016, the Task Force issued a checklist for vendors that includes risk management requirements in the contracting process. This is an important step in controlling third-party risk.

The profession continues to address this issue today. While the risk may in fact vary, the only reasonable action for lawyers is to communicate and collaborate with clients using encrypted transmission. If convenience determines the method of delivery, the most convenient method is to protect it all. Assuming the likelihood of risk of encroachment must be taken seriously.

TecSec’s KeyVeil is a patented product that meets ANSI standards by featuring private key management technology in combination with Microsoft Outlook. This combination makes it possible to send and receive secure email in the law firm environment regardless of the firm’s size or the destination of the data. Technology of this type is likely to become state-of-the-art under ANSI authority, providing the user with the security, confidentiality and privacy demanded by clients and firms alike, regardless of the version of Microsoft Office being used.

As applications like KeyVeil evolve to take on greater responsibility for protecting information shared across systems, many lawyers are either using some sort of encrypted email or are migrating to Web-based client portals as a more secure method of communicating with clients. Web-based portals are appealing because cloud computing platforms with encrypted client communications provide a ready-made solution to a more secure method of communicating. KeyVeil has dozens of customizable security settings and offers high-grade data encryption, giving employees and clients access only to the files, or parts of files, you want them to see — whether your firm employs one person or 1,000. Veil offers customer support, live training sessions, and white glove onboarding for staff and clients. Above that, it provides industry-specific solutions for business workflows, integrating conveniently with email and desktop to add security and easy file- sharing to meet the needs of enterprises with data demands that continue to evolve.

Nina Cunningham, Ph.D., is an affiliate of Altman Weil, Inc., and president and CEO of Quidlibet Research Inc., a global strategic planning and cost management firm founded in 1983.