Business Day (Nigeria)

Law firms as targets for hackers – risks and the way forward (Part II)

- RAPHAEL IRENEN Raphael Irenen is an Associate of the Firm.

In the first part of this article, we considered the peculiarities of the legal sector and the types of cyber threats and data breaches that can affect law firms. In this concluding part, we examine the importance of cyber hygiene and recommend steps that can be taken to ensure cyber hygiene.

The Importance of Cyber Hygiene to Law Firms and Lawyers

According to a recent report, email malware creation increases by 26% year over year, with about a million malware threats created every day. Additionally, between 2014 and 2015, the number of new pieces of malware that emerged grew from 317 million to 431 million. By 2016, a breach of more than 11 million confidential and privileged documents, which included emails, databases, files, PDFs and thousands of text documents, occurred as a result of an attack on the Mossack Fonseca law firm. Based on the reports released by security researchers, there were multiple reasons for the success of the attack. These reasons included external-facing servers running outdated software while missing critical security updates. This suggests that the Mossack Fonseca law firm did not have adequate cyber hygiene protocols and procedures, as there was a clear lack of visibility across the firm, as well as missing patches and vulnerabilities including poor network segmentation. This clearly indicates that the worst cyber breach is often a result of poor cybersecurity.

To this end, law firms and lawyers need to pay more attention to their cybersecurity. With the growing rate of cyber breaches, law firms cannot afford to be careless with the information of their clients within their possession. Procedures and protocols must be established by these law firms to ensure cyber hygiene.

For the purpose of clarity, cyber hygiene underscores a successful incident and threat management program that keeps computer systems up to date, promotes full visibility and guarantees data protection. It includes a range of procedures and protocols that help to maintain best practices in keeping sensitive data safe from external attacks. It also helps to ensure compliance with the latest security standards. If a proper cyber hygiene procedure is not put in place, then the valuable and sensitive information in the possession of these law firms may be tampered with by cybercriminals. This will affect the integrity of the firm and may also result in some legal actions being taken against the law firm.

Additionally, ethical issues may also arise, particularly with regard to the provisions of the Rules of Professional Conduct (“RPC”), which vest in legal practitioners in Nigeria an ethical and professional obligation to make sure that valuable and sensitive information of clients is protected from unauthorised access and kept confidential. The provisions of Rule 19 (1) – (3) of the RPC are clearly to the effect that a lawyer has a duty to ensure that whatever information is disclosed to him by his client is not divulged to another person, except:

• with the consent of the client (upon full disclosure to them);

• where such lawyer is required to disclose any relevant information on grounds of law or by an order of the court;

• where the intention of the client is to commit a crime and a disclosure of such information is necessary to prevent the commission of such crime;

• where such disclosure is necessary for the lawyer to establish or collect his fee; or

• where such disclosure is necessary to defend himself or his employees and associates against an accusation of wrongful conduct.

Clearly, the above exceptions provided for under the RPC do not cover cyberattacks or breaches. The inference drawn from this is that a lawyer may be liable under the RPC for any cyber or data breach that affects his clients’ information.

Possible steps that can be taken by law firms to ensure cyber hygiene

The following steps can be taken by lawyers and law firms to ensure cyber hygiene and prevent any further cyber or data breach.

1. Law firms should routinely identify items such as unmanaged laptops, servers and desktops.

2. Engage in regular awareness and training of their employees on cyber security and cyber hygiene in general.

3. Carefully address any system updates and operating-system-specific updates.

4. Initiate a regular change of password policy and multifactor authentication.

5. Adequately identify unencrypted valuable and sensitive data and adhere to the required industry security compliance program.

6. Develop a security system that adequately addresses insider threats.

7. Scrutinise hardware and firmware updates for the purpose of identifying security risks and priorities.

8. Obtain cyber insurance policies for future cyber liabilities.

9. Establish and frequently update cybersecurity policies.

10. Carry out regular penetration and vulnerability tests on the various software and hardware being utilized by the firm, to determine their cyber strengths over time.

Conclusion

As earlier noted, cyber hygiene in Nigerian law firms is now, more than ever, imperative. Law firms must begin to take steps to secure information that is stored online and offline. An understanding of the responsibilities vested in a lawyer to protect and keep confidential the information of clients is sufficient for a lawyer to be proactive and take the necessary steps to avoid any cyber breach. Lawyers must also understand that they are not in any way immune from the activities of cybercriminals. In fact, they appear to be one of the most vulnerable targets of these cybercriminals.

Hence, law firms must begin to establish and maintain policies that guarantee and promote cyber hygiene. These firms must consider educating and enlightening their employees on cybersecurity. Apart from the steps recommended in this article, Nigerian law firms must also look to other ways in which their data can be secured. Similarly, the services of experts and consultants should also be acquired by these law firms where necessary.

Though some of these measures may be expensive, it is better to expend resources ensuring the safety of the information of their clients, than to spend on any resultant legal action or liability that may be incurred as a result of a cyber breach.

ǼLEX is a full service Commercial & Dispute Resolution law firm with offices in Nigeria and Ghana. Contact us: www.aelex.com; @aelexpartners on LinkedIn, Twitter, Instagram and Facebook; info@aelex.com

AELEX Notes is a dedicated column, managed by ǼLEX Legal Practitioners and Arbitrators, featuring legal developments and insights.
