23 August 2015

Legal Risk: The Insider Threat from Outside Counsel...

What will the "New Normal" be for the United States in the era of increased scrutiny on privacy law, civil liberties and the continuous quest for the security of the Homeland?  Operational Risk Management (ORM) professionals are ever more focused on "Information Operations" and counterintelligence functions while simultaneously working side-by-side, with their own General Counsel.  The laws in each state are changing and being updated as the Federal legislation stalemate continues:
Connecticut Updates its Data Security Laws, Imposing Stringent New Requirements By Ellen Moskowitz on July 15th, 2015 Posted in Legislation

On June 30, 2015, the Governor of Connecticut signed into law S.B. 949, “An Act Improving Data Security and Agency Effectiveness.”[1] The new law updates Connecticut’s data security laws, including by adding a 90-day hard deadline for data breach reporting, requiring companies in some cases to offer data breach victims a year of free identity theft prevention services, imposing new and specific data security program requirements on health insurance companies and other entities subject to Insurance Department regulation, and requiring state agencies to impose certain detailed security requirements on state contractors that maintain personal information. With a near constant stream of data breaches affecting entities from health insurers to retail giants to the government, the law responds to growing fears about data security.

Under the new law, beginning October 1, 2015, a data breach will require any person or entity conducting business in Connecticut to give notice “without unreasonable delay,” but now no later than 90 days after discovery of the breach, to state residents whose personal information was breached or reasonably believed to have been breached. The Connecticut Attorney General stated in a press release that 90 days is an “outside limit” that does not diminish his discretion to take action against entities who “unduly delay” notification.[2] Importantly, the law also requires the provision of at least twelve months of free identity theft prevention and mitigation services, but only in cases where Social Security numbers are breached or reasonably believed to have been breached.

If you happen to be concerned about the "Insider Threat" within your enterprise, then you realize the importance of creating the foundations for a sound legal framework, one that addresses the rules that must be followed and the protocols for building trust with key corporate partners.  This includes the outside counsel that your enterprise engages on an annual basis.

So what legal duty of care do your retained outside counsel have to secure your information?  What do they have in the environments that they operate in that may cause additional legal risks for your enterprise?  Do they understand the difference between information security and confidentiality?

First tier supply chain partners such as outside counsel are no different than the cloud provider or the HVAC contractor that may have access to the corporate network.  So what is the root cause of substantial intellectual property theft and industrial espionage targeted on law firms?  Failing to understand the vast landscape of "Operational Risk."  This includes negligent conduct and intentional misconduct.  So what can you do now to improve the outcomes of managing the legal risks of "Outside Counsel"?

Start a Dialogue:  Request a commitment to review the privacy vs. security environment of the key retained firms who provide the outside legal work for the enterprise.  Provide a case example of your corporate information security structure and priorities.

Ask Questions:  The whole spectrum of information security deserves a deep dive in the dialogue on managing digital information, making effective "Trust Decisions" and addressing eDiscovery and Records Management questions.

Team Together:  What if you worked with your outside firm to create a solution that included a collaborative design, prioritized execution, insisted upon cooperative feedback and ensured continuous improvement?  Get your legal teams to train together with your CISO and CIO security teams.

Revise the Engagement Letter:  The contracting language must include the nuances of information security, privacy controls and an informative strategic plan for the inevitable point in time when there is a data breach at your outside counsel.  More here:

As Willie Sutton supposedly said, he robbed banks “because that’s where the money is.”  That also explains why law firms and lawyers are increasingly the targets of cyber-intrusion, particularly phishing scams.  Apparently, phishing in legal waters can yield a full net of stolen information.

“Most likely” to take the bait
Verizon’s 2015 Data Breach Investigations Report has found that a company’s legal department is among the ones that are “far more likely to actually open [a phishing] e-mail than all other departments.”

In case you’ve been living under a rock, “phishing” is the attempt to obtain sensitive information fraudulently by means of a deceptive electronic communication that appears to come from a trustworthy source.  (Some link the term to the indie rock group Phish, but according to Computerworld magazine, the term was coined around 1996, with the obvious analogy to the sport of angling using a lure.  Under that view, the “ph” is a nod to an old form of telephone hacking known as “phone phreaking.”)

Shockingly, Verizon found that 23 percent of recipients open phishing messages, and 11 percent click on the fatal attachments.