The Role of Vendors in Avoiding Cyber Attacks and Information Disclosure
TechnologyThe recent massive cyberattack on federal agencies can be traced back to an Austin IT management company, SolarWinds, which is literally down the road from TLIE. According to reports, SolarWinds appears to have been hacked due to lax security practices. After breaching SolarWinds, the hackers were able to breach many of the company’s 18,000 customers.
This scenario is quite similar to a situation a TLIE insured faced last year, where a company providing IT management services for a number of other businesses was breached. The breach of the law firm’s IT management service led to a ransomware attack on all of the IT management company’s customers.
ABA Opinion 477R entitled “Securing Communication of Protected Client Information,” released in 2017, makes the following recommendation regarding lawyer supervision of vendors:
- Conduct due diligence on vendors providing communication technology. Take steps to ensure that any outside vendor’s conduct comports with the professional obligations of the lawyer.
This article will discuss how lawyers, who of course are usually not well trained in cyber security and other IT issues, can meet professional obligations to supervise vendors and to avoid negligence claims in supervising and monitoring vendors.
Who Are Your Information Technology (IT) Vendors?
Law practices increasingly rely on a variety of vendors to provide the technology necessary to practice law. These vendors may provide physical items, such as computers, laptops and phones. They may provide computer software to carry out various tasks. They may also provide services, such as setup and management of lawyers’ computers and servers. When lawyers use cloud services, they could be considered IT vendors subject to the conduct of due diligence suggested by Opinion 474R as well.
Indeed, Texas Ethics Opinion 680 indicates that among the reasonable precautions lawyers must take when using cloud services is (5) remaining alert as to whether a particular cloud-based provider is known to be deficient in its data security measures or is or has been unusually vulnerable to “hacking” of stored information.
Specialized services for law firms are increasingly common. For example, services that analyze and report on discovery are vendors that should be subject to due diligence. In one case, a law firm outsourced analysis of voluminous documents to be produced to a third party. Lax procedures at the company led to the release of important keys needed to decrypt the client’s satellite signals, leading to a significant loss of revenue. The law firm paid the client for that loss.
What Vendors Should Be Doing
Determining proper questions to ask in the pursuit of due diligence requires some level of understanding. Even lawyers who are not technology experts can understand generally what should be done by vendors.
First, vendors should at least be following security guidelines that law firms are following in their own practice. In the SolarWinds case, among the lax practices discovered was that the company used solarwinds123 as a password. Both law firms and vendors should have strong password policies.
Vendors should either provide certifications regarding their security procedures or be willing to answer questions regarding their practices. It is not sufficient for a vendor to simply say “We don’t discuss security issues so as to avoid someone gaining information about our systems.” There should be a way for the vendor to provide appropriate information necessary to allow customers to judge the security of their products and services.
Two common certifications currently provided are SOC 2 and ISO 27001. Each of these certifications indicates that a company has followed a three-step process: an analysis of gaps in their security, what security goals are necessary to fill those gaps, and an audit to assure that the necessary action has been taken. Either certification can give customers some level of assurance that security is a serious concern of a company. However, such certifications are expensive and not available from many very legitimate, thoughtful vendors. A certification is no guarantee that there will be no problems.
Another common indicator of security provided is HIPAA compliance. This will be important for any law firm which works with medical providers who disclose patient information to their lawyers, such as doctors, hospitals and medical insurance companies. Texas lawyers are also subject to the more wide-ranging Texas Medical Privacy Act, which applies to all personal medical information. HIPAA compliance may be important for those lawyers as well.
One problem to watch for is borrowed certifications. For example, many cloud vendors note that their software runs on Amazon Web Services (AWS) and that it is compliant with one of the standards. Such a credential only means that the Amazon service is compliant, not that the vendor’s software provided on top of Amazon’s platform is compliant.
What to Ask Vendors
A very good set of form questions for vendors has been developed by the Vendor Security Alliance, www.vendorsecurityalliance.org.
These questionnaires are free to download from the VSA website. The subject matter of the VSA forms addresses the following questions:
- What are the vendor’s security measures?
- Is security testing done, such as penetration testing and code analysis?
- Do they vet their own vendors?
- What is their financial situation? A company with poor financials may be less able to concentrate on security.
- What is the location of facilities? The laws of the jurisdiction where services are actually located may influence how secure the facilities are.
- Do they provide security support?
The Vendor Contract
Because lawyers have a special obligation to keep all client information confidential, it is good practice to commit vendors to the confidentiality of all information they receive from the law firm and its clients. In cases where client information is likely to be seen, it is important to specifically direct vendors to instruct their employees about the lawyer’s confidentiality obligations.
Vendor employee education may be as important as law firm employee education. This was reinforced by recent amendments to ABA Model Rule 5.3, including Comment 3, which extend the obligation to educate nonlawyers retained by the law firm in the professional obligations of the lawyer.
Remaining Alert
Both before and after obtaining software, hardware and services, it is a best practice to monitor news about vendor security issues, as suggested by Texas Opinion 680. Subscribing to email information from the vendor about software changes and security issues is one important step in this process. Also, a lawyer can create email alerts for the vendors of their products and services. More generally, it is a good practice to keep an eye out on reported security breaches regardless of whether they pertain to a particular vendor.
This is not to suggest that a lawyer must read every single security bulletin issued by every software company. However, it is important to learn about how widely reported issues may affect the law firm. As an example, the Heartbleed bug which led to stealing of passwords on websites a few years ago was contained on many websites. Simply asking a website service vendor if the buggy software was used on the law firm’s website could perhaps avoid problems.
Conclusion
Due diligence with vendors is an important concept for all lawyers to master in order to protect confidential client information. The steps in this due diligence are not overly complicated, and do not require a degree in computer science. As ethics opinions suggest that such due diligence is part of the lawyer’s ethical responsibility, it is not hard to imagine that adequate due diligence will become more important in legal malpractice cases over time.
