Jim Koenig thinks that law firms need to adopt comprehensive information security programs and train their employees to become better versed in handling the fallout of a cyber attack.
Perhaps there’s no clearer reminder of this than last month’s global malware attack, which, along with a number of global companies, hit DLA Piper and forced the firm to shut down its networks, including email.
In light of such cyber threats, Koenig, who co-chairs the cyber practice at Fenwick & West, said that firms and companies alike should take a look at the information they store and ask whether they need to keep it.
“Can they de-identify or even delete the information to minimize their cyber and privacy exposure?” said Koenig, in a recent interview. “The best protection from privacy and cyber-security risks is not to have the information at all.”
In June, Koenig joined Fenwick’s New York office from Paul Hastings. The Silicon Valley firm launched the office in 2016 and is known for representing start-ups to tech giants like Facebook and Buzzfeed.
In late June, Big Law Business caught up with Koenig in an interview and he discussed the fast-changing cyber security field and how to keep up with it. Below is an edited transcript of the discussion.
Big Law Business: Following the cyber attack at DLA Piper, how are law firms protecting themselves?
Koenig: Many law firms are taking cyber security threats seriously. They are enhancing controls, many seeking ISO certifications - often at the suggestion of their clients or as a prerequisite for doing business.
For example, many banks and other financial institutions have required specific enhanced controls and incident response procedures for law firms to protect the client’s valuable proprietary and sensitive client information. Some law firms initially responded by implementing heightened controls just for the client. Over time, those safeguards have been rolled out firm-wide in many cases. More recently, oil and gas companies have also joined the trend expecting heightened safeguards among law firms and other service providers.
Big Law Business: What would you suggest law firms do in response to the pressures?
Koenig: Law firms, like most companies, should implement a comprehensive information security and cyber program. Patching and anti-phishing training are two essential elements of the program as many of the recent catastrophic cyber attacks can be linked back to failures in these two areas. WannaCry and Petya (also known as NotPetya or GoldenEye) primarily took advantage of operating system vulnerabilities which companies had not patched. In both cases, they took the form of ransomware. Companies (and law firms) should also have and follow an incident response plan to make informed decisions about the veracity and seriousness of a ransomware threat. Some ransomware is copycat false threats, while others have catastrophic consequences. Increasingly, companies are practicing their ransomware and cyber decision-making in advance with tabletop cyber wargame simulations.
Big Law Business: When it comes to cybersecurity, what are the primary methods of protection?
Koenig: What I find to be most helpful is for the company to maintain all the key building blocks for an effective cyber program. They have the key controls, they buy the threat intelligence, they practice incident response and war game so they can minimize any impact that [attackers] happen to have. Some companies that are in tougher economic straits try and save money by not updating their software. Phishing, coupled with not updating software patches, are the most common ways for catastrophic cyber attacks to occur. There’s a human component, and a very simple and relatively inexpensive technical component that would minimize some of the largest catastrophic cyber attacks. That doesn’t mean that there aren’t all sorts of new, very sophisticated attacks. But some of the most basic ones exploit and take advantage of these vulnerabilities.
Big Law Business: So, it sounds like there are lots of simple things big firms and other companies can do to minimize their risk. What are the simplest steps they can take to protect themselves?
Koenig: Many companies should take a step back and look at whether they truly need the sensitive information that they’re collecting and handling. Can they de-identify or even delete the information to minimize their cyber and privacy exposure? The best protection from privacy and cyber-security risks is not to have the information at all. [Other than that] the most effective control is training your people, since the majority of catastrophic cyber events and breaches involve some human factor or mistake. The next tier is encrypting and monitoring improper access and use of information. Don’t have the information, or train the people around it and watch it.
Big Law Business: Technology is changing all the time, and laws are changing with it. How is privacy changing?
Koenig: Every day I’m getting questions from clients about new uses of information in different ways. Many of the Fenwick clients are the incubators for new uses in the next generation of technology. To help those companies pave the path, that’s something to me that’s really exciting. I do a lot of work with large companies, but typically innovation starts at these smaller companies. ... For people that are coming out of law school or into business, having an understanding of privacy can help you in a career with compliance law, or data, but it also can help you on the business side to design products and services, because your products will strike the right balance, not getting in trouble from a compliance point of view but being more attractive and more likely to have trial and use by consumers. ... When you think of all the things that make people comfortable using a new product, they need to trust that they can provide it with their information. Privacy is a proxy for trust, and trust is essential for the use of innovative new products and services.
Big Law Business: And based on how quickly the tech industry is growing, people must be starting to extend their trust. What parts of your practice are actually growing the fastest?
Koenig: Five years ago when you said you could be subject to a Chinese cyberattack, people thought that idea was very remote. They were there, taking intellectual property from companies... [but] many companies didn’t talk about losing that information. [Identity] thieves do something different... Once they started going after personal information for identity theft purposes, that’s when all of that started becoming disclosed. Now there’s much more awareness by consumers, companies, regulators, lawmakers, and the impact and the number of attacks is so much more pervasive.
Big Law Business: You just mentioned a Chinese cyberattack, like the 2015 attack that affected many big law firms and businesses. What did your industry learn from that attack?
Koenig: That [cyber attack] is just an example of the need to know your cyber attacker. Often, the Chinese and other state actors are looking for intellectual property. There have been Russians and others that are looking for value, things that can be monetized. It used to be that the big treasure trove was just credit card data. But there have been changes in the payment card industry’s data security standards that have made it harder, not hard but harder, for thieves to just exploit credit cards. So now they’re going after health insurance information, law firm information, intellectual property and patents and pharmaceutical companies, and technology companies, anything that has value. Some of it is also becoming more dangerous: the threat of cyber-attack on infrastructure, the power grid, denial of service attacks to bring down online companies, targeting government. The nature of the proliferation of cyber is pretty significant.