Canadian Lawyer - sample

November/December 2016

The most widely read magazine for Canadian lawyers

Issue link: https://digital.canadianlawyermag.com/i/752781


those surfing the darknet where the information retrieved through the hack had been posted for sale.

Foreign countries, unlimited resources

Foreign companies, often equipped with unlimited resources, are behind many of the attacks on systems, observes Algeier. The traditional craft of government spying has evolved into digital spying. "There's a clear trend where governments are interested in private corporate networks."

For firms that are hacked, there is a further problem, particularly if they're trying to protect their reputation by keeping it secret, adds Tobok, the cyber sleuth. The first issue is that many are not prepared if something happens, and once hacked, there's potential for further harm.

"The problem is you're now put on a dummy [sucker] list," he says. "We have seen some very high activity, up to 46 per cent, on the dark web . . . where activity of lists of people . . . are being sold to different organizations.

"We see Canadian law firms on the dark web in the investigations that we do . . . Nobody's immune to this."

Regulation

Among the differences between law firms and other professions is how they are regulated. Lawyers and not firms are regulated. So while there is an obligation to report any breaches to clients, there is no central location to which law firms must report and no real clear indication of the breadth of the problem.

New privacy legislation is in the works, which compels businesses to report when there is a real risk of significant harm, although it applies to information pertaining to individuals and not corporations.

"The lack of reporting on it I think relates to the fact that if there's a breach in Canada and 100 clients are notified, clients won't tell, nor will firms," says David Fraser, an Internet and privacy lawyer with McInnes Cooper in Halifax.
He does expect to see lawsuits in the near future for firms not taking adequate care, but again, there will be a great incentive for them to settle to keep any breaches under wraps and steer clear of the risk of reputational harm.

Info sharing

Canada's banking sector is seen as being more on top of breaches. The Financial Services Information Sharing and Analysis Center has launched a section specifically for law firms. The premise is that if breaches are reported to this central clearing house, experts can analyze the breaches and strengthen their security and defensive approaches.

The International Legal Technology Association is a Texas-based non-profit that shares information on the broader approach to technology as it relates to law firms.

Mark Sangster is the legal industry cybersecurity strategist for Cambridge, Ont.-based eSentire Inc., which manages detection and response in the mid-market. Law firms, he says, are seen as the back door of the industry. But there are other motivations than just information, he says. He has seen ransomware paralyze information for a specific firm, preventing them from conducting business. The motivation was not money but likely tied to a specific file.

"It's a nasty version of painting graffiti on the wall of an organization you don't like. People do this all the time.

"The technology that's available now, you have very complex cyber-weaponry." It's readily available on the darknet, with instructions, or one can pay someone in another jurisdiction.

Prevention

Personal emails of CIA officials have also been hacked, leading to the suggestion that less mighty organizations are perhaps more vulnerable, says Vancouver-based Boughton Law's information technology manager Rob Walls.

"I would say that at least half the law firms get poked by things every once in a while, possibly more. Some of them may not be aware that they are being hit by things." But, he adds: "You can do a lot to make sure you're not as juicy a target.

"It's challenging because if IT gets too intrusive in the way people want to do things, they stop relying on IT and start doing their own thing. It's a balancing act."

The general belief is the bigger the firm, the more protections they have in place, meaning smaller firms are more vulnerable. Walls, who also serves as the British Columbia Legal Management Association technology subsection co-chairman and the International Legal Technology Association's member liaison for the Vancouver area, suggests firms approach their security plan from the perspective that, eventually, they are going to be compromised.

Should the firm be held by ransomware and unable to access its systems, a robust recovery system can help get it back up and running in a few hours.

A layered defence system is seen as the best approach, so the firm has a variety of protection procedures and tools in place. Security organizations point out that if different areas are protected by different tools, compromise of one won't necessarily mean another section will be penetrated by hackers.

The key, though, is testing the security measures that are in place to ensure they are robust. Many firms prefer to hire outside agencies to run regular tests.

McCarthy Tétrault, for instance, requires multi-factor authorization for any remote access, points out George Takach, whose legal practice focuses exclusively on technology-related law. In addition to having a plan to deal with any breaches, he suggests putting a team in place that is equipped to respond immediately, push out the hackers, understand the scope of the breach and deal with notifications.

"I think it's just going to be, unfortunately, a cost of doing business," he says. "I see the same trend in physical security … It's a sign of the times that we live in."
Those who work in the industry also say firms need to draw the distinction between those who work on the firm's information technology systems and security because they are separate disciplines. IT staff might manage the firm's security, but they don't necessarily have the expertise to put it into place.

Security checklist

• Stay current on available tools;
• Have a recovery system in place in case of penetration;
• Have data loss protection points focusing on the end points;
• Keep separate controls on every individual using the system;
• Use encryption;
• Train staff on secure use of systems and be wary of the latest phishing email schemes;
• Keep testing.
