Time to confront cyber crime

The article examines issues connected with the fight against cybercrime. Particular attention is paid to the measures lawyers need to take to protect against such crimes, that is, crimes committed using computer technology and telecommunications. The author concludes that security in the sphere of high technology must be the focus of everyone who deals with confidential information. The article is accompanied by a questionnaire whose questions help establish whether a cybersecurity system is in satisfactory condition, meets minimum requirements and is used properly by every law firm.

Big business is increasingly vulnerable to cyber-attack and the legal profession is no exception. Lawyers must do more to confront the threat as a core business risk in order to neutralise it.

All lawyers, whether working in-house or in private practice, have struggled to appreciate fully the threat presented by poor cybersecurity. Historically, it has been treated as fairly minor: businesses wanted the information technology (IT) department to keep malware out of the system, and it was easy to spot a hoax email.

There was a lack of concrete examples of what the threat looked like. The situation has now changed, and the time for indifference is over. The people I contacted before writing this column were specific about the nature of the threat posed to counsel and their clients — and about the consequences.

The key threats are: direct financial loss; loss of client data; a regulatory compliance danger; the loss of privilege, or privileged information; and a breach of the legal regulator’s professional rules.

As Schillings’ Delivery Director of Cyber & Information Security, David Prince, says: ‘Cybersecurity is not just a technical issue. It is a business issue that requires the attention of everyone in order to be managed effectively.’


While diverse technical knowledge is required to implement the relevant safeguards, ‘these safeguards are ineffective if in-house lawyers do not at least understand what controls are in place and the purpose they serve,’ Prince adds.

The advice from legal regulators does not really help, not least because it fails to take account of how organisations need to work in the modern world. In the United Kingdom, as elsewhere, the legal regulator’s rules are designed to protect money held for clients and commercial confidentiality. Hence the reminder from the UK Solicitors Regulation Authority (SRA) that: ‘Cyber crime… presents a risk to Outcome 4.1, which requires that law firms “keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents”.’ The SRA notes that ‘responsibility to manage this risk is also aligned by Principle 8, which states: “run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles”.’

The position is comparable with many other jurisdictions. The New York State Bar Association has similar rules on protecting confidential information (rule 1.6) and client funds (rule 1.15). Even in jurisdictions where lawyer regulation is less clearly defined, such as Greece and many former USSR states, a financial services regulator may apply relevant rules.

Risk management is a defining aspect of any in-house role, yet it is a new concept for private practice. The SRA’s guidance on cybercrime is based on insights largely gained from the private practice model, and is therefore unhelpful in the in-house context.

For example, a modern business derives extra value from the flexibility of its workforce: people take a ‘bring your own device’ (BYOD) approach, are on social media, access systems remotely and, in a long-hours culture, quite reasonably expect to manage aspects of their personal lives from work.

In this way of working, some of the borders crossed are social; others are technical and commercial. Take the example of someone who is both a friend and a work contact, which is common in professional circles. Start to email them from a smartphone and, with the device now auto-completing their address from the two or more accounts you run on the phone, it is easy to pick a personal email address instead of a work address. Work conversations can then switch between two accounts and two systems. If this happens, do you separate the conversation cleanly in your head? Of course not.

The IBA Technology Law Committee estimates that the challenge of responding to cybercrime has led businesses to place the problem in a box marked ‘too difficult’ for too long. ‘Risks that can arise from IT security-related incidents were either ignored or neglected,’ says Stefan Weidert, Co-Chair of the IBA Technology Law Committee and a partner at Gleiss Lutz. ‘However, in the last few years, the importance of IT security has become more and more relevant, especially in public sector projects. It is to be expected that IT security standards will develop or even will be required by law.’

When assessing the risk posed by cybercrime, in-house and commercial lawyers must also consider the risk of action by financial regulators such as the United States Securities and Exchange Commission (SEC), which works closely with the US Department of Justice. For any business – or its in-house lawyers – that’s something of a perfect storm.

As magic circle firm Freshfields Bruckhaus Deringer warns clients: ‘Knowledge of a cyber attack may be regarded as inside information that meets the “reasonable investor” test (ie, information likely to inform investment decisions). The SEC… has issued guidance on when a company should disclose an incident, and has threatened enforcement action for failures to report.’

Most recently, Freshfields notes, the SEC announced a programme of inspections covering the cybersecurity measures in place at various regulated firms.

So, for those working in-house, but subject to rules designed for private practice, how is one to behave and respond? Unfortunately, the legal regulators are still ‘learning’ about the role of the in-house lawyer, and what it entails. Models of how to respond need to be borrowed from elsewhere. Banks are regularly ‘stress-tested’ by conducting financial crisis roleplay scenarios: all businesses need to do the same for a possible IT crisis. As Prince explains: ‘Ultimately, a good data breach response is a practised response.’

As with other areas where in-house needs to dovetail with the rest of the business, lawyers cannot work in isolation. They must spend time with colleagues in business-critical roles, learning their language and business practices. It’s no good taking comfort from a policy that assumes BYOD or home-working does not happen, when in fact it does.

Think of the casual interchange of information between banks revealed by the LIBOR rigging scandals, then ask why legal and compliance departments were caught off guard. Arguably, those charged with risk management simply did not know how their less careful colleagues worked. In future, where risk managers are lawyers, they may be disciplined by their own regulator for such an omission.

As ever, the basics apply, but they need to be applied with cybersecurity in mind. I hope I’ll be excused for suggesting a checklist as a series of posed questions (see box below). Answering such questions would take any in-house legal department a long way towards preserving commercial value and minimising regulatory risk for the business.

As Weidert concludes, for these reasons, and many others besides, ‘IT security and the implementation of in-house reporting standards should be at the top of the agenda for every company dealing with confidential information’.

Are your cybercrime defences up to scratch?

Does the business’ cybersecurity policy reflect actual business practice?

Are the cybersecurity policies consistent with the business’ other policies?

Would compliance checks on the use and security of the IT system and devices meet the standards expected by relevant regulators?

Is encryption adequately understood and applied?

Is access to business-critical and privileged information adequately limited?

How is the sharing of patents, contracts and privileged advice controlled? Does it meet the standards set out by the relevant regulators and in the business’ policies?

How recently were answers to these questions reviewed?

Do all law firms that the client deals with have adequate safeguards in place?

Author: Eduardo Reyes

Source: IBA GLOBAL INSIGHT. – 2015. – October/November. – P. 13 – 15.
