Nightime Shadow

Reposted with permission from Akron Legal News.

There is at least one in every firm, said Joseph Marquette, president of Accellis Technology Group, a Cleveland-based computer security firm specializing in law firm technology safety.

Marquette says it is the attorney or attorneys, usually a senior partner, and even often the partner-in-charge of the office’s technology, who thinks that the firm’s computer security rules do not apply to him.

“Every firm,” said Marquette, who described what is essentially low-level anarchy in the inner office workings of law firm technology that is now being called “Shadow IT.”

Marquette spoke at a recent Cleveland CLE seminar entitled “Securing Your Digital Files from Cyber Threats.”

A well-known local figure in law firm computer security, Marquette shared presenter duties with John H. Roth II, another member of his firm, and with Rebecca Sattin, CIO of World Software Corporation, developer of legal document management system (DMS) Worldox.

The term “Shadow IT” is becoming a term of art, according to Tech Pro Research who defines the phrase in a communication as “a recent phenomenon whereby technology, services or systems are used within or by employees in an organization without knowledge of or approval from the IT department.”

Shadow IT, said Tech Pro, “can help promote user productivity, self-reliance and technological familiarity, but it can pose serious risks to data security and corporate compliance.”

In the law office, said Marquette, Shadow IT manifests basically as attorneys using their own personal devices, email and social media accounts to conduct firm business without the knowledge or consent of either or both of the IT department or the partners(s) charged with computer security.

Shadow IT can come from an attorney’s frustration with the rules of computer security, or just from impatience, said Marquette. But, he said, it does not really matter because any device or account that has access to the firm’s computer system and that is not controlled by the firm’s computer security systems poses an automatic threat to the firm.

And more and more “law firms are now specifically subject to attack,” said Marquette, noting that a number of New York firms reported ransomware and phishing attacks in the last several months.

Sattin said that the federal government saw this coming a long time ago.

“In 2012, the FBI met with about 200 law firms in New York City to warn them,” said Marquette. “There are no regulations for how law firms store data. Law firms’ data storage was a virtual treasure trove for hackers. Their response was: ‘Why Me? ‘Why spend the money?’”

In 2015 and 2016, there was something very different about the recent attacks from previous ones in years gone by, said Marquette. Instead of looking for specific information that could be cashed in on the spot, like information that could be used for insider trading or billing information, Social Security numbers and so on, these attacks compromised all of a firm’s data, whether it could be used now or not, he said.

“This is the long game, the long con,” said Marquette, likening this new hacking technique to the movie The Sting. “They may be sifting through information that they won’t even be able to use for years.”

When creating a security strategy, Marquette said, a major part of that planning is deciding what information is most important, and should be secured the most effectively. Hackers used to target specific information. No longer, he said. Now, all data is at risk. And lawyers, he said, really have very little idea how much, or what kind of, data they really have.

The threat is exacerbated by a firm’s Shadow IT, he said. A lawyer could be using his own email account to send emails to himself or a personal Dropbox account that contain confidential client information and “Wham,” said Marquette. “That data is vulnerable.”

That information, he said, could include confidential client data, to be sure, but, beyond that threat, using a Shadow IT technique also violates ABA Model Rules 1.1, 1.6 and ABA Resolution 109—all rules regarding data security.

The solution to this problem, said the panelists, is to run a sweep of the firm to make sure that no one has created a personal Shadow IT problem and, if there is one, to make sure it is corrected, and that the proper people control the security of every single device that can be connected to the firm’s data.

That now should be a part of every security plan, and include all personnel–even the senior partners.

Article by Richard Weiner, Legal News Reporter. Published June 17, 2016.