On the heels of breaches at Cravath Swaine & Moore LLP, Weil Gotshal & Manges LP and others, the Association of Corporate Counsel (ACC) has issued its first-ever guidelines on the basic data security measures that in-house counsel should expect from their law firms.
Law firms are warehouses of client information, which makes them prime targets for attackers. The legal ethics rules require attorneys to take competent and reasonable measures to safeguard information relating to a client (ABA Model Rule 1.6). Attorneys also have contractual and regulatory obligations to protect information relating to clients and other personally identifiable information, such as financial and health data.
Big law firms are the most vulnerable to hackers, according to an American Bar Association survey. The ABA found that 26 percent of firms with 500 or more attorneys that responded to its survey experienced a security breach in 2016. To put that into perspective, that is roughly 1 out of every 4! While many law firms are employing some safeguards and generally increasing and diversifying their use of those safeguards, the industry is not using common security measures that other industries employ. Enter the least privilege model.
As part of the guidance it has issued, the ACC calls for adopting a least privilege model for the information that law firms possess. Least privilege is the concept and practice of restricting access to only the information and resources that are necessary for a legitimate purpose. In practice, least privilege means enforcing the minimal level of user rights, or lowest clearance level, that allows the user to perform his/her role.
So, how do users acquire privileges? Depending on the system, some privilege assignment, or delegation, to people may be based on role-related attributes such as business unit (e.g. Finance, Human Resources or IT) as well as a variety of other parameters (project groups, physical location, executives and decision makers, etc.). Hackers, malware and ransomware, partners, malicious insiders and simple user error, especially in the case of super-user accounts, are responsible for the most common privileged threat vectors.
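To make the role-based delegation and the super-user risk concrete, here is an added example (not from the post, the ACC guidance or Stealthbits): a small Python audit that derives each account's least-privilege permission set from its business unit and project groups, then flags whatever the directory grants beyond that. The policy tables, permission names and sample accounts are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy: the minimal rights each business-unit role legitimately needs.
ROLE_BASELINE = {
    "Finance": {"billing:read", "billing:write"},
    "HR": {"personnel:read", "personnel:write"},
    "IT": {"systems:admin", "audit:read"},
    "Attorney": {"matters:read", "matters:write"},
}

# Constructed sample policy: rights unlocked by membership in a project group (matter team).
PROJECT_GRANTS = {
    "matter-1042": {"matter-1042:read", "matter-1042:write"},
    "matter-2077": {"matter-2077:read"},
}

@dataclass
class Account:
    name: str
    business_unit: str
    projects: set = field(default_factory=set)
    granted: set = field(default_factory=set)  # what the directory actually gives the account

def required_permissions(acct):
    """Least-privilege set: role baseline plus grants for the projects the account is on."""
    needed = set(ROLE_BASELINE.get(acct.business_unit, set()))
    for project in acct.projects:
        needed |= PROJECT_GRANTS.get(project, set())
    return needed

def excess_privileges(acct):
    """Granted rights not justified by role or project; a wildcard ('*') super-user grant is reported as-is."""
    if "*" in acct.granted:
        return {"*"}
    return acct.granted - required_permissions(acct)

def audit(accounts):
    """Return {name: excess} for every account that exceeds least privilege."""
    return {a.name: excess_privileges(a) for a in accounts if excess_privileges(a)}

# Constructed sample directory: one attorney scoped correctly, one finance user with leftover
# access after rotating off a matter, and one shared super-user service account.
SAMPLE_ACCOUNTS = [
    Account("a.lee", "Attorney", {"matter-1042"},
            {"matters:read", "matters:write", "matter-1042:read", "matter-1042:write"}),
    Account("b.ortiz", "Finance", set(),
            {"billing:read", "billing:write", "matter-2077:read", "personnel:read"}),
    Account("svc-backup", "IT", set(), {"*"}),
]
```

Running `audit(SAMPLE_ACCOUNTS)` reports `b.ortiz` for the stale matter and HR rights and `svc-backup` for its wildcard grant, while `a.lee` is silent because every granted right is justified.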
Getting to a least privilege model can be complicated, but it does not have to be. Here are some best practices to follow on your way to adopting a least privilege model: