The need to input a username and password when logging into a computer is a “single factor” authentication. But, from a security perspective, that single factor authentication only goes so far. Consider, for example, the ramifications if a hacker steals or guesses your username and password. What information could be compromised?
For law firms, cybercrime and data breaches have become a major concern because of the confidential and sensitive information lawyers have access to and often store on their computers.* Recently, the New York City Law Department, a 1,000 lawyer agency responsible for representing the City of New York and guarding the personal information for thousands of city employees, was snakebit by a cyber-attack. The cause of the cyber-attack was a stolen email password from a Law Department employee. The aftermath, however, has been devastating in many respects. First, attorneys for the Law Department have been unable to access files. This in turn has necessitated requests for adjournments and compromised counsel’s ability to represent zealously its clients. Second, the security lapse revealed the Law Department was alarmingly disorganized in its handling of confidential information, such as clients’ medical records. Third, as a result of the hack, the Law Department’s Chief Information Technology Officer was reassigned and replaced.
Regrettably, the incident may have been avoidable. Indeed, the Law Department was sluggish in maintaining its network’s systems and failed to comply with a 2019 directive from New York City’s Cyber Command Division to implement multi-factor authentication on all systems. Specifically, multi-factor authentication requires a user to enter multiple credentials to verify their identity within a system. Multiple factors may include confirmation of (a) something known to the user (password); (b) something a user possesses (phone or code); or (c) other personal identifiers (biometrics or voice recognition). The benefits of implementing multi-factor authentication is rudimentary in nature, as increasing the amount of layers of security will decrease the likelihood of cyberattacks. For example, had the Law Department implemented multi-factor authentication prior to the breach, the cyber-criminal would have needed the employee’s password and cell phone to access the network. Further, multi-factor authentication can protect a law firm’s network from more sophisticated cyberattacks such as phishing.**
In sum, with many law firms still working remotely, improving the security of a firm’s network may feel like a moving target. Nevertheless, as the title of this blog post suggests, implementing multi-factor authentication will not only help law firms protect clients’ interests, but also save them the embarrassment of spending a significant amount of money and time to resolve a preventable disruption.
*An October 2020 American Bar Association report found 29% of law firms reported a security breach, with 36% reporting past malware infections to their systems (https://www.americanbar.org/groups/law_practice/publications/techreport/2020/cybersecurity/
Thank you to second year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.