by Paul Jensen
The point at which law and technology meet is becoming more prominent in litigation proceedings, effectively dictating outcomes of trials with greater consistency as time goes on.
Attorneys are gaining access to sensitive devices, data storage environments, and other cornerstones of digital business more frequently than ever before. Collections, reviews, and other evidence-focused processes can be extremely sensitive, and all attorneys must recognize the principles, best practices, and virtues of these activities before beginning to interact with information sources.
One increasingly popular subject in this conversation is ethical hacking.
In many cases, attorneys will be overseeing and orchestrating ethical hacking activities, especially when they are not themselves computer scientists. However, regardless of what role an attorney is playing in ethical hacking procedures, there are some key points they must understand.
Let’s discuss the topic through the lens of varying ethical hacking objectives.
Ethical hacking for data security
This is easily the most commonly discussed element in the ethical hacking arena today, and continues to be a more important subject as IT security concerns heighten across industries. In this scenario, ethical hackers will conduct penetration tests to evaluate how tight a legal or corporate entity’s controls are in practice.
The American Bar Association published an article by Ronald Raether, Jr., who is a partner at Troutman Sanders LLP, regarding ethical hacking’s rise to prominence in the fight to protect intellectual property. According to Raether, attorneys need to understand several core elements of ethical hacking to ensure that they are using the strategy properly, including the following:
- Data: The evaluation of information that is accessible to nonauthorized parties through pressure testing, as well as the identification of data usage rules and limitations.
- Methodologies: The types of ethical hacking techniques being used, which could be highly technical in nature, or complete trickery. Think of different hacking tactics here, such as those that seek to fool victims into giving up sensitive information (phishing) or brute-force techniques (distributed denial-of-service).
- Hacker: Raether urges attorneys and firm leaders to be especially careful about whom they choose to act as the ethical hacker, and to be thorough when crafting the agreements, such as non-disclosure agreements, that the party will sign.
- Analysis: The decision of who gets to view the findings of the hack, how that data is used, and in which ways the final insights will be distributed.
Raether argued that every cybersecurity strategy needs to include an ethical hacking component, and that the legal side of the firm must work closely with IT to get the job done properly and in a way that minimizes liability.
Law firms and legal departments that have never conducted ethical hacking projects should certainly consider doing so soon, particularly when they specialize in IP management. Keep in mind that the World Intellectual Property Organization estimates that IP can account for up to 80 percent of an enterprise’s value, and hackers are increasingly targeting these assets.
Ethical hacking can help to better protect all data from internal and external threats.
Attorneys acting as ethical hackers
While third parties and internal IT professionals will often be the ethical hackers, there is something to be said about attorneys playing this role. Again, it is a highly technical ordeal, but the benefits of having a legal background mixed with the ability to hack computers can be vast in today’s landscape.
Take, for example, attorneys Dan Nelson and Lucas Amodio of Armstrong Teasdale LLP, who underwent the necessary certification and training programs to become ethical hackers. Because of their understanding of the law, particularly with respect to privacy and information retention, they can provide their clients with more comprehensive insights into the methods and results of ethical hacking activities.
Additionally, think back to Raether’s assertion that the data-at-issue component of ethical hacking needs to be understood through the lenses of liability and legal implications. Whereas a strictly IT-minded ethical hacker might not comprehend those matters given their background, attorneys are expected to be well-versed in liability and relevant subject matter.
The Electronic Frontier Foundation mentioned the inherent risk involved in leveraging the services of a pure IT-based ethical hacker, as the individual might mistakenly violate a law during the process. According to the organization, when this occurs, matters get very dangerous, with firms facing either a continued susceptibility in their security framework or a lawsuit following the admission of the mistake.
This is not to say that businesses should not consider leveraging an IT-minded party to complete these activities, but rather that there are quite a few advantages of having an ethical hacker with a legal background. Given the new demands of attorneys and legal professionals in the digital age, it is likely that more will seek out these certifications.
The path forward
If you are interested in learning more about ethical hacking certifications, education, and training, here are a few resources to consider:
- EC-Council: This group provides a range of white-hat hacking certifications.
- Tom’s IT Pro: This publication offers some strong insights into how to become certified.
- Legaltech News: The popular online magazine has a great article written by Gabrielle Orum Hernandez that focuses particularly on ethical hacking in the context of eDiscovery.
Finally, you could heed the call of Franklin Graves, who argued that “every attorney should participate in a hackathon,” and join one of the events in your area.
At the end of the day, though, if computer science and technical certifications are simply not in the cards, make sure you are working with a service provider that possesses a strong balance of legal and IT expertise.
For example, leveraging the assistance of a litigation support firm rather than a pure-cybersecurity service provider can help to keep liability low while still yielding an exhaustive and accurate analysis of your firm’s security performance. As long as you appreciate the importance and risks of ethical hacking in the legal sector today, this practice can be extremely valuable to your firm.
Paul Jensen is a Discovery Consultant at HAYSTACKID