Clutch’s Information Solutions Architect Quoted in Law360 Article

March 31st, 2015

KJ Stillabower, Information Solutions Architect at Clutch Group, was recently quoted in a Law360 article about firms’ increasing fear of cyberattacks. Stillabower talks about how encrypting your company’s website can be one of the most important steps taken when amping up cybersecurity. Read the full text below or follow this link to the article.

Firms Move To Encryption To Quell Cybersecurity Fears

By Jonathan Randles

As law firms continue to face pressure to bolster their cybersecurity, large firms like Perkins Coie LLP and DLA Piper have begun encrypting all traffic to their websites, a basic tool to protect client privacy that has so far been overlooked by most in the industry, experts say.

Perkins Coie and DLA Piper recently switched their Web protocols to Hypertext Transfer Protocol Secure, or HTTPS, which is the encrypted version of standard HTTP; other firms are also moving in that direction, experts said. Although HTTPS is not new, and is used for online banking, email and other forms of secure communication, its use is not widespread on law firm sites.

But that’s likely to change as firms continue to face pressure from clients to ensure all Web data is protected and more and more firms move their sites to HTTPS by default. HTTPS prevents third parties or Internet service providers from being able to tell what sites you’ve visited.

Before a client even begins talking with an attorney, a wealth of information can be gleaned from what practice areas a person is researching, said Christopher Soghoian, principal technologist at the American Civil Liberties Union. A hacker or corporate adversary could try to exploit a company it knows is clicking on law firm bankruptcy pages or researching mergers and acquisitions practice groups.

Ultimately, the failure of firms to switch their sites to HTTPS by default will be seen as unethical, Soghoian said. Several federal and state agencies have already made the move to HTTPS by default, including the White House last month.

“Encryption should be the default for everything on a law firm’s website,” said Soghoian. “Encryption isn’t just for protecting private data transmitted to a firm, but should also be used to protect which pages a client or potential client is looking at.”

Soghoian spent years pushing Google Inc. and Facebook Inc. to go to HTTPS. He said he became aware of the oversight at U.S. law firms while attending the National Association of Attorneys General conference held last fall in Providence, Rhode Island. He said he communicated the concern to DLA Piper’s Jim Halpert, co-chair of the firm’s U.S. cybersecurity practice.

DLA Piper spokesman Josh Epstein said in an email that the firm implemented HTTPS “across our website,” as well as additional changes to the site, on Nov. 19.

Since the conference, Soghoian says he’s been in contact with several firms who have either switched to HTTPS or are planning to do so in the near future. Perkins Coie confirmed it is also among the recent converts that have gone to HTTPS by default.

Law firms — which historically have been slow to adapt to market changes and adopt new technology — have been under pressure to shore up their cyberdefenses. In October, New York’s banking regulator said law firms are a type of third-party vendor that could compromise a financial institution’s security.

Lawyers have said that, in recent years, they’ve begun to see more clients inquire in greater detail about what type of security they have in place for the sensitive customer and business data the banks are preparing to share with the firm.

More law firms have shown greater urgency in beefing up their security and adding levels of encryption to their websites in the last 12 to 18 months, said KJ Stillabower, an information solutions architect at Clutch Group LLC, a legal, risk and compliance consulting firm. He said Clutch Group has also seen some hesitance from corporations in allowing law firms to hold onto sensitive data.

Ensuring its website is encrypted is a basic step every firm should take to build trust with clients, particularly large businesses and corporations, he said.

“If your website isn’t secure, what else isn’t secure?” Stillabower said.