Minneapolis attorney Stephen Yoch became a cybersecurity expert by accident.
Six years ago, he represented a construction company in a lawsuit in which an employee claimed unpaid wages after he reportedly stole data from the company. Yoch learned about cybersecurity as he went and ended up winning the case.
Since then, Yoch has developed an expertise in cybersecurity response and has advised a growing number of businesses, including other law firms, on cybersecurity preparedness and crisis management.
While news headlines focus on data breaches at large companies, the reality is that basically every company is open to cyberattacks, Yoch said.
“Breaches aren’t preventable. They are inevitable,” Yoch said.
Yoch spends a lot of time telling organizations that he calls “low-hanging fruit” for hackers what to do to prepare for cyberattacks. But most of the time, they call him after data has been compromised and they want to know the best course of action.
In a study by the Ponemon Institute on cybersecurity in small and medium-sized businesses published this past July, 55 percent of respondents said their companies had experienced a cyberattack in the past year and 50 percent reported they had data breaches. According to the National Cyber Security Alliance, 60 percent of small firms go out of business within six months of a data breach.
Cyber-response issues have grown to be about one-fifth of Yoch’s business at the Felhaber Larson law firm. He regularly teaches webinars on the topic, and he recently earned a certificate in cybersecurity and privacy law from the Mitchell Hamline School of Law, a program that the school started offering last year.
The program was created to fill an educational gap that has become more important as those in the legal and other fields need practical skills to address the growing threat of cybersecurity, said Holly Noble, a director in professional legal education programs at Mitchell Hamline.
“It’s helping to build a framework around cybersecurity and privacy within an organization,” she said.
Many times Yoch is called when a data breach has already happened. He helps secure forensic computer consultants who try to recover the computer systems and figure out what data could have been compromised. After the extent of the breach is determined, Yoch assists companies in figuring out how to notify people whose data was stolen and make public disclosures if necessary.
Companies should have incident response plans in case a breach does occur — response plans that can also help identify any security weaknesses the company has. Oftentimes, Yoch said, it is hard to convince smaller companies of the benefit of cyber readiness since it is yet another cost that they have to shoulder.
“I feel like I’m crying fire when there hasn’t been a fire,” Yoch said.
Yoch is not the only local attorney who is working on cybersecurity issues. Several larger local firms, such as Fredrikson & Byron and Briggs and Morgan, have separate data protection and cybersecurity practices.
While many law firms have begun to advise on cybersecurity, they can still do a better job as an industry in protecting their sensitive information, Yoch said.
This summer, DLA Piper, one of the world’s largest law firms with about 3,600 lawyers, was hit with a ransomware attack that is believed to have spread from Ukraine. For days after the attack, all phones and e-mails at DLA Piper were knocked out. What happened to DLA Piper was seen as a wake-up call for other law firms, Yoch said.
“They are the second tier down. … They have huge amounts of data,” he said.
One industry segment that has become more sophisticated in its approach to data protection is utility companies.
“Cybersecurity in general is one of the strategic objectives of the organization,” said Mjyke Nelson, chief information officer and vice president of information services at electric distribution cooperative Dakota Electric Association, a client of Yoch’s.
During a board meeting in which Yoch needed to insert a memory stick to share a presentation, Nelson had it yanked out of the computer, saying that it needed to be checked first to make sure it was safe.
Nelson declined to provide details on the level of security measures that Dakota Electric practices, but he said a big part of the challenge is to keep employees well-trained.
“Our people are our greatest strength and they are also our greatest weakness,” Nelson said.