Law firms have long held the position in our society of being problem solvers. They untangle the mess of business and create rules for society. Since their inception, law firms have devoted significant resources to ensuring the best representation of their clients. But now there are new threats that law firms face beyond the practice of law, namely data breaches and cyber-attacks, and they must begin to devote sufficient resources to ensuring the security of their clients’ data. If a firm is breached, its client files may inadvertently end up on a file server in China, Brazil or perhaps Russia, and in the hands of investigative journalists, government officials, corporate rivals or worse. One need look no further than recent headlines detailing the Panama Papers scandal or the recent string of law firm data breaches to know that there is a looming threat, and it must be addressed.
Consider the following hypothetical: A global law firm did not have proper access controls for different employees, which allowed for any employee to access the highly sensitive data of all the firm’s clients. One day, a new associate decides to poke around the firm’s high-profile client files. This employee is shocked at what he finds: The firm has been helping its clients move funds offshore and hide billions of dollars. This young, idealistic attorney decides to collect and leak all of the firm’s files related to this issue and is surprised to find that he has nearly unlimited access to the firm’s client data. After the leak, the firm – and the world – is scrambling to figure out what happened, and how millions of confidential documents were leaked to the public, as well as how to stop the leak, and control the subsequent reputational fallout to both the law firm and its clients.
While the above hypothetical may seem like a doomsday scenario, it is in fact analogous to what may have happened in the Panama Papers data leak. In that leak, it appears that an anonymous source, John Doe, found that the Mossack Fonseca law firm was not encrypting its emails, and was running a severely outdated version of Drupal, a content management system. John Doe was able to exploit the vulnerabilities in these systems and gain access to the firm’s files. By not having an up-to-date and proper information security posture, Mossack Fonseca exposed its clients’ data to a substantial, and otherwise avoidable, risk, which became realized when John Doe leaked over 11 million files to the public. The fallout of the leak has led to political scandal throughout the world, including the resignation of several high-level political officials (including the Prime Minister of Iceland).
These examples are not meant to scare lawyers out of the practice of law, but rather to serve as an explanation of the seriousness of a data breach in the law firm context, and as a reminder of why firms should be investing in their own information security. We all take calculated risks in our everyday lives, but generally we are cognizant of those risks, and are able to make well-informed decisions. Law firms must become cognizant of the risks associated with a data breach and focus on how they can best protect and secure their clients’ confidential data.
Investing in information security does not mean that a firm should go and spend millions of dollars. Rather, by becoming educated on the issues, and using common sense, lawyers can implement cost-effective methods that can dramatically improve their information security practices. Regular updating and basic IT controls, paired with developing a security-conscious business culture, will go far in addressing a firm’s data security liabilities. Moreover, certain security assets are cost-effective and can be very useful in securing a firm’s data: secure and easy-to-use file transfer solutions such as Citrix ShareFile or Covertix; a highly advanced email encryption service such as Safe-T or HPE SecureMail; and an integrated malicious-code detector such as Kaspersky Endpoint Security or Sasa Software, covering both the firm’s Internet connection and its individual physical devices. As effective as these solutions are, they all require buy-in from the firm’s employees, regular maintenance by the IT department, and proper, repeated training to be truly efficacious.
Even if these measures are taken, there will always be criminals actively trying to gain access to your systems, and ultimately, with enough time, it is almost certain that one will be able to get through a firm’s cyber defenses. However, implementing the above steps will prevent the situations detailed in the earlier examples, as well as deter the vast majority of cybercriminals, who generally seek out “low-hanging fruit.” Thoughtful pre-planning and moderate investment in human and technology assets will prevent all but the top cybercriminals (or top nation-state cyber players) from breaching the cyber defenses of a firm.
Law firms can address the risks of a data breach by strengthening the cyber walls surrounding their clients’ data. This can be achieved through a variety of means, including: investing in cybersecurity tools (such as those listed above); hiring internal and external cyber resources to augment the firm’s current information security practices; and, most importantly, developing a security-conscious business culture within the firm (more often than not, it is human failure rather than technological failure that results in a breach). As clients begin to place greater scrutiny on a law firm’s cybersecurity, firms that do change in order to employ the above strategies will see an increase in their marketability, and those that don’t evolve risk facing extinction.
With that being said, there is no one-size-fits-all solution for dealing with cyber threats, but with proper focus and resources, a firm can consider its unique factors and develop an information security posture that addresses its most compelling concerns. There are resources aplenty for learning about these issues, but it must be the firm that takes the initiative to implement them.
Meet the author
Daniel Garrie is Executive Managing Partner of Law & Forensics, Editor-in-Chief of the Journal of Law & Cyber Warfare, and Head of the cybersecurity practice at Zeichner Ellman & Krause LLP.
Author’s Note: Daniel Garrie would like to thank Masha Simonova and Benjamin Dynkin as contributors. Contact: Daniel@lawandforensics.com. The thoughts expressed herein are solely those of the author, and not those of ZEK, Law & Forensics, or JLCW. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by Law and Forensics, JLCW, or Zeichner Ellman & Krause, and such reference shall not be used for advertising or product endorsement purposes.