Law firms are under fire as a result of recent cyberattacks, specifically in the wake of the Panama Papers leak. The “Panama Papers” leak exposed 11.5 million records from the Panama-based law firm Mossack Fonseca, which has put the legal community on high alert. There is no doubt that law firms are being targeted by attackers seeking to access, steal, and leak their clients’ secrets and confidential information.
Law firm IT systems hold some of the least secured stores of data, as the practice of law is a venerable profession in which change comes slowly. However, it is only a matter of time before the ABA and the courts raise the bar for ethics and “reasonable measures” to protect client data. Some information is so sensitive that an entire corporation's survival rests on its security.
Recently, BankInfoSecurity.com weighed in:
Two lessons that all law firms - and other organizations - should learn from the massive leak are the need "to protect against insider threats - if they have not learned the lesson from Edward Snowden," as well as "to double-down on their due diligence in hiring employees," says attorney Sean Doherty, an information governance, compliance and e-discovery analyst for market researcher 451 Research. A third lesson, he says, is "the power of the press," noting that "their power to investigate is second only to nation-states."
But it's not clear how many law firms - or other organizations, for that matter - have been heeding advice to beef up their cyber defenses, despite law enforcement agencies and cybersecurity firms issuing repeated warnings about the risks of attacks by insiders, fraudsters, hacktivists, unscrupulous competitors, and nation-states.
The article went on to note that in 2011, the cybersecurity firm Mandiant estimated at least 80 U.S. law firms were hacked, noting:
Law firms are a prime hacker target because they handle secret details of intellectual property, mergers and acquisitions, and other potentially valuable information.
A spokesperson from a global information technology analyst firm said,
Law firms, being "custodians of client data," must make sure they're encrypting all data, both when stored and in transit, and carefully control, via granular file-access controls, who can open, view, edit, copy, even transmit them via email. All file access should be logged, analyzed and reported for unauthorized use or unusual activity or anomalies. Of course, that advice applies to any organization that handles or stores sensitive data. [I am] also a proponent of using dedicated and secure virtual workspaces for handling confidential information. The damage of a data breach in law firms is monumental. In the era of cybersecurity, firms must up their defenses against evolving threats.