Towards a Security-First Law Firm
In some circles, IT in particular, lawyers and law firms are considered luddites. Evidence that the legal community lags behind in the adoption of technology can be found in the annual ABA surveys: in 2018, only 57% of law firms even set aside a budget for technology, including only 53% of firms with 2–9 attorneys.
Whether attorneys are ready or not, the legal field is squarely within the crosshairs and at the mercy of some of the most advanced emerging cyber-threats. A concerted effort to upgrade the security policies and technical infrastructure of law firms will be necessary if firms are to avoid exposing themselves and their clients to serious risk and liability.
Why do cybercrime syndicates target law firms?
The answer is simple: law firms have copies of confidential and valuable information about the world’s largest and most powerful corporations and governments. The largest law firms represent a global cross-section of nation states, Fortune 1000 companies, billionaire investors, monarchs, financial institutions and many more.
Law firm servers hold valuable business intellectual property, embarrassing personal information, bank and financial information, tax documents, patents and a whole host of data that could tip the balance in a merger/acquisition setting, an insider-trading scheme or in an active legal dispute.
In short, cybercriminals who are looking for valuable information to quickly monetize through an auction or via ransomware have hit the jackpot with the poorly guarded information systems of many law firms.
In the latest example of a hacking group targeting law firms, The Dark Overlord group hacked and released litigation information stemming from the 9/11 attacks that involves companies such as Lloyd’s of London, Hiscox Ltd, Silverstein Properties Inc., and many others. The group is attempting to sell the rest of the data before public disclosure.
The since-deleted posts, made on a Twitter account claiming to represent The Dark Overlord, originally promised:
If you’re one of the dozens of solicitor firms who was involved in the litigation, a politician who was involved in the case, a law enforcement agency who was involved in the investigations, a property management firm, an investment bank, a client of a client, a reference of a reference, a global insurer or whoever else, you’re welcome to … make a request to formally have your documents and materials withdrawn from any eventual public release of the materials. However, you’ll be paying us.
This data is believed to have been stolen from an unknown American law firm that was hacked in April 2018. While the value of the data is unclear, it is quite clear that the law firm exposed all of its clients, and anyone even tangentially related to or involved in the matters it handled, to public disclosure.
The hacking group, which was also responsible for leaking Netflix shows, is demanding payment in cryptocurrency under threat of continued public release. Depending on the value of the data, parties may be willing to pay to suppress public release of sensitive documents and confidential information.
Situations like this, while unfortunate, will become all too common as more and more hackers turn their sights on law firms.
1 in 5 Law Firms Has Been Breached & 40% of Them Don’t Know It
Public awareness of the vulnerability of law firms first emerged during the 2016 leak of the Panama Papers after the attack on international offshore law firm Mossack Fonseca. While the Mossack Fonseca breach is perhaps the most notorious breach of a law firm, the FBI’s cyber division’s records reveal that attacks against law firms are ongoing and escalating.
According to the American Bar Association’s Legal Technology Survey, 22% of law firms experienced a breach, with 35% of firms with 10–49 attorneys reporting a data breach.
Additionally, surveys from the IT consulting company Logic Force demonstrate that 40% of firms that experienced a breach in 2016 were unaware of it. Moreover, 45% of law firms do not have active and updated cybersecurity policies in place, or ongoing and documented cybersecurity training for their staff.
These statistics are especially alarming in light of how quickly the cyberthreat landscape evolves.
Safeguarding a Law Firm’s Information, Reputation & Standing
The damage to a firm’s reputation after a successful breach and exposure of confidential client information can be catastrophic and final. Indeed, despite representing more than 300,000 companies over decades, Mossack Fonseca was forced to shutter its doors in March 2018.
In addition to concerns about reputation, the American Bar Association (ABA) has affirmed the duty of lawyers to monitor and report on data breaches that affect former and current clients. Additionally, the ABA encourages law firms to go above and beyond reactive breach notification procedures and proactively develop incident response plans. In October 2018, the ABA issued Formal Opinion 483, which states:
“As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach,” … “The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach.”
If law firms adopt the practices of corporations in regulated industries and obtain an ISO 27001 certification, they can decrease their exposure significantly.
While a certification will not eliminate the risk of a breach, it would allow a law firm to secure its critical information assets while reassuring clients that the firm has a robust information security process in place.
Law Firms & Competitive Differentiation
There is an opportunity here for law firms to distinguish themselves with their clients by proactively demonstrating that they are a security-first legal services provider.
Law firms that can detail precisely how they have secured their processes, software, hardware and staff with an active security management program will be an asset to their clients rather than a liability and a security risk.
Such a program will be a competitive advantage when soliciting new clients and retaining existing ones.
#Law Firms, #Cybersecurity, #Hacking
Authored By: Khullani Abdullahi