Attacking the Weakest Link Law Firm Data (In) Security
by Daniel B. Garrie the Senior Managing Partner at Law & Forensics LLC. He focuses on e-discovery, digital forensics, cyber security and warfare, data privacy, and predictive coding working with law firms, governments, companies, and non-profits globally.
Law firm culture has long focused on the ability of its attorneys to bring a high level of thought and analysis to every legal case on its roster. However, similar care has not been spent by firms when it comes to data security. For many firms hiring world class security engineers to work full time is seen as impractical or acquiring the right hardware and software solutions is too costly. What firms do not realize is that client service must include these steps to ensure that all of the files are not found on a file sever located somewhere in Asia, Brazil, or Russian for example.
Consider the following hypothetical: A global law firm with over 500 attorneys had a policy allowing employees to use their personal devices, including cell phones, tablets, and laptops, for work purposes. One senior partner used his smartphone for work email, viewing files, and connecting to the law firm network to access client materials outside of the office and to get documents stored in the cloud. This senior cost-conscious partner chose to use his smartphone for both work and personal use, as the need to segregate data and users was not brought to his attention. One day while driving his son to school, the senior partner lets his son use the smartphone to surf the internet and download a new game. However, this game came with malware code attached to it, which accessed to the senior partner’s data on his smartphone. More importantly when the senior partner logged onto the firm’s intranet, the malware program infiltrated the firm’s servers. This silent intrusion allowed the malware to transmit data back to the developer, this data included bank account information, credit card information, confidential information for high-profile clients, all available to the highest bidder. Within days of the breach, the law firm was floundering to determine how their networks were hacked, how to stop the leak, how to manage their client relationships, and how to remedy the reputation fall out.
While the above hypothetical may seem like a doomsday scenario, a simplified copycat version of Stuxnet could easily do just that. Our experience advising law firms and in-house legal departments on these issues has shown that there are cost efficient alternatives that can dramatically improve a firm’s data security. While investing millions is not practical, if the law firm has a security aware culture and has purchases and implements one of the current solutions available in the marketplace, it can implement a secure, easy to use and manage file transfer solution; highly advanced email encryption — any size, any client, any device; integrated malicious-code-detection for both internet connection and physical devices; solution that manages and protects data in transit between mission critical system and security platforms; and technology that provided network protection from all outside threats.
The list of software discussed above seems long and complex, however, several vendors offer a single solution and can be purchased and managed by in-house or third-party vendors. While we will probably never live in a world where parents never lend their smart phone to their children, we do live in a world where the entire hypothetical could have been averted by some thoughtful pre-planning.
Law firms have long been the vault for personal and corporate confidences, but the increasing number of hacks should leave clients questioning the strength and security of their law firm protects their data. The simple principle of attacking the weakest link often may lead back to law firms, as they often do not invest in the technology, people, and cultural awareness necessary to provide strong security.
A recent Wall Street Journal article lauded law firms as the first stop in cyber security response, lauding the benefits of attorney-client privilege and knowledge of corporate disclosure laws. While knowing the law is great and half the battle, the physical hardware and software piece is equally critical. A more tangible public example one can turn to the article published on January 31, 2012, on Bloomberg where it discusses how Chinese based hackers looking to derail the $40 billion acquisition of the world’s largest potash producer by an Australian mining giant zeroed in on offices on Toronto’s Bay Street, home of the Canadian law firms handling the deal. The details while not fully available recognize that the hack hit seven different law firms as well as Canada’s Finance Ministry and the Treasury Board. While the deal fell apart for unrelated reasons, the incident illustrates the vulnerability of law firm. According to Mandiant, it estimates that 80 major U.S. law firms were hacked last year which is in-line with our experience.
The knowing the law is a great arrow in ensuring a law firm protects their client’s data, but rest assured neither individual nor state-sponsored hackers are deterred by the tenets of attorney-client privilege. Just as you wouldn’t put your money in a bank without a vault, you should not trust critical, sensitive, or material corporate data to a law firm, if the said firm has a weak “data protection vault.”
Unlike a physical structure of a bank, the level of information security readiness and effectiveness is not readily apparent, especially to those that are not technically skilled. Thus, any company large or small, should in retaining counsel demonstrate they know how to securely hold and manage your organizations data. This is particularly true in cases involving technology, trade secrets, or sensitive corporate data. In turn, firm’s who know how to manage and secure technological assets should use that competitive advantage in marketing themselves to existing and potential clients.
So, what can law firms do to simultaneously enter this new area of practice and ensure that their new client’s data remains safe? Create network data maps, monitor digital access logs, hire in-house and outside experts, acquire appropriate computer hardware, buy software such as (Safe-T), and create a culture that is security-centric. Often the weakest link is not the technology but the people, so it is essential firms make sure ingrained in every employees mind is the need to be security aware. These are a few of the preventive and prophylactic measures that are at the disposal of law firms. There is not silver bullet and the right solution will vary based on the size, geography, people, and systems a firm has deployed. That said, every firm should seek out and employ the right solution for it and their clients.