As reported in the Wall Street Journal on March 29, 2016, a number of U.S. law firms—including the prestigious Wall Street firms Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP—have become the latest victims of significant data hacks. And in posts to underground web sites, the hackers have threatened to breach other firms. Consequently, the Federal Bureau of Investigation recently issued another alert warning law firms about potential attacks.
These news headlines draw attention to an issue that we’ve been worried about, and talking about, for years—the security vulnerabilities of law firms, who posess their clients’ most confidential and valuable information. In a terrific article published recently by the Association of Certified Financial Crimes Specialists, the author aptly describes the problem:
“Hackers are increasingly painting a bullseye on the cyber defenses of law firms, attempting to gain access to a ‘treasure trove’ of sensitive, material and confidential information on everything from mergers and missteps to patents and punitive lawsuits.”
In connection with the recent law firm breaches, the Manhattan U.S. Attorney’s office and the FBI are conducting a probe into whether the hackers stole confidential information for the purpose of insider trading. But insider trading is only one reason thieves might target law firms. Law firms hold information about potential mergers and acquisions, patents, trade secrets, litigation plans, corporate financials, property transactions, personal financial and health information, criminal investigations of organizations and individuals. . . and the list goes on. All of this non-public material holds value for hackers, and they are turning to increasingly sophisticated means to steal it.
So what can law firms do? First, start with amped-up training for lawyers and staff. The weakest link in the security chain at most firms is its people. Hackers exploit this weakness by using email scams, along with phishing, spear phishing and business email compromise attacks. Train all members of the firm, from the most senior partners to the newest legal assistants, about how to spot these cyber attack techniques and refrain from falling victim to them. Law firm personnel also need good training on essential physical data security measures, especially for their mobile devices. Lawyers who use unencrypted laptops and smartphones with weak password protection pose a major security risk—these devices are electronic “keys to the kingdom,” which hackers can easily get their hands on.
Beyond training their people, law firms should follow their own advice, and develop robust data privacy and security programs on par with those deployed by their corporate, financial, and government clients. A law firm’s data security should be as tight as—or perhaps tighter—than its clients’. Here’s a good list of action items to get started (credit goes to the ACFCS for compiling this list in its article):
- Conduct a vulnerability assessment: Every firm’s weaknesses are unique. Consider engaging an independent consulting firm to conduct a “cyber risk assessment,” that will examine the firm’s systems and weak points. The goal is to find security openings before the bad guys do, and close the gap between current and ideal security states. The widely-used NIST framework can be a useful benchmarking resource for firms.
- Shore up systems and software: Ensure that all computers connected to the network have appropriate, updated anti-virus systems, and that programs and operating systems have all the latest patches installed.
- Implement access monitoring and restrictions: Law firms should consider access limitations for its network systems, using role-based requirements. Firms may also want to invest in network monitoring systems that can reveal unauthorized access to and/or transfer of data.
- Hire data security professionals: In today’s environment of significant data security threats, the traditional IT generalist employed by a law firm may not have the skills and experience necessary to carry out a rigorous security program. Consider hiring one or more experts who do.
- Don’t forget physical security: While information stored electronically on network systems poses a substantial risk for law firms, so does old-fashioned paper. Likewise, physical media such as USB drives and removable hard drives can contain large volumes of sensitive data. So firms must also undertake physical security measures. Consider restricting access to places where sensitive paper records are stored, and perhaps adding cameras to those secure spaces. Train personnel on the proper methods to store records and digital media that contain confidential information.
According to an American Bar Association report released last fall, 25 percent of U.S. law firms with 100 or more attorneys reported that they suffered a data breach. Among firms of any size, 15 percent experienced a breach. These numbers are too high for law firms to ignore—it’s time to make data security a top priority. Here at DiscoverReady, we’re proud of our industry-leading security measures. And we welcome the opportunity to partner with our clients’ law firms to share our strategies for protecting our clients’ most important information assets.