Industry Specialization

Legal Services

Our certified experts have the tools necessary to protect your systems across different industries.

Although they generally don’t make headlines, there have been numerous law firm data breaches stemming as far back as 2011.

The legal industry is no longer immune to cybersecurity risks. Law firms are considered soft targets and provide a wealth of information that can easily be accessed by malicious hackers.

They are trusted to guard their client’s most sensitive information including intellectual property or trade secrets, but their level of security has been less than adequate. This has made law firms a prime target for data breaches. A 2012 Mandiant report estimated that 80% of the 100 largest U.S. law firms suffered successful data breaches by cybercriminals in 2011 alone. 

In 2011, the FBI held a meeting with the top 200 law firms in New York City to discuss the threats. In March of 2016, a number of news media outlets confirmed that a Russian hacker named “Oleras” targeted close to 48 law firms. The goal behind these attacks was to acquire confidential insider information as it pertains to mergers and acquisitions to be used to manipulate the financial market. One of the largest data breaches in history hit the legal industry in April 2016. The Panama Papers, as it’s better known, consisted of over 11.5 million documents (2.6 TB of data) spanning over 40 years being stolen from Panamanian law firm Mossack Fonseca. This massive amount of data was compiled from 14,000 clients and over 214,000 companies. The confidential files that were leaked from the Panamanian law firm included legal documents for law firm clients that were engaged in secret banking schemes and tax-related matters in Panama. This hack has opened up investigations into the activities of both the law firm and their clients and whether their conduct was proper.

 

This massive attack should be a wakeup call to all law firms to have a vested interest in improving their overall security posture.

In March of 2016, the FBI’s Cyber Division issued a Private Industry Notification warning law firms that a criminal actor posted an advertisement to hire a technically proficient hacker for the purposes of gaining sustained access to the networks of multiple international law firms. The most recent breaches in the legal industry have caused severe and long-term damages towards a law firm’s brand and reputation. Malicious hackers know that it’s easier to hack into a law firm than a large company that has layers of security in place. This has prompted not only the FBI’s Cyber Division to issue a warning to all law firms, but for the American Bar Association to pass a resolution that urges all private- and public-sector entities, including law firms, to craft and institute a robust cybersecurity program to tackle mounting data security threats.

The ABA’s Cybersecurity Legal Task Force Section of Science and Technology law adopted a resolution that “encourages all private and public sector organizations to develop, implement and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected."

The bar association’s Cybersecurity Legal Task Force Section of Science and Technology Law wrote that an “appropriate cybersecurity program” should entail conducting regular assessments of the threats, vulnerabilities and risks to data, applications, networks, and operating platforms as well as the implementation of appropriate security controls to address them. The ABA also encourages all organizations to “develop and test a response plan for potential cyber attacks, including disclosure of data breaches, notification of affected individuals and the recovery and restoration of disrupted operations,” and to enter into cybersecurity information-sharing arrangements and develop points of contact and protocols to enable such data sharing where appropriate.

Implementing an adequate cybersecurity program at both public and private law firms would not only mitigate the risk against today’s sophisticated cyberattacks but also reduce the high costs associated with cybercrime, including incident response and forensics, data breach notification, and reputational damage.

In addition to implementing an appropriate cybersecurity program, the ethics rules require attorneys to take competent and reasonable measures to safeguard information relating to clients (ABA Model Rules 1.1 and 1.6). Attorneys also have common law duties to protect client information and often have contractual and regulatory obligations to protect information relating to clients and other personally identifiable information, like health and financial information. Compliance requires attorneys to understand limitations in their knowledge and to either obtain sufficient information to protect client information, or to get qualified assistance if necessary. These obligations are minimum standards—failure to comply with them can constitute unethical or unlawful conduct. Attorneys should aim for security that goes beyond these minimums as a matter of sound professional practice and client service.

 

The first step that must be taken as part of an information security program is a risk assessment.

A risk assessment provides organizations with a tool to determine what needs to be protected and the types of threats that it faces. Two factors that must be taken into account is the level of sensitivity of the information that needs to be protected and the probability of disclosure if additional safeguards are not implemented. The results from a risk assessment determines the reasonable measures that attorneys should employ.

Security programs should always include measures to prevent breaches, but more importantly, information security should incorporate a four step approach of identifying, protecting, responding, and recovering from data breaches and security incidents. Security is not one-size-fits-all, and in order for it to be effective, it must be an ongoing process and not a set-it-and-forget-it effort.