Law firms are sitting on a veritable treasure trove of data for hackers to poach. They have credit card information, social security numbers, and intimate details about their clients that could all be exploited if a hacker found an opportunity to do so.
Unfortunately, law firms are sitting ducks for a cyberattack.
According to some analysts, at least 60% of companies would have to deal with a data breach in 2015. Yet only 21% of global security technology decision-makers report that improving incident response is a critical priority.
With big data comes big responsibility. Big data hit the mainstream in 2015, and in 2016, the focus will shift in two ways. First, analysts will move away from just gathering and organizing the mass of data and start moving toward actionable insights and suggested courses of action for their companies and subscribers. Second, organizations will focus more on keeping all that data secure.
This two-part series will investigate how law firms are far too often the weak spot in corporations’ data security. It’ll dive into what hackers want, what the consequences are if they succeed in getting it, and concrete steps to close the gaps in your firm’s digital data security.
Cyber threats are real, and growing
Sony recently faced five class-action lawsuits for failing to properly secure former employees’ personal information. Data theft is often laughably easy.
A hacker who called himself Guccifer, after the luxury brand and lord of the underworld, stole powerful politicians’ emails with a single normal PC and cell phone. He has no advanced training in software or programming. Real name Marcel-Lehel Lazar, he used a VPN tunnel to change his apparent IP, then literally spent six months guessing usernames and passwords until one worked. He then trawled through the email accounts of the Bush family, Colin L. Powell, military and intelligence officials, and scores of celebrities. Lazar published a massive archive of stolen emails on cryptome.org. He’s now serving a seven-year sentence in a Romanian prison for hacking.
The cost of lax security is significant. Ponemon Institute calculated the cost of cyber crimes in 2014. It found the cost has grown by 96% over the past five years for U.S. organizations. Over that time, the average organization’s overall data breach outlay was $12.7 million.
More than 80% of directors say they discuss cybersecurity at most if not every board meeting, according to a 2015 survey by the NYSE Governance Services and Veracode. But 66% are not confident that their company is able to protect itself against hacking.
According to The Wall Street Journal, Allied Business Intelligence Inc. predicted that globally, critical infrastructure industries would spend $46 billion in 2013 on cybersecurity. When the costs of a breach are high, precautions are warranted. The same article opens with the story of Robert Carr, CEO of Heartland Payment Systems Inc.
Hackers found more than 100 million of his customers’ credit- and debit-card numbers. Carr ended up paying $150 million in fines and legal costs. Worse, his credibility in the payment-processing industry suffered considerably. In the interim, Carr has quadrupled the security budget for his company, including adding more encryption and system-monitoring tools.
That’s the general threat, and unfortunately, law firms have their own unique vulnerabilities, including being targeted specifically by hackers.
Firms are vulnerable
“There are two types of law firms today,” wrote Steve Fletcher, in Law Technology News, recently. “Those who’ve had a security breach and those who will.” As vigilant as corporations might be, FBI officials and security experts say that law firms are too often the weak spot in a corporation’s armor. Vincent Polley, a lawyer in Bloomfield Hills, Mich., co-wrote the American Bar Association’s cybersecurity handbook. He likens a law firm that doesn’t take cybersecurity seriously, yet works with a secure corporation, to an unlocked back door.
That might be because a facepalm-worthy 89% of attorneys surveyed use unencrypted, unsecured email by default for client communication.
Hackers know this, and are increasingly targeting law firms to steal intellectual property and trade secrets. The information is incredibly valuable on the black market, according to Daniel Garrie, founding editor of the Journal of Law & Cyber Warfare. Garrie told TribLive that assets such as corporate financial reports, proprietary software code, industrial designs, and emails command a high price on anonymous websites. The same information also has some pretty obvious benefits for opposing counsel. There’s also the threat that hackers will expose information about corporate deals which are still in the works.
Patrick Fallon Jr. is the FBI’s assistant special agent in charge of the Pittsburgh field office. He warns attorneys that computer attacks on law firms happen every day. What he didn’t mention is that it’s not always lawless hackers intercepting private information illegally. Sometimes it’s government agencies. Last year an Australian intelligence agency was caught working with the NSA to intercept communications between lawyers at Mayer Brown, a big Chicago-based law firm, as the New York Times reported. The American Bar Association wrote a letter to the agency reminding it that it is required to respect the principle of attorney-client privilege.
However, it’s difficult to know how frequent law firm cyberattacks are. As the New York Times explained, firms’ limited direct interaction with consumers exempts them from requirements to publicly report a hacking incident the way a bank or a retailer would. But even with that limitation, security consulting firm Mandiant estimated that 80% of the 100 largest American law firms had some malicious computer breach in 2011.
Lorey Hoffman, chief information officer at law firm Goodwin Procter LLP, told the Wall Street Journal, “Our external-facing Internet sites are probably getting hit 400 to 500 times a week” by third-party bots or denial-of-service attacks. “That kind of activity is the new normal and it’s hitting everybody.”
Big corporate clients are concerned. As the threat grows, they are increasingly demanding more from their law firms to prevent hacks that compromise sensitive information, according to the New York Times.
Wall Street bankers, continuing their long tradition of not playing around, are forcing their firms to fill out 60-page questionnaires about what, exactly, they’re doing to protect their private information. This wouldn’t be necessary if lawyers weren’t still carrying sensitive information on insecure thumb drives, using unencrypted email on insecure iPads, and using shared networks in cybercrime-heavy countries like Russia and China. The Wall Street Journal reports that background and security best-practices checks are becoming routine as banks such as J.P. Morgan Chase & Co., Morgan Stanley, Bank of America Corp., and UBS AG seek counsel. They’re asking firms to show them their computer systems, to see what tech they’re using and who has access to their data, and are even doing on-site visits to confirm security. In some cases, noncompliance leads banks to skip a firm, limit work, or switch firms.
“Law firms can no longer afford to treat cybersecurity as an afterthought,” Clio Social Media and Communications Coordinator Derek Bolen wrote me. “Law firms possess an incredible amount of sensitive client data and have lagged in applying up-to-date security standards, making them easy targets. Sadly, ‘data security’ is rarely part of the law school curriculum, and with roughly 50% of attorneys in the US practicing in solo or small firms lacking an onsite IT department dedicated to ensuring data security, the onus is on these lawyers to ensure they’re aware of cybersecurity practices.”
Cybercrime is risky, and expensive. Hackers wouldn’t be bothered unless law firms had valuable data. It’s time for firms to build their security infrastructure to become equal to or greater than the threat. The next post offers concrete suggestions for decreasing susceptibility to attack.
Law firms are increasingly the weak spot in corporations’ data security. Hackers want access to the customer data, payment information, emails, intellectual property, and trade secrets that law firms’ servers contain. In the next part, I’ll provide concrete steps for helping to close the gaps in your firm’s digital data security.