October 08, 2015
Just because you don’t see a lot of headlines about law firms getting hacked doesn’t mean they’re not being targeted.
Law firms handle a lot of sensitive data involved in intellectual property cases, corporate transactions, mergers and acquisitions, business strategies, and lawsuit data, which means law firm security should be a top priority.
In fact, one industry observer in a Bloomberg.com story described law firms as “a treasure trove that is extremely attractive to criminals, foreign governments, adversaries, and intelligence entities”.
Consider that a few years ago, Mandiant, a division of the data security company FireEye, said 80% of the largest 100 law firms in the U.S. have been hacked.
This year, a new study by Digital Defense confirmed that law firm data breaches and information security are top of mind. The 2015 Study of the Legal Industry’s Information Security Assessment Practices showed that external threats such as hackers are the biggest perceived security threat. The top security concerns were employee negligence, phishing attacks, and viruses, worms and malware.
What information security strategies are being recommended for law firms?
Reporting: While law firms have both ethical and legal obligations to safeguard confidential information, in the U.S. they are not required by law to disclose hacking incidents. But they are being urged to be more open about reporting. In a Nytimes.com story, John Carlin, assistant attorney general for national security, encouraged lawyers to promptly tell clients and law enforcement authorities about attacks that might compromise confidential information.
Partnerships: There have been various reports of new kinds of beneficial partnerships. For example, a group of law firms may form an alliance to share information about cyber security threats. The Nytimes.com story mentioned closer ties between Wall Street banks and law firms to share information about hacking incidents.
Target Vulnerabilities: According to the Digital Defense study, approximately 70% of respondents conduct security assessments and penetration tests, which is seen as a positive trend toward proactive strategies. Because exposure to third-party suppliers and vendors increases vulnerability, a Vendor Management Evaluation process, for example, is recommended. Of course, it is most important to have the latest antivirus, data-loss prevention and data protection technologies in place.
Employee Education: Law firms are urged to provide on-going training so employees are aware of scams and of safeguarding behavior. The 2015 Verizon Data Breach Investigations Report showed that the legal department was one of the three departments most likely to fall victim to phishing scams (which target individuals).
Security Policies: Implement a culture of security with written policies and procedures that address information security. Appoint someone to be in charge of information security. The Digital Defense study showed that 65% of organizations have no staff devoted to information security.
Document Management: Create a comprehensive information inventory system that protects confidential data from its creation to its disposal. For document destruction, partner with a reliable company that provides a secure chain of custody from locked consoles in the workplace to on- or off-site shredding (of paper, hard drives and e-media), and a Certificate of Destruction after every shred.