Hackers attack banks because they have actual money. They attack hospitals because they have readily monetizable data (PII, PHI, financial data). The fact that law firms also have monetizable data is why they are increasingly coming under attack. Mossack Fonseca, the firm behind the Panama Papers, was arguably the case that brought this problem to the fore. Chicago firm Johnson & Bell Ltd made the news this past December when a proposed class action suit accused them of failing to protect client data. If you do M&A work you may be familiar with charges and arrests made in New York in response to foreign hackers breaking into law firms to obtain insider information in order to profit from stock manipulation.
Cyberattacks against law firms may not seem to be as epidemic as they are against financial institutions, but if things hold true to form, that’s only because of a lack of awareness or visibility into the state of a firm’s IT security. Organizations writ large are historically poor judges of their cybersecurity posture, and their ability to detect breaches is generally poor. The time between compromise and detection is usually measured in months. If cybersecurity practices at your firm are an afterthought, or what might be best described as ‘minimal,’ it is time to point out that the absence of evidence of a breach isn’t evidence of an absence of a breach.
In addition to various regulatory and contractual requirements to protect PII and PHI, legal ethics rules require that attorneys take measures to protect client information that are “competent and reasonable.” Thankfully, that doesn’t mean having to spend a lot of money on software or services designed to combat “advanced” threats or “sophisticated” actors (terms cybersecurity companies love to throw around to increase your sense of fear, uncertainty, and doubt).
Model the threat. The work that you do and the information you deal with are probably only of value to a certain type of threat actor. Who is that, and what sort of capabilities would they be able to bring to bear against you? Let the answer inform your subsequent decision-making so that you’re not buying the wrong things or spending too much or too little.
Understand what you are trying to protect and where it is. Depending on the size of your firm and the sophistication of your IT enterprise, you may have data in all sorts of places: some of it centrally located, some of it spread across attorney or paralegal PCs or other devices. You cannot protect what you do not know you have.
Focus on blocking and tackling. Most data breaches could have been prevented if the victim had followed some very fundamental practices. Using two-factor authentication for system logins, full-disk encryption on computers, and ensuring you make regular backups and store them off-line will address the most common avenues of attack, make your firm a much harder target, and enable you to rapidly recover from an attack.
We would like to get your feedback and also find out how we can team up your experts with our experts at cicayda. We would be happy to schedule a demonstration of our software and go over any eDiscovery services we provide.