The data breach at the law firm of Mossack Fonseca in Panama sent shock waves around the world recently, with the prime minister of Iceland stepping aside, Swiss authorities raiding the headquarters of the Union of European Football Associations, and relatives of the president of China linked to offshore companies. The size of the breach was also shocking, with 2.6 terabytes of data leaked. That's 30 times bigger than the WikiLeaks release or the Edward Snowden materials. However, the most shocking part of the "Panama Papers" story is that the breach, which exploited the firm's installation of the popular open source project Drupal, was totally preventable.
Everyone knows that law firms manage large amounts of highly sensitive information. Whether the data involves an individual's estate plan, a startup's patent application, or a high-profile merger and acquisition, clients expect their information to be secure. Indeed, lawyers are required to keep this information both confidential and secure. Yet, despite the very high level of security owed this information, many firms lack an IT staff and outsource the creation and maintenance of their data management and security services. Once outsourced, there is an assumption that someone else will effectively manage the data and ensure its security.
This is many firms' first mistake. Even if they aren't managing their own IT, law firms still have an obligation to make sure that data is properly secured. This means asking frequent questions about security and ensuring that the vendor is implementing reasonable security measures.
This level of diligence is critical today, as law firms are increasingly under threat of attack. In March, the international firms Weil, Gotshal & Manges and Cravath, Swaine & Moore reported data breaches, highlighting the risks for law firms and their clients. Given the amount of confidential information firms retain about business deals and strategies, further attacks are expected. A 2015 Citigroup Cyber Intelligence Center report confirms this, cautioning big firms about the threat of attacks on their networks and websites.
Implementing reasonable security measures means continuously monitoring both proprietary and open source code for vulnerabilities. This is a notion that lawyers should be familiar with. In most M&A deals, lawyers advise clients to run a security scan of the codebase to understand the code's integrity and surface any vulnerabilities.
This is a particularly important M&A exercise for open source usage, as much open source is not supported in the same way proprietary software is -- through automated updates and patches that are pushed out proactively. Still, open source code is the way software applications are built today, and open source makes up 35 percent to 50 percent of the average code base, so managing and securing it is vital. It is widely incorporated into programs used by law firms around the world. Open source tends to be high quality and offers powerful tools. However, you can't reap the benefits of open source programs without managing their risks.
When a security vulnerability is identified in open source, it is publicly announced along with ways that the vulnerability can be exploited. Sometimes there is even sample code or a YouTube video giving cybercriminals a recipe for hacking. However, security updates and patches are usually made available too. Because the process is not automated, these announcements should be monitored and the patches installed promptly to ensure the security of data.
Sometimes this is easier said than done. Even when firms know open source software is used in their codebase, it can be difficult to know exactly where it exists. Without visibility into what open source they're using and where, the patches aren't of much use. This is why it's critical for law firms to identify all open source code in use, inventory it, and map it to a known vulnerability database. When a vulnerability is announced, the firm can decide from a business standpoint whether it's material and requires action. When it's deemed material, the stakes can be extremely high, so scanning the code should be a regular compliance process.
Whether law firms have IT departments or outsource to a service provider, they should use products that automate the inventory process, monitor the software, and send automatic alerts when a security vulnerability is identified. It's not difficult to secure data when the right products are in place.
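As an added illustration of the inventory-and-match step described above (example code, not from the article or any vendor's product): the inventory, the advisory list, its placeholder IDs and the version ranges are all constructed, and the script reports how long each match has gone unpatched so the firm can judge materiality.

```python
"""Match an open source inventory against an advisory list.

Everything below is constructed for illustration: the inventory paths,
the advisory IDs (placeholders, not real CVE numbers), the affected
version ranges and the publication dates.
"""
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}


def parse_version(v):
    """Turn '7.23' or '1.8.3' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed placeholder, not a real identifier
    component: str
    fixed_in: str         # every version strictly below this is affected
    published: date
    severity: str


# Constructed inventory: what a scan found in the code base and where it lives.
INVENTORY = [
    {"component": "drupal", "version": "7.23", "path": "web/portal"},
    {"component": "drupal", "version": "7.60", "path": "web/intranet"},
    {"component": "jquery", "version": "1.8.3", "path": "web/portal/assets"},
]

# Constructed advisory feed with placeholder IDs and dates.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "drupal", "7.32", date(2013, 6, 1), "critical"),
    Advisory("ADV-PLACEHOLDER-002", "drupal", "7.58", date(2015, 2, 1), "critical"),
    Advisory("ADV-PLACEHOLDER-003", "jquery", "1.9.0", date(2013, 1, 1), "moderate"),
]


def find_exposures(inventory, advisories, today):
    """One record per installed component that an advisory covers, oldest exposure first."""
    hits = []
    for item in inventory:
        installed = parse_version(item["version"])
        for adv in advisories:
            if adv.component == item["component"] and installed < parse_version(adv.fixed_in):
                hits.append({"path": item["path"], "component": item["component"],
                             "version": item["version"], "advisory": adv.advisory_id,
                             "severity": adv.severity,
                             "days_unpatched": (today - adv.published).days})
    return sorted(hits, key=lambda h: -h["days_unpatched"])


def requiring_action(hits, min_severity="high"):
    """Business-materiality filter: keep exposures at or above the given severity."""
    floor = SEVERITY_RANK[min_severity]
    return [h for h in hits if SEVERITY_RANK[h["severity"]] >= floor]
```

Running `find_exposures(INVENTORY, ADVISORIES, date.today())` on a real inventory would be the alerting step; the patched 7.60 installation produces no match, while the unpatched 7.23 copy is flagged twice.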
If Mossack Fonseca had had such a procedure in place, the Panama Papers scandal never would have happened. The version of the open source project used, Drupal, had 25 or more known security vulnerabilities. They were publicly announced as far back as 2013. If anyone at the firm had been paying attention, it could have implemented the security patches. When the patches weren't applied, it was open season for hackers.
The Panama Papers scandal illustrates the dangers of being lax about the security of client information. It also shows how law firms that take security seriously have a competitive advantage. As more data breaches are sure to come to light, law firms have an opportunity to differentiate themselves with a higher level of service. Those that don't could be the next hacking victim -- or already are and just don't know it yet.