Large corporations constantly make headlines when they are hacked and millions of customers’ information is stolen. It seems like no industry is immune, from banks to retailers and even the U.S. government. But it was not until April of this year that the public became aware of the fact that law firms are also frequent targets of organized hackers when 11.5 million documents were leaked from Panamanian law firm Mossack Fonseca.
In the subsequent weeks, the world was thrown into a tailspin as the paper trail revealed corruption and crime among the world’s wealthy and powerful. The aftershocks of the Panama Papers are still being felt and law firms are paying closer attention to their security.
But what can and should law firms do to protect their clients’ confidential information? Furthermore, what should legal clients know about the measures their firm has taken? To find out what cyber security looks like and where it is headed in the legal industry, I connected with John Sweeney, President and COO of LogicForce, a firm that helps law firms with their security and IT services.
Q: Why are law firms attractive targets for international hacker groups and how real is that threat?
Sweeney: First and foremost law firms are attractive targets because that is where trade secrets reside and is where they’ll be most vulnerable to theft. The amount of client information sitting on law firm servers spans the gamut from extremely valuable intellectual property (aka “company secret sauce”,) to potential merger and acquisition deals, to highly sensitive government information. Hacking law firms is all about making money by selling stolen information. Hackers can make a lot of it. Just think about the insider trading potential they could have with the right, highly confidential corporate information!
The fact is many law firms still remain exceedingly and unnecessarily vulnerable to cyber breaches due to poor security practices. This isn’t always about not having the latest preventative software and IT systems. Often it comes down something as simple as the lack of or non-enforced password protection policies or poor encryption practices. To compound the problem, it only takes one unsuspecting person at the firm to open a hacker’s phishing email or the illicit behavior of a rogue employee to compromise the security of sensitive information.
As far as the threat of breach is concerned, it is very real, continuous, and will only get worse. I attended a cyber security conference at The Army Navy Club where a managing partner of a law firm headquartered in Washington DC was on the dais. I will never forget him speaking directly to a table of FBI and DOJ Agents while shaking a stack of invoices for software and hardware upgrades, saying, “We’re a law firm. When the hell did we get into the IT business. We need help!”
Q: Is the security technology used to protect law firms different than what is used for other types of businesses?
Sweeney: I don’t see the need for any “law firm specific” technology to be implemented that differs from any other company who is diligent about protecting their data. As long as they deploy the needed security technologies for encryption, intrusion protection, detection, response, monitoring, and event management they should be OK from a technology standpoint.
However, the responsibility for redressing IT ecosystem vulnerabilities and potential data leaks starts with the Managing Partner. There is a whole list of actions that need to be taken in conjunction with the deployment of technologies if the law firm is going to take a programmatic approach to cyber security. A documented data security plan should be put into effect that includes policies and procedures outlining training, disaster recovery, BYOD (bring your own device), passwords, business continuity, remediation, communication and insurance coverage. That is absolutely necessary to reduce security risks to a minimum.
Q: What kind of exposure would a client of a law firm have if the firm were hacked? Should clients ask their law firm about their security measures?
Sweeney: Let me first state that every attorney is entrusted with protecting their client’s information whether it is a trade secret, social security number or health record. Model Rule 1.6 of the American Bar Association code provides that attorneys shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure or access to confidential client information.
The resultant exposure from a data breach is potentially catastrophic for any company. Financially, companies and their law firms get hurt. But their reputation takes the biggest hit, which over the long term is devastating to the viability of their practice. The biggest financial consequence is lost business due to trust issues. According to a Ponemon Institute 2016 Cost of Data Breach Study of the 64 companies surveyed in 16 industry sectors the average total cost of a data breach is $7.01 million.
Given what is at stake it becomes the fiduciary responsibility of every company to ask their law firm about their data security program and existing IT Ecosystem. We recommend they request documentation of their security program as well.
Q: Is the cyber security industry ahead of or behind hackers at the moment in your opinion? Who has the upper hand?
The cyber security industry is constantly developing new software, hardware, and techniques to mitigate the threat of a data breach. Companies, government agencies, law enforcement, and law firms continue to work together and invest in innovative programs and systems to thwart intruders while on-boarding more and more experts to help the cause. But until we take the necessary steps to lower the value of cybercrimes while increasing the likelihood of the perpetrators actually being caught and punished, it will continue to be a burgeoning profession. And as much as I don’t like saying it, cybercrime does pay.
Q: Where do you see your industry in five years? What will LogicForce be doing differently, the same, or better?
We consult to Managing Partners, COO’s and CIO’s of law firms on strategies and programs to effectively address the critical business issues facing them today. The strategic and secure use of applications, artificial intelligence and data analytics will have any increasingly direct correlation to revenue growth or decline at law firms for the foreseeable future. More and more I see law firm leadership acknowledging the need to move from their traditional business models to a more IT-centric approach for competitive advantage.
LogicForce has designed a new style of IT that will revolutionize the way law firms use and pay for their entire IT, electronic discovery, and cyber security ecosystem and harness its power to gain competitive advantage in the legal market. Through a proprietary analytical approach known as Synthesis E-IT we can deliver a secure and state of the art IT ecosystem that will never become obsolete and is scalable according to the capacity requirements of the law firm so they are paying for only what they need when they need it. This works particularly well for midsize firms looking to compete with Big Law.