If you were a hacker trying to decide your next target, you’d likely want to pick an entity that holds highly valuable and useful information and, at the same time, lacks an effective security program.
Though so many of us focus a significant portion of our in-house practices on cybersecurity and data breaches, it may not come to mind right away that this target is right in our backyard: the law firm.
In a recent webinar put on by Logikcull, Olga Mack and Brian Focht (@NCCyberAdvocate) discussed the vulnerabilities every law firm is facing and focused specifically on the kinds of cybersecurity and data security questions in-house counsel should be asking when hiring outside counsel.
Law firm systems contain highly sensitive financial data, corporate strategies, trade secrets, business transaction information and plenty of both PII and PHI. Unfortunately, many firms lack a complete, effective privacy and security program. According to an ALM Legal Intelligence study, 22% of law firms did not have an organized plan in place to prepare for or respond to a data breach. Only 50% of law firms included in the study have cybersecurity teams in place to handle and implement the types of complex programs and initiatives necessary to deal with a data breach.
And, unsurprisingly, hackers have noticed these vulnerabilities. In February of 2016, a Russian cybercriminal, under the name of “Oleras,” targeted law firms; in March, the Wall Street Journal reported that the nation’s biggest firms had been hacked (including names like Cravath and Weil Gotshal); in April, the “Panama Papers” were leaked, revealing confidential attorney-client information detailing tax evasion techniques; in May, a Chicago-based law firm was sued by a client for cybersecurity flaws that “systematically expos[ed] confidential client information”; in December, the DOJ charged three Chinese nationals with insider trading based on information hackers obtained from law firms.