On May 5, 2016, the Panama Papers were leaked to the public, making it the biggest leak in world history. Mossack Fonseca, an international law firm based in Panama, was compromised, giving hackers access to over 2.6 terabytes of data and 11.5 million documents. The firm's security failed on several fronts: it had not encrypted its files or emails, it was missing security patches, and it had failed to rotate log-in credentials, among a multitude of other issues.
Joel Brenner, former Senior Counsel at the US National Security Agency, writes in his book "America the Vulnerable" that for hackers "lawyers are the perfect targets". He goes on to explain that lawyers are privy to a wealth of confidential data such as financial records, corporate data, strategic business plans and other details. Brenner also notes that law firms often fail to take security seriously, making them an easier target.
The American Bar Association's 2016 Legal Technology Survey found that only 38% of respondents used file encryption, 26% used email encryption for confidential communications and documents sent to their clients, and only 15% used drive encryption. Additionally, Bloomberg Business reports that more than 80% of the 100 largest U.S. law firms have been hacked since 2011.
Based on these findings, Mossack Fonseca clearly isn't the only firm falling behind on security. The legal field as a whole is lagging on security measures, putting clients and firms at risk.
Law firms have a legal and ethical commitment to protect their clients' information. It is their obligation to take appropriate steps to safeguard data on behalf of their clients. To create a strong and effective security plan, law firms must consider several key factors.
Policies and Procedures Based on Jurisdiction
Depending on the type of data your firm hosts and the legal jurisdiction you fall under, your organization will be held to different laws and regulations. For example, if your firm hosts health information in the USA, you are accountable to the requirements set out by HIPAA. PCI-DSS and other standards will also have implications for your law firm. Your firm should be aware of the legal and ethical standards it is held to based on the data it handles. The new General Data Protection Regulation (GDPR), coming into effect on May 25th, 2018, will require all organisations (regardless of their country of operation) that hold EU citizen data to uphold certain security measures or face significant fines and penalties. This forces many law firms globally to re-examine their data security policies and systems. These protocols and frameworks may require firms to use encryption for certain materials, store client data in a specific way, and employ new technologies for data protection. The GDPR will also require organisations to notify clients of a data breach within a designated period, making it even more prudent that firms take steps to ensure their data security is in tip-top shape, protecting their reputation and bottom line.
How Valuable is Your Data?
Data varies in its value to hackers. Highly sensitive information needs to be treated differently than low-value information. Define different levels of value and confidentiality for your data and create security protocols for each. These security protocols may include controls such as encryption, restrictions on staff access and data loss prevention (DLP) solutions. The more valuable the data, the more effort hackers are willing to spend to take it. Don't make their job easy: put the appropriate measures in place to protect your data.
Where is Your Data Located?
Where is your data located and how does it get there? Based on the location, type and value of your data, your firm will have to consider different types of encryption. Will you encrypt your data in transit, at rest or both? The appropriate level of encryption may differ based on the sensitivity of the data, the need for usability and convenience, and the impact if the data were compromised. You should also consider the devices your staff use: do they store data on their laptops or other mobile devices? What happens if one of your attorneys loses their laptop? There are plenty of mobile device management programs on the market to help your firm monitor and secure devices, and investing in one of them is extremely valuable. You should also ensure your network is protected by strong security protocols and technologies such as VPN, mobile management software, next-generation firewalls, access management programs, behaviour analytics, etc. Location of data should also be considered for physical materials such as paper files and documents, or material stored on a USB drive. How is your firm protecting this data and limiting access and risk?
Every law firm should have a strong data security plan in place that takes into account the policies and procedures required by its jurisdiction, the value of its data and the location of its data. Unsure of where to begin? Cloud Carib offers a full suite of security services, including a managed security option. This gives your firm premium security services while minimizing your costs and upholding your promise of confidentiality and security to your firm and clients.