CONTACT US

Data Privacy Exposure at Law Firms In the News – Are You at Risk?

A recent article from CNBC highlights some of the latest concerns facing today’s law firms as they collect, transmit, and store sensitive information in the form of electronic data records. Specifically, this news speaks about a hacker on a dark web forum selling access to a New York City law firm’s network and files for $3,500. Unfortunately, this instance is not as uncommon as we would like it to be.

Law firms are just one type of organization that possess valuable information about employees, clients, and related parties. Business intellectual property, medical records, bank information, and classified government information are just some examples of the types of sensitive data that law firms frequently possess that could be of value to cybercriminals.

How firms store and protect their data is becoming critical as hackers target more valuable information. This is particularly challenging for law firms involved in transactions of publicly traded companies.  Law firms and financial services organizations are seeing a constant increase in the targeting of their organizations by hackers.

Any firm that possesses data that has monetary value to someone is at risk. Some examples of recent data breaches include:

  • 11.5 million files leaked from the database of the 4th largest offshore law firm – Mossack Fonseca.
  • DLA Piper fell victim to a ransomware attack, locking the law firm from accessing its own data.
  • 1.16 million e-mail addresses from 500 of London’s largest law firms were exposed on the dark web, with passwords included for 930,000 of them.

According to a survey of 200 firms, 40% of law firms had experienced a data breach in 2016 and did not know about it. It’s not if, it’s when, a breach will occur. Organizations need to take steps to ensure they have proper cybersecurity prevention and detection tools in place to minimize the impact of a breach when one occurs. As firms assess their cybersecurity risk and preparedness, they can identify areas of opportunity to address and choose to deploy technology resources and spending where it will have the greatest impact.

Hackers hold a strategic advantage because of the growing number of devices and associated vulnerabilities. Hackers make it their full-time job to search for and exploit weaknesses at organizations.

Every access point is a potential source for a breach. The Internet of Things, or “IoT,” poses new challenges, as employees and organizations introduce more devices to the network. From smartphones in an employee’s pocket to the appliances in the breakroom, access points are increasing our exposure to vulnerabilities.

To properly address the constantly evolving security threats, industry expertise needs to be coupled with the latest technology to develop the optimal solution for your firm. Organizations can prepare for data breaches by developing comprehensive incident response plans and implementing cybersecurity programs. Additionally, it’s imperative that organizations invest in resources, internally or through outsourced service providers, that check for patches, research new vulnerabilities, and perform other updates to computer security software and appliances. Engaging IT security experts to perform risk assessments periodically is critically important to ensuring a firm remains proactive.
 
It is important to ensure that employees receive periodic training to enforce security best practices around passwords and data loss prevention.  Without training, employees become complacent and more susceptible to e-mail phishing campaigns. Every member of an organization must be included in an organization’s data security plan for it to be successful. No organization can prevent a breach from ever occurring, but an organization that is prepared and practices their response for when a breach does occur can minimize the impact to their reputation and the cost of repairing and responding to a breach.
 
The costs of cybersecurity prevention, detection and, more importantly, response has been skyrocketing. Hiring teams to manage cybersecurity programs in-house is simply not feasible for most law firms. As an alternative, many law firms rely on consumer-grade technology that is ill-equipped for the threats facing these firms today.

Solutions are available for law firms of any size. Cybersecurity and information security programs can be outsourced, giving firms access to the best-in-class security solutions without the price tag that typically accompanies such a high level of security including Software as a Service (“SaaS”) and Managed Security Services Programs (“MSSPs”).

Kevin Brady is a Manager in Process Risk and Technology Solutions with advisory, audit, and compliance experience including public accounting and private industry, and IT audit and risk services to clients in various sectors.

Contact Kevin

* Required