Data hacks and breaches in the legal sector are not new, but you’d be forgiven for thinking they’re enjoying something of a renaissance at the moment. Just last month, US-based security firm Flashpoint warned that a Russian cybercriminal had targeted 48 elite law firms, including Hogan Lovells, Allen & Overy and Freshfields, in order to steal information about mergers and acquisitions.
Around the same time, New York-based firm Cravath Swaine & Moore – famed for its corporate merger advisory work – admitted a breach of its computer network, while a suspected email hack at the now-renowned Mossack Fonseca led to the leak of 11.5 million confidential documents dating from the 1970s to late 2015.
The question is, if the legal industry is such a rich target for cybercriminals, what action can Chambers take to safeguard against further security breaches?
The weak link?
It’s a well-known fact that barristers deal with large amounts of highly sensitive information. Whether that’s trade secrets, confidential data about high-profile clients or undisclosed mergers and acquisitions, they are privy to a wealth of knowledge that’s ripe for exploitation.
The often sprawling and collaborative nature of legal work, spanning both internal and external parties, means that the risk of leaks and data breaches is particularly pronounced – a view corroborated by Citigroup’s intelligence unit in 2015. In a report designed to educate bankers about the cyber threat to the legal sector, Citigroup cautioned big law firms and Chambers about the threat of attacks on their networks and websites. It said they were at “high risk for cyberintrusions” and would “continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications.”
Recent cyber-attacks on the legal profession appear to show thieves scouring the digital landscape for sophisticated types of information, often stealing large amounts of data indiscriminately and then analysing it later to see how it can be useful. Indeed, computer networks, including emails and file sharing solutions, have been directly breached by hackers with this very goal.
As well as being a particularly attractive target for external fraudsters, legal practices are also dealing with ‘insider threats’ caused by employees routinely disregarding IT policies and placing company documents at risk. In fact, the vast majority of smaller data breaches come down to human error rather than an employee maliciously stealing data, showing how inside attacks or accidental losses can be just as serious as outside threats.
Research by the Ponemon Institute confirms this, and shows that 51 percent of respondents doubt whether their organisation has the ability to manage and control user access to sensitive documents and monitor how they are shared.
While many practices do enforce measures to protect themselves from hacking and other malicious activities, their own employees can undo this effort by using the free cloud-based applications so ubiquitous on mobile devices and home computers. While they enable large documents to be shared quickly and easily, these platforms are a risky option and lack the key security features required to operate effectively and securely.
Steps to security
This potential vulnerability of barristers is raising concerns among clients, who expect their information to be kept both confidential and secure. However, there are steps that can be taken to address these issues and ultimately reduce the risk of a data breach.
In the first instance, barristers must assess the systems they have for sharing documents and keeping client information safe. They must invest in technological solutions which enable safe collaboration and secure sharing, while also offering back-up security features. An “unshare” capability can allow access to shared files to be revoked, regardless of whether they have been copied, shared or saved elsewhere. And if, for any reason, the document needs to be retracted, it can be remotely disabled.
These types of controls, already in use in other industry sectors (such as financial services), could be employed by the legal profession to provide additional protection against electronic information threats ranging from malicious criminal intent through to accidental loss. As new regulation such as the GDPR takes shape, the risk of a damaged reputation will be compounded by the potential for huge fines for getting this wrong.
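The “unshare” and remote-disable capabilities described above, and the content-level permissions mentioned later in the BPP example, rest on one mechanism: the document is encrypted under its own key, and that key is held only by a rights service that a viewer must consult every time the file is opened. A copy saved to a laptop or forwarded by email is then just ciphertext, so revoking a grant or disabling the document makes every copy unreadable at once. The following toy model is an added illustration written for this article; it is not Intralinks code, and the service, user names and document are constructed. It uses an HMAC-SHA256 keystream with an HMAC tag so that it runs on the Python standard library alone; a real system would use a vetted AEAD cipher such as AES-GCM.

```python
"""Toy information-rights-management (IRM) model: per-document keys held only
by a rights service, so unshare/disable apply to every copy of a protected file.
Added illustration only; the cipher is a stand-in for a real AEAD."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived with HMAC-SHA256 (illustrative, not AES).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Output layout: nonce || ciphertext || tag; the tag covers nonce and ciphertext.
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("protected file has been tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class RightsService:
    """The only place document keys exist; also holds the sharing policy and an audit log."""

    def __init__(self):
        self._keys = {}        # doc_id -> document key
        self._owners = {}      # doc_id -> owning user
        self._grants = {}      # doc_id -> set of users allowed to open
        self._disabled = set()  # documents retracted by their owner
        self.audit = []        # (event, doc_id, user), for 24/7 monitoring

    def protect(self, doc_id: str, owner: str, plaintext: bytes) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[doc_id], self._owners[doc_id], self._grants[doc_id] = key, owner, {owner}
        self.audit.append(("protect", doc_id, owner))
        return encrypt(key, plaintext)

    def _require_owner(self, doc_id: str, actor: str) -> None:
        if self._owners.get(doc_id) != actor:
            raise PermissionError(f"{actor} does not own {doc_id}")

    def share(self, doc_id: str, actor: str, user: str) -> None:
        self._require_owner(doc_id, actor)
        self._grants[doc_id].add(user)
        self.audit.append(("share", doc_id, user))

    def unshare(self, doc_id: str, actor: str, user: str) -> None:
        self._require_owner(doc_id, actor)
        self._grants[doc_id].discard(user)
        self.audit.append(("unshare", doc_id, user))

    def disable(self, doc_id: str, actor: str) -> None:
        self._require_owner(doc_id, actor)
        self._disabled.add(doc_id)
        self.audit.append(("disable", doc_id, actor))

    def open(self, doc_id: str, user: str, blob: bytes) -> bytes:
        # Policy is checked on every open; the viewer never keeps the key.
        allowed = doc_id not in self._disabled and user in self._grants.get(doc_id, set())
        self.audit.append(("open" if allowed else "denied", doc_id, user))
        if not allowed:
            raise PermissionError(f"{user} may not open {doc_id}")
        return decrypt(self._keys[doc_id], blob)


def demo() -> dict:
    # Constructed scenario: a barrister protects a memo, shares it, then revokes it.
    svc = RightsService()
    blob = svc.protect("deal-memo", "barrister", b"Target: constructed example plc")
    saved_copy = bytes(blob)  # the client saves the file to a laptop or USB stick

    svc.share("deal-memo", "barrister", "client")
    opened_after_share = svc.open("deal-memo", "client", saved_copy)

    svc.unshare("deal-memo", "barrister", "client")
    try:
        svc.open("deal-memo", "client", saved_copy)
        copy_readable_after_unshare = True
    except PermissionError:
        copy_readable_after_unshare = False

    svc.disable("deal-memo", "barrister")
    try:
        svc.open("deal-memo", "barrister", saved_copy)
        owner_readable_after_disable = True
    except PermissionError:
        owner_readable_after_disable = False

    return {
        "opened_after_share": opened_after_share,
        "copy_readable_after_unshare": copy_readable_after_unshare,
        "owner_readable_after_disable": owner_readable_after_disable,
        "denied_events": sum(1 for e in svc.audit if e[0] == "denied"),
    }


if __name__ == "__main__":
    print(demo())
```

The revocation holds only because the viewing application must contact the rights service for the key on each open and never caches it; once a document has been decrypted and rendered, its contents can still be photographed or retyped, so “regardless of whether they have been copied” means copies of the protected file, not of what a reader has already seen. The audit list is what a monitoring team would feed into the 24/7 monitoring and indicators-of-compromise review raised in the due diligence questions below.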
BPP University Law School is just one example of an organisation that has re-evaluated its file sharing practices with the goal of avoiding a large-scale data breach. BPP runs a number of pro-bono legal advice clinics, in which it handles many documents that include Private Personal Information (PPI) such as names, addresses, emails, phone numbers and financial information.
Historically, all BPP University Legal Advice Clinic client files were stored in both physical filing cabinets and Google Docs, a consumer-grade document and storage application. However, the BPP University Law School could not endorse any of these methods, due to requirements set out by the 1998 UK Data Protection Act and by the Solicitors Regulation Authority (SRA).
The university therefore decided to implement a secure, compliant, enterprise-grade alternative to the consumer-grade tools they had previously been operating with. As a result, barristers, solicitors and clients can now share files easily and securely, with the ability to set permissions to control access and apply security at content level, reassuring all involved that PPI and other sensitive information is protected and safe from data breaches.
Clients can also take responsibility for ensuring their barrister and Chambers adequately address any security concerns they may have, and should work with them to review specific due diligence areas – the most pressing of which include:
- What protection is used for document collaboration — such as rights management?
- What were the results of external and internal penetration tests? How frequently are these performed? When was the last test performed?
- How are networks and systems monitored? Is monitoring 24/7?
- Does the Chambers have forensic capabilities or does it have a contract with a vendor to provide Incident Response service with short SLA-defined response times?
- Did the Chambers engage in any threat assessment that would audit the current system for indicators of compromise? What’s the ongoing frequency of this assessment?
- What compliance or industry framework does the Chambers follow? If certification was obtained (like ISO or SSAE16), what is the technical and operational execution path?
By holding the legal profession to account in this way, clients can help speed along the cybersecurity reforms, guidance and best practice that the sector so desperately needs.
Richard Anstey, CTO, EMEA, Intralinks