August 30, 2018
Among the multitude of industries that store and process information, the legal sector handles some of the most sensitive and critical data. Organizations rely on their legal team and outside vendors to secure their information from competitors, opposing parties, and any other prying eyes. Information is the most valuable asset in the legal industry and keeping it secure is paramount to success.
A new threat is striking the legal sector – hackers.
In fact, in March 2016, the Cyber Division of the FBI warned that hackers are specifically targeting international law firms, seeking confidential data. This trend has continued through 2017, as noted by The Information Commissioner’s Office (ICO) stating that there was a 173% increase in data security incidents in the legal sector between Q3 and Q4. It’s clear why a survey published in the General Counsel Excellence Report found that 31% of GCs are concerned with cybersecurity and privacy.
But why has the legal industry seen such a sharp rise in the rate of attacks and become a prime target for cyber criminals?
1. Valuable Information
Corporate Law Departments and law firms store tons of confidential information that can be extremely financially and strategically valuable. Opposing counsel, business competitors, and foreign agents can use the information to manipulate markets or threaten parties. For example, a cyberattack against the computer networks of two major New York law firms in which servers were penetrated, malware installed, and Merger and Acquisitions partners’ emails exfiltrated was instigated by three foreign nationals who levied this information to make millions through insider trading.
2. Backdoor Access
The relationship between clients and their outside counsel is based on high levels of trust, and often unauthorized access to a legal network can lead to unauthorized access to client networks. The legal sector is now not only responsible for protecting its own data, but is also responsible for access to that of its clients. It is well understood in the hacker community that one of the best ways to penetrate a company’s network is to infiltrate the networks of partners and vendors.
3. Industry Culture
There is also the historic prioritization of financial success over security and compliance within the legal sector. In the past, many firms have spent time and money on efforts to increase profitability, while law departments focused on saving costs. Thus, information security has been less of a priority and has made the legal industry more vulnerable than other industries such as financial and insurance.
What was once an afterthought has become a point of focus for many firms and law departments, security and compliance now primary IT initiatives.
Increased regulation has also driven this shift.
Domestically, states such as California, Massachusetts, and Illinois have expanded their laws and definitions to enact more stringent requirements for protecting Personally Identifiable Information (PII). Internationally, the General Data Protection Regulation (GDPR), implemented in May 2018, applies to the entirety of Europe, with some countries further building on it, such as the UK’s Data Protection Act.
Increased scrutiny isn’t just coming from governmental bodies, it’s coming from within the legal community as well. The American Bar Association (ABA) made amendments to the ABA Model Rules of Professional Conduct Rule 1.1 in August 2012 stating that in order “to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” The following year a special Cybersecurity Legal Task Force within the ABA was delegated to investigate the growing problem of intrusions into the computer systems and networks utilized by lawyers and law firms. Their report stressed that “these breaches undermine the legal profession as a whole by threatening client confidentiality, the attorney-client privilege, and the broader confidential lawyer-client relationship.”
What now?
As network security breaches are becoming more common, the search for financially-feasible solutions has become a primary focus for firms and legal departments. With 93% of large companies and 87% of small businesses in the UK are reporting at least one security incident, and governments and leading industry organizations putting the pressure on, there’s a growing question of how best to protect data.
For corporate law departments that utilize technology vendors to manage and store their sensitive information, it is imperative that those vendors also prioritize information security and are equipped with creditable security certifications. For firms, securing collaborative environments with legal departments has become a point of focus, thus it’s important to find technology tools that handle the relationship and exchange of information securely.
Here at Counself, we take information security seriously so lawyers can focus on their work and clients with peace of mind. Find out more about Counself Risk and how you can use it to manage your vendor risk here as well as the value we place on information security here.
Sources:
- American Bar Association. August 2013 Resolution. Report no. 118, American Bar Association, 2013.
- American Bar Association. AUGUST 2012 AMENDMENTS TO ABA MODEL RULES OF PROFESSIONAL CONDUCT. American Bar Association, 2012.
- Department of Justice, Office of Public Affairs. Manhattan U.S. Attorney Announces Arrest of Macau Resident and Unsealing of Charges Against Three Individuals for Insider Trading Based On Information Hacked from Prominent U.S. Law Firms. By Department of Justice Office of Public Affairs, 27 Dec. 2016.
- Dixon, Creighton, et al. “Notable New State Privacy and Data Security Laws – Part One.” S&W Cybersecurity and Data Privacy Blog, 13 Feb. 2017.
- Friedman, Gabe. “FBI Alert Warns of Criminals Seeking Access to Law Firm Networks.” Big Law Business, Bloomberg Law, 11 Mar. 2016.
- The Global Legal Post. The General Counsel Excellence Report. The Global Legal Post, 2015.
- Kongnso, Fedinand Jaiventume. Best Practices to Minimize Data Security Breaches for Increased Business Performance. Walden University, 2015.
- O’Donoghue, Cynthia, and Eleanor Brooks. “ICO publishes its 2017/2018 Annual Report.” Technology Law Dispatch, Reed Smith, 31 July 2018.
- Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients.