LAW FIRMS ARE A ONE-STOP SHOP
It’s not difficult to fathom why law firms appeal to hackers. When you need groceries, you go to a supermarket, and when you’re looking to redecorate your living room, you go to a furniture store. Sure, you could visit several stores buying a few things at each one, but that’s not efficient. Or, you could opt for a visit to Walmart, but your choices will be much more limited and skewed toward the lower end of quality.
So, if you’re a hacker and you want the most valuable data with the least amount of effort and the greatest chance of success, a law firm is your Land of Plenty.
The American Bar Association (ABA) says that one-in-four (26%) law firms has been the victim of some sort of data breach, and an additional 19%, or one-in-five firms, were honest enough to admit they didn’t actually know if they had been breached or not.
So, for the remaining 65% of firms that report they haven’t been breached, it’s possible that some have been compromised without knowing it or simply decided not to report it. While all states have security breach notification laws, there are differences in harm thresholds, what constitutes personally identifiable information (PII), and even the definition of a breach.
When any one company’s network is hacked, it will likely provide access to PII about its employees and customers and maybe some trade secrets or useful financial information. But there is also a lot of useless data to cull through to find the good stuff.
ENTER THE LAW FIRM
A law firm has all of that good stuff tied up in a bow. Most of their data is confidential or sensitive information and can include embarrassing secrets or illegal activity that can damage a client’s reputation. Law firm files may also contain information that makes it easier to hack into a client’s network.
Consider all the confidential information that law firms have on intellectual property, trade secrets, contracts, business strategies and nondisclosure agreements, which represent valuable information for a company’s competitors…or for that matter, China. And let’s not forget the financial gain of a well-timed stock purchase or short. Law firms house all the nonpublic information that could impact a company’s stock price when that nonpublic information becomes public: information on mergers & acquisitions, research & development, investment plans, and pending legal or financial trouble, as a start.
LAW FIRMS HAVE A BAD REPUTATION IN THE CYBERSECURITY DEPARTMENT
Whether it’s true or not, hackers consider law firms to be easy targets and lagging in cybersecurity sophistication. What is true, however, is that lawyers tend to be continually time-pressured, which can lead to cutting corners on security practices.
Further, the ABA TECHREPORT 2019: CYBERSECURITY indicates that only 44% of law firms use file encryption, 38% use email encryption, and 22% use disk encryption. Local backups were made by a mere 27% of the survey’s respondents and only 23% performed vendor due diligence. Just last month it was reported that data from 193 U.K. law firms, which had been uploaded to a legal software company’s database, was exposed.
This highlights another problem for law firms — data in motion is the data that is most vulnerable to attack, yet lawyers regularly communicate sensitive information to clients and third parties, mostly in electronic form, and frequently unencrypted and via unsecured channels.
MORE TO COME
The Grubman, Shire, Meiselas & Sacks hack highlights that law firms store valuable data. In this case it was 756 gigabytes of data, which is not insignificant. In our next blog, we’ll have some fun exploring what 756 GB looks like.