Hacking of law firms highlights serious security breaches for companies entrusting them with sensitive data. A report by Citigroup urged its employees to be mindful of the risks of trusting law firms with sensitive digital data for three reasons:
- Law firms continue to be a high value target for hackers and foreign entities
- Law firm security is below industry standards, given the assets they hold
- Law firms have been unwilling to disclose when they have been breached, and the severity of breaches, despite ongoing pressure from clients and law enforcement officials.
This warning may just as easily apply to all CFOs evaluating whether their company should entrust trade secrets and other sensitive company information to their law firm. Unfortunately, the high level of trust clients have traditionally given their law firms and lawyers has been extended to the data security of confidential company information. That trust and expectation may be misplaced due to a combination of factors: law firms present an especially rich data target for hackers, and they generally have low levels of cybersecurity protection for client information.
The concerns seem warranted given various surveys and reports on law firm security:
- Only 29% of legal firms use 2 factor authentication for remote access (ILTA Tech Survey, 2014)
- Without 2 factor authentication, 71% of law firms are vulnerable to the number one form of hacking attack: the use of stolen passwords. (Verizon Data Breach Report, 2014)
- 80% of the top 100 law firms have been successfully hacked (Mandiant, 2011)
A recent New York Times article highlights the growing friction between Wall Street and law enforcement on one side, and big law firms on another, over the lack of transparency provided by law firms on cyber breaches.
The ramifications of the report extend far beyond Wall Street, as the underlying concerns affect many companies, especially those that rely on trade secrets and intellectual property, such as life science companies and technology companies with unique financial and technical information.
Daniel Garrie, of the Journal of Law & Cyber Warfare, states, “Law firms represent, in today's information security environment, the easiest and richest target to go after...Law firms have no incentive to protect themselves from being attacked because, to date, there has been no meaningful financial impact to the law firms' bottom line.”
Given the tempting target law firms provide hackers, CFOs and Corporate Boards are left with two options:
- Audit their law firm’s security. This requires expertise, resources, and costs that many mid-sized companies cannot assume.
- Retain their own documents and utilize no-cost or low-cost security solutions like:
  - 2 factor authentication on email
  - 2 factor authentication to protect company signature documents, trade secrets, and human resource information (such as SecureDocs or another virtual data room)
  - Permission-based access restriction to limit internal and external access to sensitive information, reducing the likelihood of leaks and the number of computers with access to sensitive information
Whatever path a CFO or Corporate Board takes, trusting the digital security of your outside legal counsel is gambling with your company’s financial information, trade secrets, or human resource information. Basic protection of a company’s secrets is not as complex or costly as many CFOs might think. CFOs and companies may be better off implementing basic security, like 2 factor authentication, and keeping sensitive company information away from their law firm, which may be the weakest link in their security perimeter.