Can law firms put a price on their clients’ privacy?

Law firms are a one-stop-shop for cyber criminals – not only can they get their hands on large financial transactions, but there’s plenty of sensitive, highly valuable client information to be had too. Protecting this confidential information is paramount to law firms keeping their reputation – and the reputations of their clients – intact.

Confidentiality is at the heart of the legal sector, with individuals and businesses alike placing their trust in law firms to transact securely and discreetly on their behalf. A breach of this trust can mean the end of the road for a law firm – just look at Mossack Fonseca, the firm that lost 11.5 million documents (2.6TB of data) in a 2016 breach dubbed the ‘Panama Papers’, due to weaknesses in their client portal which hadn’t been updated. The sensitive information in those documents about wealthy, famous, and public office clients was exposed to the press. Mossack Fonseca never recovered from the massive reputational damage caused by the breach, and was forced to close.

Law firms’ reliance on digitised information makes them particularly vulnerable to data breaches. They are accustomed to taking instruction and conducting transactions almost exclusively via email, including the transfer of extensive amounts of confidential, personal, and financial information. The constant movement of this information increases the risk of exposure.

The impact of the media

The affairs of high net worth individuals are temptingly lucrative targets for cyber criminals. Secrets and scandals sell newspapers. The 2017 ‘Paradise Papers’ scandal saw 13.4 million files leaked to the International Consortium of Investigative Journalists. The documents were stolen from Appleby, a major offshore law firm based in Bermuda that “specialises in advising some of the world’s wealthiest individuals”. The files showed the multitude of ways companies and affluent individuals avoid tax, and included names and financial information. Needless to say, the press had a field day.

Getting personal

It’s not just the rich and famous who are at risk of having their confidential information stolen. Enlisting the services of a law firm normally involves sharing a small library of personal information which, in the wrong hands, could easily lead to identity theft and fraud. Clients’ names, addresses, dates of birth, financial records, and sometimes medical information are all held by law firms, and usually transferred by email.

Law firms need to be particularly careful with this level of sensitive personal information, not least because of the further crimes it could be used for if stolen. The introduction of the GDPR in 2018 has already seen eye-watering fines making the headlines for Marriott and BA. Any breach of personal information must be reported, and fines are levied against the company that held the data for not adequately protecting it.

Finding the weakest link

Law firms are privy to some of the world’s most sought-after business secrets, through their contracts and transactions with multinational businesses. State-sponsored attacks are a daily occurrence against these businesses, targeting their top secret IP to gain a commercial advantage.

Cyber criminals are sometimes much more subtle in their approach than targeting the big fish straightaway. Smaller law firms are more likely to outsource certain services to external suppliers, especially for large contracts – these third party systems can provide an easy route in for cyber criminals if they’re not sufficiently secure. All it takes is one poorly protected link in the supply chain to expose sensitive data and privileged information. Law firms need to be able to demonstrate that they can protect all client information, both up and down the supply chain.

What’s the best approach?

Law firms are required to go through rigorous checks and certifications to transact as a law firm, which engenders implicit trust that the firm clients are dealing with is legitimate and secure. Clients don’t expect that such a pillar of security can be spoofed and compromised by cyber criminals. Law firms need to make sure they can keep hold of the secrets their clients entrust them with.

The potential cost of a data breach – including malpractice suits, significant loss of business, and hefty GDPR fines – is substantially more than the cost of implementing preventative measures. Law firms must ensure their cyber security strategy includes proactive detection methods that flag non-compliance and potential data breaches before they can cause damage. For example, law firms should use technology that scans all outbound emails to identify when multiple email addresses have been entered into the CC field, which could constitute a GDPR breach. If such an event is detected, the email can be quarantined before it leaves the firm, preventing the breach, and the IT admin notified.
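The outbound-mail check described above, as an added illustration rather than code from the article or from CORVID: it parses a message, counts the distinct external addresses in the CC field, and returns a quarantine-or-deliver verdict plus the text of an admin notification. The firm's domain, the CC threshold and the two sample messages are constructed assumptions; a real deployment would run this in the mail gateway's policy hook.

```python
"""Added example (not the article's or CORVID's code): a simple outbound
e-mail policy check that quarantines messages carrying several external
addresses in CC, so recipients cannot see one another's addresses.
Assumptions: the firm's domain, the threshold and the sample messages."""
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import getaddresses

FIRM_DOMAIN = "example-lawfirm.test"   # assumption: the firm's own mail domain
CC_THRESHOLD = 2                        # assumption: more external CCs than this is flagged


@dataclass
class Verdict:
    action: str                       # "deliver" or "quarantine"
    external_cc: list = field(default_factory=list)
    reason: str = ""


def external_cc_addresses(raw_message: str) -> list:
    """Return distinct, lower-cased CC addresses outside FIRM_DOMAIN."""
    msg = message_from_string(raw_message)
    # Cc may appear as more than one header line; get_all returns them all.
    pairs = getaddresses(msg.get_all("Cc", []))
    external = []
    for _display_name, addr in pairs:
        addr = addr.strip().lower()
        if "@" not in addr:
            continue                      # malformed entry, ignore
        domain = addr.rsplit("@", 1)[1]
        if domain != FIRM_DOMAIN and addr not in external:
            external.append(addr)
    return external


def check_outbound(raw_message: str) -> Verdict:
    """Decide whether the message may leave or must be held for review."""
    external = external_cc_addresses(raw_message)
    if len(external) > CC_THRESHOLD:
        return Verdict(
            "quarantine", external,
            f"{len(external)} external addresses in CC exceeds limit of "
            f"{CC_THRESHOLD}; recipients would see each other's addresses",
        )
    return Verdict("deliver", external, "CC field within policy")


def admin_notification(verdict: Verdict, subject: str) -> str:
    """Text that would be sent to the IT admin when a message is held."""
    if verdict.action != "quarantine":
        return ""
    held = ", ".join(verdict.external_cc)
    return f"QUARANTINED '{subject}': {verdict.reason}. Held CC: {held}"


# Constructed sample messages (not real mail).
OK_MESSAGE = """From: solicitor@example-lawfirm.test
To: client@client-one.test
Cc: paralegal@example-lawfirm.test, Accounts <accounts@example-lawfirm.test>
Subject: Completion statement

Please find the completion statement attached.
"""

RISKY_MESSAGE = """From: solicitor@example-lawfirm.test
To: claimant-a@mail-one.test
Cc: claimant-b@mail-two.test, Claimant C <claimant-c@mail-three.test>,
 claimant-d@mail-four.test, claimant-b@mail-two.test
Subject: Update for all claimants

Dear all, please see the attached update.
"""

if __name__ == "__main__":
    for raw in (OK_MESSAGE, RISKY_MESSAGE):
        v = check_outbound(raw)
        subj = message_from_string(raw)["Subject"]
        print(v.action, "-", v.reason)
        if v.action == "quarantine":
            print(admin_notification(v, subj))
```

The duplicate address in the second sample is counted once, and addresses on the firm's own domain are not counted at all, so the rule only fires on the case the article describes: several outside parties copied on one message.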

If a data breach does occur, law firms need to be able to prove compliance with strict data protection regulations, by confidently and accurately reporting exactly what information was accessed, who accessed it, and whether data was exfiltrated from their systems. Questions that need to be answered include how and where the security breach took place, what information was accessed, how systems can be recovered quickly, and how to prevent it from happening again.

Answering these questions gives a comprehensive response, enabling any law firm to report to the ICO in full. Once the issue has been resolved, the firm can reassure clients and stakeholders that its systems are secure.

Andy Pearch, Head of IA Services, CORVID