Eye on Discovery – 11.5 Million Reasons for Law Firms to Take Data Security Seriously
In early April, we bore witness to what may be the largest data breach in history: 11.5 million confidential documents spanning 40 years were leaked from Panamanian law firm Mossack Fonseca to German newspaper Süddeutsche Zeitung. So far, the aftermath of the Panama Papers has included speculation about potential money laundering, fraud and corruption by numerous world leaders, sports figures and billionaires. The Prime Minister of Iceland has already resigned, with more fallout still to come as the U.S. Attorney for the Southern District of New York recently launched a criminal investigation into matters disclosed in the breach.
The law firm claims the leak resulted from an unauthorized breach of its email server, though some have speculated that an internal source was to blame. Regardless of the cause, the scandal has highlighted the need for law firms to closely examine their cybersecurity practices. Going forward, regulators as well as clients are likely to demand security audits, and law firms should focus on shoring up their cybersecurity to comply with data protection laws as well as their ethical duty to protect their clients’ data.
Here are 11.5 strategies law firms can immediately employ to begin improving their data security.
1. Form a data security team.
Law firms cannot afford to delegate security to IT and forget about it. To ensure every aspect of the firm is considered, law firms should establish a data security team consisting of IT, practice leaders, security personnel, human resources, procurement, finance, and other key departments. Law firms should consider hiring one or more information security professionals who can guide investments and initiatives with the requisite skill and experience. Breach response plans and periodic breach exercises ensure the team is ready to handle a breach scenario.
2. Create robust data security policies.
The firm should establish written information security policies regarding the use of data, including data stored on mobile devices and portable devices such as laptops and thumb drives. Remote access policies should address the risks of public Wi-Fi areas. Data Classification Standards should instruct employees about the sensitivity of information and where it may be stored or shared, either internally or through external cloud services.
3. Require the use of complex passwords.
Law firms must require employees to use complex passwords with a combination of letters, numbers, and symbols. Firms must also prompt employees to change their passwords frequently—at least twice a year. Employees should also turn on password settings on all of their mobile devices, or better yet, firms should enforce device passwords with Mobile Device Management software.
4. Promote cybersecurity awareness.
It takes more than policies to weave security into the firm culture, and risky user behavior is often a significant weakness in law firm security. Firms should require training on current best practices and policy requirements and send periodic updates to remind employees regarding their role in protecting client data. In a law firm environment, this should include all personnel who may come into contact with client information, from partners and paralegals to temps and cleaning staff.
5. Keep technology up-to-date.
Firms should implement security patches and updates as soon as they are available. Mossack Fonseca had not updated its Outlook Web Access login since 2009 or its client login portal since 2013. The firm’s website relied on an outdated version of WordPress, while its client portal opened itself to hackers by using an outdated open-source content management system with at least 25 known vulnerabilities. The same holds true for protective technologies, such as antivirus, anti-spyware, and firewall solutions – they should all be kept up to date with the latest versions.
6. Encrypt emails and mobile devices.
Mossack Fonseca did not encrypt its email. But given the sensitivity of privileged materials, work product, trade secrets, and other proprietary and confidential email traveling through cyberspace, it makes sense to accord email the highest level of security. As email encryption over the internet requires that each client support encryption on their end as well, consider additional software for secure end-to-end messaging for highly sensitive files and information. Law firms should also encrypt client data while at rest as well as while it is in motion across a network. All laptops, smartphones and other mobile devices should be encrypted.
7. Govern data with an iron fist.
Law firms should create a data map that inventories their data sources, hardware and software systems and categorizes them according to their risk. They should then deploy escalating security measures commensurate with the risk. Client data should be retained only as long as it has a legal or business purpose; thereafter, it should be destroyed as part of an information governance program.
8. Compartmentalize sensitive information.
Access to client information should be restricted on a “need to know” basis. Only those personnel working on a client or matter should have access to the information. Further, some highly sensitive information should be restricted to an even smaller subset. Databases that contain sensitive information should also be segmented across multiple systems, so that hacking into only one of them doesn’t provide useful information. Law firms should also consider storing information in some regions and countries locally rather than centrally, based on risk profiles and data sovereignty laws.
9. Monitor data traffic.
Law firms should consider installing controls that alert information security personnel when there is a large spike in outbound data transfer, or an unusual number of files accessed by an employee as compared to a normal working day. An intrusion detection system can warn about malicious activities or violations of security protocols.
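A minimal version of the per-user baseline alert described above, as an added example that is not part of the original article: each user's day is compared against the mean of that user's earlier days, and a day whose distinct-file count or outbound bytes exceed a multiple of that baseline is flagged. The log format, the threshold factor and the log lines themselves are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean
# Constructed sample access log (not from the article): "date time user action path bytes_out".
SAMPLE_LOG = """\
2016-04-01 09:12 alice open /clients/acme/contract.docx 0
2016-04-01 10:05 alice open /clients/acme/notes.docx 0
2016-04-01 11:20 alice send /clients/acme/contract.docx 240000
2016-04-02 09:30 alice open /clients/acme/memo.docx 0
2016-04-02 14:10 alice open /clients/acme/contract.docx 0
2016-04-02 15:00 alice send /clients/acme/memo.docx 180000
2016-04-03 08:02 alice open /clients/acme/contract.docx 0
2016-04-03 08:03 alice open /clients/beta/trust_deed.pdf 0
2016-04-03 08:04 alice open /clients/gamma/shareholders.xlsx 0
2016-04-03 08:05 alice open /clients/delta/bank_letters.pdf 0
2016-04-03 08:30 alice send /exports/all_clients.zip 4800000000
2016-04-01 09:00 bob open /clients/acme/contract.docx 0
2016-04-03 09:00 bob open /clients/acme/memo.docx 0
"""

def parse_log(text):
    """Split each line into (date, user, action, path, bytes_out)."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(d, u, a, p, int(b)) for d, _t, u, a, p, b in rows]

def daily_stats(records):
    """Per (user, day): (distinct files touched, bytes sent out)."""
    files = defaultdict(set)
    sent = defaultdict(int)
    for date, user, action, path, nbytes in records:
        files[(user, date)].add(path)
        if action == "send":
            sent[(user, date)] += nbytes
    return {key: (len(paths), sent[key]) for key, paths in files.items()}

def detect_spikes(records, factor=2.0):
    """Flag a user's day whose file count or outbound bytes exceed `factor` times
    that user's mean over earlier days; the first day has no baseline."""
    per_user = defaultdict(dict)
    for (user, date), counts in daily_stats(records).items():
        per_user[user][date] = counts
    alerts = []
    for user, days in per_user.items():
        history = []
        for date in sorted(days):
            nfiles, nbytes = days[date]
            if history and (nfiles > factor * mean(f for f, _ in history)
                            or nbytes > factor * max(1, mean(b for _, b in history))):
                alerts.append((user, date, nfiles, nbytes))
            history.append((nfiles, nbytes))
    return alerts
```

In the constructed log, alice's third day touches five files across four client folders and sends a 4.8 GB archive, so it is flagged while bob's steady one-file days are not.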
10. Test for vulnerabilities.
Antivirus software is not enough to safeguard against today’s sophisticated attackers. IT personnel should monitor firewall and other system logs and conduct regular penetration testing and auditing. Many firms have retained an external security vendor to perform periodic intrusion testing of their networks to identify potential vulnerabilities. Many corporations demand this from their third-party providers, and increasingly, law firms fall into this category.
11. Assess vendor data access.
Before law firms give third parties access to client data, a thorough review of the vendor’s policies is necessary. Vendors must contractually agree to follow the law firm’s protocols and should employ features to safeguard data against unauthorized access, including encryption and password protection. Regular assessments and audits of vendor security practices ensure compliance with contractual agreements and latest security best practices. Using an external consulting firm to assess the vendors’ security practices is an extension of the corporate expectations placed on the law firm itself.
11.5. Constantly re-evaluate your firm’s security posture.
Data security risks are ever-changing, and so must be the tactics law firms use to meet them. The data security team should meet regularly to evaluate evolving threats and confirm that its policies follow the latest security best practices.
Implementing these 11.5 strategies can create a strong data security foundation that lessens threats and mitigates the risk of reputational damage and economic fallout in the event of a breach. Moreover, it can make firms more appealing to prospective clients who want to ensure the safest haven for their most important information.