Time for mandatory breach notification for law firms?

The FBI has been on their case for several years. Their key banking clients have warned them that they are woefully underprepared to keep their hugely valuable data secure from cyber attack. But how much have law firms paid heed?

Quoted in American Lawyer, John Reed Stark, a former SEC enforcement lawyer, says: “I just don’t get the sense that law firms really want to seriously engage for risk and security assessments” event though he could foresee a breach so catastrophic that it could be “the death knell of a law firm. I’m not sure that law firms truly appreciate that.”

But now – or rather in mid-2015 but revealed now – the legal industry has truly had the wake-up call. In late March,the FBI issued a Private Industry Notification to law firms indicating that a cybercrime insider trading ring was targeting “information used to facilitate business ventures.” Seemingly dozens of law firms were targeted by a Russian hacker, “Oleras”, seeking information on M&A deals.

Just days later hackers breached the most prestigious law firms in the US, including Cravath Swaine & Moore and Weil Gotshal & Manges. Other firms also were breached and hackers, in postings on the internet, are threatening to attack more. The billions of dollars-worth of confidential information inside law firms is now firmly on cybercriminals’ radar.

Legal firms have long been singled out as especially vulnerable to cyber attack. They are guardians of huge amounts of highly sensitive data attractive to both commercially-driven and state cyber threats. They are also dependent on ease of information flow and access. Information must routinely be shared across geographies and technologies.

Also, personality-driven partnership structures are notoriously difficult for compliance and risk functions to influence.(De-coded: partners can be arrogant and egotistical, often technophobic and tech illiterate, and don’t respond well to being told what they must do by people they regard as mere functionaries.)

This combination of high-value information, SME-like structures and constant information sharing are still making law firms tough to secure.

The latest revelations are interesting for three reasons: first, the FBI’s warning is a specific red flag that law firms are definitely being targeted. Second, the top firms have been breached; third, the breach has been made public – albeit six months late.

This unwillingness to disclose problems is a recognition of the reputational damage that data breaches can create, but it is also a symptom of wider problems. Law firms are still understaffed in cyber security. They still face significant cultural problems in addressing the problem at senior level. They generally do not share their experiences – and if they do only within the industry.

But should this change? It’s clear that law firms are the targets of phishing scams, ransomware and all the other tools of the cybercriminal community (some have paid seven figure ransoms already). It’s clear that sensitive debt, IPO and M&A data is vulnerable, data which the companies involved in the transactions would themselves have to declare breached but which confer no such obligation on the law firms that store them. And it’s clear that while they are able to hide failures, law firms have little motivation to do better.

So is it time for mandatory notification and would that change law firms’ attitude to and investment in cyber-security?

B2B media executive with an unusually broad and international range of experience in both the editorial and commercial aspects of publishing, social media and events. I write a range of content types on technical subjects in wholesale finance and IT and have interviewed senior figures from the public and private sector globally for many years.

Related posts

Your thoughts