Speed read

Law firms can be juicy places for hackers to dig up their clients’ confidential information, ranging from IP and patents to M&A information (thereby getting around the company’s own cyber security defences). Recent US and UK data shows a fair bit of activity, as IT industry reporter, The Register, outlines in its 16 April article, Miscreants rummage in lawyers’ silky drawers at will, despite warnings.

For example, the article reports that at least 80% of the largest law firms in the USA have been involved in breaches since 2011.

That’s a heads-up for both companies and law firms. Companies with great security might see their confidential information walking out via another back door. Similar issues arise with other external advisers such as accountants and consulting firms.

There’s more information in our articles, Top 100 General Counsel position on cyber security law and practice, What lawyers need to know about BYOD: Bring Your Own Devices, and in a useful article recently in LawTalk, Stop using free email services, expert says.

The Detail

In the UK, the equivalent of our Privacy Commissioner – the Information Commissioner – last year warned lawyers to be careful around data security. Plus the English Law Society issued cloud computing guidelines for solicitors. Those guidelines have been picked up by our own Law Society in Practice Briefing: Cloud Computing Guidelines for Lawyers.

The Register, in the article above, noted that 173 UK law firms were investigated last year by the Information Commissioner (although we expect quite a few will not be IT breaches, eg, they would include paper-based breaches). The issues raised include encryption, use of Dropbox, cloud computing, etc.

A recent Bloomberg article, Cyber Attacks Upend Attorney-Client Privilege, gives useful examples of attacks in the US and what law firms and their clients are doing about it, especially at the big end of town:

“Many Wall Street banks, including Bank of America and Merrill Lynch, typically require law firms to fill out up to 20-page questionnaires about their threat detection and network security systems. Some clients are even sending their own security auditors into firms for interviews and inspections.”