What now seems like a long time ago, in 2011 PricewaterhouseCoopers (PwC) warned that “there is no question that law firms are among the companies being targeted by cyber criminals.” Despite this, many law firms believed that they were unlikely to be the target of a cyber-attack (or simply did not consider the risk significant enough to act on). In the same 2011 report, PwC reported that “a number of law firms believe they were too small or obscure to warrant the interest of professional hackers,” and Legal Week has also reported that law firms are far less likely (of the order of 35%) to have a response plan in place for cyber-attacks than non-legal professionals (a slightly better 52%).
The issue of cyber-security at law firms has been brought to the fore in recent weeks due to two significant data breach incidents which have targeted the legal sector.
In March 2016 New York security firm Flashpoint issued a statement to 48 prestigious law firms warning them that they had been targeted by a Russian cyber-criminal (known as “Oleras”). New York firm Cravath Swaine & Moore (which also has an office in London) confirmed that its systems had been breached the previous summer.
Just a few weeks later, news emerged of a major document leak from the offshore Panamanian law firm Mossack Fonseca. This is the biggest document leak in history – bigger than the 2010 Wikileaks and the 2013 Edward Snowden disclosures combined. More than 11.5 million documents – or 2.6 terabytes of data – were leaked to the German newspaper Süddeutsche Zeitung, which went on to share the leaked information with the International Consortium of Investigative Journalists. The fallout from the leak is significant and continues to generate headline news on a near-daily basis. So far, Iceland’s prime minister Sigmundur Gunnlaugsson has resigned after his family was accused of concealing millions of dollars in an offshore account; Uruguayan lawyer Juan Pedro Damiani has resigned from his role as an ethics judge at FIFA; and FIFA president Gianni Infantino has been accused of signing off a contract entered into by two businessmen who have been accused of paying millions of dollars in bribes to South American football officials. On Tuesday 5th April and Wednesday 6th April, David Cameron and Downing Street confirmed that the prime minister does not benefit from any offshore funds, and on Thursday 7th April the prime minister revealed that he had owned shares in Blairmore Holdings, an offshore fund set up by his father. The UK Prime Minister, as well as various other UK ministers, have now made their tax returns public. And the repercussions continue on a daily basis.
Founding partner of Mossack Fonseca, Ramon Fonseca, has been quoted as saying of the Panama Papers leak that “This is not a leak. This is a hack.”
Whether a leak or a hack, these recent stories raise concerns about the ability of law firms to protect themselves and their clients’ data from data breaches.
In April 2015, the UK Law Gazette reported that in 2014 the Information Commissioner’s Office (the ICO, which is the UK’s national data protection authority) investigated 173 law firms for potential breaches of the UK Data Protection Act 1998. The ICO has noted that data breaches reported by solicitors and barristers increased by 32% from 2013/2014 to 2014/2015, and accounted for 4.5% of all reported breaches. In its 2015 Annual Law Firms’ Survey, PwC reported that 62% of the law firms reviewed had reported being the victim of one or more cyber-attacks, which represents an increase of nearly 20% from 2014 (when 45% of the law firms reviewed had reported a cyber-attack).
Why are law firms being targeted by cyber-attackers?
Cyber-attackers attack companies, including law firms, to obtain information for a variety of reasons, including economic (or industrial) espionage, insider trading, holding the victim to ransom, making fraudulent purchases and of course for ideological causes. In the case of the Oleras hack, reports have stated that the hackers were seeking insider information in relation to confidential, undisclosed mergers and acquisitions in order to use this information for insider trading. In 2012, an Anonymous offshoot, “AntiSec,” hacked a Washington law firm claiming to have done so in order to expose “rich and powerful oppressors.” So why go for law firms? The Law Society of England and Wales believes it is because “law firms are particularly attractive sources of information.” Law firms are often considered to be “soft targets,” providing easier access to confidential information about businesses than those businesses themselves due to the fact that, for the most part, they have relatively lax security systems in place.
What can law firms do to protect themselves against data breaches?
The ICO, the Law Society of England and Wales, and the English Solicitors Regulation Authority (the SRA) all recognize the increased threat of cyber-attacks to law firms and have each published guidance setting out practical steps that can be taken to improve security. The Law Society has set up a page dedicated to providing advice to lawyers and law firms on how to avoid cyber-attacks, and the SRA has published a document dedicated to highlighting cybercrime risks to law firms and also its latest Risk Outlook report, both of which provide practical advice for legal practitioners.
The ICO has also published some “top tips” to help lawyers keep the data they handle secure:
- keep paper records secure. Do not leave files in your car overnight and do lock information away when it is not in use;
- consider data minimisation techniques in order to ensure that you are only carrying information that is essential to the task in hand;
- where possible, store personal information on an encrypted memory stick or portable device. If the information is properly encrypted it will be virtually impossible to access it, even if the device is lost or stolen;
- when sending personal information by email consider whether the information needs to be encrypted or password protected. Avoid the pitfalls of auto-complete by double checking to make sure the email address you are sending the information to is correct;
- only keep information for as long as is necessary. You must delete or dispose of information securely if you no longer need it; and
- if you are disposing of an old computer, or other device, make sure all of the information held on the device is permanently deleted before disposal.
For UK firms, a cyber-attack could reveal a breach of a law firm’s obligations to the SRA as well as under the Data Protection Act 1998, and is likely to result in damage to the firm’s reputation and its client relationships (past, current and potential), loss of business, and a huge investment of time and resources to remedy the breach. In light of this and of recent events, it is time for firms which have not already done so to assess their data breach risks and put appropriate security measures in place as a business priority.