Consider the costs of a data breach:
- Downtime/loss of billable hours
- Loss of reputation
- Consulting fees to security experts
- Corrupted or lost files
- Breach notifications
- Hardware and software replacement
Most readers will be familiar with the fate of Mossack Fonseca of “Panama Papers” infamy. In 2017, several foreign nationals were charged with insider trading after hacking as many as 48 law firms handling M&A matters. The same year saw a major multinational firm, DLA Piper, institute a temporary network and phone system shutdown because of the global Petya ransomware attack.
The headline makers are just the tip of the iceberg. In a survey for the ABA 2018 TechReport, 23% of lawyers reported their firms had experienced a data breach at some point. There are undoubtedly more who have been hacked, but just don’t know it.
Think it’s a Big Law problem? Adjusted for firm size the percentages are higher for mid-sized and small firms.
Ransomware is a universal threat to all industries. Moreover, law firms and other legal services providers are an especially tempting target because they’re a one stop shop for vast quantities of business and personal information. Data that was collected from a wide range of companies, pre-selected for value and often better organized than the originals.
- Phishing and spear-phishing
- Business email compromise
- Data exfiltration
- Data theft and monitoring for insider trading
- Viruses and malware
Compounding the problem, legal professionals are an easy target for phishing/spear-phishing. We publish our email addresses, phone numbers and extensive biographical information on websites and public social media accounts. The purpose is client service and marketing. The unintended result is a data gold mine for bad actors.
Cybersecurity isn’t something other people do. It’s everybody’s problem. This post is the first in a series setting out three reasons why legal professionals must be vigilant about data security and seven essential steps to guard against cyberattacks.