Despite not being designated as one of the nation's critical infrastructure sectors, law firms are a treasure trove of high-value and highly sensitive data. Beyond the detailed personal information of your own partners and employees (financial data, health information subject to HIPAA, and other private information residing on your human resources platform and elsewhere across your organization's digital footprint), the client work itself makes law firms lucrative cybercrime targets:
- Corporate firms are regularly involved in closing deals, whether the purchase or sale of a business, the acquisition of a property, or the transfer of money between two parties;
- Intellectual property attorneys periodically prepare and file patents on behalf of high-profile clients, and the theft of that unfiled material could prove financially devastating to the client; and
- Litigation firms periodically handle the disbursement of multi-million-dollar settlements to individual clients as well as class action claimants.
A security breach that compromises a client's privacy, financial information, or vital intellectual property carries a massive financial risk for your firm, and an equally large (if not larger) reputational risk once the breach becomes public.
“If you were a hacker, would you try to attack a patent creator (who likely has their digital security tightly buttoned up), or would you look for an easier way to grab the IP by attacking their attorney? We’ve seen firms, unbeknownst to them, have criminals hack into their email servers. The fraudsters often lie in wait for weeks or even months, monitoring activity and waiting for the right opportunity.”
– John Wirtz, Principal, Tangent Zero
Sometimes attackers are after valuable information that can be sold. More often, however, they are looking for a chance to divert funds the firm is transferring: having compromised a mailbox on one side of the transaction, or simply spoofed the client's address, they send an email that appears to come from the client and asks that the funds be redirected to a different account. This is the business email compromise (BEC) pattern. It defeats no encryption and exploits no software flaw; it only requires that the firm act on emailed payment instructions without confirming them through a separate channel.
These data security issues certainly aren't specific to the legal profession or any one industry. They are a byproduct of an ever-increasing reliance on digital tools, and threat actors are highly skilled at exploiting it. What's most worrisome, however, is that law firms tend to underestimate just how high-value a target they are. So much sensitive data flows through your staff's and attorneys' hands and sits on your servers that you may not realize its true value.
Potentially on the Hook
Recently, a lawsuit was filed against an Am Law 100 firm claiming breach of fiduciary duty relating to the firm's role in a botched wire transfer: significant funds were sent to a fraudulent account in Hong Kong on the strength of emailed instructions that the firm failed to verify with the client by voice.
Over the past decade, more and more firms have struggled with how to manage the security of their infrastructure as a growing number of professionals travel with laptops and mobile devices and need to access and transfer critical data while on the go. How do you protect that information in transit, and how do you design an infrastructure that provides a high degree of security without overly burdening your attorneys?
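The failure in the case above is procedural rather than technical: emailed wire instructions were acted on without an out-of-band check. The following is an added example, not code from the original article or from Truist, showing what an automated pre-screen of a "change of wire instructions" email might look like. The client domain allow-list, the two sample emails, and the gateway's Authentication-Results header values are all constructed for illustration. The screening flags lookalike sender domains, a Reply-To that diverts replies elsewhere, a missing DMARC pass, and language that changes payment instructions; its key design point is that any instruction change requires a voice callback to the number already on file, regardless of how clean the headers look.

```python
"""Pre-screen an inbound wire-instruction e-mail before anyone acts on it.

Added illustration for the article above; not a vendor product or any firm's
actual procedure. Domains, addresses and messages below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list: client sending domains the firm verified out of band.
KNOWN_CLIENT_DOMAINS = {"acme-holdings.com", "northwind-llc.com"}

# Phrases that typically accompany a request to redirect a payment.
INSTRUCTION_CHANGE_PHRASES = (
    "new account", "updated wire", "new bank", "changed bank",
    "new beneficiary", "different account", "instead",
)


def _domain(header_value: str | None) -> str:
    """Lower-cased domain of an address header, or '' if absent/malformed."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1-2 between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known: set[str]) -> str | None:
    """Return the known domain this one imitates (distance 1-2), else None."""
    for k in known:
        if domain != k and 0 < _edit_distance(domain, k) <= 2:
            return k
    return None


@dataclass
class Screening:
    flags: list[str]
    require_callback: bool  # act only after a voice call to the number on file


def screen_wire_instruction_email(raw: str, known: set[str] = KNOWN_CLIENT_DOMAINS) -> Screening:
    """Return the warning flags for one RFC 822 message and whether a callback is mandatory."""
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To")) or from_dom
    body = (msg.get_payload() or "").lower()
    auth = (msg.get("Authentication-Results") or "").lower()
    flags: list[str] = []

    if from_dom not in known:
        imitated = lookalike_of(from_dom, known)
        flags.append(f"sender domain {from_dom!r} imitates {imitated!r}" if imitated
                     else f"sender domain {from_dom!r} is not a known client domain")
    if reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    if "dmarc=pass" not in auth:
        flags.append("no DMARC pass recorded by the receiving gateway")

    changes_instructions = any(p in body for p in INSTRUCTION_CHANGE_PHRASES)
    if changes_instructions:
        flags.append("message asks to change payment instructions")

    # Policy: a change of payment instructions is never acted on from e-mail alone,
    # however clean the headers look; it must be confirmed by phone to the number on file.
    return Screening(flags, require_callback=changes_instructions)


# Constructed sample: lookalike domain (l for i), webmail Reply-To, DMARC fail.
FRAUDULENT_EMAIL = """From: Dana Lee <dana.lee@acme-holdlngs.com>
Reply-To: dana.lee.acme@webmail-example.com
Subject: Closing funds - updated wire details
Authentication-Results: mx.example-lawfirm.com; dmarc=fail

Hi, please send the closing funds to our new account in Hong Kong instead of the one you have on file. Details attached.
"""

# Constructed sample: legitimate message from the verified client domain.
LEGITIMATE_EMAIL = """From: Dana Lee <dana.lee@acme-holdings.com>
Subject: Draft closing statement
Authentication-Results: mx.example-lawfirm.com; dmarc=pass

Attached is the draft closing statement for your review.
"""

if __name__ == "__main__":
    for label, sample in (("fraudulent", FRAUDULENT_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        result = screen_wire_instruction_email(sample)
        print(label, "callback required:", result.require_callback)
        for flag in result.flags:
            print("  -", flag)
```

The header checks are only a tripwire; DMARC passes and Reply-To matches whenever the attacker is sending from a genuinely compromised client mailbox, which is exactly the "lie in wait for weeks or months" scenario described earlier. That is why the callback requirement is tied to the content of the request, not to the outcome of the header checks.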
With the onset of the COVID-19 pandemic, however, everything accelerated. For many firms, the need to migrate to a fully remote operation occurred in a matter of days. How could anyone ensure they had everything lined up to manage that type of transition? And even once the transition was made, how do you provide ongoing monitoring and oversight? What sort of strong internal checks and balances on authorization levels need to be established?
2021 technology budget considerations
As you think about your technology budget for the year ahead, it’s important to do so with a clear view of the steps required to shore up your firm’s data lifecycle management security.
1. Know – most of us vastly underestimate the amount of sensitive data we actually possess. Start by conducting a thorough review/evaluation of the type and nature of data that’s stored in every nook and cranny of your firm’s technology infrastructure.
2. Classify – once you have a clearer understanding of all the sensitive information you own (both client and employee data), create a system to classify it according to security level. Which users should have access to it, and at what point in time should the data be destroyed?
3. Protect – have a plan for how you will secure access. Who has access, and by what means? How will data be backed up or replicated for continuity of access?
4. Archive – once access to data is no longer regularly required, create a system to archive that information with reduced access that adheres to any legal hold duration stipulations that may be mandated.
5. Purge – your goal should be to retain items ONLY as long as needed. The challenge lies in deciding how long to keep data when, typically, firm users accumulate sensitive data in a single giant "storage pool" that is never classified or cleaned up.
Corporate law firms with intellectual property, labor and employment, hospital and healthcare, and real estate practice groups (as well as contingency litigation firms) need to be especially vigilant when it comes to potential cybercrime vulnerabilities. Adding further complexity are expanding international "right to be forgotten" laws (in the EU, the right to erasure under Article 17 of the General Data Protection Regulation, or GDPR), which give individuals the right to demand that their personal data be expunged on request. While this seems relatively straightforward, it quickly becomes an immensely difficult task, since data is frequently replicated and can therefore live on different servers in different locations; an erasure request cannot be satisfied until every copy, including replicas and archives, has been located. Note also that the GDPR's reach is determined not by where your servers sit but by whether your firm is established in the EU or offers services to, or monitors, individuals who are in the EU, so moving data to a server outside Europe does not take it outside the regulation. It's a challenge that will require a whole new approach to managing and tracking the data you store.
While Truist’s Legal Specialty Group professionals aren’t information security experts, the fact that we have such extensive and diverse legal relationships means that we’re closely attuned to trends and developments that extend beyond the scope of financial services. We speak at length and work closely with a number of information security leaders who cater to the legal profession.