When it comes to the security of sensitive legal information, you don’t have to be a Panamanian law firm with star-studded clientele to have a huge target on your back. Recent breaches at some of the country’s most prestigious law firms, including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, reveal the growing cyber threats facing the legal industry.
Legal data is at risk because it’s valuable. What exactly is legal data? Legal data can include but is certainly not limited to: contracts, investigation results, patent filings, as well as corporate personnel and financial information. More often than not, legal data is highly sensitive and confidentiality is stressed under attorney-client privilege. Many law firms for example have confidential information about mergers and acquisitions (M&A). If stolen, this information can be used for insider trading or gaining an upper hand in negotiations. A Russian hacker in fact recently targeted 48 of the AM Law 100 firms, specifically seeking data on M&A transactions.
There are a number of reasons why legal data is at risk beyond the value of the data itself. Here are a few considerations partners and legal IT teams should be aware of:
- Hacktivists (hacker activists) sometimes attack law firms for social or political causes.
Hacktivists sometimes target law firms because of the clients they represent. For example, in 2012 hacktivists associated with the group Anonymous attacked Puckett & Faraj, because the firm was defending a United States soldier who had pleaded guilty in connection with his role in the death of 24 Iraqi civilians.
- Cybersecurity at law firms is often ineffective at countering today’s sophisticated threats.
According to FBI officials and security experts, “law firms remain a weak link when it comes to online security.” IT may be a second or even third priority at law firms, treated as operational support rather than strategic infrastructure. Also, many firms likely lack the expertise to secure their networks and devices, which are only becoming more diverse and complicated with “Shadow IT” applications and a BYOD culture.
- Law firms are vulnerable to attacks from within and without.
Just as Target was breached through one of its partners (an HVAC service), law firms are vulnerable to attack from insiders and partners such as auditors and strategic communications firms. Vulnerabilities in these organizations might eventually be used to attack law firms directly.
- Security attacks are more sophisticated than ever before.
Phishing attacks, ransomware, SQL injections—the list of security attack techniques goes on. These attacks continue to be successful, even in organizations that pride themselves on IT security. As long as these techniques are effective, hackers will continue using them.
Keeping Law Firm Data Secure
To counter these threats, law firms should do the following:
- Make IT security a strategic imperative.
A data breach can easily lead to a breach of attorney-client privilege and ultimately damage a law firm’s hard-earned reputation. IT security therefore must be a partner-level priority.
- Assess vulnerabilities on an ongoing basis.
Law firms should monitor all of their IT assets and use vulnerability scanning and other assessments to identify any vulnerabilities in their network.
- Secure content in transit and at rest.
Law firms need to protect content whether it’s stored on-premises, in the cloud, on a device or in transit between these endpoints. Firms must also ensure their security policies are current with the devices and storage being used.
- Educate employees about cybersecurity threats and best practices.
Teach employees about the risks of phishing, social engineering, and other attacks. Best practices for storing and sharing content securely should also be stressed.
kiteworks for Legal
kiteworks is a secure content collaboration solution on private cloud for law firms that enables legal professionals to securely share and collaborate on sensitive legal documents with internal teams, opposing counsel, and clients without risking leakage of confidential client information.
There are a number of security features within kiteworks. These include:
- Encryption of all content in transit, in use and at rest.
- Encryption key ownership.
- Secure containers that shield content from malware or data breaches.
- Leak-proof editing so that employees can access and edit Microsoft documents, and annotate and redline PDFs without jeopardizing data security.
- Role-based access controls for restricting access to and distribution of content.
- Audit trails for all distribution of content.
- Support for digital rights management, such as watermarking, view-only mode, and withdrawing content after it has been shared.
- Integrations with SharePoint, EMC Documentum, Box, and other popular content systems, for single pane of glass access to enterprise content.
- Support for remote wipe on mobile devices and desktop systems should devices be lost or stolen or when employees leave the organization.
Not only does kiteworks help preserve attorney-client privilege, it also helps law firms demonstrate compliance with a number of industry standards such as: ITAR, HIPAA, SOX, GLBA, SOC 2 (SSAE-16), PCI-DSS, and FIPS 140-2. Compliance is more than just good business practice or a show of solidarity with customers. The Department of Health and Human Services for example requires law firms to demonstrate HIPAA compliance.
kiteworks is a trusted secure collaboration solution at a number of leading law firms. In fact, according to the International Legal Technology Association (ILTA), Accellion is the number one choice for file sharing amongst large law firms, for the second year in a row.
To learn more about kiteworks for Legal, visit our legal page here.