The Need for Data Security Protection
In March 2021, Formal Opinion 498 was release by the Standing Committee on Ethics and Professional Responsibility of the American Bar Association. These rules guide lawyers, when conducting virtual legal practices, as follows:
“In compliance with the duty of confidentiality, lawyers must make reasonable efforts to prevent inadvertent or unauthorized disclosures of information relating to the representation and take reasonable precautions when transmitting such information.”
To make a blanket statement for the world re: most of 2020-2021: if something could be done virtually, it was done virtually.
While the pandemic response drove technology to new heights, it also drove cybercrime to new heights. Not far into the whole situation, worldwide, an exponential number of homes were both a new workplace and a new vector of attack.
In an article from Bloomberg (https://news.bloomberglaw.com/tech-and-telecom-law/kaseya-hack-pushes-companies-to-deepen-attorney-it-relationship), the reporter states the issue, the tension, and the solution:
“An attack on file-sharing company Accellion Inc. affected several law firms earlier this year, and clients are asking more and more questions about the security postures of the law firms they work with…Clients are getting better at managing their own risk, and with that I’m seeing a sharper and sharper look as well as greater scrutiny of providers, including law firms…Don’t just check the box…Have the lawyers and info security teams sit together and really collaborate.” (emphasis mine)
With law firms under increased security guidance and more intense scrutiny, they need to up their game in the protections they provide for the data of both their clientele and their firm.
The Importance of Trust
Trust is important. Even more so when it comes to all the confidential data that law firms must handle.
As an example: After a deponent has accepted the transcript of a deposition, that transcript is stored for permanent record. How important is it to the deponent, even to all parties involved, to keep that document secure? It may be available for distribution, but can it be changed? Part of the process is ensuring that it remains immutable. What could happen if someone was able to get in and change the deposition?
In 2016, over 2.6 terabytes of data (containing 11.5 million files) were extricated from Mossack Fonseca, a law firm headquartered in Panama. The case of the “Panama Papers” was one of the largest breaches of all time and implicated numerous world leaders who participated in forming shell companies for offshore wealth management. (for more recent coverage, research the recent news about “Pandora Papers)”
Two of the primary causes of the breach were:
1) unencrypted emails, and
2) outdated Drupal server.
Additionally, the servers and workstations were not properly segmented.
While the first issue might be more about user training (not encrypting sensitive emails when sending them), the other issue (and other related problems) is technical and just might have been discovered by having a third-party test both the external services and internal setup. The missing controls could have been discovered by internal personnel, but internal staff are prone to underestimate of tone down the severity of issues.
Also consider the case of “Shore et al v. Johnson & Bell, Ltd” (also from 2016). (https://law.justia.com/cases/federal/district-courts/illinois/ilndce/1:2016cv04363/325450/56/)
This was the first class-action suit regarding law firm data security, claiming that the firm Johnson & Bell was guilty of legal malpractice because it allowed information security vulnerabilities which put client information at risk.
The suit did not end in class-action, but it was a wake-up call to law firms to protect both their data and their reputations.
Confidentiality and Integrity
You’re likely familiar with the CIA triad – Confidentiality, Integrity, and Availability. For the jurisprudence realm, Confidentiality and Integrity are of utmost importance. While there are many security components involved in ensuring that information can only be seen and changed by those with the authority to see and change it, an important factor is penetration testing.
Whether you need a penetration test for compliance, for proving to customers that you take cybersecurity seriously, or you simply want to prove to yourself, your partners, and your staff that you have a strong security posture, Cybersecurity Crusaders will help.
The D.A.E.R. penetration testing methodology provides a common, understandable, and repeatable framework for customers and the pentester assigned to their project, assuring that findings and reports are delivered in a consistent and coherent manner to all parties involved.
Contact us for a free consultation.