Underestimated: Law Firm Data Breaches
Four days ago, the mega-firm of Grubman Shire Meiselas & Sacks (Grubman) was hacked. Now, personal and business information belonging to true A-list artists and athletes such as Madonna, Lady Gaga, Elton John, Robert De Niro, and LeBron James is available for sale on the dark web. And, as for Grubman, its website consists of a sole logo as it prepares to face the legal and financial fallout.
Without suggesting that celebrities command more sympathy or empathy than the average citizen following a data breach, Grubman’s breach highlights the significant depth of a privacy invasion caused by a successful cyber attack on a law firm.
As most know from a few episodes of Ally McBeal or Law & Order, attorneys and their clients enjoy an almost impenetrable shield of privilege. Anything said between an attorney and his/her client is kept confidential except in very few circumstances (example: the attorney’s advice is used to commit a crime). Understanding this level of sanctity, many people divulge extremely sensitive aspects of their lives to their lawyers. And attorneys, traditionally being risk-averse and type-A, take notes on client comments, scan/type these notes, and save them. Therefore, a hack will reveal far more than contracts for musical tours.
Law firm data breaches are likely to include any type of deep, personal secret, including but not limited to the following:
Paternity test results.
The identity of children of which the immediate family is unaware.
Plans to separate from business partners or spouses.
Confidential settlements (in which either an alleged victim or the accused desires confidentiality).
Admissions against self-interest.
Locations of assets with wiring instructions, account and routing numbers.
Medical records, treatments, and prognoses.
According to a 2019 report authored by LOGICFORCE, which surveyed and assessed more than 200 IT decision makers across small and medium-sized law firms (20-200 attorneys) in the United States, law firms are improving cybersecurity efforts but continue to struggle. The improvements noted by LOGICFORCE seemed attributable to clients, who pushed for better security. Highlights of the report are below:
54% of law firms report being audited by one or more clients at least once – a 13% increase since the last scorecard.
Only 37% of law firms are vetting the cybersecurity and data management policies of their third-party service providers.
55% of law firms surveyed have documented policies and procedures.
54% of law firms have formally documented training programs for staff.
Only 24% of law firms have implemented Security Operations Center monitoring.
39% of law firms use full disk encryption on computers, servers, storage systems, and mobile devices to prevent unauthorized access.
34% retain or have designated personnel to constantly monitor event logs collected from various devices to determine abnormal activity.
Despite the nature of material collected from clients, LOGICFORCE found many firms without a CISO or CIO, an 11% decline in the use of multi-factor authentication, and a 26% decline in the use of data loss prevention technology.
With its New York presence and the March 21, 2020 effective date of the SHIELD (Stop Hacks and Improve Electronic Data Security) Act, Grubman may unfortunately become the test case as the NY Attorney General interprets and enforces the requirement for “reasonable administrative, technical and physical safeguards” for private information.