From the beginning, Information Governance, or InfoGov, has been focused on helping corporations manage their data, often involving the legal, compliance, and IT departments working together. But what about a corporation’s outside counsel?
More and more, law firms are being targeted in ransomware attacks because they house or have access to their corporate clients’ data but often don’t have the same robust information security measures in place that their corporate clients utilize.
Why Law Firms are Security Targets
As Jake Bernstein, a partner at K&L Gates in Seattle, puts it in a recent interview, “Law firms make amazing targets on every conceivable level. They have loads of valuable data, and they are ethically required not to lose that data, which might make them more willing to pay ransoms quickly and quietly. Additionally, attorneys are stereotypically not a tech-savvy bunch, and they have a professional predisposition to move quickly through emails in order to get things done. Even the largest law firms are still small compared to most enterprise-class companies, meaning that their cybersecurity is unlikely to be top-of-the-line.”
Starting with the first major attack against law firm DLA Piper in 2017, law firms have continued to be targets in cyber attacks.
In just one recent example, law firm Campbell Conroy O’Neil announced on their website in July 2021 that their “network was impacted by ransomware, which prevented access to certain files on the system.” While they couldn’t confirm if the actor had viewed or accessed files, they did state that the “system included certain individuals’ names, dates of birth, driver’s license numbers / state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials (i.e. usernames and passwords).”
According to their website, “Campbell Conroy O’Neil represents Fortune 500 and Global 500 companies in more than half our cases” including “Ford, Boeing, Exxon Mobil, Quest Diagnostics, Liberty Mutual, Johnson & Johnson, Walgreens, Monsanto, FedEx and Coca-Cola, among others” as reported by CNN.
Also earlier this year, Am Law 100 firm Goodwin Procter reported a data breach in which a “small percentage” of the firm’s clients “may have experienced unauthorized access to or acquisition of confidential material” on January 2.
The list goes on and on.
So, what should law firms do?
Natalie Shkolnik, a partner at Wilk Auslander LLP, suggested these tips in a recent interview:
- Law firms should establish protocols for safely transferring files to and from clients, vendors, experts, opposing counsel, and regulators.
- Law firms should consider limiting access to client files within the law firm, whether by actively granting access only to certain people or by tying access to client files to billing a certain amount of time to the client’s account.
- Law firms should conduct annual training for their employees on cybersecurity issues and make all persons aware of new policies and potential threats as well as ensure compliance with those policies.
- Finally, law firms should periodically test for vulnerabilities and immediately address any discovered.
In other words, law firms should create strong Information Governance programs supported by secure technologies which enable those processes.