The hacking of Panamanian law firm Mossack Fonseca last April resulted in 11.5 million leaked attorney-client privileged documents, exposing the widespread use of off-shore businesses by wealthy individuals and corporations around the world and highlighting the imperative need for proactive measures against corruption and other illicit financial activity.
But what it also revealed was just how vulnerable law firms can be to hackers and other cyber criminals.
Daniel Garrie is an arbitrator, forensic neutral and technical special master at JAMS, available in Los Angeles, New York and Seattle. He is executive managing partner of Law & Forensics LLC and head of the computer forensics and cybersecurity practice groups, with locations in the United States, India and Brazil. He is also a Partner at Zeichner Ellman & Krause LLP, where he heads their global cyber security practice, and an adjunct professor at Cardozo School of Law.
Q. Daniel, why do hackers and other cyber criminals target law firms?
First, for information. All kinds of potentially valuable information: M&A information, IP information, real estate information, divorce information; information that can make people money or give them leverage. If you think about the law firms that just do mortgages, for example; getting a fully detailed mortgage package with social security numbers, bank account numbers, wiring information — that’s a pretty interesting piece of information.
Second, because in many cases, the law firm is the weakest link. Take the case of an M&A deal, for example. Why invest money and resources to hack the companies — which are more likely to have robust cyber security frameworks — when you can just hack the law firm, where cyber security resources are fewer and far more fragile?
Q. So law firms are not prepared to deal with these threats?
No, but not because they don’t want to be, but because of how law firms work as a partner profit-sharing entity. There has to be a reason to invest in measures to prevent them.
Q. And what are those reasons?
The consequences of unprotected and disclosed client data are two-fold. Not only do a law firm’s clients face potential reputational, financial, and legal risks when their private information is accessed and potentially distributed, the firm itself faces those same risks.
All law firms are competing for business and firms that don’t protect against cyber security threats run the risk of losing a substantial amount of business. Law firms are becoming acutely more aware of the fact that if they’re hacked, chances are, they’re no longer going to be a law firm.
Q. So what steps can law firms take to get prepared to deal with these threats?
First, focus on cyber hygiene. Do whatever it takes to put the right preventative measures in place in place:encryption, “least access necessary” policies, training and education for staff, etc. Second, find trusted partners.Do business only with those whom you can trust because if they are labeled as “hacked,” it could devastate your business, too.