Cyber risk has been elevated from being solely the consideration of your IT department to a huge concern at all levels of the company, from the Legal Department to the C-suite. Legal Departments handle very sensitive information, which makes them prime targets for an attack.
A successful hack of the global law firm Mossack Fonseca in early 2016 led to the release of the Panama Papers, which have implicated individuals and organizations both in Canada and worldwide in tax fraud and other illegal activities. 11.5 million records of offshore holdings were exposed, and the whistleblower who hacked the information using a loophole within the legacy technology in use at the firm was never found. Similarly, Chinese hackers tried to hack the Canadian government and several law firms to get data on the takeover of the Potash Corporation in 2011, specifically with targeted “spear-phishing” emails that claimed to be from people or firms involved in the deal. It was one of the largest corporate hacking attempts in Canadian history.
The Legal Department of your business can be a good entry point for hackers due to what tend to be lax cybersecurity policies. The American Bar Association’s 2018 Legal Technology Survey Report revealed that 23% of surveyed firms had experienced a data breach. It also detailed that “Many [law firms] are not using security measures that are viewed as basic by security professionals and are used more frequently in other businesses and professions.” A Legal Department is also a prime target due to the sensitive information it may hold, in contracts, acquisitions, and more, about both your operations and those of other companies.
Negative outcomes of a successful hack for your firm could range from being sued by a client for a data breach to lasting reputational damage from a large-scale attack, as Mossack Fonseca has suffered since the release of the Panama Papers. Cyber insurance, according to the American Bar Association, is not carried by the majority of American firms: only 34% have this additional protection, which specifically covers the risk of a cyber-attack over and above the usual insurance taken out by law firms. Even with cyber insurance, some costs from a data breach may not be covered, and the reputational damage is lasting.
Assess Your Risk, But Treat Cyber-Attacks Like They Will Happen
Boughton Law’s information technology manager Rob Walls says in an article from Canadian Lawyer that lawyers should treat attacks as inevitable. Walls is also the British Columbia Legal Management Association technology subsection co-chairman and the International Legal Technology Association’s member liaison for the Vancouver area. According to him, lawyers should have a data recovery plan in place in case ransomware prevents access to vital company systems or another cybersecurity incident occurs. Legal Departments should have proper solutions in place to safeguard vital company files and reduce the company’s risk profile. As a best practice, Walls suggests a layered defense system that involves people, process and technology.
There are several steps to building a data recovery plan, and most are best handled by IT security consultants to ensure that all the bases are covered, unless you have personnel with the necessary skills on your IT staff. Generally, the Legal Department’s data recovery plan will be the same as the rest of the organization’s, but it should be updated annually even if you have one in place. Jeff Norris, security officer and head of information security for Managed Services (MTS) LLC, suggests five steps for crafting a recovery plan for law firms:
- What do we need to perform the recovery?
- What are the industry standards?
- What are the components of our recovery plan?
- How does the plan perform in simulation?
- What changes do we need to make to keep the plan current?
This could be easily adapted for Legal Departments as opposed to law firms by ensuring that it fits in with the cybersecurity strategy of the organization, with any special requirements for the Legal Department being taken into consideration. A simulated targeted attack on the Legal Department, as recommended in step 4, performed by a cybersecurity consultant could help inform the requirements of the overall strategy.
Move Files out of Separate Areas and Into a Secure Solution
It is much easier to recover data and keep it secure in the first place if you are using one system to manage all of your Legal Department’s activities. DiliTrust Governance simplifies the business of the Legal Department and makes it easy to manage, with all data being hosted on secure servers in North America, Europe and the Middle East.
It replaces patchwork solutions in which files are stored on different servers and in varying cloud applications. Another peril of a patchwork solution is that file access is often granted to low-level employees who don’t require it. DiliTrust Governance provides a full audit trail of who has worked on which file, when they logged in, and many other items that allow for full transparency of who has worked on files and at what time.