Hackers target law firms to access confidential information
Michael C. Naughton, North Coast Technology Consulting, LLC
Copyright March 2018
Law firms are increasingly the targets of hackers and the news is replete with examples of firms’ confidential material exposed by hackers.In a recent hack in Panama City, over 11.5 million documents were exposed from Mossack Fonseca, a law firm in Panama.1 To put that in perspective, the 2013 N.S.A. leak by Edward Snowden involved at least 1.5 million documents. The “Panama Papers” breach is one of the largest leaks in history and its impact was felt around the globe, uncovering the offshore accounts of 140 politicians and public officials.2
There is no 100% fool-proof mechanism to protect organizations from intrusions. However, lawyers must be more cognizant of the security measures in place within their practices in order to better protect their clients and their own information.
Legal practices, as organizations that maintain sensitive data, must be mindful of security threats. The ABA Model Rules of Professional Conduct set forth the duties and responsibilities expected of lawyers. These include providing competent representation that requires legal knowledge, skill thoroughness and preparation. The Model Rules also highlight the duty of a lawyer to not reveal information related to the representation of a client without client consent and should make reasonable efforts to prevent inadvertent/unauthorized disclosure of or access to information related to the representation of a client. Lastly, the Model Rules state that a lawyer shall store clients’ property, in connection with a representation, separate from the lawyer’s own property.
The sensitivity of the information,
The likelihood of disclosure if additional safeguards are not employed,
The cost of employing additional safeguards,
The difficulty of implementing the safeguards, and
Understand the nature of the threat.
Understand how client confidential information is transmitted and where it is stored.
Understand and use reasonable electronic security measures.
Determine how electronic communications about clients matters should be protected.
Label client confidential information.
Train lawyers and nonlawyer assistants in technology and information security.
Accordingly, legal practices ranging from solo-practitioners to multi-national firms are mandated to maintain the confidentiality, integrity and availability of information related to the representation of clients. Lawyers must take appropriate steps to identify and defend against InfoSec events. The CIA-triad and the ABA Model Rules of Professional Conduct provide models that can assist legal practitioners to consider the implications of InfoSec events and tactics to use within their businesses to mitigate problems.
To maintain client confidentiality, a lawyer should understand and apply security measures to protect client information and communications. There are myriad tools including Virtual Private Networks (VPN), adoption of a password manager that utilizes unique and complex passwords changed periodically, utilization of firewalls and antivirus software on devices holding client information and maintenance of hardware by applying security patches to software.
Attorneys should learn about and apply encryption on devices. When an item (such as a device, folder or file) is encrypted, it is digitally transformed into an inaccessible format that can only be accessed once unlocked. Lawyers should encrypt devices that contain confidential information, such as smart phones, tablets, laptops and desktop computers. Encryption should also be used for the transmission of materials via email.
Lawyers should take stock of the data in their possession and mark confidential client communications as “privileged and confidential.” Such disclaimers can be affixed to emails, letterheads and other communication methods to alert third parties that the information in the communication is intended to be confidential.
In order to maintain the integrity of client data, lawyers should fully understand how client confidential information is transmitted and where data is stored. Lawyers should determine whether files are stored on a local computer, a shared network or on a cloud platform and evaluate the security measures in place, including authentication, unique and complex passwords and encryption.
Lawyers should be careful with how he or she communicates with clients. To maintain integrity of communications and information transmitted between parties, lawyers should warn the client about inherent risks in sending and receiving communications on devices or accounts that may be accessible to a third party.
Lawyers will want to ensure their storage mechanisms have robust security in place but also permit access for the lawyer or third party with authorization to access. Access to such data should be limited and monitored to ensure data is not inappropriately accessed.
Now, more than ever, lawyers and the confidential materials held by them are at risk and attorneys must be vigilant. Hackers are increasingly attacking law firms seeking to obtain confidential and proprietary information. However, despite best efforts, no defensive mechanism is completely fool-proof to prevent the leak of confidential materials but measures can be taken to decrease the risk. Regardless of the size of the legal practice, lawyers must be knowledgeable about strategies available to better safeguard confidential client materials. The CIA-triad framework, together with the Model Rules of Professional Conduct, provide conceptual frameworks for lawyers to prevent, prepare, detect and respond to attacks on confidential materials. Failure to do so not only puts clients in peril, but also may be a violation of a lawyer’s ethical duties.
About the author: Michael C. Naughton is a co-Owner North Coast Legal, PLC and North Coast Technology Consulting, LLC. North Coast Legal, PLC and North Coast Technology Consulting, LLC are based in Traverse City, Michigan and represent clients across the country.
1 M. Schmidt and S. Myers, “Panama Law Firm’s Leaked Files Detail Offshore Accounts Tied to World Leaders”, New York Times, April 3, 2016.
3 See December 27, 2016 Department of Justice Press Release at
4 M. Whitman and H. Mattord, “Principles of Information Security”, 4th ed., Cengage Learning, 2012.
5 Y. Cherdantseva and J. Hilton, “A Reference Model of Information Assurance & Security”, SecOnt workshop (2-6 September, 2013, Regensurg, Germany).
6 J. Saltzer and M. Schroeder, “The Protection of Information in Computer Systems”, Proceedings of the IEEE 63(9), pp. 1278-1308, 1975.
7 D. Parker, “Our Excessively Simplistic Information Security Model and How to Fix It”, ISSA Journal, pp.12-21, July, 2010.
8 M. McLaughlin and J. Gogan, “InfoSec Research in Prominent IS Journals: Findings and Implications for the CIO and Board of Directors”, Proceedings of the 50th Hawaii International Conference on System Sciences, 2017.
12 Id. at page 5.
14 Id., pages 6 – 10.
15 M.U. Farooq, M. Waseem, A. Khairi, and S. Mazhar, “A Critical Analysis of the Security Concerns of Internet of Things (IoT)”, International Journal of Computer Applications, Volume 111 – No. 7, February 2015.
16 See NISTIR 7298, Glossary of Key Information Security Terms, at page 17.
17 See pages 9-10.
Share on Twitter Share on Facebook