Law Firms must Improve Data Security Status-quo

— April 20, 2015

As the world continues to revolve/evolve around the internet as well as devices that make access to information instantaneous and continuous, major hacks and data leaks are happening with a greater degree of frequency. Some breaches in data security, such as the Wikileaks and Edward Snowden-NSA disclosures, and even to a lesser extent, the Sony hack of last December, can literally change the history of the world. Others, such as Target and Citigroup, have the potential to endanger the financial status of millions of would-be loyal customers. The aftermath of the May 2011 Citigroup hack, which affected about 360,000 accounts, however, may be the catalyst for addressing a much more pervasive problem in the realm of data security.

One result of the Citigroup hack is a recently issued internal report by the company’s cyberintelligence center revealing a major lack of proper security procedures among law firms associated with the company, as well as in the profession in general. The report warned bank employees to be especially aware that data security within the legal profession is well below the standards of many other industries. Calling law firms a “high risk for cyberintrusions,” the report also chastised the profession for its reluctance to report data breaches, as well as the lack of legal requirements to make these breaches public. It does appear that both the banking and legal industries are acting upon the report, agreeing to forge closer ties in order to stay abreast of the increasing danger, but it will likely require a major culture change in order to properly assess and ultimately safeguard the industry from a critical threat.

Law firms are especially vulnerable, of course, due to the sensitivity of the data that they possess. Issues like mergers, acquisitions, and patent applications could be considered especially desirable targets according to the report. Beyond general hacks and cyberintrusions, however, data loss is a growing concern, especially during the discovery process. The pervasiveness of smartphones and other mobile devices creates opportunities for data to be stolen, misplaced, or sabotaged; as a generality, the more devices that are in use, the more data leaves the confines of the office. The increase of mobile device use comes even though legal protections for this data are slow to evolve. Although firms usually issue a protective order to control data distribution before they disclose sensitive data during this process, a 2014 ruling in the Apple vs. Samsung case established that while firms can issue the protective orders for smartphone data, they are not necessarily legally binding. Additionally, once sensitive data is turned over to opposing counsel, any security procedures regarding information restrictions are no longer applicable. This leaves sensitive data in the hands of a potential adversary to do with as they wish, with little recourse.

Beyond these examples, however, there is a much deeper and more difficult-to-correct issue that threatens data security in the legal profession: the culture of the profession itself regarding the issue. Because there is no legal requirement for firms to report data breaches, it is difficult to determine the actual severity or number of incidents that occur in the profession. Firms are reluctant to damage their reputation by disclosing data loss. As John P. Carlin, assistant attorney general for national security, said at a recent American Bar Association conference, “There are still a lot of companies that try to go it on their own. They try to circle the wagons.” Carlin encouraged firms to not view breaches as a “badge of shame,” but instead, as an opportunity to locate and fix vulnerabilities within a firm’s security infrastructure. Making these breaches public would likely help to fix a security problem for other firms or systems, but some level of altruism is required.

In an attempt to change this culture, leaders of the banking industry and several associated law firms have been working on creating the Financial Services Information Sharing and Analysis Center, a cooperative council to address data security among these professions. Expected to be established by the end of 2015 with the encouragement of Federal authorities, including President Obama himself, this collaborative effort may be a major component in promoting awareness of the data threat. In addition, security consultants advise law firms to take advantage of the rise in cloud data storage to keep sensitive data centralized and more protected, as opposed to keeping it on cell phones and accessible computing devices. Finally, the legal profession itself must establish more secure procedures during the discovery process and when sharing information between opposing sides of the courtroom. All of these procedures, as well as a general change in attitude toward data security within the profession, are necessary to bring the legal industry up to the standards of the rest of the professional world.


Bloomberg BNA – Philip Favro

ITPro Portal – Stuart Poole-Robb

New York Times – Matthew Goldstein

