Consider it the law firm hack that shook the world. When Mossack Fonseca’s confidential files were released as the “Panama Papers” in April, 2016, the fallout was immediate and extensive. The papers, covering decades of information stolen from the Panamanian law firm, detailed Mossack Fonseca’s work hiding the wealth of some of the richest, most powerful people in the world.
The press, using modern eDiscovery tools, was able to quickly sift through the 11.5 million purloined law firm documents to uncover the questionable dealings of everyone from Bono, to the Spanish royal family, to Vladimir Putin. The prime minister of Iceland resigned following the law firm data breach. The prime minister of Pakistan was forced from office and barred from politics in part because of the leaks. The New York Times alone published more than 350 stories on the Panama Papers—or approximately 50,000 column inches.
Like a cybersecurity Chernobyl, the fallout continues even today. Last week, the world’s most significant law firm hack to date claimed another victim: Mossack Fonseca itself. The firm will shut down by the end of the month, according to a recent announcement.
“The reputational deterioration, the media campaign, the financial siege and the irregular actions of some Panamanian authorities have caused irreparable damage,” a statement from the firm explains, “the required consequence of which is the total cessation of public operations at the end of this month, after 40 years of growth and social, cultural and economic contributions to our country.”
We could spend days dissecting the grisly consequences of the Panama Papers’ release. (This ground is well trodden. If you’re interested in more background on eDiscovery’s role in the revelations, start with this excellent piece by Greg Bufithis. If you’re looking for in-depth investigations into the papers, the International Consortium of Investigative Journalists has a wealth of resources. If you’re interested in the role the Panama Papers and Microsoft’s Calibri font played in Pakistan’s political upheaval, this piece is a good place to start.)
But with hackers increasingly targeting law firms, the more urgent issue isn’t what happened to Mossack Fonseca and its clients. It’s how to prevent such a disaster from happening to you and yours.
Protecting Your Documents and Data
It’s no surprise that law firms are increasingly targets of cyber attacks, whether orchestrated by cyber criminals, publicly minded “hacktivists,” or nefarious insiders. The typical legal professional is sitting on tens of thousands of highly sensitive, potentially lucrative documents. As former United States Attorney Preet Bharara has cautioned law firms, "You are and will be targets of cyberhacking because you have information valuable to would-be criminals." Yet many firms are terribly lax when it comes to cybersecurity.
Law firms looking to protect their documents and data should start with the basics: Is your software regularly patched and updated? Cloud-based services can be automatically updated to roll out new features and respond to emerging threats, so that you’re always on the latest version of the software. Other programs, such as your operating system and network software, will need regular patches and updates to make sure that you’re correcting any potential software vulnerabilities.
Does your firm enforce strong password policies? Strong password standards aren’t difficult to comply with once you have the infrastructure in place (read: password management software).
Are you using two-factor authentication where available? 2FA can be a powerful shield against unauthorized access, making sure that even if one form of authentication, such as a password, is compromised, your accounts will still be inaccessible to anyone without a second form of authentication, such as an authenticating app on your phone.
Are you encrypting your files and systems? Encryption means that even if someone should access your data, that data would be of little use. And though encryption might bring up images of international espionage and Cherokee code talkers, full-disk encryption is easy enough that even unsophisticated computer users can accomplish it. Windows 10, for example, comes with a built-in encryption tool, BitLocker, which can encrypt your entire device.
Protecting Your Data When It’s Out of Your Hands
Data protection doesn’t end at the law firm door, though. You’ll need to pay attention to what is happening to your data when it is off your devices as well—that is, when it is with vendors, opposing counsel, and in the cloud. Some of the worst data breaches ever have been caused by third-party vendors, for example, including the massive Target hack in 2013, which cost the company tens of millions of dollars and was eventually traced back to system vulnerabilities in the retailer's—wait for it—HVAC contractor.
In the discovery process, particularly, it’s important to ensure that your partners can protect the data in their possession. The typical discovery process, after all, involves taking large volumes of data and whittling them down to the most valuable documents. Further, in most discovery processes, data is frequently moved between parties, with each transfer increasing the risk that data will be exposed.
For example, in the image above, each red lock represents a potential risk point in discovery, as data is passed from the client, to the law firm, to internal and external partners, and ultimately to the requesting party.
The more of that data you can keep in a secured, central repository, the better. With Logikcull, for example, data can be uploaded by the client, shared with the law firm, reviewed by legal professionals, and produced out to the receiving party. Data transfer is limited to movement into the platform during the initial upload and movement out at the time of production. While in Logikcull, that information is protected by bank-level encryption both in motion and at rest, while permission-based user controls make sure that documents are only available to those who need to access them. When it comes time to produce documents, Logikcull’s ShareSafe feature lets you transfer documents through a secure download link, rather than, say, a hard drive sent off with an unknown courier.
Once your data is in another party’s hands, protective orders can add another layer of security. These agreements, which can be negotiated between parties and entered as a stipulated order, govern the treatment of data during the discovery process and through the case. They can require assurances that parties, and their vendors and partners, take reasonable measures to protect data and may even set forth technical safeguards that must be met to secure the information produced.
Taking precautions today can help make sure that your law firm doesn’t become a cybersecurity victim tomorrow. The Panama Papers may be the biggest law firm data breach so far, but it will not be the last one. Smart firms will act now to ensure that their data, their processes, and their future are safe and secure, lest they follow in Mossack Fonseca’s footsteps.
This post was authored by Casey C. Sullivan, who leads education and awareness efforts at Logikcull. You can reach him at firstname.lastname@example.org or on Twitter at @caseycsull.