
Consequences of a security breach at a major U.S. law firm?

Jeff Brandt

Note to readers: this is a column, not a news story

I've written a fair amount of late about law firm information security.  I have engaged with many clients and former colleagues on the subject.  But even so, I was surprised when I opened the express mail envelope complete with the infamous 1060 West Addison return address (Was the sender also a Blues Brothers fan?).  It contained a short, unsigned handwritten note and a printout of an internal memo sent via email.  I thought it was somewhat odd as I held the physical copy, but as I read the memo, the reason why soon became clear.

I agreed with the anonymous source that there was value in sharing it with the larger community.  I scanned and OCR'ed the printout and eliminated the names and other pieces of information that might identify the firm.  Right now I don't want to be the one to "out" the firm. 

Security is something we at [law firm name] take very seriously.  As you know the firm represents [US defense industry], [global banking concern], [several hi-tech companies] and numerous other sophisticated, high profile clientele.

While it was not widely disclosed, you may know that agents from [banking/securities firm] have been working with the firm on an information risk assessment.  The firm routinely answers periodic client security audits from many of our clients around the world.  This, however, was not a routine audit.


Pretty intense memo, wouldn't you agree?  I'm not sure there is any other way to adequately describe it - being hacked sucks.  Having your client data stolen and posted in a not-so-friendly foreign country ruins your day.  The ramifications of the loss of a big, long-time client are bad enough.  While there is a call for media control at the end, there is no way something like this can be contained for long.  Nor can it be spun, not when the FBI has confirmed to you and your client that their data is out there.  I would bet that the GC has already spoken to a few of his close GC friends and given them a warning.  The potential loss of confidence among the firm's other clients is simply mind-numbing.

The changes are sweeping and invasive, meaning the breach, on a scale of 1-10, was probably an 11.  The scope is massive and the memo hints that this isn't all of the changes.  The memo has not one signature, but four.  How did this happen, you ask?  Honestly, I'm not sure.  The memo would seem to implicate information access via a mobile device.  Many firms relaxed their policies in the rush to support BYOD.  Did they lose control over the devices?  Did they fail to monitor the devices?  Were they just unlucky?  Perhaps the device was lost and the attorney had significant information in an unauthorized file sync tool?  Perhaps the cloud sync account was discovered and targeted directly.  The stringent new email policies coupled with mandatory training would indicate to me a successful phishing scam.  It would not surprise me if, through some hi-tech trickery, IDs and passwords were scammed from less-than-vigilant attorneys and used by hackers to further penetrate the firm's systems.  The firm seems to be coming down very hard on the separation of personal and business communications/information.  I am guessing this might be a result of input from the former client.  While BYOD is all the rage, there are still industries where multiple devices are mandated for security reasons.

Concept-based content monitoring may be somewhat creepy and very Orwellian, but it is not new technology.  Securities and trading firms have had tools like these in place for years in order to adhere to government regulations.  But I know of no law firms that have ever deployed such a tool.  Talk about Big Brother and culture shock!  The firm seems quite intent on not letting a second breach occur.  I hope they are successful.  Disasters are often motivators to change one's behavior.  I've seen firms change poor behaviors, motivated by fire, hurricanes, lost connectivity and failed backups.  I've seen other firms learn from their peers without having to experience the disaster directly.  That's why this memo was leaked and why I posted it.  We all need to learn without having to experience it directly.

I know you're saying to yourself, "that didn't happen. He made that up, right?" Did I? Watch the news and let's see. Or just continue reading ...


Copyright © 2019 Legal IT Professionals. All Rights Reserved.
