Law firm security is one of the softest underbellies in the world of professional services. That alarm was sounded during an ILTA panel discussion on security with Michael Russell of Liberty Mutual, Brian Donato of Vorys Sater, and Natalie Fedyuk of KPMG. The panel's consensus was that law firms are more exposed to threats than most businesses because they routinely handle highly sensitive data that spans the full spectrum of Personally Identifiable Information (PII).
According to the panel, a recent investigation, the Mandiant report, identified China as one of the largest threats to law firms from outside the United States. The evidence in that report indicates that the Chinese Army is targeting law firms because of their traditionally weak security and the highly sensitive information they hold. In one example cited by the panel, a law firm was breached and the email addresses of military officers who were under investigation for atrocities in Afghanistan were released.
With successful breaches continuing to mount, the panel focused on how to build better safeguards.
- Manage vendors: do a risk assessment of your vendors. Make security part of the RFP process so that there are tactical steps supporting a vendor management strategy.
- Governance: while security software is important, it is a small part of the whole. Make sure a process is in place to govern every aspect of data flow, access, audits, and compliance.
Establish information security audits for internal personnel and vendors that include the following steps:
- Issue Questionnaire
- Conduct Review
- Complete Questionnaire and Report
- QA Review
- Issue Questionnaire and Report
- Closing meeting with Vendor
All firms should seek out best practices to protect themselves. The panel recommended beginning by adopting and enforcing a security controls framework; the LegalSEC "Top Ten" was considered the place to start for implementing proper controls and audits.
Ultimately, to counter the mounting threat of cyber attacks on law firms, the panel stressed several salient points. Most important, they said, are a thorough risk assessment covering all parties and an established governance process. They also highlighted the value of diligently seeking out best practices for data destruction and incident response, and of considering a cyber-insurance policy in case everything else fails.