Law firms are a one-stop-shop for cyber criminals – not only can they get their hands on large financial transactions, but there’s plenty of sensitive, highly valuable client information to be had too. Protecting this confidential information is paramount to law firms keeping their reputation – and the reputations of their clients – intact.
Confidentiality is at the heart of the legal sector, with individuals and businesses alike placing their trust in law firms to transact securely and discreetly on their behalf. A breach of this trust can mean the end of the road for a law firm. Just look at Mossack Fonseca, the firm that lost 11.5 million documents (2.6TB of data) in a 2016 breach dubbed the ‘Panama Papers’, due to weaknesses in its client portal, which hadn’t been updated. The sensitive information in those documents about wealthy, famous, and public office clients was exposed to the press. Mossack Fonseca never recovered from the massive reputational damage caused by the breach and was forced to close.
Law firms’ reliance on digitised information makes them particularly vulnerable to data breaches. They are accustomed to taking instruction and conducting transactions almost exclusively via email, including the transfer of extensive amounts of confidential, personal, and financial information. The constant movement of this information increases the risk of exposure.
The impact of the media
The affairs of high-net-worth individuals are temptingly lucrative targets for cyber criminals. Secrets and scandals sell newspapers. The 2017 ‘Paradise Papers’ scandal saw 13.4 million files leaked to the International Consortium of Investigative Journalists. The documents were stolen from Appleby, a major offshore law firm based in Bermuda that “specialises in advising some of the world’s wealthiest individuals”. The files showed the multitude of ways companies and affluent individuals avoid tax, and included names and financial information. Needless to say, the press had a field day.
It’s not just the rich and famous who are at risk of having their confidential information stolen. Enlisting the services of a law firm normally involves sharing a small library of personal information which, in the wrong hands, could easily lead to identity theft and fraud. Clients’ names, addresses, dates of birth, financial records, and sometimes medical information are all held by law firms, and usually transferred by email.
Law firms need to be particularly careful with this level of sensitive personal information, not least because of the further crimes it could be used for if stolen. The introduction of the GDPR in 2018 has already seen eye-watering fines making the headlines for Marriott and BA. Any breach of personal information must be reported, and fines are levied against the company that held the data for not adequately protecting it.