What the Panama Papers mean for law firm cybersecurity

Talk about a shot heard ‘round the world.  The so-called “Panama Papers” – a trove of data on money laundering and other financial shenanigans by the world’s wealthiest people – has already claimed several careers.  The Prime Minister of Iceland had to resign.  Russian oligarchs are scrambling for cover.  Chinese authorities are blocking foreign news articles about the case.  And more casualties are sure to come – most of the information contained in the documents has yet to be fully digested.

Where did all of this damaging data come from?  Shoddy cybersecurity at a Panamanian law firm.  A source reportedly within the Panamanian law firm Mossack Fonseca sent 11.5 million individual files (2.6 terabytes of data) to a German newspaper over the course of several months.  How did the source get those files?  Nobody really knows…yet.  It is widely assumed that the files came from an insider – someone who knew exactly which files would be most damaging.  Founding partner Ramon Fonseca has said something rather different, however:  “This is not a leak. This is a hack.”

Regardless of how the Panama Papers came to be in the public sphere, it’s clear that they weren’t meant to be there.  Law firms handle some of the most sensitive information around.  The data held by lawyers is almost by definition contentious material which is critical to the wellbeing of clients.  In other words, if any information is of value to hackers, it’s what a lawyer has.  That’s why Mossack Fonseca is only the latest in a string of recent cybersecurity incidents to hit law firms around the world.

Even so, many law firms remain woefully ignorant of the need for cybersecurity.  According to Legal Week, only 35% of law firms have a cybersecurity plan in place.  (By comparison, 52% of non-legal firms have cybersecurity mechanisms to protect their data.)

This is a clear vulnerability which demands attention.  The Panama Papers may be a blockbuster cybersecurity case which garners a lot of press, but it is not the first time, nor will it be the last, that lax law firm I.T. controls lead to serious damage.  Whether the information is obtained by outside hackers or disgruntled insiders, law firms without a robust cyber defense are opening themselves up to liability and a severe stain on their brand.

After all, most people come to lawyers to handle the most sensitive and contentious parts of their lives.  They are looking for discretion, confidentiality, and even secrecy.  The mere possibility that this sensitive or contentious information would leak is more than enough to send most clients packing.

Cybersecurity isn’t just a matter for the largest firms, either.  Cyber criminals are increasingly agnostic about the size of companies they attack.  Given the high value of legal documents, law firms of all sizes and specialties are prime targets.  Cyber criminals will look for the most vulnerable systems – the low-hanging fruit which will give them the easiest route to profit.  As we’ve mentioned before, it’s not about being perfect at cybersecurity.  It’s just about being slightly more secure than everyone else.

Does your firm have its cybersecurity vulnerabilities under control?  Talk to ECHO about a complete cybersecurity assessment.