Preventing Law Firm Data Breaches

Volume 38 Number 1


About the Authors

The authors are the President and Vice President of Sensei enterprises, Inc., a legal technology, information security and computer forensics firm based in Fairfax, VA. 703-359-0700;

Another day, another data breach. Data breaches have proliferated with amazing speed. Here is a roundup of some of the largest victims making the list in 2011: Tricare, Nemours, Epsilon, WordPress, Sony, HBGary, TripAdvisor, Citigroup, NASA, Lockheed Martin and RSA Security. Clearly, there are some mighty big names on this list.

Don’t be lulled into thinking that law firms (large and small) aren’t being attacked by hackers or suffering actual data breaches just because their clients do not seem to be affected. On November 1, 2009, the FBI issued an advisory warning to law firms that they were specifically being targeted by hackers. Rob Lee, an information security specialist who investigates data breaches for the security company Mandiant, estimated that 10% of his time in 2010 was spent investigating law firm data breaches.

Matt Kesner, the CIO of Fenwick and West LLP, who has lectured at ABA TECHSHOW and acknowledged that his law firm has been breached twice. He noted that it is very unlikely that we are aware of most law firm data breaches since firms have a deeply vested interest in keeping breaches quiet. This may be less true in the future now that 46 states have data breach notification laws. In fact, by the time you read this, it is possible that a federal data breach notification law will have finally been enacted, as several bills were winding their way through the laborious legislative process in late 2011.

Shane Sims, a security practice director at Pricewaterhouse-Coopers, has said, “Absolutely we’ve seen targeted attacks against law firms in the last 12 to 24 months because hackers, including state sponsors, are realizing there’s economic intelligence in those networks especially related to business deals, mergers and acquisitions.”

Matt Kesner has noted that China is often responsible for state-sponsored hacking—and that the country doesn’t waste its “A” squads on law firms because their security is so dreadful. The rookies on the “C” squads are good enough to penetrate most law firms.

While we agree, don’t be misled: garden-variety cybercriminals are interested in law firm data as they engage in identity theft. This is as true of solos and small firms as it is for the big guys. For example, imagine the amount of financial data that may be contained in separation agreements drafted by family lawyers, most of whom are solos or small firm practitioners. Those who engage in the black arts of business espionage are also interested, and perhaps hired by a client’s business competitor, or the opposing party in litigation.

We hope we’ve piqued your interest in law firm data security and that your own firm is secure. We wish there was a silver bullet for law firm security, but the truth is that there is no magical cloak to protect your data. You can be the first kid on your block to be infected with some sort of malware in what’s known as a “zero day exploit,” meaning that you were infected by the malware before the security companies had a chance to muster a defense against it.

There are some security basics that every lawyer should be familiar with and heed. Be very careful not to accept the word of your IT provider that you’re secure. You need to do your own checking or hire an independent third party to do so. There are legions of stories where law firms have relied upon the word of an IT provider that data was secure, but came to find later that the advice was faulty and actually contributed to subsequent data breaches.

So away we go: Our Top Practical Security Tips:

  • Have a strong password of at least 12 characters. No matter how strong an eight-character password is, it can now be cracked in about two hours. A strong 12-character password takes roughly 17 years to crack. Use a passphrase so you can remember the password: “EyEluv@B@TeCH- SHOW2012!” would be a perfect example.
  • Don’t use the same password everywhere. If they crack you once, they’ve got you in other places too.
  • Change your passwords regularly. This will foil anyone who has gotten your password.
  • Do not have a file named “passwords” on your computer. And do not have your password on a sticky note under your keyboard or in your top right drawer (the two places we find them most often)!
  • Change the defaults. It doesn’t matter if you are configuring a wireless router or installing a server operating sys- tem. In all cases, make sure you change any default values. The default user ID and passwords are well known for any software or hardware installation. Apple isn’t immune either, since there are default values for their products as well.
  • Your laptop should be protected with whole disk encryption—no exceptions. Stolen and lost laptops are one of the leading causes of data breaches. Many of the newer laptops have built-in whole disk encryption. To state the obvious, make sure you enable the encryption or your data won’t be protected. Also, encryption may be used in conjunction with biometric access. As an example, our laptops require a fingerprint swipe to power on. Failure at that point leaves the computer hard drive fully encrypted.
  • Backup media, a huge source of data leaks, should be encrypted. If you use an online backup service, which means you’re storing your data in the cloud, make sure the data is encrypted in transit and while being stored. Also, be sure that employees of the backup vendor do not have access to decrypt keys.
  • Thumb drives, which are easy to lose, should be encrypted. You may want to log activity on USB ports, because it is common for employees to lift data via a thumb drive. Without logging, you cannot prove exactly what was copied.
  • Keep your server in a locked rack in a locked closet or room. Physical security is essential.
  • Most smartphones write some amount of data to the phone. Opening a client document may write it to the smart- phone whether or not you save it. The iPhone is particularly data rich. Make sure you have a PIN for your phone. This is a fundamental protection. Don’t use “swiping” to protect your phone as thieves can discern the swipe the vast majority of the time due to the oils from your fingers. Also make sure that you can wipe the data remotely if you lose your phone.
  • Solos and small firms should use a single integrated product to deal with spam, viruses and malware. For solos and small firms, we recommend using Kaspersky Internet Security 2012, which contains firewall, anti-virus, anti-spyware, rootkit detection, anti-spam and much more. For larger firms, we are fans of Trend Micro.
  • Wireless networks should be set up with the proper security. First and foremost, encryption should be enabled on the wireless device. Whether using Wired Equivalent Privacy (WEP) 128-bit or WPA encryption, make sure that all communications are secure. WEP is weaker and can be cracked. The only wireless encryption standards that have not been cracked (yet) are WPA with the AES (Advanced Encryption Standard) or WPA2.
  • Make sure all critical patches are applied. This may be the job of your IT provider, but too often this is not done.
  • If software is no longer being supported, its security may be in jeopardy. Upgrade to a supported version to ensure that it is secure.
  • Control access. Does your secretary really need access to Quickbooks? Probably not. This is just another invitation to a breach.
  • If you terminate an employee, make sure you kill the id, and immediately cut all possible access (including remote) to your network. Do not let the former employee have access to a computer to download personal files with- out a trusted escort.
  • Using cloud providers for software applications is fine, provided that you made reasonable inquiry into their security. Read the terms of service carefully and check your state for current ethics opinions on this subject.
  • Be wary of social media applications, as they are now frequently invaded by cybercriminals. Giving another application access to your credentials for Facebook, as an example, could result in your account being hijacked. And even though Facebook now sends all hyperlinks through Websense first (a vast improvement), be wary of clicking on them.
  • Consider whether you need cyber insurance to protect against the possible consequences of a breach. Most insurance policies do not cover the cost of investigating a breach, taking remedial steps or notifying those who are affected.
  • Have a social media and an incident response policy.
  • Let your employees know how to use social media as safely as possible, and if an incident happens, it is helpful to have a plan of action in place.
  • Dispose of anything that holds data, including a digital copier, securely. For computers, you can use a free product like DBAN to securely wipe the data.
  • Make sure all computers require screen saver passwords, and that the screen saver gets invoked within a reasonable period of inactivity.
  • Use wireless hot spots with great care. Do not enter any credit card information or login credentials prior to seeing the https: in the URL.
  • For remote access, use a VPN or other encrypted connection.
  • Do not give your user id and password to anybody. This includes your secretary and even the IT support personnel. None of these safeguards are hard to implement. Unfortunately, even if you implement them all, new dangers will arise tomorrow. The name of the game in information security is “constant vigilance.”


  • LP on the Web

  • 2016-2017 Editorial Board