Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

U.K. Law Firm is Hacked, E-mail Exposed, May Face Data Breach Fines

October 6, 2010

Should I get a Lamborghini or a Ferrari? Yes, this is the sort of question that we all ponder (hah!). The owner of ACS:Law in the U.K. had his private musings on this subject (he settled for a Jeep Compass 2) exposed by hackers along with angry missives to his former wife and (far worse) personal information of defendants sued by the firm.

John and I lecture constantly on the subject of information security for law firms and never fail to be amazed at how lackadaisical firms tend to be about security. Forget the data breach laws, which are horrifyingly stiff in their own right – we have an ethical duty to safeguard our clients' confidences. If we fail to take reasonable security precautions, we place our law licenses in jeopardy. Even if we are slapped with no more than a reprimand, any disciplinary action will be forever immortalized on the Net. And as sloppy as some law firm security is, we might as well send out engraved invitations to file a malpractice suit.

According to press reports, ACS:Law was targeted by a group known as 4Chan, which attacked the firm's website, after which the firm's e-mail was exposed through a technical snafu in restoring the website and then exploited by hackers. ACS:Law sues people who are alleged to have engaged in illegal file sharing, hence the targeting. The firm is also alleged to have used improper tactics in pursuing alleged file sharers, something the British government is investigating. The exposed e-mails were posted on Pirate Bay and other file-sharing networks, where they have been eagerly devoured by the press and the public.

The data breach could result in a fine by the U.K. Information Commissioner's Office of as much as 500,000 pounds, not exactly chump change. Privacy International has also announced that it intends to sue the law firm for the breach.

A string of law firm data breaches has occurred in the last year. Hopefully, more firms will scrutinize their information security carefully. Sensei offers infosec assessments for law firms and corporations, as do many other qualified companies. Why an outsider? For several reasons. Insiders in IT have a vested interest in not revealing deficiencies. Most do not hold the security certifications appropriate to making an assessment. A trusted third party has seen a wide range of security problems and has a broad range of tools and techniques to assess the state of a law firm's security. It will provide a detailed report of vulnerabilities along with remedial recommendations.

Almost all of the states now have data breach laws. In a world where employees leak or steal data regularly and where hacking, identity theft, cyber business espionage and cyber warfare are daily threats, it is past time for law firms to batten down their hatches.

Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq