Ride the Lightning
Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.
Did King & Spalding Suffer a Data Breach?
May 23, 2011
In the recent HBGary data breach, tens of thousands of HBGary e-mails were leaked by Anonymous and are posted online. When the incident happened, I noted that several press reports referenced a possible data breach at King & Spaulding, but there didn’t seem to be further information – and King & Spalding refused to comment.
Since I’m giving a presentation to the Organization of Legal Professionals tomorrow, I began thinking about this when preparing my PowerPoint. I intrigued colleague and friend Dave Ries who pointed me to this e-mail which appears to be an internal HBGary e-mail (this is a screen capture – the full e-mail may be found here):
Note that there appears, at the very least, to be an “incident” and that 30-40 systems are “identified as compromised.”
So why the cone of silence? To avoid clients worrying that their data might have been compromised – or might be in the future? Has anyone investigated whether client data was compromised and whether King & Spalding might be under both an ethical obligation and a legal obligation to notify clients? Did King & Spaulding provide any notice?
I can only ask the questions, but it sure seems like an enterprising member of the Fourth Estate might want to investigate this further. Feel free to pass this on.
I know from other friends in the infosec business that most law firms they’ve dealt with are rabid in their desire to keep their names from being affiliated with a data breach. My own concern is that this attitude might result in failure to abide by ethical or legal duties. I am absolutely not saying that this happened here, but the failure to comment has got to lead folks to wonder.
If anyone hears anything further regarding this “incident,” let me know.
Listen to the Podcast
