S10 | MONDAY, JUNE 5, 2017 | Cybersecurity | NYLJ.COM
Is Your Discovery Process Setting You Up for a Data Breach?
one front in the battle for firms’ confidential data. The really valuable information is often stored elsewhere.
Consider the typical e-discovery process. At the outset of the discovery process, data is collected on the client side, often with minimal removal of sensitive information. Broad collection means that the discovery repository or litigation database is full of highly sensitive data—data that’s been flagged for litigation but not yet culled of confidential material. It is, therefore, an enticing target for cybercriminals. At this point, you’ve basically pulled together a treasure trove of a company’s most valuable information.
But e-discovery repositories aren’t the only place where data security risks are raised during the discovery process. Indeed, in typical discovery, there are multiple points at which data may be vulnerable.
Data is most at risk when in transit, as the FCC notes, and in all discovery workflows, data moves a lot.
A typical e-discovery undertaking might unfold as follows: There’s the initial collection of documents and data, which is then usually sent from the client to the law firm. The firm transfers that data to its internal and external tech teams, or vendors, who prepare it for review. That information is then loaded onto the review platform, where it is reviewed for relevance and privilege. Then, that data is produced to requesting parties—maybe through a secure FTP portal or over email, or perhaps through a hard drive in the mail.
Finally, once produced, the information is at the mercy of the other party’s security protocols, whatever those may be.
Every time that information changes hands, it’s put at risk.
E-discovery data breaches are already happening, according to Lael D. Andara, patent litigation partner at Ropers Majeski Kohn & Bentley PC. “We just haven’t necessarily identified the hacks,” Andara recently told Inside Counsel.
Hackers are only part of the picture, too. Some discovery-related data security injuries are self-inflicted. During the long-running patent dispute between Apple and Samsung, for example, an associate at one of Samsung’s outside law firms failed to properly redact a sensitive and confidential Apple contract, to which Samsung should not have had access, acquired during discovery. The attorney then uploaded the contract to Samsung’s intranet, where 200 Samsung employees, including high-level executives, gained access to it. That disclosure ended up costing Samsung more than $2 million in sanctions imposed by a San Jose federal court.
Many firms are woefully behind when it comes to addressing, even assessing, these risks. Three out of every four firms have not looked into the costs or risks associated with a data breach, according to a 2014 survey of law firm cybersecurity by Marsh. Nearly 40 percent of firms and corporations haven’t assessed data security risks during e-discovery, according to Kroll. Large firms spend less than 2 percent of their gross annual revenues on data security. All this, despite the fact that over a quarter of large firms have fallen victim to security breaches.
These risks don’t just implicate cybersecurity concerns—they could lead to
BY ERIC PESALE AND CASEY C. SULLIVAN
Imagine you’re a cybercriminal looking to steal some lucrative corporate information—valuable trade secrets, perhaps, or maybe insider securities material. You could try hacking into a bank, but their security measures are increasingly strong. A phishing attempt may work, but again, many companies are growing more sophisticated. Instead, if you’re smart, you’ll go after the lawyers. Law firms, due to the nature of their business, are swamped with sensitive documents and many have notoriously poor data security, making them tempting, and potentially lucrative, targets.
It makes sense, then, that hackers are increasingly targeting law firms. One out of every 10 advanced cyberattacks is aimed at a law firm, according to the Harvard Journal of Law & Technology, with the Ponemon Institute estimating that the average data breach costs $7.2 million, or $214 per client record.
ERIC PESALE is the founder of Write for Law and regularly covers e-discovery, cybersecurity, and other legal topics. CASEY C. SULLIVAN is an attorney in California who leads education and awareness efforts at Logikcull, a provider of cloud-based legal intelligence.
Whatever approach attorneys take, it is beyond debate at this point that e-discovery will be fertile hunting ground for hackers in the days and years to come.
The most notorious example of a law firm data breach disaster comes from Mossack Fonseca, the law firm at the center of the Panama Papers. Last April, the firm made headlines around the world after its internal files were released to the public. The extent of the breach was breathtaking—11.5 million documents covering more than 200,000 entities, many with sensitive and privileged information, that cast a harsh light on how both the firm and its clients allegedly exploited shell corporations and offshore tax shelters. This data breach was so devastating that the firm now operates a separate website solely dedicated to conducting damage control on the incident.
Some of the most prestigious U.S. firms have also fallen victim to cyberattacks. Both Cravath Swaine & Moore and Weil Gotshal & Manges have said they experienced data breaches, the Wall Street Journal reported last year. The intruders purportedly were looking for insider information for publicly traded companies. Then, last December, the Department of Justice filed charges against three Chinese men accused of trading insider information hacked from major law firms, a scheme that allegedly netted $4 million in illegal profits. The events are assumed to be related.
“This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world,” U.S. Attorney Preet Bharara said at the time. “You are and will be targets of cyberhacking because you have information valuable to would-be criminals.”
Email was the source of the insider information in that case, according to the DOJ, with the hackers purloining partner emails after breaking into the firm’s internal networks. But email and law firm networks are only