Data Security in the Legal Sector: A Guide to the Risks and Compliance Involved

Grubman Shire Meiselas & Sacks, a prominent New York-based entertainment and media law firm, fell victim to a ransomware attack in May 2020. The attackers demanded a ransom of over $20 million and threatened to leak over 750 GB of sensitive information belonging to celebrities such as AC/DC, Robert De Niro and Lady Gaga if the firm refused to pay. Soon after, the attackers doubled the ransom demand and threatened to leak damaging secrets about President Donald Trump.

Data-centric attacks are fast becoming commonplace in the legal industry given the huge amount of sensitive information that it handles. As seen in the above case, when attacks are launched at such big-name firms that service a long list of international celebrities, the ransom amount also goes up.

Every industry that collects and handles sensitive information needs a data security system in place, but lawyers and law firms constantly handle critical client information that forms the very foundation of their business. The onus of keeping that information safe is on the firms, which are also bound by ethical and commercial obligations. This makes them all the more vulnerable to data-centric attacks, and an efficient data security system is therefore vital to the industry.

Why does the industry attract hackers?
As mentioned above, every industry that manages sensitive data is prone to data security attacks. Now let’s find out why the legal industry is all the more vulnerable to such attacks:

  • The industry handles troves of extremely sensitive information: Like every other industry, the legal industry stores critical information such as social security numbers and financial details. What makes it a high-value, lucrative target is the following types of information, which in an attacker’s hands can cause harm far beyond financial loss:

-criminal records of clients

-financial information pertaining to their clients (corporates, high-profile clients, etc.)

-confidential attorney-client privileged documents

-critical patents

-evidence in the form of documents

-confidential emails containing private client information that can be damaging if compromised

-tax files

-trade secrets

-litigation documents, and many more.

This information lives on every law firm’s electronic devices (laptops, personal computers, etc.) and network. Attackers either break into the network or steal the devices themselves, which are full of organized, categorized sensitive information.

Data hackers launched attacks on five law firms between October 2019 and January 2020. The hackers also leaked the stolen data which consisted of extremely sensitive information, such as veteran’s injury and mental trauma entries, healthcare records, legal fee documents, privacy consent documents, etc.

Below is an example of one such entry:

[Image: snapshot of a veteran’s compromised pain diary]

  • Outdated Security Standards: Law firms often do not update their data security practices and standards; instead they run their business on outdated ones that give way to disastrous data breaches.

One such landmark breach, in 2015, compromised around 11 million documents from Mossack Fonseca, a law firm in Panama. The resulting disclosure of the assets of some of the world’s wealthiest people led to more than 100 investigations in more than 70 countries.

The primary cause cited for this massive leak was outdated security practices on the law firm’s websites. The firm had not updated its mail services for almost 6 years before the incident and did not encrypt its emails.

Mossack Fonseca closed shop two years after the breach owing to heavy reputational and monetary losses. The breach was so significant that the case was made into a film, “The Laundromat”, released in 2019 and starring Meryl Streep.

  • One-stop shop: Law firms are a one-stop shop for hackers because they store sensitive information on many clients at once, be they celebrities, politicians, corporates or private individuals.
  • A misplaced sense of security among small- and medium-sized firms: Most small- and mid-sized firms do not consider investing in quality data security solutions because they falsely assume that hackers will not target them. In reality, hackers target firms with poor data security practices regardless of the firm’s size.

In 2016, hackers compromised the email account of a small law firm in Texas and used it to send an email containing malware. The malware could access the recipients’ financial records and compromised the sensitive information of thousands of individuals.

Motives behind data breach in Legal firms

Hackers share a set of common motives for stealing information from any industry, and financial gain often tops the list. While attacks on the legal industry carry the same motive, let’s also look at the other specific reasons that motivate hackers to target this sector. They are:

  • Insider Trading: In mid-2017, Walter C. Little, a former partner at a U.S.-based international law firm, and his neighbor were charged by the Securities and Exchange Commission with making over one million dollars through insider trading. The perpetrator abused his data access to steal sensitive information from the law firm’s internal network and traded on it for large sums of money.

Insider threats are notoriously common across industries and are often committed by former employees or disgruntled workers who carry a grudge against the company.

  • Hacktivism: Hacktivists are often motivated by one or more political or economic causes. The infamous Paradise Papers case is a good instance of hacktivism. Two leading offshore finance firms, Appleby and Asiaciti, were the epicenter of the incident. Around 13 million documents from the firms were leaked by the International Consortium of Investigative Journalists (ICIJ). The leak revealed to the world how wealthy individuals and big corporates conduct their businesses while cleverly evading taxes. It even publicized the financial dealings of highly prominent individuals such as Queen Elizabeth II, Prince Charles and the singer Madonna, along with 120,000 others.
  • Financial Motives: As stated above, financial gain is one of the primary motives that drive hackers to attack legal firms.

In a string of attacks launched in 2016 against more than 45 Wall Street law firms in the USA, the hackers made over $4 million. Among the most notable firms that fell prey to these attacks were Cravath, Swaine & Moore and Weil Gotshal & Manges.

The aftermath of a data breach in the legal sector

A law firm that has suffered a data breach faces a variety of consequences, the major one being the compromise of the sensitive data itself. The others include:

-reputational damage

-loss of client trust and brand value

-loss of current and prospective clients

-destruction of attorney-client privilege

-financial loss

-disciplinary legal action

-criminal charges

-penalties

-malpractice allegations by clients

-unplanned downtime

-loss of productivity and billable hours

-replacement of electronic devices/internal network

-business disruption, and many more.

An efficient data security system can save you from all of the above by discovering, securing, and monitoring your sensitive data at all times.

How can you secure your firm against hackers and data-centric attacks?

Here is what a few practicing lawyers and data security experts have to say about safeguarding a law firm’s data:

“Perhaps the easiest thing law firms can do is to put data in the hands of experts (and understanding that those experts are not attorneys).” - Jared Staver, Attorney and Managing Partner at the Chicago-based Staver Law Group.

“Second, there are now some good products available for tagging and controlling the data themselves, rather than merely providing network defense. These programs help classify information assets and then provide various levels of protection.” - Jeff Stollman, who supports the United Nations Commission on International Trade Law (UNCITRAL) and is a member of Mentors Guild.

Now that we have recognized the importance of an expert, comprehensive data security solution for legal firms regardless of their size, let’s take a look at the laws and regulations that govern data privacy and security at these firms.

Among the many regulations that govern the privacy and security of sensitive data in law firms, the following are the major ones:

1. Health Insurance Portability and Accountability Act (HIPAA)

The legal industry must also comply with the Health Insurance Portability and Accountability Act (HIPAA) because it collects PHI/ePHI (Protected Health Information / electronic Protected Health Information) of its clients and partners, among others. A HIPAA audit assesses your institution’s ability to protect PHI/ePHI against compromise.

Since the legal sector handles a variety of health data, it must comply with HIPAA to avoid violations and the heavy penalties that come with them. Kogni discovers, secures, and monitors your PHI/ePHI regardless of its location in your data landscape and can help accelerate HIPAA compliance.

Below are the key HIPAA requirements that Kogni can address to achieve compliance:

  • Access Control: A covered entity must implement technical policies that limit access to ePHI to authorized personnel.

Kogni discovers all your HIPAA-related sensitive data regardless of its location. It then classifies the data under preset groups created by Kogni or custom groups created to suit your institution’s needs. By tagging your data and mapping it across users, folders, and permissions, it makes identifying where data resides simple at any point in time. Whether your PHI/ePHI is in a database, filesystem, NoSQL store, big data platform, or anywhere else across your institution’s data landscape, Kogni helps you locate it quickly. Kogni also supports structured, semi-structured, and unstructured data.

Kogni monitors both data at rest and data in motion, in real time, wherever it resides, and offers unified single-pane visibility into your data. It is also uniquely positioned to identify and report on critical data that resides in SaaS applications (Slack, Jira, Salesforce) and other hosted services.

  • Audit Controls: Under HIPAA, a covered entity must deploy hardware, software and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.

Kogni monitors various enterprise channels such as files, folders, and emails. This gives covered entities visibility into how authorized business units interact with their HIPAA data. Our enterprise data security tool continuously monitors for deviations from known risk patterns and alerts your institution so that data misuse can be stopped before it turns into a full-blown data breach.

  • Integrity Controls: To validate HIPAA compliance, a covered entity must have the required policies in place to ensure its ePHI is not improperly handled or destroyed.

Kogni helps your institution architect a robust analytics process. It tracks the location and state of your HIPAA-related data, the alterations it undergoes as it moves across your entity’s data landscape, and its activity in your cloud environments. It then logs the potential threats to your PHI/ePHI and notifies you with appropriate alerts.

Kogni also offers other expert capabilities to accelerate your HIPAA compliance:

  • Kogni alerts users:

-when an authorized user accesses your ePHI from a different geographic location

-when they interact with HIPAA-related information they have never accessed before

-when they log in from a system that lacks the required client-based certificate, or from an unsafe network zone

  • Kogni offers high-precision data analytics across many data points to ensure the information it reports is accurate and actionable.
  • Kogni is built on advanced machine learning, data mining and heuristic analytics techniques that reduce false positives to negligible levels.
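The three alert conditions listed above are the kind of rule a monitoring tool evaluates against each access event. The program below is an added example written for this guide, not Kogni’s code: it learns a per-user baseline (countries and ePHI resources seen before) from a constructed access history, then fires the new-geolocation, first-access, missing-client-certificate and unsafe-zone rules on new events. The event fields, zone names and sample users are all made up for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessEvent is one record of a user touching a HIPAA-tagged data store.
// The field set is constructed for this example; a real audit trail
// (HIPAA audit controls) would supply equivalents.
type AccessEvent struct {
	User       string
	Country    string // geolocation resolved from the source address
	Resource   string // identifier of the ePHI store that was accessed
	ClientCert bool   // did the device present the required client certificate?
	Zone       string // network zone the session originated from
}

// Baseline is what "normal" looks like for one user, learned from history.
type Baseline struct {
	Countries map[string]bool
	Resources map[string]bool
}

// TrustedZones lists the network zones treated as safe (constructed names).
var TrustedZones = map[string]bool{"corp-lan": true, "corp-vpn": true}

// SampleHistory is constructed past activity used to learn the baselines.
var SampleHistory = []AccessEvent{
	{"jdoe", "US", "phi-db-01", true, "corp-lan"},
	{"jdoe", "US", "phi-db-01", true, "corp-vpn"},
	{"asmith", "US", "claims-share", true, "corp-lan"},
	{"asmith", "GB", "claims-share", true, "corp-vpn"},
}

// BuildBaselines learns, per user, the countries and resources seen so far.
func BuildBaselines(history []AccessEvent) map[string]*Baseline {
	baselines := map[string]*Baseline{}
	for _, e := range history {
		b, ok := baselines[e.User]
		if !ok {
			b = &Baseline{Countries: map[string]bool{}, Resources: map[string]bool{}}
			baselines[e.User] = b
		}
		b.Countries[e.Country] = true
		b.Resources[e.Resource] = true
	}
	return baselines
}

// Evaluate applies the alert rules to one new event and returns the reasons
// that fired; an empty result means the event matches the user's baseline.
func Evaluate(baselines map[string]*Baseline, e AccessEvent) []string {
	var alerts []string
	b := baselines[e.User]
	if b == nil {
		// Unknown user: every country and resource is new by definition.
		b = &Baseline{Countries: map[string]bool{}, Resources: map[string]bool{}}
	}
	if !b.Countries[e.Country] {
		alerts = append(alerts, "access from new geolocation: "+e.Country)
	}
	if !b.Resources[e.Resource] {
		alerts = append(alerts, "first access to HIPAA resource: "+e.Resource)
	}
	if !e.ClientCert {
		alerts = append(alerts, "device lacks the required client certificate")
	}
	if !TrustedZones[e.Zone] {
		alerts = append(alerts, "session from unsafe network zone: "+e.Zone)
	}
	return alerts
}

func main() {
	baselines := BuildBaselines(SampleHistory)
	newEvents := []AccessEvent{
		{"jdoe", "US", "phi-db-01", true, "corp-lan"},      // routine, no alert
		{"jdoe", "RO", "phi-db-01", true, "corp-vpn"},      // new country
		{"asmith", "US", "phi-db-01", false, "guest-wifi"}, // new resource, no cert, bad zone
	}
	for _, e := range newEvents {
		alerts := Evaluate(baselines, e)
		if len(alerts) == 0 {
			fmt.Printf("%-7s %-3s %-13s ok\n", e.User, e.Country, e.Resource)
			continue
		}
		fmt.Printf("%-7s %-3s %-13s ALERT: %s\n", e.User, e.Country, e.Resource, strings.Join(alerts, "; "))
	}
}
```

The baseline is deliberately not updated by Evaluate: an anomalous event should be reviewed before it becomes part of "normal", otherwise an attacker's first access silently whitelists the second.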

2. Gramm-Leach-Bliley Act (GLBA)

GLBA regulates the security of customers’ information in the financial sector. Since the legal sector stores and handles troves of financial information, be it of its clients, partner firms, or employees, it must also comply with this act.

The Financial Privacy Rule under the act requires all organizations collecting sensitive financial information to provide customers with a privacy notice detailing:

-the type of information collected about the customer

-where it is being stored

-how it is used

-where and with whom it is being shared, and

-how it is being protected

The rule also requires firms to notify customers of their right to opt out of having their sensitive information shared.

All of the above and more can easily be executed with Kogni’s expert data security solution by your side. Whenever a consumer requests access to their data or opts out of having it shared, organizations leveraging Kogni’s powerful data discovery feature can pull the data up instantly from all available data sources.

Under GLBA’s security and encryption requirements, organizations collecting financial data must encrypt their sensitive data to mitigate the risk of compromise or tampering when it is stored or transmitted. Encrypting your sensitive data is a robust step against data compromise: even if hackers manage to break into your systems, without the decryption key they cannot read the information inside. Read our blog post “Why is Data Masking imperative to your Data Security Strategy?” to understand the importance and types of data masking.
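To make the encryption point concrete, here is an added example (written for this guide, not Kogni’s implementation) of field-level encryption for a sensitive value held at rest. It uses AES-256-GCM from Go’s standard library and binds the record identifier as associated data, so a sealed value cannot be copied from one client record into another. The sample IBAN and the record identifiers are constructed; the key would in practice come from a key management service rather than being generated in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key. In production the key comes from a
// KMS/HSM, is never stored beside the data it protects, and is rotated.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptField seals one sensitive value with AES-256-GCM. recordID is bound
// as associated data, so a ciphertext lifted from one row cannot be replayed
// into another. Output layout: nonce || ciphertext || tag, storable as one blob.
func EncryptField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptField reverses EncryptField. It fails closed: a wrong key, a
// different recordID, or any modified byte yields an error, never garbage.
func DecryptField(key []byte, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, _ := NewKey()
	wrongKey, _ := NewKey()
	// Constructed sample: a client's bank account number held in a matter file.
	const recordID = "matter-2020-0042"
	sealed, _ := EncryptField(key, recordID, []byte("IBAN GB29 NWBK 6016 1331 9268 19"))
	fmt.Printf("stored blob (%d bytes) is opaque without the key: %x...\n", len(sealed), sealed[:8])

	if pt, err := DecryptField(key, recordID, sealed); err == nil {
		fmt.Println("authorized read:", string(pt))
	}
	if _, err := DecryptField(wrongKey, recordID, sealed); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the stored blob
	if _, err := DecryptField(key, recordID, tampered); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
	if _, err := DecryptField(key, "matter-2020-0099", sealed); err != nil {
		fmt.Println("blob moved to another record rejected:", err)
	}
}
```

GCM is an authenticated mode, which is what covers the "tampering" half of the GLBA requirement: a modified ciphertext is refused outright rather than decrypting to altered data.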

3. Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that applies to organizations that collect, store, and use payment card data, including those in the legal sector.

Payment card information is at considerable risk whenever a payment is made by mobile, over the internet, or at an electronic payment counter. When a card is swiped, its data passes through multiple systems before the payment settles, and unencrypted card data can be exposed at any phase of that process: storage, processing, or transmission.

Identifying this unencrypted data is an important part of requirement 3.1 of the PCI DSS standard. Firms must adopt a solution that can discover data such as card details that may reside in undisclosed locations within their data landscape. Kogni, a powerful data discovery and security solution, can help organizations pull up sensitive data from anywhere across their data landscape.

Requirement 3.1 of the PCI DSS standard also calls for organizations to discover, on a quarterly basis, stored cardholder data that exceeds the defined retention period and to erase it securely. To achieve this, they need the following:

-Organization-wide data scanning and discovery: An organization’s data landscape may contain many undisclosed pockets of storage. An effective data discovery solution, such as Kogni, scans across the whole enterprise and leaves no storage area unscanned. It finds sensitive information (cardholder data, in this scenario) in all available data sources, not just the ones expected to hold payment card information.

-Data discovery across data formats and sources: A comprehensive data discovery solution must have 360-degree coverage, so that it can identify sensitive data in any data source, format or type across your data landscape.

Kogni’s Sensitive Data Discovery Software explores different repositories including cloud, on-premise, and third-party controlled storage centers, for unknown, sensitive and critical information.

Its predefined data sources include Amazon S3, Amazon Redshift, Oracle, Sybase, SQL Server, Informix, PostgreSQL, Office 365, MySQL, MongoDB, Google Drive, and many more.
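The requirement 3.1 procedure described above (find cardholder data wherever it sits, then flag what has outlived its retention period) reduces to a scan that a practitioner can reason about. The program below is an added example for this guide, not Kogni’s scanner: it pulls 13-19 digit runs out of free text, validates them with the Luhn check so ordinary reference numbers are not reported, masks each hit to first six/last four digits, and compares the record’s age against a 90-day retention period. The records, file locations, dates and retention period are constructed; the card numbers are the standard Visa and Mastercard test numbers.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Record is one stored item in the firm's data landscape. Location and
// contents are constructed for this example.
type Record struct {
	Location string
	Stored   time.Time
	Content  string
}

// Finding is one validated primary account number (PAN) and whether the
// record holding it is older than the retention period.
type Finding struct {
	Location      string
	MaskedPAN     string
	AgeDays       int
	PastRetention bool
}

// RetentionPeriod and ScanTime are fixed so the example is deterministic;
// a real scan would use the policy's retention value and time.Now().
var (
	RetentionPeriod = 90 * 24 * time.Hour
	ScanTime        = time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC)
)

// SampleRecords are constructed. The first two carry well-known card test
// numbers; the third has a 16-digit reference that fails the Luhn check and
// a phone number that is too short; the fourth is a near-miss that fails Luhn.
var SampleRecords = []Record{
	{"clients/acme/invoice-2019-11.txt", time.Date(2019, 11, 15, 0, 0, 0, 0, time.UTC),
		"Paid by card 4111 1111 1111 1111, exp 11/22"},
	{"crm.notes", time.Date(2020, 5, 20, 0, 0, 0, 0, time.UTC),
		"Retainer charged to 5500000000000004 on file"},
	{"intake/form-0042.txt", time.Date(2020, 1, 10, 0, 0, 0, 0, time.UTC),
		"Case ref 1234567890123456; phone 555-123-4567"},
	{"mail/archive.mbox", time.Date(2020, 3, 1, 0, 0, 0, 0, time.UTC),
		"card ending 4111111111111112 declined"},
}

// panCandidate matches 13-19 digit runs, allowing a single space or dash
// between digits, which is how PANs commonly appear in free text.
var panCandidate = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)

// LuhnValid reports whether a digit string passes the Luhn check-digit test,
// which weeds out most non-card digit runs of the same length.
func LuhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN keeps the first six and last four digits (the most PCI DSS permits
// to be displayed) so findings can be reported without re-exposing the PAN.
func MaskPAN(digits string) string {
	return digits[:6] + strings.Repeat("*", len(digits)-10) + digits[len(digits)-4:]
}

// Scan finds Luhn-valid PANs in every record and flags those held longer
// than the retention period.
func Scan(records []Record, retention time.Duration, now time.Time) []Finding {
	var findings []Finding
	for _, r := range records {
		age := now.Sub(r.Stored)
		for _, m := range panCandidate.FindAllString(r.Content, -1) {
			digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
			if !LuhnValid(digits) {
				continue
			}
			findings = append(findings, Finding{
				Location:      r.Location,
				MaskedPAN:     MaskPAN(digits),
				AgeDays:       int(age.Hours() / 24),
				PastRetention: age > retention,
			})
		}
	}
	return findings
}

func main() {
	for _, f := range Scan(SampleRecords, RetentionPeriod, ScanTime) {
		action := "within retention"
		if f.PastRetention {
			action = "PAST RETENTION: securely delete"
		}
		fmt.Printf("%-34s %s  age %3dd  %s\n", f.Location, f.MaskedPAN, f.AgeDays, action)
	}
}
```

The Luhn filter is what keeps a scan like this usable: without it every 16-digit case reference or account number would be reported as a card, and the quarterly review would drown in false positives.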

4. General Data Protection Regulation (GDPR)

The European Parliament’s efforts to protect its citizens’ data gave birth to the much-awaited General Data Protection Regulation (GDPR). The law applies to every member state of the European Union and aims to create a data protection strategy that covers both consumers and their personal data.

Kogni’s GDPR-oriented features enable institutions in the legal sector to discover sensitive data in their data sources, secure it as it is ingested, and continuously monitor data sources for possible breaches and policy violations.

Kogni, with its automated sensitive data discovery, is uniquely positioned to help institutions adhere to GDPR within an accelerated time frame. Its data loss prevention mechanism for GDPR helps institutions secure their sensitive data.

5. The California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a much-needed law that favors customers’ right to data privacy. The law gives customers rights concerning the collection and usage of their personal information.

CCPA applies to any organization, anywhere in the world, that collects and uses the data of California residents.

Institutions must take a comprehensive approach to CCPA compliance by implementing an all-inclusive enterprise data security tool, such as Kogni. Kogni can help them track the location and purpose of their customers’ personal information. It helps customers exercise their rights to information, portability, erasure and so on, and lets organizations manage opt-outs when customers no longer consent to the sale of their personal information.

Kogni’s uncomplicated and cost-effective Sensitive Data Security Solution is easy to implement and is a comprehensive approach to your Data Security strategy. Leave it to Kogni to efficiently automate your Data Discovery, Classification, Security, and Compliance!

Explore Kogni’s 24/7/365 expert sensitive data discovery, security, and monitoring capabilities for free for 90 days.