You might think that after the Panama Papers breach in which the law firm of Mossack Fonseca was hacked and 11 million documents exposed – including ones that forced the prime minister of Iceland to resign and the prime minister of Pakistan to be removed from office – that law firms around the world would have stepped up their cyber security efforts.
I am sure that some have improved their security while others have made minor efforts to improve it, but it is not working. Until clients of these same law firms start conducting frequent cyber security audits of those firms, it is unlikely that significant changes will be made in the industry.
Remember that security and convenience oppose each other and security costs money. If their clients are not demanding that they spend money on security, they likely will spend that money elsewhere.
So what is this week’s news?
The Bermuda-based law firm Appleby, with 10 offices around the world and around 470 staffers, admitted this week that they had been hacked. The hack, they said, occurred last year. That hack was not disclosed at the time, and legally they were probably not required to do so. The only reason they are talking about it now is that the international investigative journalist group ICIJ was given at least some of the documents and has been poring through them and asking embarrassing questions.
Apparently, clients of the firm include the rich and the famous, especially in Britain, possibly including some Royals. While the firm says that they try to do things lawfully, “no one is perfect”. Whether or not the two prime ministers who were exposed in the Panama Papers breach were doing things legally, the court of public opinion didn’t think what they were doing was appropriate.
When members of the rich and the famous get exposed doing things that may be legal or may be shady or may be perceived as illegal by the masses, that is not good for their public image.
The apparent threat that these documents are now going to be published probably scared the poop out of some of the firm’s clients, which forced them to admit the breach.
This brings us to an important point. In the United States (and the firm has no offices in the U.S.; their offices are mostly in tax havens), companies that are hacked are required to disclose that fact ONLY UNDER SOME, LIMITED, CIRCUMSTANCES. If personally identifiable health care information is breached, if payment card information is breached, and if non-public personal information as defined in the various states’ laws is breached, for example – then, assuming the data wasn’t encrypted, etc. etc. – the companies have to fess up to the breach.
If, however, the breach did not expose that kind of information – say it exposed your company’s not-yet-filed patent applications, or information regarding a merger, or information regarding an off-shore business transaction – then maybe that information does not have to be disclosed, either publicly or even to the client.
For U.S.-based law firms, the American Bar Association has created model ethics clauses for states to adopt – some have been adopted and others not – that say that attorneys should try to protect client information, but the wording is a bit loose.
As a client of a law firm, your CONTRACT with that firm can certainly be as tight as the two parties agree for it to be (assuming the terms are legal, of course). You, as a client of a law firm, for example, can say that if you want me as a customer, then if you suffer a breach and my information is exposed, you must notify me within, say, 72 hours. That would put the onus on the law firm. For small clients that is a difficult issue to force. For larger clients, it is less difficult. That doesn’t mean that lawyers, as good negotiators, won’t try to make the terms more favorable to them, and you can’t blame them for wanting to do that. Still, you have a say in the matter and you can always choose to find another firm. There are lots of law firms in the country.
While there are probably thousands of clients of the Appleby law firm that are currently holding their breath, this, along with the multiple other law firms that have been hacked, should act as a wake-up call to clients to push their law firms to improve security.
I would think that most reputable law firms REALLY don’t want to have their clients’ information compromised, independent of ethics rules or client contracts, but security is both inconvenient and expensive.
However, so is being hacked, as is having your name dragged through the mud and losing clients.
Since many of the largest breaches in the U.S. are the result of vendors being hacked (think Target or Office of Personnel Management, for example), we work with clients to create a vendor cyber risk management program to tighten up the parameters of their vendor contracts and cyber security programs.
Stay tuned; there is likely to be more fallout from this breach.
Information for this post came from The Register.