PHILADELPHIA – In the wake of a recent FBI report that said 80 percent of large law firms have experienced a data breach, a Philadelphia firm is beefing up its internal security.
However, according to security experts, even this nominative measure, while certainly beneficial, may not be enough – firms must also enact substantial internal security reform to keep hackers at bay.
“Historically, law firms probably have the lowest level of security when it comes to data breaches and data privacy security,” said Stephen Ward, the vice president of East Coast USA at Pinkerton, an international risk management and security firm.
“You could name anyone to be in charge of your cyber security, but unless they are following procedures and methodology, what does that mean?”
One of the first firms to take on the issue of data security, Fox Rothschild has recently taken the first step in securing client information, naming partner Mark G. McCreary as the firm’s first Chief Privacy Officer (CPO) in September.
Naming someone specific to manage data security, according to Ward, while “progressive,” won’t give firms any type of “silver bullet response” if they are hacked – which, due to cyber-crime’s ever-evolving nature, is always a possibility.
“By naming someone, it’s a dual-edged sword,” Ward said. “You’re taking the problem seriously, but now you have to address that problem. Naming someone alone doesn’t mean that your network is secure.”
According to the firm’s press release, McCreary will review the firm’s policies and practices regarding confidential information, as well as implement new policies and standards, respond to client concerns, and develop educational training for the firm internally.
“Policies and procedures are only effective to the extent they are followed, so there must be a commitment to follow those policies and procedures. Having personnel dedicated to addressing privacy and security issues by any measure is a positive step. Fox Rothschild’s appointment demonstrates clear leadership in this space, and I applaud that,” Jason Maloni, Levick’s Senior Vice President & Chair of Litigation Practice, told the Pennsylvania Record.
Law firms are often targeted by hackers for the sensitive client information that they house, which Maloni says can be sold on the black market for a quick profit.
“Most critically, [a firm holds] trade secrets related to business, a client’s plans for a new product, a possible merger or valuation information,” Maloni said.
According to Ward, this information, in the wrong hands, can seriously harm the profits of large clients involved in mergers and acquisitions.
“If a public company is buying a competitor in a cash deal, and someone were to hack and release that… you know their stock is going to drop based on the fact that they are going to be laying out large amounts of cash in the acquisition,” Ward said.
The hackers targeting such sensitive information aren’t amateurs – the attacks on law firms are state-sponsored, specifically coming from countries like China, according to Ward.
Despite the high levels of sensitive information centrally located on firm servers, firms face little to no government-imposed penalties for data breaches.
Instead, Ward said, firms that lose sensitive client information face a tarnished “brand and reputation,” which could effectively cost them millions.
“A lot of clients are saying that if you are going to handle our work in the future, you have to show us and demonstrate to us how you secure your network,” Ward said.
Securing a network means actively updating security practices, including conducting quarterly audits by third parties, identifying and remediating vulnerabilities in the network, and doing gap analysis, Ward said.
Despite the responsibilities that come along with it, both Ward and Maloni agree that Fox Rothschild’s naming of a CPO is socially responsible.
“It’s good to see that a firm is taking steps to put people and processes in place to better safeguard information,” Maloni said.
“I think it’s a great idea that they are taking it seriously enough to identify one person to deal with it,” Ward said.
“But, when you’re dealing with cyber crime, there is one thing to keep in mind: you can have the best plan in place, the greatest, best rules available to you today, but it is an ever-evolving world. What seems secure today may not be secure tomorrow.”