Last month a catastrophic data breach happened to the leading law firm in the offshore market, Appleby. The data breach included roughly 13.4 million leaked documents from the years 1950 to 2016. Among the files were loan agreements, financial disclosures, email correspondence, deeds, and other sensitive documentation. This data breach has compromised the privacy of several clients including politicians, companies, celebrities, and even the Queen of England.
The 1.4 terabytes of data was handed over to the publication Süddeutsche Zeitung. Some of the documents turned over to Süddeutsche Zeitung were from another organization called Asiaciti Trust. The newspaper has reasonably taken precautions to protect the leaker. Appleby has released a statement acknowledging that the data breach happened. In Appleby’s statement they said “we have reviewed our cyber security and data access arrangements following a data security incident last year which involved some of our data being compromised.” Of course “some” data in this case is an understatement. On top of that Appleby did not notify their clients when they initially learned about the data breach last year.
Public Relations Nightmare
The fallout has caused Appleby to release numerous statements attempting to clarify what has happened or reassure their clients that everything is alright now. Money is being spent to reassure clients and the public that everything is okay. There is a desperate attempt to ensure that everything goes back to normal before it was revealed there was a cyber security breach. However, things will not be back to how they were before the leak for Appleby. In the midst of the public debates that have happened since the publication of the leak, cyber security and insider threats.
Cyber Security Issues & Implications
In Appleby’s public statements, as stated above, “data access arrangements” were apparently reviewed and revised. It is best not to speculate until more details come out the data breach; however it is easy to infer that an insider threat may have played a role. Among law firms this is one of the most anxiety inducing security topics. What happens if an insider, for whatever reason, decides to leak information? It could completely destroy any law firm’s standing with any present or future clients.
According to the American Bar Association roughly 26% of law firms with more than 500 attorneys have experienced a cyber security breach. That is one in every four firms that have been breached in 2016 alone. Law firms handle some of the most sensitive data that people entrust them with. The information age has catalyzed the digitization of all physical documents that had previously been secured within law firms themselves.While digitization has increased the efficiency of sharing data and reproducing documents, it has also made very sensitive data increasingly vulnerable to data theft.
While malicious hackers are one cause of concern, most hackers know that it is tough to breach the layers of security designed to keep them out. This is why hackers often phish credentials from negligent insiders from your organization. In worse cases there is no external hacker, just a malicious insider who may have a wealth of access to sensitive information. Perhaps they are acting based on a political motivation or they have a financial motive to sabotage your law firm. If one a lawyer who is part of your organization begins collecting documents they shouldn’t be, do you have a system to alert you as it happens? What about software that can automatically lock down their account when such behavior is detected?
How You Can Reassure Your Clients
Clients who may not have paid much attention to cyber security before will do so now. The clients of Appleby are often very well networked. One client’s word about your ability to secure sensitive data could mean the loss of hundreds of other potential clients. While Appleby is managing a nightmare scenario right now, your law firm can take reasonable steps and security investments ensure you avoid their fate.
Transparent Security Policy
Be upfront with clients about what happens in the event of a data breach. What processes are in place to prevent one and if one does occur how soon you will notify them. Appleby made a fatal mistake by withholding information about the data breach. Many other organizations make this mistake as well. People appreciate honesty, and will react in a more measured manner if you provide them immediate notice of a data breach and its cause.
User Behavior Analytics (UBA)
One of the technologies available now is UBA which allows you to watch for deviations from “normal” behavior. The technology establishes a baseline of network behavior and a baseline for each user on your network. From there if a user starts to deviate from normal behavior and let’s say begins access large amounts of data not relevant to their job, you will be notified and can take action. This also allows you to establish real-time risk analysis reports about users and determine who is the highest security risk within your organization.
While the incident at Appleby is regrettable so too is poor cyber security practice. You can ensure you are protected by using Teramind’s tailored offering for law firms. You can find out more here today!