10 Apr 2016

Panama Papers Leak Shows Inherent Weakness of Law Firm Cyber Security




The 11.5 million leaked documents from Panamanian law firm Mossack Fonseca have placed some of the world’s rich and famous under scrutiny about how they hide their wealth.
The so-called Panama Papers breach is an incredible story, but I expect to see more data breaches at law firms in the future.
Irrespective of the data itself and its implications, I have witnessed a general increase in the cyber defense readiness of many law firms in the USA. Outside the USA, however, there has been little interest among law firms in investing in cyber security and mounting competent cyber defense capabilities. That fact is of great value to many criminal hackers and nation-state attackers looking to exploit weak security within law firms.
What’s the value of confidentiality with a law firm, if a hacker or nation state penetrates their perimeter and gains full administrator access to all the systems within a company?  Further, how could a law firm provide for their client’s defense if the breach was caused by their neglect, incompetence and greed?
We have seen in many cyber attacks that the force majeure defense (an unanticipated and impossible-to-protect-against event) only applies in a tiny fraction of companies that have excellent cyber defense capabilities. As lawyers are gleeful to explain: ignorance of the law is no defense. But this case provides a new maxim: ignorance of proper cyber defense processes and technology is no excuse for allowing criminals and nation states access to your clients’ data.

Law Firms are a Ripe Target for Hackers

The implications of law firm data breaches are mind-boggling, since parties within lawsuits provide full disclosure about their chosen law firms as a matter of public record. It is a simple step for a criminal to move on to attacking that law firm to harvest their files. For a criminal this could mean the ability to manipulate stocks, access the personal records of principals within the companies, and blackmail people based on information not publicly known.
In the case of foreign or illegal transactions, the files of law firms may contain account numbers, PIN codes, passwords and other elements of accounts that may be exploited in a cyber attack.

Lessons Learned from the Panama Papers Leak

The lesson from the Panama Papers leak is that it is up to the client to inspect the cyber warfare capabilities of their law firm. If there is little to show, then they should consider their confidentiality blown.
Clients should not be comfortable with assurances that everything is fine or that the law firm has passed their audits.  Audits do not test the ability of a law firm to sustain its cyber security when attacked.
Clients should ask their firms whether they are regularly penetration tested by different firms, have segregated networks, use multiple levels of cryptography, have air-gapped networks, and use an automated privileged identity management system to rotate all sensitive credentials on every system, every 2-24 hours worldwide.
There are some law firms with excellent automated and adaptive cyber defense capabilities. However, too many are stuck in the dark ages of wigs, candles to read by, and quill pens to write with.
It is inevitable that there will be a law firm data breach that will result in the bankruptcy of one or more firms for gross incompetence, negligence, and malpractice.  In the future, law firm partner disbarment could occur as a result of a lack of fundamental cyber security.  It will be for the courts to determine what normal and reasonable care should be for attorneys who use Internet-connected systems.
Until then, clients deserve modern cyber defense capabilities from their law firms. They are certainly paying more than enough to expect proper security.
