Photo by Susana Gonzalez/Bloomberg
Photo by Susana Gonzalez/Bloomberg

Perspective: 15 Security Lessons From the Panama Papers

Editor’s Note: The author of this post works at a legal process outsourcing company.

By Caragh McGovern Landry, Global Head of Onshore Managed Review, Integreon

Since the first article was published about the Panama Papers scandal last weekend, much has been said about the likely players, the issues, the alleged fraud and corruption, the money laundering and how the leak could have happened. Much has also been said about the data itself — the size, the types of documents and how the International Consortium of Investigative Journalists (ICIJ) was able to analyze that many documents so quickly.

For the eDiscovery community, this is a fascinating scandal because at its root are all the issues we face every day — data privacy, data security, large amounts of structured and unstructured data, finding out as quickly as possible what you have and building a strategy with ongoing information revelations.

IT Security

Although there was initial speculation that the data may have been internally leaked by a firm employee, Ramon Fonseca , co-founder of Mossack Fonseca,  recently stated that it was an outside hack. Much has been said about Mossack Fonseca’s lack of IT security by professors and IT professionals alike.  They have hit the blogosphere to decry their shock at the lax and outdated security protocols in place at such a high profile law firm. (Read more here on Wired.)

As an eDiscovery specialist, I can’t say I am surprised by a law firm having security gaps that would allow for an interested hacker to get through. For years, law firms have been a target of hackers specifically because it is pretty well known that it is easier to break past a law firm’s firewall than say, a Google or Facebook. As a hacker, why would you try to surmount the layers of security in place at a major corporation when you can find the same data, with less effort, inside a law firm who represents that corporation?

Law firms have realized the need for increased and improved security, but implementing the levels of security necessary is difficult and costly and maintaining those security measures is a full-time gig. Large corporations with dozens of IT staff struggle to keep pace with software and hardware updates. So it should be of no surprise that law firms, with much smaller IT support, are a few steps behind. Adding to the staffing and expertise issues is the ongoing difficulty of managing an increasingly mobile workforce and an ever-changing market offering of technology, including mobile technologies, cloud storage and BYOD (bring your own device), all of which create additional layers of security concerns and risk management issues that most companies are unable to adequately manage. And that includes law firms.

Despite security enforcement being difficult to implement and maintain, law firms do have an ethical responsibility to take every reasonable measure to safeguard their clients’ information and data. In today’s email/IM/text-heavy workplace, this responsibility extends to implementing adequate security measures to protect against cyber-attacks. Every law firm, and its employees managing client data stores, has a duty to understand the risks associated with storing data and implement processes and technology to sufficiently defend that data. Hackers may still attack, but they shouldn’t always succeed.

Believing the statement by Ramon Fonseca and taking him at his word that the Panama Papers leak, reportedly the largest leak of any kind at 2.6 TBs is a result of an outside hack, I would like to revisit some strategy tips for law firms to ensure that they are, in fact, taking every reasonable measure to secure their clients’ data.

15 Tips for Safeguarding Client Data

  1. Hire or designate a full-time Information Security officer (or multiple officers if you have the budget for this). An Information Security officer is someone’s whose sole job is to maintain security on client and company data. Ideally this person should have a background in IT and have good working knowledge of law firm and corporate infrastructure.
  2. Consider your employees morale, but not at the expense of the security of your client’s data. Making your employees happy in the workplace should always be a concern, but data leakage and security breaches pose a bigger threat. Your employees can and will get used to data security protocols, not matter how inconvenient they may be.
  3. Create a security policy and train employees on that policy. Employees often don’t know what the policies are or why they were created. Policies should include:
  4. Password policies — Passwords should be complex, never re-used and changed often. They should not be shared, and that includes being written on a Post-it Note and stuck to the computer monitor.
  5. Download guidelines — Stranger Danger! Don’t open files that are out of the ordinary or are from unknown addresses.
  6. Installation restrictions — Safeguard who at the firm is able to run installation packages. Malware is often hidden in executables and fake updates sent to everyday users in email.  Clicking to install unknown software can load viruses and open doors on the network.
  7. BYOD policies — You can say no, but you don’t have to anymore. There are a lot of tools out there that will allow you to monitor and safeguard data on personal and/or mobile devices (data partitioning, wipe switches, access controls, Apps that you control, etc.)
  8. Encryption policies — Make sure data is always encrypted when being sent anywhere and that logins/passwords are sent through different mediums. I can’t tell you how many times I will get a login in one e-mail immediately followed by a second e-mail with the password. How is that safe? If someone broke into my e-mail, they can read both e-mails.
  9. Update your policy quarterly. Technology changes fast (especially apps and iOS updates) and you need to update your policy frequently to keep up.
  10. Think outside the box; hackers do. Find where you are most vulnerable and add more security to that area. One creative way to determine weaknesses is to hire hackers yourself to do intrusion testing.
  11. Understand that even if data isn’t interesting to you, that doesn’t mean hackers don’t want it. Protect everything, even if your client manufactures screws.
  12. Consider outsourcing your data storage. As I said before, security is tough and it’s not your core business. There are dozens of companies out there who only do data storage. Rely on their expertise and data will likely be safer and your IT costs will be lower.
  13. Have backup, retention, and deletion plans. Depending on legal holds and industry mandates, data should be managed and purged on a regular basis. Storing data past the date when you are reasonably required to have it means that data is unnecessarily vulnerable.
  14. Keep yourself up to date. Stay knowledgeable on trends, data security breaches, new security safeguards and new mobile workforce tools.
  15. Educate everyone. Educate your clients on potential threats and how you are safeguarding against them. Educate your staff on why security is paramount and client data protection is as important as Privilege protocols. Educate yourself and your peers. Data is serious business. And did I mention that it’s hard, too?

Corporations, their outside law firms and their third party vendors all need to be equally vigilant in implementing and maintaining adequate security protocols and measures in order to prevent embarrassing and damaging data leaks like the Panama Papers, which will likely have significant and detrimental impact on dozens, if not hundreds, of high profile people and organizations. This will also change the level of trust corporations have in their law firms’ ability to protect their data and may constitute many law firms failing audits mandated by their clients and losing business.  The above outlined steps can be costly and challenging, but they are but a drop in the bucket compared to the losses they could suffer from a revenue perspective if they do not put these steps into play.

Related posts