Canadian lawyers are among those in the global legal community who may be looking more closely at their information security procedures after the revelation of a massive hack of international documents from a Panamanian law firm.
They ought to, according to an Ontario cybersecurity lawyer.
“Generally speaking I think there is some vulnerability in Canadian law firms, if I had to base it on past experience,” said the lawyer, who asked not to be identified. “There have been instances of Canadian law firms being breached in the past.” (see below)
“To be completely frank I think some law firms struggle with the concept of what cybersecurity is. They may correlate that with disaster recovery or other concepts which are not exactly cyber. They’ll rely on outsourcing this to third parties without doing all the verifications they need. I think the larger law firms are aware of this issue and they need to work on it, but when you get to the three or four or 10-man shops I think it’s less of a priority or focus.”
Because they hold sensitive corporate and personal information, law firms are logical targets of attackers.
However, Ray Boisvert, a former assistant director of intelligence at the Canadian Security Intelligence Service (CSIS) and now president of the advisory firm I-Sec Integrated Strategies, said in an interview they may not appreciate what they hold.
“Sometimes organizations, law firms, some government relations firms and lobbyists and others don’t always recognize how valuable their information assets are,” he said. “I think they see their role and quality and value as provisioners of advice — and that’s true — but they also have great repositories for stuff.”
In this country attention on cybersecurity has mainly been focused on organizations related to critical infrastructure — banks, utilities, governments and law enforcement agencies, and transportation companies.
Outside of these sectors, retailers and related consumer businesses — such as Ashley Madison — have been in the news as victims, but so have Canadian law firms:
– In 2011 it was reported by an IT consulting security firm that several firms were among those targeted here by someone allegedly trying to get information about a takeover of Saskatchewan’s Potash Corp;
– According to LawPro Magazine, a publication of Ontario’s legal insurer, in 2012 a law firm’s bookkeeper was the victim of a virus that infected her computer when she clicked on a link on a popular news Web site. The firm apparently wasn’t directly targeted. However, the virus led to a spoofed bank Web site that seemed to be down. She called a number on the screen and a “support person” had her enter the two passwords necessary — one of which, for security reasons, was from a key fob password generator. Ultimately several hundred thousand dollars was wired by fraudsters from a trust account to an offshore account.
Details are scarce on how the Panama law firm was attacked. Presumably, because according to news reports it involved over 2 TB of data and 11.5 million documents, it was a theft of data rather than paper.
Nor is it known whether the law firm was hacked from the outside, or whether it was done by a law firm employee with a grudge against the employer or a staffer who didn’t like what the firm was doing. So far no one has taken credit.
The head of the Panama law firm is describing the incident as a hack, according to CBC news.
According to news reports the hacker initially went with the data a year ago to a German newspaper. Other news organizations were notified. UPDATE: According to this morning’s Toronto Star, the hacker justified the leak because the law firm was “doing real harm to the world” by facilitating tax avoidance by the wealthy.
Ultimately more than 100 newspapers and TV news organizations in 76 countries under the directing umbrella of the Washington-based International Consortium of Investigative Journalists reviewed the documents. They began publishing stories starting April 3 about the Panama law firm setting up offshore accounts and paper companies over 40 years — some set up legitimately, others possibly for tax evasion or money laundering.
Lawyers are obliged to protect client information and communications. The Canadian Bar Association, which offers many professional development courses, has few resources available to lawyers here on IT security for their firms. An association spokesperson couldn’t put her hands on any when asked Tuesday.
Provincial law societies are responsible for disciplining lawyers and also offer professional development including law practice management resources, which range from province to province. For example, the British Columbia law society offers this page on technology. Ontario’s Law Society of Upper Canada has this page of technology podcast practice tips. LawPro, which insures Ontario lawyers, offers this page of technology-related advice. The Nova Scotia Barristers’ Society and the Lawyers’ Insurance Association of Nova Scotia refer lawyers to this site for advice on data security policy.
The American Bar Association has several resources, including a cybersecurity handbook.
Certainly law firms — like any other organization — have to think about security awareness training for staff, network segmentation, encryption, enforcing strong passwords and access control — including, perhaps, denying staff the ability to use USB sticks or CDs to copy data.