Mossack Fonseca: Lessons for Small Law Firm Security (First in a Blog Series)
If Your Law Firm Security Online Is Breached, You Better Have a Good Story To Tell Your Clients (Unlike Mossack Fonseca)
If you’re an attorney, law firm online security is a must: you need to protect your clients’ data with the latest software updates and security protections. Your clients assume that you are up-to-date with your law firm’s security. Are you? Are you vulnerable to an online breach or hack to your law firm’s data?
Eleven and a half million documents were taken from the Panamanian law firm, Mossack Fonseca – an online breach with the consequences reverberating worldwide: the Prime Minister of Iceland resigned and controversy tracks world leaders including the UK’s David Cameron and Russia’s Vladimir Putin.
While Mossack Fonseca claims to be the victim of a vicious hack, they have yet to take responsibility for their startlingly lax approach to security. Following are just a few examples of their lackadaisical attitude toward online security:
- Their web server was not behind a firewall.
- Emails were not encrypted.
- Their web server was on the same network as their mail servers based in Panama.
- They were serving sensitive customer data from their portal website which includes a client login to access that data.
- Their Outlook Web Access login has not been updated since 2009.
- Their client login portal has not been updated since 2013.
I could go on, but you get the idea. They had clear negligence in protecting the online security of their clients and now that we understand how unprofessionally they ran their law firm, we can come to our own conclusions about their culpability in the affair.
Regardless, you can do everything in your power to protect your clients’ data and still get hacked. The difference: if you are able to demonstrate that you took law firm security seriously and made every effort to be up-to-date and locked down, my guess is that your clients will be more understanding. It can happen. To anyone.
It’s only if you leave the key under the front door mat and then get robbed that people are likely to be annoyed with you.
How can you prevent a data breach? If you have no established protocol for a security breach in your law firm, you have not begun to take the necessary steps. Someone at your law firm needs to be in charge of this process. That person could be a law partner, a staff member – doesn’t matter. What matters is that that person needs to own the process and be responsible for getting a plan together. For more understanding, call your webmaster, call LeanLaw, call a security expert – immediately – and get to a place where you understand how to make your data secure and what to do in the event of a hack.
Data security is your ethical responsibility to your clients. The good news is that it will also make your small law firm more productive and even save you money in the long run. Three birds, one stone. Go do it.
If you contact LeanLaw about your security before April 22, we will give you a free initial consultation — no strings attached – so that you have an understanding of your law firm security online and its vulnerabilities. Mention this blog post.
Next week, I will write about the five immediate steps you can take once you realize your online data has been breached.
Join the Movement!
Gary Allen, Founder and Practicing Attorney
