Common consequences are loss of intellectual property, brand damage, customer attrition and loss of new business—as well as identity theft affecting your customers. There may also be customer notifications, system upgrades, regulatory agency fines, and individual or class action lawsuits. The latest Ponemon Institute study put the average cost of a data breach at $5.4 million in 2011.
When public relations disasters strike, heads have a tendency to roll. No one thinks they can really lose their job over a data breach, but it has happened—recently and very publicly. In May 2012, the director of Utah’s Department of Technology Services was forced to resign after a data breach exposed 280,000 healthcare records.
Gambling With IP and Client Data
According to an article in the Wall Street Journal Law section in June, “Few law firms will admit publicly to a breach. Thefts of confidential information strike at the core of the legal profession’s obligation to safeguard clients’ secrets, and can do considerable harm to a firm’s reputation.”
As a result, there are only a handful of recent examples of IT security breaches in the legal profession. Still, they should serve as cautionary tales for all of us in the many ways confidence can be violated and information pilfered:
- In Chicago, the Passen law group website was crashed by hackers using a common SQL injection attack, and was offline for three weeks.
- The firm of Samuels Green & Steel’s login credentials were hacked and used to siphon customer credit data from the network, which was then used to steal client identities.
- In Los Angeles, Gipson Hoffman & Pancione was attacked by hackers traced to China as it represented a software company in a lawsuit against the Chinese government and several software manufacturers.
- Electronic documents supporting a medical malpractice suit were lost by a traveling employee of Baxter, Baker, Sidle, Conn & Jones, a Baltimore firm.
- Electronic data, including Social Security numbers, was compromised when a hard drive was stolen from Wheeler & Associates in Florida.
Was human negligence a factor in some of these cases? Absolutely. Criminal intent? In most of them. Would you have been embarrassed had your firm’s name appeared here? My guess is yes.
We are all vulnerable, and yet we continue to roll the dice—not only with our own property but with our clients’ as well. Everyone has data, from case files and client receivables to vendor payables and personnel information. Most firms have intellectual property to protect and client privilege to safeguard, yet many have undertrained, overworked or even disgruntled employees. Compounding the problem, many practices have security programs that range from poor to woefully inadequate.
Any of these elements can result in a data breach. Together, they create a perfect storm of opportunity for cybercriminals, who won’t hesitate to exploit them.
Failure to Act at Our Own Peril
Richard Clarke, long-time counterterrorism czar and former cybersecurity advisor to three presidents, was a controversial figure for his strong positions on security and terrorism and his prophetic statements based on U.S. security intelligence. He has also become famous for some memorable quotes.
For example, after citing abysmal statistics about corporate security budgets at a security conference in 2002, Clarke concluded, “If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”
A few months ago, in an interview with Smithsonian, Clarke concluded that U.S. businesses are in a state of denial when it comes to cyberthreats and the importance of information security. “I think we’re living in the world of non-response,” he said. “Where you know that there’s a problem, but you don’t do anything about it. If that’s denial, then that’s denial.”
Is denial your security strategy?