BreachExchange mailing list archives

25 Tips to Prevent Law Firm Data Breaches


From: security curmudgeon <jericho () attrition org>
Date: Sat, 10 Nov 2012 21:58:40 -0600 (CST)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.wisbar.org/AM/Template.cfm?Section=Wisconsin_Lawyer&template=/CM/ContentDisplay.cfm&contentid=114269

By Sharon D. Nelson & John W. Simek
Wisconsin Lawyer
Vol. 85, No. 11, November 2012

Another day, another data breach. Data breaches have proliferated with 
amazing speed. Here is the roundup of some of the largest victims in 2011 
alone: Tricare, Nemours, Epsilon, WordPress, Sony, HB Gary, TripAdvisor, 
Citigroup, NASA, Lockheed Martin, and RSA Security. Some mighty big names 
on that list.

Don't be lulled into thinking that law firms (large and small) aren't 
suffering data breaches just because they don't have millions of clients 
affected. On Nov. 1, 2009, the FBI issued an advisory, warning law firms 
that they were specifically being targeted by hackers. Rob Lee, an 
information security specialist who investigates data breaches for the 
security company Mandiant, estimated that 10 percent of his time in 2010 
was spent investigating law firm data breaches.

Matt Kesner, the CIO of Fenwick and West LLP, has lectured at ABA TECHSHOW 
and appeared on a podcast acknowledging that his law firm has been 
breached twice. As he has also noted, it is very unlikely that we know of 
most law firm data breaches because the firms have a deeply vested 
interest in keeping breaches quiet. This may be less true in the future 
now that 46 states, including Wisconsin, have data breach notification 
laws. But as of October 2012, there is still no federal data breach 
notification law.

Shane Sims, a security practice director at PricewaterhouseCoopers, has 
said, "Absolutely, we've seen targeted attacks against law firms in the 
last 12 to 24 months because hackers, including state sponsors, are 
realizing there's economic intelligence in those networks, especially 
related to business deals, mergers, and acquisitions." Matt Kesner has 
noted that China is often responsible for state-sponsored hacking, but 
that China doesn't waste its "A" squads on law firms: because law firm 
security is so dreadful, the rookies on the "C" squads are good enough to 
penetrate most firms.

[...]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.
