Thursday, June 27, 2013

Consequences of Security Breach at Major U.S. Law Firm

Here's another fascinating article from former AmLaw 100 CIO and CKO Jeffrey Brandt. He writes of receiving "...a short, unsigned handwritten note and a printout of an internal memo sent via email," in "Consequences of a security breach at a major U.S. law firm?" --
  • "I agreed with the anonymous source that there was value in sharing it with the larger community.  I scanned and OCR'ed the printout and eliminated the names and other pieces of information that might identify the firm.  Right now I don't want to be the one to "out" the firm."
    • "Security is something we at [law firm name] take very seriously.  As you know the firm represents [US defense industry], [global banking concern], [several hi-tech companies] and numerous other sophisticated, high profile clientele."
    • "While it was not widely disclosed, you may know that agents from [banking/securities firm] have been working with the firm on an information risk assessment.  The firm routinely answers periodic client security audits from many of our clients around the world.  This however, was not a routine audit."
    • "Within a week, not only did we have confirmation of a cyberattack, a significant breach of our internal systems, but corroborating information from the FBI that highly sensitive client/matter data was posted and available to [foreign market]. By [state] breach and notification laws, as well as our own ethical responsibilities, the client was immediately notified. A special team organized by [client] has been working with us to assess the damage."
    • "As a result of the study, conversations with the FBI, internal discussions at the highest level, as well as input from our former client, the firm has decided to undertake some significant changes to our information governance and most specifically, our information access and security."
  • "Pretty intense memo, wouldn't you agree? I'm not sure there is any other way to adequately describe it - being hacked sucks. Having your client data stolen and posted in a not-so-friendly foreign country ruins your day. The ramifications of the loss of a big, long-time client are bad enough. While there is a call for media control at the end, there is no way something like this can be contained for long. Nor can it be spun, not when the FBI has confirmed to you and your client that their data is out there. I would bet that GC has already spoken to a few of his close GC friends and given them a warning. The potential loss of confidence to the other firm clients is simply mind numbing."
  • "The changes are sweeping and invasive, meaning the breach, on a scale of 1-10, was probably an 11.  The scope is massive and the memo hints that this isn't all of the changes.  The memo has not one signature, but four."
See the complete article for more detail and the scrubbed version of the memo Jeff references.

Update (6/28): Jeff has published an update to his essay, confessing that the exercise was a creative fiction designed to draw attention to these issues by spinning a plausible story, à la "War of the Worlds."
