Thursday, January 8, 2015

Will Big Breaches Create More Trickle Down Impact for Law Firms?

A reader sent in word of today's report in the Wall Street Journal: "Puzzle Forms in Morgan Stanley Data Breach." (With additional detail here.) The articles dig into the details of an internal breach (and the associated allegations of what did or did not happen next):
  • "... [A] financial adviser named Galen Marsh started to sift through the account records of some 350,000 of the firm’s clients. Virtually none of them were his own. In what some security experts are saying is likely the biggest data theft at a wealth-management firm..."
  • "By December, some of that account information appeared on a text-sharing website, with the offer to trade it for an obscure virtual currency." ["Speedcoin," for the cryptocurrency geeks out there.]
  • "Twelve days later, a different item provided a sample of the information that was available, giving details from 1,200 accounts that Morgan Stanley said were tied to 900 clients."
  • "Already, the episode is having ramifications within Morgan Stanley: On Tuesday, people familiar with the matter said the firm has tightened access to its client database so that individual advisers no longer have access to such wide swaths of account data."
  • "It isn’t uncommon in the wealth-management industry for advisers to squirrel away information about clients before leaving for another firm, since a stable of wealthy clients is the lifeblood of any successful advisory practice."
Two potential thoughts flow from this situation. First, when Bank of America feared in 2011 that it was about to see internal information shared via Wikileaks, it (and others) went on an outside counsel guideline (OCG) and law firm audit push that sent ripples across the legal industry. (Background and a refresher on our coverage of that here and here.)

Will we see even greater focus on the firms that hold and manage this sensitive data? Morgan Stanley has already hired: "an outside consulting firm to increase its capacity to take calls from clients concerned about the breach and provide credit and identity-theft protective services." Will it feel the need to similarly demonstrate its commitment to security by announcing additional 'belt tightening' that will trickle down to its outside counsel and other vendors?

Second, this highlights the very real impact of unfettered internal access to sensitive information: one adviser was able to read the records of 350,000 clients, virtually none of whom he served.

There has been a growing legal industry shift towards adopting "members only" internal security models, where only individuals who are members of a particular matter team can access that matter's sensitive client data, or "hybrid" models, where matters in specific practice groups or geographies default to closed access while all others remain open.
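To make the three models concrete, here is an added illustration (not code from the original post, and not Intapp's product or API) of how an open, closed, or hybrid confidentiality policy decides whether a user may read a matter, and how much of the firm's matter set a single user can see under each. The matter records, the practice group and office names, and the `ConfidentialityPolicy` structure are all constructed assumptions for the example; the point it shows is that closed and hybrid models are default-deny, so a single account can no longer enumerate a "wide swath" of client data.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class Matter:
    # Hypothetical matter record; field names are assumptions for this example.
    matter_id: str
    client: str
    practice_group: str
    office: str
    team: FrozenSet[str]  # user ids on the matter team


@dataclass
class ConfidentialityPolicy:
    """
    model == "open":   any user can read any matter (the legacy default).
    model == "closed": only matter-team members can read a matter.
    model == "hybrid": matters in a listed practice group or office are closed;
                       every other matter stays open.
    """
    model: str
    closed_groups: Set[str] = field(default_factory=set)
    closed_offices: Set[str] = field(default_factory=set)

    def is_closed(self, m: Matter) -> bool:
        if self.model == "open":
            return False
        if self.model == "closed":
            return True
        if self.model == "hybrid":
            return m.practice_group in self.closed_groups or m.office in self.closed_offices
        # Fail closed on a misconfigured policy rather than silently opening everything.
        raise ValueError(f"unknown confidentiality model {self.model!r}")

    def can_read(self, user: str, m: Matter) -> bool:
        # Default-deny on closed matters: team membership is the only path in.
        return (not self.is_closed(m)) or user in m.team


def visible_matters(policy: ConfidentialityPolicy, user: str, matters: List[Matter]) -> List[str]:
    """Matter ids a given user can read under the policy (what a bulk export would return)."""
    return sorted(m.matter_id for m in matters if policy.can_read(user, m))


# Constructed sample matters (clients, groups, offices and teams are all fictional).
SAMPLE_MATTERS = [
    Matter("M1", "Client A", "M&A",        "New York", frozenset({"alice", "bob"})),
    Matter("M2", "Client B", "Litigation", "New York", frozenset({"carol"})),
    Matter("M3", "Client C", "M&A",        "London",   frozenset({"bob"})),
    Matter("M4", "Client D", "Tax",        "Chicago",  frozenset({"alice"})),
    Matter("M5", "Client E", "Litigation", "London",   frozenset({"dave"})),
]

OPEN_POLICY = ConfidentialityPolicy("open")
CLOSED_POLICY = ConfidentialityPolicy("closed")
# Hybrid: M&A work and the London office default to closed; everything else stays open.
HYBRID_POLICY = ConfidentialityPolicy("hybrid", closed_groups={"M&A"}, closed_offices={"London"})


if __name__ == "__main__":
    for name, policy in [("open", OPEN_POLICY), ("closed", CLOSED_POLICY), ("hybrid", HYBRID_POLICY)]:
        for user in ("alice", "dave"):
            seen = visible_matters(policy, user, SAMPLE_MATTERS)
            print(f"{name:6s} {user:5s} sees {len(seen)}/{len(SAMPLE_MATTERS)}: {seen}")
```

Under the open model every user sees all five matters, which is the position Morgan Stanley's adviser was in. Under the closed model alice sees only her two team matters; under the hybrid model she additionally sees the open Litigation and Tax matters in non-London offices, but not the London or M&A matters she is not staffed on. The reduction in what one compromised or malicious account can export is the whole argument for moving off the open default.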

According to the just-published ILTA technology survey, the number of firms moving to a "pessimistic" security model grew by 50% in the past year. For context, that growth is from a small base: the same survey reports that only 6% of firms have embraced a closed or hybrid confidentiality model.

(For more information about how technology can be used to implement closed or hybrid models, to read a white paper on OCG trends, or to access a recorded webinar on this topic, see Intapp's resources on client confidential matters.)
