Wednesday, April 6, 2016

Feeling a Little Insecure about Information Security? (Lawsuits Coming?)

It looks like the source of the 'Panama Papers' was external: "'Panama papers' came from e-mail server hack at Mossack Fonseca" --
  • "The staggering, Wikileaks-beating “Panama Papers” data exfiltration has been attributed to the breach of an e-mail server last year... Bloomberg says co-founder Ramon Fonseca told Panama's Channel 2 the leaked documents are authentic and were 'obtained illegally by hackers.'"
  • "According to The Spanish, the whistleblower (here in Spanish) accessed the vast trove of documents by breaching Mossack Fonseca's e-mail server, with the company sending a message to clients saying it's investigating how the breach happened, and explaining that it's taking 'all necessary steps to prevent it happening again.'"
This story comes on the heels of reports last week of other hacked law firms. The Recorder notes: "Law Firm Data Practices Draw New Scrutiny" --
  • "Several of the nation's largest law firms acknowledged this week that a cyberhacker seeking highly valuable details of M&A deals in the works had sought to breach their computer systems. No one was surprised. For years, law enforcement agencies, security consultants and legal experts have warned that law firms and their electronically stored records are potential treasure troves for criminals eager for an edge in the stock market or a particularly sensitive batch of data to sell or ransom."
  • "But when it comes to overseeing the information-handling practices of lawyers and law firms, regulators have largely shied away. The Federal Trade Commission and the U.S. Department of Health and Human Services police businesses' health record practices. The Federal Reserve has pages and pages of rules governing financial institutions. Securities broker-dealers and investment advisers must register with the U.S. Securities and Exchange Commission. Law firms, however, with their own corporate structures and unique ethical obligations, don't fall neatly under the jurisdiction of those regulatory agencies. And those agencies don't appear to be scrambling to add legal practices to their oversight duties."
  • "Law firms could be subject to a limited scope of data regulatory scrutiny soon. The Department of Health and Human Services' Office of Civil Rights announced in March that for the first time it will audit a small number of business associates of entities covered by the Health Insurance Portability and Accountability Act, or HIPAA. Law firms, in some instances, will qualify as those targeted associates."
  • "[Days before the Panama Papers incident,] John Reed Stark, a former SEC enforcement lawyer who now runs a consulting firm in Bethesda, Maryland... said that he could foresee a breach so catastrophic that 'given the expense, and given the damage they could incur ... it may very well be the death knell of a law firm.' 'I'm not sure that law firms truly appreciate that,' he said."
And then comes: "BigLaw In Crosshairs As Firm Plans Data Breach Litigation" --
  • "Following reports that Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP suffered data breaches at the hands of hackers, a plaintiffs law firm said Thursday that it plans to bring class action legal malpractice litigation against legal industry players over the exposure of client information."
  • "Law firms have a professional duty to protect the privacy of client information, but most of them are not doing a good job when it comes to protecting that information from hackers, according to Jay Edelson, founder and CEO of privacy class action law firm Edelson PC, which nearly a year ago began investigating class action litigation against as-of-yet unnamed law firms over client data breaches."
  • "The planned class action litigation will involve claims for breach of contract and legal malpractice, Edelson said. 'There's no question the firms have a legal duty to take reasonable protections to protect data, and if they're not doing that they’re breaching their standard of care,' he asserted."
  • "He added that, according to the firm’s research, he believes that many law firms targeted by hackers do not inform clients about resulting data breaches in a timely manner. 'We’ve heard story after story from our friends on the defense side — it’s a worst-kept secret that there are data breaches all the time at law firms, and there are a ton of state laws which require notification of data breaches, and the law firms seem to not care about those laws,' Edelson said."
