data protection

The Panama Papers leak in 2015 was the largest in history: 11.5 million files from one of the world’s biggest offshore law firms, Mossack Fonseca. The worst part about the incident—aside from the innocent businesses and individuals who were caught out and compromised alongside the corrupt—was the fact that it could have been easily prevented.

The law firm’s security at the time of the breach has been referred to as “laughably bad” by security professionals. Their client portal was horribly outdated, its last update having been applied in 2013. Its webmail portal had not seen an update since 2009.

And the firm’s data systems were maintained with a shocking amount of negligence—Mossack Fonseca had no visibility into its files and no effective means of preventing unauthorized access. It even lacked basic encryption.

However, Mossack Fonseca isn’t necessarily an outlier.

There are many law firms that don’t fully understand the importance of protecting digital data. Maybe yours is among them. If so, that needs to change. In this article, I’ll explain why—and what to do if you find out that your firm isn’t as secure as possible.

Law Firms are Targets
At the end of the day, no matter what sort of law you work in, your firm is probably susceptible. There’s a reason so many of the top law firms have dealt with at least one data breach in their history. Assuming there’s no way anyone will come after you is effectively a guarantee that they will.

“Law firms are the subject of targeted attacks for one simple reason,” explains John Sweeney, the president of LogicForce. “Their servers hold incredibly valuable information. That includes businesses’ IP, medical records, bank information, and even government secrets. For hackers looking for information they can monetize, there is no better place to start.”

At the bare minimum, your firm should have the following security measures in place:

  • Network monitoring tools and access controls that include a firewall and intrusion detection systems
  • Some form of secure remote access such as a HTTPS (or VPN for older, client-server systems)
  • Antimalware software
  • Automated backups
  • A secure file sharing solution
  • Processes and protocols for secure access and acceptable use

Your Obligation Goes Beyond The Letter of The Law
Let me ask you something:  If you brought your vehicle to a mechanic and returned a few days later to find that they’d let your car get stolen, would you trust that mechanic again? Obviously not.

Well, it’s the same with law firms.

You’re no doubt aware that you need to comply with certain data protection and breach disclosure regulations (depending on where you are). However, it isn’t just a matter of following the law that should motivate you to keep your data safe. It’s an obligation to your clients: It is your job to do whatever necessary to prevent hackers from gaining unauthorized access to your client information.

How do you do this?  There’s a methodology in cybersecurity known as Zero Trust. In essence, it’s precisely what it sounds like. In the digital realm, never assume that anything is trustworthy.

Verify every email before you open it, every link before you click it, and every file and app before you download it. Approach everything online with caution. Train yourself to recognize common social engineering tactics, such as phishing emails and scam calls. And make sure every single employee on your staff does the same.

It might surprise you, but it’s not sophisticated hacking tactics or cutting-edge malware that’s responsible for the vast majority of data breaches. It’s simple human carelessness. Hackers know that many businesses, particularly large enterprises, have decent security in place. That’s why they target individual people instead.

Your IT Department Is Critical
More than any other industry, law seems prone to toss aside cybersecurity for convenience. Many senior partners at top law firms are unwilling to even budge an inch in the interest of cybersecurity if they feel it would impede upon their experience. This attitude is both toxic and dangerous–it puts your data at risk, and it needs to stop.

Mind you, at least some of the onus here is on your IT department, which is critical to keeping a firm secure. Chances are, your tech professionals are trying to do everything they can to ensure your systems are hardened. But there’s also a good chance they don’t have the necessary tools.

Work with them. Ask them what they need to protect your business and its data, and seek a compromise that still allows you to work effectively. And understand that ultimately, you might need to give up a bit of convenience—but it’s in the interest of keeping your firm secure and ensuring satisfaction on the part of your clients.


Ryan B. Bormaster is the managing attorney at Bormaster Law in Houston, Texas. The law firm practices in a number of areas but specializes in 18-wheeler accidents, accidents with commercial vehicles such as work trucks, and catastrophic injuries of all kinds.