The newspaper industry is in full freakout mode, with revelations that Chinese hackers have been targeting U.S.-based newspapers. The New York Times recently revealed Chinese hackers gained entry to the newspaper’s internal systems and accessed the personal computers of 53 employees, including David Barboza, Shanghai bureau chief and author of an exposé about the wealth of outgoing Chinese premier, Wen Jiabao. As can be expected, this is leading to a lot of hand-wringing and obsessing over how to defend the confidential sources and intellectual property of the newspapers.
Meanwhile, the legal industry is acting as if nothing is happening.
You Are a Target…
Who has more sensitive and more confidential information than a law firm? Rule 1.6 in the American Bar Association Model Rules of Professional Conduct makes it clear lawyers have to take every precaution possible to protect the confidentiality of client information. As we’ve discussed before, the FBI has warned law firms that they are not only known targets of hackers, but are “easier quarry” than corporations.
Mary Galligan, special agent in charge of cyber and special operations for the FBI’s New York office, addressed the recent Legal Tech trade show in New York, trying to shake law firms out of this complacency. Galligan encouraged law firms to cooperate with the FBI in identifying and thwarting hackers. As she noted in her talk, “We have hundreds of law firms that we see increasingly being targeted by hackers.”
…and Have Something to Lose
Newspapers are terrified that they will lose confidential sources who are afraid that reporters will be helpless to protect their identity. Likewise, every law firm partner and IT manager should be terrified their clients will want to know what they are doing to protect confidential client information. And it’s not just hackers from foreign interests that should give lawyers concern. It’s already known that the CIA is likely eavesdropping on lawyers at Guantanamo Bay. And of course, there is always a threat that unscrupulous opposing counsel might not be averse to using information obtained through surreptitious means.
Law Firm Data Security
Addressing the problem is complicated. According to Law.com, Galligan’s suggestions for law firms include, “having up-to-date network diagrams, physical access logs… Firewalls, intrusion detection systems, remote access servers, virtual private networks, and web servers all also should be logged.”
That’s a lot to ask of any law firm. In fact, there are few organizations on Earth that have the resources to consistently maintain that type of infrastructure. That’s why our services are hosted in Amazon Web Services data centers, which provide industry-leading physical and operational security processes. We use 256-bit SSL encryption to protect data in transit, but otherwise, any client data is hosted by Amazon, one of the few companies that can in fact maintain the kind of infrastructure Galligan recommends. They also subject their systems to the most stringent security audits, such as the SAS70 Type II audit. Even if a hacker does enter your systems, the data is not stored on premises. It’s encrypted (even at rest) and stored in a server on a cloud network.
Hackers will always be a concern in our digital world, and combating the threat demands real attention from law firms. But no law firm should be expected to be as good at security as a cloud provider like Amazon or Google, especially when Amazon and Google make their expertise available at a low cost.