Litigator’s Brief: 5 Lessons from the Anthem Security Breach

Rakesh Madhava

In February, Anthem Blue Cross revealed it had been the victim of a cyberattack.

The attackers breached a database that contained over 80 million records of past and current customers and Anthem employees. Anthem, formerly known as Wellpoint, is the largest for-profit health care insurer in the Blue Cross and Blue Shield Association. Anthem comprises the “Blues” from a number of states, including California, Georgia and Wisconsin. What can be learned that will protect you from a law firm security breach?

No Small Hack

The hack was one of enormous proportions. The database records contained names connected to Social Security numbers, birthdays, addresses, e-mail, income data and other employment information. Potentially millions of children have had their personal information compromised or stolen, greatly increasing the likelihood of identity theft, and unleashing the potential of “waves of financial crime” as a result.

The perpetrators of the cyberattack are believed to be a Chinese government-sponsored group known informally as Deep Panda. Officials theorize the hack originated when a number of domains were registered using the domain name ‘we11point[dot]com’. Note that the number ‘1’ was substituted for the letter ‘l’, which allowed the attackers to run fake subdomains such as myhr.we11point[dot]com, hrsolutions.we11point[dot]com, and extcitrix.we11point[dot]com.

Investigators believe Deep Panda used these sub-domains as part of a ‘phishing’ operation to trick Anthem employees into providing security credentials. It is reported that there were at least five employees whose credentials were used to access Anthem’s network.
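One way a defender could catch lookalike domains like those described above in DNS or proxy logs, shown as an added example that is not part of the original post. It assumes wellpoint.com is the legitimate domain to protect; the function names and the sample hostnames other than the three quoted above are constructed for illustration.

```python
# Added example: flag lookalike domains seen in DNS or proxy logs.
# PROTECTED and SAMPLE_HOSTS are constructed for illustration.

# Visually confusable substitutions, e.g. the digit 1 for the letter l.
CONFUSABLES = {"1": "l", "0": "o", "rn": "m", "vv": "w"}
PROTECTED = {"wellpoint.com"}  # assumed legitimate domain to defend

def registrable(host):
    """Refang '[dot]' and keep the last two labels (naive, no suffix list)."""
    labels = host.lower().replace("[dot]", ".").rstrip(".").split(".")
    return ".".join(labels[-2:])

def skeleton(domain):
    """Collapse confusable characters in the name part to a canonical form."""
    name, _, tld = domain.rpartition(".")
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return f"{name}.{tld}"

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Label a hostname relative to the protected domains."""
    dom = registrable(host)
    if dom in PROTECTED:
        return "legitimate"
    if skeleton(dom) in {skeleton(p) for p in PROTECTED}:
        return "homoglyph"   # same name once confusables are normalized
    if any(edit_distance(dom, p) <= 1 for p in PROTECTED):
        return "near-miss"   # one typo away from a protected domain
    return "unrelated"

# Constructed log sample, written defanged like the domains in the text.
SAMPLE_HOSTS = ["myhr.we11point[dot]com", "mail.wellpoint[dot]com",
                "portal.welpoint[dot]com", "www.example[dot]org"]

def suspicious(hosts):
    """Return only the hostnames worth an analyst's attention."""
    return {h: c for h in hosts if (c := classify(h)) in ("homoglyph", "near-miss")}

if __name__ == "__main__":
    for host, verdict in suspicious(SAMPLE_HOSTS).items():
        print(f"{verdict:10} {host}")
```

The same check can be run against newly registered domain feeds so that a lookalike is noticed before any mail is sent from it.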

Though discovered by Anthem in January of this year, it is believed the breach originally occurred in April of 2014.

Secure Data Encryption

The failure of Anthem to encrypt its data has become a significant issue, potentially exposing Anthem to large-scale legal liability on a number of fronts. Some legal experts have posited that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) could in this situation be interpreted to have required encryption of this data as it was 1) highly sensitive data and 2) clearly at risk. Regardless of the potential HIPAA implications, which won’t be decided for some time, Anthem also faces a range of litigation as a result of the breach.

5 Lessons for Litigators

1. Data encryption is the minimum ante for lawyers

Getting serious about law firm security is a necessity today. The ABA has published an article detailing recommendations on how law firms can improve their processes today. The first step to improving law firm security is clear: encrypting data where it’s stored and while it’s being transferred. If your firm is not currently using encryption technology, it is time for a serious re-think of your data management process.

2. Failing to segregate data is a mistake

Law firms, like healthcare companies, have been slow to adopt measures to segregate highly confidential information into separate and unique databases. Once inside a firewall of a consolidated corporate network, all of the information within that network is compromised.

In essence, attempting to secure all of a law firm’s data behind a single firewall is a ‘bet the firm’ approach to security. A single breach of the firewall and all of the firm’s data (and more importantly, its clients’ data) is exposed.

3. Law firms are soft targets for cyber-attackers

Soft targets are organizations that: a) Do not invest heavily in information technology infrastructure and security, b) Do not have data security as a competency, and c) Under-invest in standardized systems and processes to improve their security posture.

Sounds all too familiar.

4. Soft targets storing confidential data are particularly attractive to hackers

Many lawyers I’ve spoken with mistakenly believe that their clients’ data has no value to hackers and that security is therefore less important. This argument is a thin one. Data that is confidential, particularly data subject to attorney-client confidentiality, obviously has tremendous value.

Confidential data is any data whose value is compromised if it becomes public – that’s why it is kept confidential. Confidential data is at the very core of the company/law firm relationship. It’s the essence of what makes law firms enticing targets for cybercriminals. They don’t really want your firm’s data. They want your clients’ confidential information.

5. Law firms should meet the same security standards as their clients’ industry

Law firms providing counsel to healthcare organizations or handling litigation involving individuals’ health care records are held to HIPAA security standards to maintain that data. The same applies for firms who work for insurance companies and financial services companies.

But regardless of whether federal regulations require specific protocols, it’s clear that attorneys have a responsibility to maintain their clients’ information with appropriate care. Clearly this will require changes to existing workflows and technologies that law firms utilize, but in the long term, this heightened awareness can only serve to benefit the legal industry.  

Learn how to speak to your clients about litigation data security in our previous blog post, Four things to tell your clients about data security.