Thanks to Doug Austin for sharing this story on eDiscovery Daily –
According to the lawsuit, cybercriminals were able to “easily” access the data due to Spear Wilderman’s alleged failure to password protect a database of personal data.
I’ve said this for years: law firms are in possession of quite a bit of data that isn’t actually their own. Sometimes this means they don’t have the same expertise about what is in the data and how it needs to be protected. I usually use medical information, or other data that could be part of a litigation case, as examples. It’s easy to have a litigation team reviewing documents about a workplace injury that isn’t fully aware of the requirements for protecting medical records. As a result, hackers can sometimes gain access, through an organization’s law firm, to very sensitive information that they couldn’t get directly from the organization.
Over the years, I think many firms have come to understand that and have taken steps to improve their own security posture.
And then along comes a story like this. This isn’t even a situation where I can give them the benefit of the doubt about a lack of expertise in dealing with data that is outside their normal day-to-day operations. This is, as Doug mentioned, embarrassing. I agree that the reputational harm alone should be devastating to this firm. I suspect there will be some reputational harm by association for other law firms as well. Clients might be reaching out for details on how you’re protecting their information, and wanting those details from your IT staff rather than platitudes from partners.
Can we blame them?