How Mossack Fonseca could have prevented the 'Panama Papers' breach

May 9, 2016
Incident should serve as a wake-up call for law firms in keeping sensitive data secure

The data breach at the Panamanian law firm Mossack Fonseca comprised over 2.6 terabytes of data – 11.5 million documents detailing financial and attorney/client information for more than 214,000 offshore companies. The scale of the leak – or hack, as Mossack Fonseca prefers to term it – is astounding and still developing. On May 9th, the International Consortium of Investigative Journalists (ICIJ) released a searchable database with detailed information on the entities that are part of its ongoing Panama Papers investigation.

The ICIJ and its global media partners will certainly continue to publish additional stories in the weeks, months, perhaps years, to come. But one part of the Panama Papers story has been largely ignored by the popular media: whether it was an outside hack or an internal leak, the breach might have been prevented had Mossack Fonseca implemented reasonable measures to secure its clients’ data.

Let’s accept Mossack Fonseca’s position and treat the breach as an external hack. According to several reports, the computer systems of Mossack Fonseca were riddled with security flaws. For instance, Wired UK noted that the firm’s client portal was vulnerable to the DROWN attack, an exploit against servers that still support the obsolete and insecure SSL v2 protocol. We also learned that the client portal, which runs on the Drupal open source content management system (CMS), apparently hadn’t been updated to a new version of Drupal since 2013. The version of Drupal used by the portal at the time of the breach has at least 25 known security vulnerabilities, including a high-risk SQL injection vulnerability, all potential entry points for hackers.

The Need to Secure Client Information

Whether the information is for an individual estate plan, a startup’s patent application, or a merger and acquisition, clients expect their lawyers to keep information secure. Indeed, in the United States, as in most countries, legal practitioners are required to keep client information confidential and secure, as noted in the ABA Model Rules of Professional Conduct:

Client-Lawyer Relationship
Rule 1.6 Confidentiality of Information
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, confidential information relating to the representation of a client.

Yet, despite the need to protect client information stored digitally, data security is often an afterthought for many firms. Many have no dedicated IT resources and outsource the creation and maintenance of their data management and security services with the assumption that someone else will effectively manage the data and ensure its security.

But even when not managing their own IT, law firms still have an obligation to make sure that data is properly secured. This means quizzing vendors about their security measures, ensuring that the vendor implements reasonable measures up front, and confirming that it guards, on an ongoing basis, against newly discovered security vulnerabilities.

Implementing Security Measures to Protect Client Data

Whether managed internally or through a vendor, implementing reasonable security measures means continuous and real-time monitoring of both your proprietary and open source code for vulnerabilities. Software audits are a concept that most lawyers involved in merger and acquisition deals should be familiar with. As part of the process, lawyers usually advise clients to run a scan of the target company’s codebase to understand code integrity, identify any applicable open source licenses and surface any security vulnerabilities. Even if you are on the sell side of a transaction or strategic deal, you and your client need to anticipate those questions from buyers in order to avoid surprises.

There are a variety of available tools for scanning proprietary code to identify and mitigate vulnerabilities, but often left out of the equation is the need to take the same measures for open source code. Open source makes up 35 percent to 50 percent of the average code base in applications, and open source is widely incorporated into programs used by law firms around the world. Complicating matters is that many tools used for scanning proprietary code do not detect security vulnerabilities in open source.

While most open source code tends to be high quality and useful, you can’t reap the benefits of open source usage without managing the potential risks. Think of Mossack Fonseca’s use of the Drupal CMS, and the vulnerabilities that the firm opened itself to simply by not taking reasonable steps to keep the system updated and secure with the latest version of that open source project.

When a security vulnerability is identified in open source, it is publicly announced – usually with details of how the affected code can be updated and patched, but often also with details of how it can be exploited. Sometimes there is even sample code or a YouTube video providing a roadmap for bad actors. But unlike most proprietary code, open source updates are often not “pushed” out to users. Instead, the burden of keeping the code up-to-date and secure is left to those using the code.

This is often easier said than done. Even when firms know open source software is being used in their systems, client portal, website and the like, it can be difficult to know exactly where it is being used. Without visibility into what open source is being used by their systems and where, security updates aren’t of much use to anyone. This is why it’s critical for law firms – all firms, for that matter – to identify all open source code they have in use, inventory it, and continuously map it to a known vulnerability database. When a vulnerability is announced, the firm can decide from a business standpoint if a vulnerability is material and requires action.

Whether law firms have IT departments or outsource to a service provider, they should use products that automate the inventory and vulnerability mapping process, monitor the software, and send out automatic alerts when any new known security vulnerability is identified.
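The inventory-and-mapping process the preceding paragraphs describe, as an added illustration that is not part of the original article or any Black Duck product: a list of deployed open source components is checked against a feed of advisories with affected version ranges, and only findings that were not already known from the previous run are raised as new alerts. All component names, versions and advisory identifiers are constructed placeholders.

```python
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version like '7.23' into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    location: str       # where it runs, so an alert names something actionable

@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    introduced_in: str  # first affected version (inclusive)
    fixed_in: str       # first fixed version (exclusive upper bound)
    severity: str

# Constructed inventory and advisory feed; IDs, versions and severities are placeholders.
INVENTORY = [
    Component("drupal", "7.23", "client-portal"),
    Component("drupal", "7.44", "marketing-site"),
    Component("jquery", "1.11.3", "client-portal"),
]
ADVISORIES = [
    Advisory("ADV-0001", "drupal", "7.0", "7.32", "high"),
    Advisory("ADV-0002", "drupal", "7.0", "7.43", "moderate"),
    Advisory("ADV-0003", "jquery", "1.0", "3.0", "low"),
]

def is_affected(comp: Component, adv: Advisory) -> bool:
    """True when the deployed version lies inside the advisory's affected range."""
    if comp.name != adv.component:
        return False
    v = parse_version(comp.version)
    return parse_version(adv.introduced_in) <= v < parse_version(adv.fixed_in)

def map_vulnerabilities(inventory, advisories):
    """Map every inventoried component to each advisory that applies to it."""
    return sorted(
        (c.location, c.name, c.version, a.advisory_id, a.severity)
        for c in inventory for a in advisories if is_affected(c, a)
    )

def new_alerts(previous_matches, current_matches):
    """Continuous monitoring: raise only findings not already known last run."""
    return sorted(set(current_matches) - set(previous_matches))

if __name__ == "__main__":
    first_run = map_vulnerabilities(INVENTORY, ADVISORIES)
    later = ADVISORIES + [Advisory("ADV-0004", "drupal", "7.0", "7.45", "high")]
    for alert in new_alerts(first_run, map_vulnerabilities(INVENTORY, later)):
        print("NEW ALERT:", alert)
```

In practice the advisory feed would be refreshed from a vulnerability database on a schedule and the inventory regenerated from a scan of the deployed systems, but the matching and de-duplication logic stays the same.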

Become Part of the Solution or Become the Next Mossack Fonseca

It’s really not difficult to secure data when the right policies, procedures and products are in place. The Panama Papers hack provides a clear warning to legal firms about the dangers of being lax with the security of client information. And the danger is increasing. In late March, The Wall Street Journal reported that hackers had gained access to the computer networks of several law firms working on M&A deals, including Cravath, Swaine & Moore and Weil Gotshal & Manges. Crain’s Chicago Business later reported that dozens of law firms were targeted by a Russian hacker seeking information on M&A deals, prompting at least one to ask its technology services vendor to conduct an immediate audit of its systems and tighten up its data protection systems.

More attempts and actual data breaches of legal firms are sure to come to light, and now is the time for you to review what measures you’ve taken to protect your client data, or what steps you still need to take. Those who don’t could become the next hacking victim — or may already be and just don’t know it yet.

About the Author

Matthew Jacobs is Vice President and General Counsel at Black Duck Software, Inc. Organizations worldwide use Black Duck Software’s industry-leading products to secure and manage open source software, eliminating the pain related to security vulnerabilities, compliance, and operational risk. Matt oversees the worldwide legal affairs of Black Duck, including managing licensing and contract negotiation, managing the company’s intellectual property portfolio and advising senior management on day-to-day legal affairs. In addition to being a frequent speaker on open source related topics, Matt routinely advises Black Duck’s customers with respect to leading edge open source adoption, use and compliance matters. Prior to joining Black Duck in 2009, Matt was with Bernstein Shur, where he counseled companies on a variety of intellectual property matters, including open source compliance. Before that, he held in-house positions with Cabletron Systems and Standex International. Matt earned his law degree from the University of New Hampshire School of Law and holds a master’s degree in business from Plymouth State University.