The recent Panama Papers leak, caused by a data breach in the Panamanian law firm Mossack Fonseca, underscores what we've long known: the legal industry needs to make cybersecurity a priority. (There are some lessons about abetting corruption to be learned from the Panama Papers as well, but that's for another blog.) And it's not just Mossack Fonseca that's struggled with cybersecurity; just recently, Cravath confirmed it had been hacked, while the FBI warned firms in Chicago that they were being targeted.
But not all data breaches are made the same. Here are the five most common types of law firm data breaches, and their causes.
1. Human Error
Let's start with the least sexy but most important cause of data breaches: human error. Human error and negligence are the most common cause of data loss. A 2015 survey from Baker Hostetler, one of the nation's largest intellectual property focused law firms, found that more than a third of all data breaches were caused by employee negligence.
In law firms, this kind of data loss can include everything from accidentally emailing confidential work product to the wrong person, to failing to properly encrypt documents, to losing a laptop full of confidential information. Such errors can be potentially devastating, destroying privilege in some cases, and putting clients at risk in others.
2. Hackers After Insider Information
Law firms hold onto a wealth of valuable, confidential information, making them a prime target for hackers looking for some insider info. And that desire to gain confidential knowledge, then game the market, seems to have been behind several recent hacking attempts against large firms.
The Russian hacker Oleras is currently targeting firms for insider mergers and acquisition information, the FBI warned early last month. And just last week, news broke that major M&A firms, including Cravath, Swaine & Moore and Weil, Gotshal & Manges, may have had their computer networks compromised.
3. International Cyber Espionage
When it comes to international espionage, law firms aren't immune to some cloak and dagger cyberattacks. In 2010, the California firm Gipson, Hoffman & Pancione, faced phishing attacks from Chinese hackers after it filed a piracy lawsuit against the Chinese government, according to Legaltech News. Just two years later, more Chinese were behind a data breach at Wiley Rein, during the firm's anti-dumping suit against the country.
4. Information Ransom
Some hackers steal your information to play the market, some use it to undermine your international litigation, and others just hold it hostage. "Ransomware" is a growing form of malware that infects your computers and encrypts important files -- all Office files, for example, or all .pdfs. The program then demands online payment, from a few hundred to a few thousand dollars, in order to return access to your information. Consider it low-level hostage taking -- a type that's becoming increasingly common.
It's an uncommon form of law firm hacking, but it's one that has repeatedly made the headlines: "hacktivism," or politically-motivated, activist-minded hacking. The classic example is Puckette Faraj, the former firm which, in 2012, was hacked while defending Sergeant Frank Wuterich against charges that he'd killed 24 unarmed civilians in Iraq's Haditha Massacre. The hacktivist group Anonymous broke into the firm's computers, dismantled its website, and leaked hundreds of emails about the case.
And then, of course, there's Mossack Fonseca. While the details of the firm's data breach are still emerging, the firm claims that the Panama Papers were taken by an external hacker, not a whistleblowing insider.
FindLaw has an affiliate relationship with Indeed, earning a small amount of money each time someone uses Indeed's services via FindLaw. FindLaw receives no compensation in exchange for editorial coverage.