Sony Pictures Entertainment is a very large company. Right now, it’s suffering a very large and very embarrassing data breach. Hackers purportedly gained access to 100 terabytes of data. Thus far, they’ve only released 40GB of data.
Sony Pictures Entertainment issued the following statement to its employees:
While we are not yet sure of the full scope of information that the attackers have or might release, we unfortunately have to ask you to assume that information about you in the possession of the company might be in their possession . . . . While we would hope that common decency might prevent disclosure, we of course cannot assume that.
But as embarrassing as this incident is for Sony, this hack and others should be a big wake-up call for lawyers. Pure and plain, if this can happen to Target, Home Depot, and Sony Pictures Entertainment, I’m confident that hackers could easily access most law firms’ data.
I’ve talked about this subject plenty of times, but the simple truth is that attorneys aren’t vigilant when we talk about data. Either we’re too afraid to use cloud services — because of incidents like Sony’s — or we’re not willing to invest the time or money into properly using technology and security services.
The time for talking has passed
It’s too late to consider how you’re going to protect your law firm data. You should be implementing a treatment plan, and investing the time and money to learn the appropriate systems and hire the right consultants. If you’re on the fence about cloud services, it’s time to really consider options.
Sony stored its information on unencrypted servers at SPE headquarters. Moreover, a lot of information sat in unprotected folders. I’m fairly certain that a lot of solos, small firms, and even mid-sized firms aren’t encrypting information stored in-house. I know I’m not. Quite simply, firewalls are good, and nothing’s perfect, but lawyers simply don’t know how to protect against these risks. We’re also quite limited in developing the knowledge of how to protect ourselves.
To the cloud
If the Sony Pictures Entertainment breach shows anything, it’s establishing precedent for moving information to the cloud. Regardless of your opinions of cloud providers, one thing is certain: we haven’t heard of security breaches at Google, Microsoft, Dropbox, or similar services. These information security lapses seem to have a common element: locally stored data accessed by third parties through internet loopholes. If that’s the case, then the more prudent, more risk-averse — i.e., complying with Model Rules 1.1 and 1.6 — behavior is to use services that appear penetration free.
And the argument for the cloud is simple. Cloud providers work hard to protect their clients’ data because they don’t want these embarrassing setbacks. Cloud services work on helping fight the backend battles by enacting end-to-end server encryption, redundant backups, and a host of other IT simplification tools. Personally, I feel safer knowing that my clients’ information is backed up regularly and protected by encryption from the point of upload. Or I guess I could keep storing confidential documents on my in-house computer that I purchased from Costco and just hope I’m doing enough. (At least I’m comforted knowing that if I have a breach I only need to provide a year’s worth of credit monitoring to my clients.)
Perhaps instead of crucifying Google, Microsoft, and others for “shady” behaviors, we might want to hoist them up as examples for appropriately handling and protecting their clients’ information.