Jeffrey Brandt reported an interesting story yesterday on Legal IT Professionals. It involves a global law firm that has been BADLY breached and reacted by terminating its BYOD policy and banning personal devices from the network. The personal use of firm e-mail was also banned and real-time scanning of e-mail was implemented.It included an internal memo of the law firm and remember that the typos may be explained by the OCR process. However, there were other things that made me question the story.
After chatting with Jeff via e-mail, the story turned out to be a hoax by Jeff to stir up conversation about information security. A badly needed conversation and the best fodder for a CLE I've seen in a long time.
Here is one of the e-mails I received from Jeff, posted here with his permission:
I have attacked the law firm security angle in multiple posts from multiple angles, earnest education, humor, etc. but firms are still barely moving or not moving at all (there are exceptions of course). I was reading some Above the Law posts that included memo leaks and was inspired. Since law firms are such herd animals I figured a story about a massive breach would get them buzzing - everyone wondering who it was and what they did in response. And of course, what they needed to do to make sure they weren’t next. Apparently it did. I got many emails and even direct calls – one that pretty much went “Hello Jeff. Was it [name of firm]?” Some former colleagues told me I made several of the private CIO listservs, that it was sent to the FBI and more.
King & Spalding was the first that I know of to step outside the comfort zone and mandate a security policy that was intrusive and inconvenient to the partners. That made firms talk. So I figured I’d pick some intrusive counter measures and (hopefully) make them think outside the box. My hope is that it continues and isn’t just a flash in the pan, especially after people figure out it wasn’t real.
I join Jeff in the hope that law firms will continue conversations and make hard decisions about the steps necessary to secure their data.