First, Happy New Year!
Second, there is so much news that it will take me weeks to catch up. But I wanted to start with a study that many readers will not have seen. While I will give you the link, you need to subscribe to see the story. Hat tip to our colleague Sean Harrington for sending this story along.
However, here is the essence of the story about a recent survey conducted by the ABA.
"Fully 70% of large firm respondents reported that they didn't know if their firm had experienced a security breach," according to the 2013 survey, entitled "Security Snapshots: Threats and Opportunities," conducted by the ABA's Legal Technology Resource Center. Of course, not knowing does not mean a breach occurred (an easy point to overlook).
According to the survey, 15 percent of respondents had experienced a security breach, and respondents from mid-size firms (10-99 attorneys) were most likely to know about the breach. That makes sense because mid-size firms are more attuned to anything major happening that might affect the firm.
The survey highlighted the increased risks from bring-your-own-device policies that allow attorneys to access firm networks through their smartphones, tablets or other devices. The report found that "34% of respondents reported that their firms allowed them to connect their personal mobile devices to the network without restrictions."
Our own experience, and conversations with other friends in information security, confirm how often law firms don't tell their attorneys that there has been a breach. They seem to operate on a "need to know" basis, concluding that their attorneys don't need to know. We often hear "we have no proof that anything was done with client data" in spite of the fact that the intruders had full access to the network. Our encounters with these breaches indicate that if law firms can keep the breach quiet, they will.
They will spend the money to investigate and remediate the breach, but they will fail to notify clients under state data breach laws and they won't tell their own lawyers for fear the data breach will become public. Is that unethical? Probably. Unlawful? Probably. But until there is a national data breach law with teeth, that approach to data breaches is unlikely to change.