At one time it seemed the gaming industry was a target, with Sony and Microsoft famously failing to keep hackers at bay. Then retail bore the brunt, with eBay and Target being high-profile victims. Healthcare organisations were a high-value target for attackers in 2015, and the latest industry in the spotlight is the legal sector.
In March 2016, it was reported that hackers broke into the computer networks of some of America’s most prestigious law firms – including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, both of which represent some of the biggest companies in the world.
According to the Wall Street Journal, which first reported the news, hackers usually steal large amounts of data and then analyse it to see how it can be used. Personally identifiable information has a much longer shelf life for cyber-criminals, and it is easy to see how information stolen from a legal firm could be used to disrupt merger and acquisition activities or sold at a premium. As such, there is still uncertainty as to whether it will be used for insider trading – a worrying prospect.
Law firms will go to great lengths to keep attempted and successful cyber-attacks a secret, as any sign that customer data is not secure can result in huge reputation issues. The problem is that many bosses don’t realise their systems have been compromised until it’s too late.
Can data regulation help?
While law firms are reluctant to be publicly identified, soon bosses will have to admit to data breaches whether they like it or not. The new EU Data Protection Regulation launched by the European Commission will help businesses become more proactive with regard to their hosting and data storage strategies. It means that service providers will be able to fulfil their role as data processors, protecting the information they handle and store on behalf of their customers, who, as owners of the data, remain the data controllers.
Businesses should also provide advice and guidance on the interpretation and protection required to meet the new harmonised data protection requirements, to avoid data breaches and violations of the law. The tougher fines and raised awareness should create a much better understanding in the C-suite of what data they hold, its value to the business and the controls required to protect these valuable assets.
Read on to find out whether this is enough.