Above: Law firms are one of the prime targets of computer hacking

By Inderjit Badhwar

The continuing nationwide controversy over the vulnerability of electronic voting machines (EVMs) to manipulation—an issue which had forced no less a person than former President Pranab Mukherjee to issue a cautionary warning to the Election Commission (EC) even as the polling for the last general election was in progress—has once again focused universal attention on the growing menace and evil of computer hacking as a whole.

After all, an EVM is essentially a computer. And anybody who can hack a computer, notwithstanding protestations to the contrary from the EC, can hack an EVM unless data is scrupulously and pro-actively protected. Techopedia describes the process as unauthorised intrusion into a computer or a network. The person engaged in hacking activities is known as a hacker. This hacker may alter system or security features to accomplish a goal that differs from the original purpose of the system. It can also refer to non-malicious activities, usually involving unusual or improvised alterations to equipment or processes.

According to Techopedia, hackers employ a variety of techniques for hacking, including vulnerability scanner: checks computers on networks for known weaknesses; password cracking: the process of recovering passwords from data stored or transmitted by computer systems; packet sniffer: applications that capture data packets in order to view data and passwords in transit over networks; spoofing attack: involves websites which falsify data by mimicking legitimate sites, and they are therefore treated as trusted sites by users or other programmes; root kit: represents a set of programmes which work to subvert control of an operating system from legitimate operators; Trojan horse: serves as a back door in a computer system to allow an intruder to gain access to the system later; viruses: self-replicating programmes that spread by inserting copies of themselves into other executable code files or documents; key loggers: tools designed to record every keystroke on the affected machine for later retrieval.

There is no information whether the EC employs “good” hackers (as against the “bad” ones) as part of its support staff. These legitimate hackers can be used to find flaws in the security system, thus preventing identity theft and other computer-related crimes. But large corporations and organisations worldwide are becoming increasingly sensitive about the protection of data security and digital assets. This, in view of the continuous suspicion surrounding the fairness of the EVM-related electoral process in India, has become an increasingly prominent and important risk area for all professions.

The legal profession not just in India but globally is particularly vulnerable. A few years ago, in a prescient report published in the Business Law Journal of the Legal Practice Division, the International Bar Association (IBA), honed in on this all-important subject. The research paper, “Data Security and the Legal Profession: Risks, Unique Challenges and Practical Considerations” was written by Anurag Bana, senior legal adviser, and David Hertzberg, an intern at IBA.

The authors argue that, compared to other businesses, law firms are perceived to have particular data security vulnerabilities. And they sound the alarm, that despite this, in-house counsel is also considered to be critically lacking in data security expertise. “Lawyers in all jurisdiction and practice settings,” they observe, “need greater engagement with the issue of data security to protect the interests of their clients, their firms and the general public, and to discharge their professional ethical obligations.”

In fact, a recent Bloomberg poll ranked hackers and data breaches fourth out of five enumerated threats to law firms. Data security, in effect, has emerged as a key area of risk for all members of the global legal profession. While it is difficult to quantify the extent and number of security breaches that have occurred to date, it is, the report says, “a pressing issue that will increasingly be a priority for law firms and business, generally”.

Four years ago, market analyst firm Juniper Research predicted that the global cost of data breaches would reach a staggering $2.1 trillion by 2019. That was roughly the 2015 FGD of India! The Juniper report also predicted that the average cost of a single data breach would exceed $150 million by 2020 as businesses increase their connectivity.

Bana and Hertzberg spell out some of the dire consequences of a law firm data security breach: financial loss to the firm’s clients, third parties and the firm; reputational damage to the firm’s clients, third parties and the firm; damage to the reputation and standing of the legal profession; in some cases, damage to economic infrastructure or threats to national security; possible questions of professional misconduct or failure to meet the minimum statutory standards for data protection.

Some years ago, a Citibank internal assessment from its cyber intelligence centre, leaked to The New York Times, cautioned that law firms are at high risk for cyber intrusions and that bank employees should be aware that digital security at law firms “remains generally below the standards for other countries”.

Why are law firms attractive targets for those who would steal digital assets? Bana and Hertzberg cite two main reasons: One, they hold a high concentration of sensitive and valuable information such as intellectual property (like trade secrets and draft patent applications), business strategies, financial account details, assets inventories, litigation strategies, IPO details and a wide variety of personally identifiable information and protected health information relating to employees of the law firm, clients, employees of clients and third parties.

Two, they are relatively easier targets because they have weaker data security than their clients of third parties such as banks. Clients tend to be larger companies with more resources to devote to information security. The authors note: “Law firms have variously been described as low hanging fruit, or the soft underbelly, the Achilles’ heel, or the weakest link, for hackers.”

Whatever the metaphor, the authors say, the message is clear: law firms are prime targets. They conclude that in view of the information now available, data security should be a risk priority for all members of the global legal profession: “There is a pressing need for greater proactivity and engagement by all lawyers. Lawyers cannot rely on their IT department or assume that technology will look after itself. As an initial step management must take a leadership role in promoting attention and vigilance at every level of a law firm’s business.

“It will be important for bar associations and international organisations like the IBA to raise awareness and provide education, training and other resources to assist lawyers in all jurisdictions and practice settings to protect their digital assets.”