From Huffington Post
The data breach at the Panamanian law firm Mossack Fonseca recently sent shock waves around the world: the prime minister of Iceland stepped aside, Swiss authorities raided the headquarters of the Union of European Football Associations, and relatives of the president of China were linked to offshore companies. The size of the breach was also shocking, with 2.6 terabytes of data leaked. That’s 30 times bigger than the WikiLeaks release or the Edward Snowden materials. However, the most shocking part of the “Panama Papers” story is that the breach, which exploited the popular open source project Drupal, was totally preventable.
Everyone knows that law firms manage large amounts of highly sensitive information. Whether the data involves an individual’s estate plan, a startup’s patent application, or a high-profile merger and acquisition, clients expect their information to be secure. Indeed, lawyers are required to keep this information both confidential and secure. Yet, despite the very high level of security owed this information, many firms lack an IT staff and outsource the creation and maintenance of their data management and security services. Once outsourced, there is an assumption that someone else will effectively manage the data and ensure its security.
This is many firms’ first mistake. Even if they aren’t managing their own IT, law firms still have an obligation to make sure that data is properly secured. This means asking frequent questions about security and ensuring that the vendor is implementing reasonable security measures.
This level of diligence is critical today, as law firms are increasingly under threat of attack. In March, the international firms Weil Gotshal & Mangers and Cravath, Swaine & Moore reported data breaches, highlighting the risks for law firms and their clients. With the amount of confidential information retained by firms about business deals and strategies, there is an expectation of future attacks. Confirming this is a 2015 Citigroup Cyber Intelligence Center report cautioning big firms about the threat of attacks on their networks and websites.
Implementing reasonable security measures means continuously monitoring both proprietary and open source code for vulnerabilities. This is a notion that lawyers should be familiar with. In most M&A deals, lawyers advise clients to run a security scan of the codebase to understand its integrity and surface any vulnerabilities.
This is a particularly important M&A exercise for open source usage, as much open source is not supported in the same way proprietary software is — through automated updates and patches that are pushed out proactively. Still, open source code is the way software applications are built today, and open source makes up 35 percent to 50 percent of the average code base, so managing and securing it is vital. It is widely incorporated into programs used by law firms around the world. Open source tends to be high quality and offers powerful tools. However, you can’t reap the benefits of open source programs without managing their risks.
Read the full post at The Huffington Post.
Lou Shipley is a Lecturer at the Martin Trust Center for MIT Entrepreneurship at the MIT Sloan School of Management.