​At the annual eDiscovery Institute conference yesterday, Susan Wortzman spoke about eDiscovery and Information Governance issues in the news. The panel also featured Iris Fischer from Blakes and John Ratchford of Navigator Ltd. Mr. Ratchford mentioned a survey his firm conducted last year that asked Canadians about how well they believed their personal information was being protected by retailers, financial institutions, technology providers and government agencies. The findings were interesting.
 
Almost three-quarters of those asked were not only aware of recent cyber-attacks, but could name specific North American retailers and Canadian government agencies that had been subjected to a data breach. The fact that specific data breaches were recalled shows that cybersecurity is of major concern to the general public.
 
Retailers were clearly held accountable by consumers, In the case of stolen credit cards, for instance, while most people conceded that the criminal hackers were primarily responsible for the breaches, 65% also assigned blame to the retailers rather than the banks, payment systems or credit card issuers whose technology was actually compromised.
 
Although survey respondents are concerned about organizations that hold their more detailed private information, such as government agencies and banks, the vast majority of them were confident that these organizations had sufficient security processes in place to safeguard the data.
 
Almost two-thirds of the people said that the government should impose much stricter rules around the security of personal and customer information held by others. They also want immediate public disclosure of any compromising of their data.
 
Protecting data is certainly important. However, as we have often said, walls can and will be breached. When this occurs, having an information governance and cybersecurity response plan in place will address the immediate demand from the public for disclosure and remediation, and may even keep your organization out of the headlines.

​Far too many people are cavalier about password security.  Perhaps knowing what cyber-thieves do once they have your password will encourage better practices.  Fortunately, as reported on the BBC News website, two computer scientists from the University College in London, England recently released the findings of a study on this very topic.
 
The duo created 100 fake Gmail accounts and then “accidentally” shared their credentials on forums and sites that nefarious data traders are known to frequent.
 
What they found was that there are three main types of data thieves:
 

• Those looking to exploit the user’s information for financial gain checked that the credentials were valid, and then appeared to sit back and monitor the email traffic, presumably looking for something lucrative to steal, such as emails to and from banks and other online services. After a while, if nothing interesting appeared in a mailbox, the hackers moved on. 
• Spammers would check that the accounts are for real people, and would then use them to send out thousands or millions of spam emails from the user, on the assumption that the user’s email address had not been blacklisted (yet).
• Malicious hackers would use the address list of the account holders to send malware, relying on the social engineering aspect that a person is more likely to open an attachment in an email from someone they know.

 
Password theft is increasing.  Yahoo, MySpace, Twitter, LinkedIn, Dropbox and Tumblr have at least two things in common. They are all widely used social networking sites (well, maybe not MySpace anymore), and they have all had their user accounts stolen in the past couple of years. Yahoo has the dubious honour of having the most user accounts stolen – over 500 million were acquired by thieves in 2014.
 
If you have a user account on any of these sites, you ought to change your password. In fact, changing your password for any user account, on a regular basis, is a good habit to pick up. Not only will you protect yourself, you will help to protect all of your contacts from becoming victims as well. 
 
Information security should be at the top of everyone’s list of Internet habits. The better protected you are, the less likely you are to be the victim, and tool, of a data thief.

​Six-and-a-half months ago, the news broke that almost 50 BigLaw firms in the U.S. were targeted by Russian hackers. From what could be determined, the hackers did not succeed in obtaining anything useful. Nevertheless, it seemed to rattle the legal industry at the time.
 
Yesterday, ALM, an information and intelligence company, released their second annual Law Firm Cybersecurity Report. The paper, available for purchase from ALM’s site at http://at.alm.com/almintelligence-cybersecurity, contains information derived from interviews with law firm leaders over the past year.
 
So, have law firms taken the hack attempt last March to heart? Sort of.  Although most law firms claim to be more confident than last year that they are able to withstand a cyberattack, very few have implemented well defined protocols that would provide appropriate responses to data breaches, and less than 50% of those who have protocols in place do not regularly conduct “fire drills” to test if the systems actually work.
 
The report cited that more than 70% of law firm clients have exerted pressure on the firms to increase internal data security. While this is certainly a strong incentive to implement better cybersecurity, lawyers need to get out of the mindset where they believe that no one is going to come after them. According to speakers at the 2016 ABA Techshow, “80% percent of law firms have already been hacked, and the other 20 percent are either lying to or don’t know that they have been hacked”.
 
It’s not a matter of if, but when, the hack will occur. Time to be serious about law firm cybersecurity.