Remember back in 2016, when the legal world around the globe was rocked by the scandal from a cyber attack on a small, quiet Panamanian law firm known as Mossack Fonseca & Co.? The International Consortium of Investigative Journalists (ICIJ) reported that the attacker made off with 2.5 terabytes of data and 11.5 million files, which included, but were not limited to, client bank records, invoices, and emails.

Nearly 40 years of legal documentation gone, hacked and stolen. And in case you missed it or did not know, the files taken date back to the year 1977, the same year the company opened.

How could this happen? Were they ISO 27001 certified? And why Mossack Fonseca? They were just a tiny, unknown law firm tucked away in Panama.

Or Were They?

When the world’s eyes turned to inquire, Mossack Fonseca, that small, obscure (now defunct) law firm in Panama, was reportedly one of the world’s biggest creators of shell companies. Their clients were some of the wealthiest individuals, companies, and politicians from all over the world.

The information they housed had details on:

  • 200,000+ offshore entities
  • Connections to hundreds of politicians
  • Information on billionaires, companies, a president, two prime ministers, and a king
  • 30+ people and companies on the U.S. blacklist, among them Mexican drug lords and terrorist groups

How Could Billionaires, Companies, Politicians, and Royalty Be So Vulnerable?

Believe it or not, Mossack Fonseca & Co. left their company’s back door wide open to attack, breaking the cardinal rule of cybersecurity. The lapses were so elementary that a teenager with search engine skills could have quickly taken them down.

Their breach was due to ignoring five basic ISO 27001 compliance practices. Instead of protecting their clients’ data, they were:

  1. Running the company website server without a firewall in front of it
  2. Using old versions of WordPress and Drupal software
  3. Leaving the web server software not updated or checked for months
  4. Keeping the website server on the same network as the email server
  5. Giving clients sensitive information through a weak, unprotected website portal

The law firm, Mossack Fonseca, sent this initial response to queries from ICIJ and its media partners:

“Our firm, like many firms, provides worldwide registered agent services for our professional clients (e.g., lawyers, banks, and trusts) who are intermediaries. As a registered agent we merely help incorporate companies, and before we agree to work with a client in any way, we conduct a thorough due-diligence process, one that in every case meets and quite often exceeds all relevant local rules, regulations, and standards to which we and others are bound.”

When it came to conducting law firm business, every “t” was crossed and every “i” dotted. But when it came to securing the data, the cybersecurity due diligence never happened; multiple steps were skipped. Clients were exposed. Data snatched and stolen.

Mossack Fonseca never fully recovered. Their clients left them. Their reputation was shattered. International markets no longer trusted them. With overwhelming evidence uncovered through a thorough, in-depth investigation, this little law firm tucked away in Panama closed its doors, going out of business two years after the breach.

But Their Breach Brings You a Silver Lining and a Warning.

After the dust settled, law firm clients were the first to sit up and take notice. They realized there was a greater possibility of their information or attorney consultations being exposed, and possibly used against them in a courtroom setting.

Clients began pushing back and scrutinizing their lawyers’ and law firms’ cybersecurity practices. If a firm chose not to become certified, the client moved their business to one that embraced ISO 27001 certification.

In the legal world, clients come to you to solve their legal problems. Most, if not all, have heard that attorney-client privilege protects most communications between clients and their lawyers. That leads clients to want deep confidence in you and your law firm: whatever is discussed or kept on file will be secure and will not slip into the wrong hands.

Since that terrible day, many, though not all, U.S. law firms have listened to their clients. They are moving forward and obtaining ISO data security certification, and doing so has opened the door to new business their firms previously lacked.

Clients want ISO 27001 certified law firms, or they will move on. You want more business and don’t want them to leave. Their demand for better data protection sets you up to build a thriving law firm. The client is telling you what they want, and giving it to them allows you to set higher rates to cover your costs of certification.

Parkway Tech can assist you with setting up your Culture of Information Security with ISO 27001 Certification. To learn more about ISO 27001 Certification for your Law Firm, give Parkway Tech a call at (336) 310-9888 or email us to speak to one of our ISO 27001 Certification Specialists.

Published by Chris Michalec on 5 May 2018
