Non-ISO 27001 Certified Law Firms – Equals Fewer Clients and a “Panama Papers” Scandal

Remember back in 2016, when the legal world around the globe was rocked by a cyber attack on a small, quiet Panamanian law firm known as Mossack Fonseca & Co.? The International Consortium of Investigative Journalists (ICIJ) reported that the attacker grabbed and fled with 2.5 terabytes of data and 11.5 million files, including, but not limited to, client bank records, invoices, and emails.

Nearly 40 years of legal documentation gone, hacked and stolen. In case you missed it or did not know, the stolen files date back to 1977, the same year the firm opened.

How could this happen? Were they ISO 27001 certified? And why Mossack Fonseca, a tiny, unknown law firm tucked away in Panama?

Or Were They? 

When the world's eyes turned to inquire, Mossack Fonseca, that small, obscure (and now defunct) law firm in Panama, was reportedly one of the world's biggest creators of shell companies. Its clients included some of the wealthiest individuals, companies, and politicians from all over the world.

The information they housed had details on:

  • 200,000+ offshore entities
  • Connections to hundreds of politicians
  • Information on billionaires, companies, a president, two prime ministers, and a king
  • More than 30 people and companies on the U.S. blacklist, including Mexican drug lords and terrorist groups

How Could Billionaires, Companies, Politicians, and Royalty Be So Vulnerable? 

Believe it or not, Mossack Fonseca & Co. left the company's back door wide open to attack, breaking the cardinal rule of cybersecurity. The weaknesses were so elementary that a teenager with search engine skills could have quickly taken them down.

Their breach came from ignoring five basic ISO 27001 compliance practices. Instead of protecting their clients' data, they had:

  1. A company website server not behind a firewall
  2. Old versions of WordPress and Drupal software still in use
  3. Web server software not updated or checked in months
  4. A website server kept on, and sharing, the same network as the email server
  5. Clients receiving sensitive information through a weak, unprotected website portal

The law firm, Mossack Fonseca, sent this initial response to queries from ICIJ and its media partners:

“Our firm, like many firms, provides worldwide registered agent services for our professional clients (e.g., lawyers, banks, and trusts) who are intermediaries. As a registered agent we merely help incorporate companies, and before we agree to work with a client in any way, we conduct a thorough due-diligence process, one that in every case meets and quite often exceeds all relevant local rules, regulations, and standards to which we and others are bound.”

When they conducted law firm business, their client due diligence was thorough: every "t" crossed, every "i" dotted. When it came to securing the data, that diligence never happened and multiple steps were skipped. Clients were exposed. Data snatched and stolen.

Mossack Fonseca never fully recovered. Their clients left them. Their reputation was shattered. International markets no longer trusted them. With overwhelming evidence uncovered through a thorough and in-depth investigation, this little law firm tucked away in Panama closed its doors and went out of business two years after the breach.

But Their Breach Brings You a Silver Lining and a Warning.

After the dust settled, law firm clients were the first to sit up and take notice. They realized there is a higher possibility of their information or attorney consultations being exposed, and possibly used against them in a courtroom setting.

Clients began pushing and scrutinizing their lawyers' and law firms' cybersecurity practices. If a firm chose not to become certified, the client moved their business to a firm that embraced ISO 27001 certification.

In the legal world, clients come to you to solve their legal problems. Most, if not all, have heard that attorney–client privilege protects most communications between clients and their lawyers. That leads clients to want deep confidence in you and your law firm: whatever is discussed or kept on file will be secure and will not slip into the wrong hands.

Since that terrible day, many (though not all) U.S. law firms have listened to their clients. They are moving forward and obtaining ISO data security certification, and doing so has opened the door to new business previously absent from their firms. Clients want ISO 27001 certified law firms, or they will move on. You want more business and don't want them to leave you. Their demand for better data protection sets you up for building a thriving law firm.

The client is telling you what they want. Giving your clients what they want allows you to set higher rates to cover the cost of certification.

Parkway Tech can assist you with setting up your Culture of Information Security with ISO 27001 Certification. To learn more about ISO 27001 Certification for your Law Firm, give Parkway Tech a call at (336) 310-9888 or email us to speak to one of our ISO 27001 Certification Specialists.


Written by Chris Michalec, posted on May 5, 2018
