ILTANET.ORG
There was a time when lawyers and law
firms were much more comfortable
keeping client records and data
indefinitely than they were destroying
them. But that time has now passed.
As Chris Giles and Kandace Donovan explain in this
white paper, in today's legal landscape data minimization
has become essential. Firms that don't practice data
minimization have greater exposure through security
breaches. They also run the risk of some dire cost,
performance and reputational consequences.
Did you know that around 2.5 quintillion bytes worth
of data are now being generated every day? In 2019, there
were 4.4 zettabytes (ZB) of data in the digital universe.
By 2020, that figure had increased tenfold to 44 ZB[1] and
is forecast to reach 200 ZB by 2025.[2] This is a landscape
in which data must be tamed or it threatens to overwhelm
us or trip us up. It's one in which data minimization is
critical for everyone, not least law firms which otherwise
risk falling foul of cybercriminals, inefficiency, clients and
regulators. The problem is that all too often firms aren't
doing data minimization well – which could be very costly
for them in all sorts of ways.

Cybercriminals are coming to get you

A significant danger is the growing incidence of cybercrime
targeted at law firms. This has led to a number of high-profile
attacks hitting the media with the attendant negative
reputational impacts. And it's safe to assume that many more
breaches will have occurred that haven't made the press.
Among the nightmare scenarios that couldn't be
kept out of the news, a high-profile entertainment law
firm in the US suffered a ransomware attack in 2020. To
exert pressure, the attackers leaked information about a
world-famous client, and asked for a ransom payment of
$42 million to prevent the release of further documents
about other celebrities. News outlets reported that the
criminals eventually received USD$365k.[3]
In the same year a leading UK criminal law firm
became the victim of a ransomware attack on its archive
servers. Nearly 100,000 individual files were encrypted
by the attackers and 60 court bundles exfiltrated and
published on an underground market site. The bundles
included sensitive personal data including medical files,
witness statements, and victim and witness names and
addresses.[4] The monetary and reputational cost to the firm
isn't known but we do know the UK regulator – the ICO –
fined the firm 3.25% of their annual revenue.[5]
Nor are the risks receding. According to the ABA's 2021
cybersecurity report, ransomware is: "An increasing
threat to attorneys and law firms of all sizes".[6] And
unfortunately, the low ebb in international relations
between the West and Russia and China only exacerbates
the threat, since the Russian and Chinese governments are
not currently minded to clamp down on their homegrown
cybercriminals. Quite the opposite.
1. A zettabyte is one trillion gigabytes, see: https://explodingtopics.com/blog/big-data-stats
2. https://cybersecurityventures.com/the-world-will-store-200-zettabytes-of-data-by-2025/
3. https://arcticwolf.com/resources/blog/top-legal-industry-cyber-attacks
4. www.dataguidance.com/news/uk-ico-fines-tuckers-solicitors-llp-£98000-data-breach
5. https://ico.org.uk/action-weve-taken/enforcement/tuckers-solicitors-llp-mpn/
6. https://www.americanbar.org/groups/law_practice/publications/techreport/2021/cybersecurity/