I’m a current events junkie. I’ll admit it. And I work with law firms. Thus, my favorite podcast? “Stay Tuned with Preet.” Yes, this is Preet Bharara, the former U.S. Attorney for the Southern District of New York. Check out an episode. Preet takes a few questions about the law at the beginning of each episode. Then he has a guest. Preet is not only smart, but surprisingly personable. It’s a fast-moving hour.
A recent guest was John P. Carlin, former Assistant Attorney General for the National Security Division at the Department of Justice and Chief of Staff to Robert Mueller at the FBI. He is currently a partner with Morrison & Foerster. Carlin is an international cybersecurity expert.
One of the things which caught my attention in this episode was Carlin’s story of the US subsidiary of a German company whose data was stolen by hackers in the Chinese military. The company, SolarWorld, in Hillsboro, Oregon, made solar energy components.
How was the data stolen? Email. Carlin said, “Email. It is the least protected part of the system, usually. Not like Intellectual Property which is encrypted or where special measures are taken to protect it. They stole email traffic.”
Oh. “…the least protected part of the system.” Overwhelmingly true. Carlin said that the Chinese military found data which allowed them to figure out the exact price point of the solar panel components which would cause pain to SolarWorld. The Chinese dumped the China-origin solar energy product, selling at below market prices. Eventually this forced SolarWorld into bankruptcy. They are still operating in Hillsboro today.
John Carlin went on to say, “To add insult to injury, when SolarWorld sued for unfair trade practices, the Chinese military stole the litigation strategy.”
Arghh.
It’s a lesson to us all. Email is not as secure as it must be. Some law firms have a way for attorneys to send encrypted email to clients on as-needed basis. The reality is that these techniques are awkward for both the attorney and the client and are not used as often as they should be.
The day is probably a few years off when much of business email will be encrypted. Encrypted email must become easier to use for both parties for it to be widely adopted.
But don’t be caught doing nothing. There are straightforward actions which you can take today:
- aUse your “trusted sanctuaries,” e.g., in legal technology, Document Management systems. Have a discipline of capturing and recording data in the sanctuary – this allows IT to manage the data.
- When possible, send document links, rather than attachments. Ideally send secure links or use Information Rights Management.
- Leverage DMS for data classification. Use the classifications to restrict outbound emailing of sensitive data.
- Apply pattern-based content filters to avoid emailing Social Security Numbers or other identifiable sensitive data.
- Provide education on phishing.
Take-way: Avoid being an example in John Carlin’s next book. 😉
Here’s a link to this episode of Stay Tuned with Preet.
–Maureen Blando is the President and COO of Mobile Helix, makers of the LINK Encrypted App for Lawyers
John P. Carlin, cited in the post, is the author of “Dawn of the Code War: America’s Battle Against Russia, China, and the Rising Global Cyber Threat.”
