The "Panama Papers" hack at law firm Mossack Fonseca may have shown hackers that law firms can be a softer target for stealing information than the organisation that owns it, says New Zealand IT lawyer Michael Wigley.
In an article on CIO New Zealand, Mr Wigley says lawyers typically hold "crown jewel" information on behalf of their clients.
"Why waste time trying to crack into the organisation when the organisation's law firm less securely holds the information?" he asks.
"The Panama Papers illustrate this so well, with their huge reach across hundreds of thousands of the law firm's clients."
He says in the last few weeks a sizeable New Zealand law firm has been held to ransom by cyber attackers ("and they paid the ransom by bitcoin"), and a phishing email led the finance manager at a large New Zealand law firm to pay funds to a hacker, based on an apparent email from the managing partner directing her to do so.
"Law firms may have weaker cybersecurity than their client organisations, making them a prime target, given the valuable information they hold," he says.
"As former head of the FBI's cyber branch in New York, Austin Berglas, recently told The American Lawyer, 'law firms are traditionally understaffed in cybersecurity, compared with large corporations and banks'."
Mr Wigley, who is the principal of Wigley & Company, says large organisations are increasingly recognising this problem and some are requiring stronger defences by law firms.
Many countries put legal duties on organisations to take steps to ensure that their information held by third parties, such as suppliers, is not placed at undue risk of being hacked, he says. The organisation can't simply rely on the third party (such as its law firm) to take the right steps on its own.
He says New Zealand's data protection regulation - the Privacy Act 1993 - requires that "everything reasonably within the power of the [organisation] is done to prevent unauthorised use or unauthorised disclosure of the information."
The New Zealand Law Society's Practice Briefing "Protecting Clients' Personal Information" states that the Lawyers and Conveyancers Act (Lawyers: Conduct and Client Care) Rules 2008 require lawyers to protect, and hold in strict confidence, all information concerning a client that is acquired in the course of the professional relationship.
Information about the Mossack Fonseca hack indicates that the firm had not updated its Outlook Web Access login since 2009 and had not updated its client login portal since 2013, leaving both exposed to known vulnerabilities for years.