White Hats & “Vulnerability Scans” Touted As Security Ploys

This article begins with a discussion of a cyber-liability lawsuit that targets a law firm: Shore v. Johnson & Bell, in the Northern District of Illinois. Managing partners and other corporate stewards would be well advised to read that case carefully. The plaintiffs – clients of the firm – argue that the firm is contractually obligated to protect their data, that its security was inadequate, and that its information infrastructure is “a data breach waiting to happen.” Importantly, they don’t allege it’s happened yet. Their claims include breach of contract – essentially that part of the money they paid for services was supposed to go toward securing their information and it never happened. The intended audience for this article is accounting firms, but what it has to say should be of interest to any professional services firm. In particular firms may want to consider the article’s concluding recommendations for protection strategies. They include retaining the services of a  an experienced “vulnerability scanner”; hiring and turning loose a “white-hat” hacker; and – an easier lift for a law firm – revisiting the firm’s engagement letter and if necessary rewriting it, to require mandatory arbitration or mediation in the event of a breach.