Westlaw Suffers Security Breach

Late last week, the legal research service Westlaw announced that it had suffered a security breach. In response to the breach, Westlaw required its users to reset their passwords by telephone; users could not reset their passwords online. Many companies use a call-in requirement to introduce an additional layer of security when users reset their passwords.

The Westlaw case reinforces the point that every company that does business online is a potential target for hackers and online criminals. Companies should acknowledge the risk and work to prevent breaches, but should also implement procedures that allow the company to swiftly respond in the event of a breach.

Earlier this year, Westlaw’s Corporate Counsel blog wrote an article in response to the Target security breach that recognized these basic principles:

• Assume that Security Breaches are Inevitable and Act Accordingly;
• Implement and Update Information Security Policies and Procedures; and
• Adopt Plans for Actions in Response to Security Breaches.

Presumably, Westlaw has taken its own advice and has already moved to limit the risk of loss from its recent security breach. The rest of us should learn from the case and prepare the best we can.