Top Causes of Data Breaches at Law Firms

Chief Executive Officer at NetWatcher
June 15, 2016

The FBI began warning law firms back in 2013 that they were targets.

“We have hundreds of law firms that we see increasingly being targeted by hackers.” – Mary Galligan, the special agent in charge of cyber and special operations for the FBI’s New York Office.

According to an American Bar Association report, about 25 percent of law firms with 100 or more attorneys said they suffered a data breach.

Why are they targets?

Simple: They have rich amounts of data (sensitive information about corporate clients, trade secrets such as pending patents, undisclosed mergers and acquisition data and much more) and they are not always prepared to protect it. The ABA’s Legal Technology Resource Center (which surveyed 90,000 attorneys in private practice) found that almost half of the practice attorneys polled said their firms had no data breach response plan in place.

Examples

Hacktivist

Puckett & Faraj, a Washington-area firm, was hacked by activists associated with the group Anonymous, who were angered by the firm’s representation of a U.S. soldier who pleaded guilty in connection with his role in the death of 24 Iraqi civilians.

Cyberespionage

Gipson Hoffman & Pancione, based in Los Angeles, was hacked because of a software piracy lawsuit it filed against the Chinese government.

To collect confidential client information for financial gain

A broker named “Oleras”, living in Ukraine, was detected by Flashpoint, a New York threat intelligence firm, attempting to hire hackers to break into firms’ computer systems so he could trade on insider information.

To collect confidential information for the purpose of insider trading

Hackers broke into the computer networks at some of the country’s most prestigious law firms (including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP). Federal investigators are exploring whether they stole confidential information for the purpose of insider trading, according to people familiar with the matter.

Causes

There are 47,563 law firms serving the U.S., according to the American Bar Foundation, and 76 percent of them have five or fewer attorneys.

  • Most law firms tend to be small or mid-market businesses and cannot invest heavily in advanced cyber security protection, which can be expensive. Purchasing intrusion detection, Security Information and Event Management (SIEM) systems, threat intelligence and endpoint technology can run into the hundreds of thousands of dollars, not to mention hiring security analysts to manage the technology.
  • Just running a tight network can be expensive as well. Can you afford IT personnel or a managed services provider to keep all the systems patched and to upgrade the firmware on all the hardware (like the corporate Wi-Fi and the ISP router/firewall)? What about all the recommended employee policies and cyber awareness training? Is that affordable? What about disaster recovery plans? And third-party audits (penetration testing, etc.)? Is that affordable?

Commercial—The technology doesn’t have to be expensive. Check out http://netwatcher3.wpengine.com

  • Lawyers tend to be mobile and work from home, from coffee shops or at client offices. A firm’s IT group can do a better job protecting corporate assets while they are inside the network, but once they leave, it’s more challenging. Public Wi-Fi networks are dangerous, and home networks tend to have few protections. Do your lawyers ever send case files or contracts to their home email to work on later that evening? Yikes!
  • Lawyers use mobile devices heavily. Yes, these are computers too, and they are easy targets to exploit. Worse still, an attacker who compromises one can see where you are via GPS, use your camera, listen to your calls and view your text messages.
  • The legal industry has no regulatory oversight that forces cyber security compliance. Lawyers do have state breach laws, client compliance mandates and ethical rules of professional conduct but the industry still has no security mandates such as HIPAA’s privacy and security
  • Lawyers are receiving and opening attachments from multiple sources. Let’s face it, documents are the key mechanism for communication with clients (contracts, etc.), and most are Word documents. These documents are great places to hide malware.
  • Lawyers tend to be the last ones to attend cyber security employee training, opting out because of their importance to the firm and their need to accrue billable hours. In many firms, lawyers are the senior executives, and unfortunately senior executives feel that cyber security training (or any corporate training) is beneath them.

The last thing you want

Your firm’s reputation is all it has. You never want to have to put out a release such as this:

“Last summer, the Firm identified a limited breach of its IT systems. We have worked closely with law enforcement authorities who have jurisdiction over this matter, and we are not aware that any of the information that may have been accessed has been used improperly. Upon identifying the incident we immediately supplemented our IT security measures with the assistance of additional outside security consultants.
Client confidentiality is sacrosanct. We continually invest in state-of-the-art systems and procedures and work with clients and security firms to assess the strength of our protections. We will continue to work to ensure our systems are best in class.”
– Cravath, Swaine & Moore LLP