The FBI began warning law firms back in 2013 that they were targets.
We have hundreds of law firms that we see increasingly being targeted by hackers.”– Mary Galligan, the special agent in charge of cyber and special operations for the FBI’s New York Office.
According to an American Bar Association report, about 25 percent of law firms with 100 or more attorneys said they suffered a data breach.
Simple: They have rich amounts of data (sensitive information about corporate clients, trade secrets such as pending patents, undisclosed mergers and acquisition data and much more) and they are not always prepared to protect it. The ABA’s Legal Technology Resource Center (which surveyed 90,000 attorneys in private practice) found that almost half of the practice attorneys polled said their firms had no data breach response plan in place.
Puckett & Faraj, a Washington-area firm, was hacked by activists associated with the group Anonymous, who were angered by the firm’s representation of a U.S. soldier who pleaded guilty in connection with his role in the death of 24 Iraqi civilians. (more)
Gipson Hoffman & Pancione, based in Los Angeles, was hacked because of a software piracy lawsuit it filed against the Chinese government. (more)
To collect confidential client information for financial gain
A broker named “Oleras” living in Ukraine was detected attempting to hire hackers to break into firms’ computer systems so he could trade on insider information at Flashpoint, a New York threat intelligence firm. (more)
To collect confidential information for the purpose of insider trading
Hackers broke into the computer networks at some of the country’s most prestigious law firms (including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP). Federal investigators are exploring whether they stole confidential information for the purpose of insider trading, according to people familiar with the matter. (more)
There are 47,563 law firms serving the U.S., according to the American Bar Foundation, and 76 percent of them have five or fewer attorneys.
Your firm’s reputation is all it has. You never want to have to put out a release such as this:
“Last summer, the Firm identified a limited breach of its IT systems. We have worked closely with law enforcement authorities who have jurisdiction over this matter, and we are not aware that any of the information that may have been accessed has been used improperly. Upon identifying the incident we immediately supplemented our IT security measures with the assistance of additional outside security consultants.
Client confidentiality is sacrosanct. We continually invest in state-of-the-art systems and procedures and work with clients and security firms to assess the strength of our protections. We will continue to work to ensure our systems are best in class.”
– Cravath, Swaine & Moore LLP