Law Firms Under Cyber Attack – Revisited

Some of you may be aware that earlier this year the FBI outed two major New York based law firms – Cravath, Swaine & Moore (500 attorneys) and Weil, Gotshal & Manges (1,000 attorneys) – as being hacked.  But they did not give a lot of details.  Now some of the details are coming out, but you have to connect the dots yourself.

The New York Law Journal reported today that three Chinese nationals have been charged with hacking into two unnamed law firms.

The three hacked into the law firms systems and stole information about pending deals.  They used that information to trade stocks in these pending deals and made about $4 million in profits.

According the the charges, one law firm, called Law Firm 1, advised Intel on their acquisition of Altera and the other law firm, called Law Firm 2, represented a company (unnamed) that was in deal talks with InterMune, which sold to Roche.

Roche’s press release on the InterMune acquisition said that Cravath was acting as legal counsel to InterMune.  The Law Journal article said that Weil represented Intel in their acquisition.

The Law Journal article concludes that Law Firm 1 and Law Firm 2 are Cravath and Weil.

U.S. Attorney Preet Bharara of the Southern District of New York said that the hackers attempted to hack at least 5 other law firms on over 100,000 occasions during 2015.

Once they got in, they watched email traffic as the deals came to an announcement so that they would know when to buy the company stock.

As I have said before, the theft of intellectual property is the prime target for many hackers for a couple of reasons.  First, unlike credit cards, the odds of getting caught the very first time you use stolen IP is almost zero.  It is not clear how many trades the $4 million in profits represented, but I am guessing several.

Secondly, if you are not greedy, the odds of ever getting caught is low.  If, instead of trying to make $4 million on these two deals they tried to make, say $250,000, it likely would have flown under the radar.

Third, your ability to make a profit is often not dependent on the victims doing something or not doing something,  Depending on your own ability to time the trading, in this case, of the stocks, you can make a lot of money – or not.

Of course Bharara gets to stand up and claim that the problem is solved once he decides to charge someone.

Reality is a little different.

One defendant has been arrested in Hong Kong and is awaiting extradition.  Whether the Chinese will ever extradite him is unclear.  The second defendant is from Macau and the third from China.  Those two are at large.  I think it is unlikely that the Chinese will extradite these guys, but who knows.

So, of the millions of attacks a year, the U.S. Attorney caught one of them and does not have any of the defendants in custody.

THAT is why the legal system is more than a little bit challenged in dealing with cyber crimes.  For a crime that happened in 2014 and 2015, it is now almost 2017 and one person has been arrested, no one has been extradited, two people are at large, no one has been brought to trial and no one has been convicted.

It is a REALLY challenging problem.

From a law firm’s standpoint, their reputation is again being dragged through the mud and if any of these defendants ever come to trial, their reputation – and possibly their technical competence – will get dragged through the mud again.  And, the law firms really have very little ability to cut a deal and make this go away.  The defendants might plead to avoid a trial, but they might not.  If there is a trial, more dirty laundry will come out.

While I am sure (I hope) that Weil and Cravath have improved their cyber security practices, other firms probably have not.

This is why we tell clients that they need to ask their law firms some very pointed cyber security questions – preferably before engaging them – and they should not take arm waving as a replacement for clear answers.  Contact us if you need advice in this area.

Information for this post came from the New York Law Journal and Roche’s web site.

Leave a Reply

Your email address will not be published.