It is always rewarding when well-respected people write published articles supporting an argument that you have been making for years. I guess I was just slightly ahead of my time.
In this case, my point has been that law firms are a huge target for hackers – and not just the large law firms. In fact, the smaller firms, because their security is likely not as good as the larger firms, may be at greater risk.
When hackers attack law firms, they are not going after credit card numbers or health information. Instead they are going after intellectual property. Law firms collect all sorts of sensitive, private information about their clients. In the case of small firms, that would be hundreds to thousands of clients. In the case of medium-sized firms, that would be many thousands of clients, and in the case of large firms, it might be tens of thousands of clients.
The article I am talking about (see link below) was written by Randy Evans and Shari Klevens, two partners in the international law firm, Dentons. According to Wikipedia, Dentons has over 7,000 attorneys, making it the world’s largest law firm by number of lawyers.
According to Randy and Shari, and I agree with them, what hackers are going after is information on confidential business deals, bank account numbers, patent applications, Social Security numbers of clients, employees and members of a class, sensitive information related to the discovery process prior to a trial, clients’ and clients’ competitors’ trade secrets, insider information and trust accounts that contain clients’ money.
Again, according to the Dentons partners, due to the explosion of electronically stored information, even solo practitioners are vulnerable.
You may remember the breach at J.P. Morgan Chase where an insider stole information on 75+ million clients. The thieves made over $100 million before they were caught. They did that not by selling stolen credit cards, but rather by trading on stolen insider information. I think they only got caught because they got greedy.
And of course people remember the Panama Papers law firm that hit the news a few months ago. They had the equivalent of 2 billion pages of client documents stolen. Do you think they are keeping current clients or attracting new clients? I don’t think so. Come do business with us and your documents will wind up on the front page of the Wall Street Journal. That doesn’t play well.
This spring a Russian hacker BOASTED that he was TARGETING 48 top law firms to steal insider information. That’s pretty brazen.
Citigroup, according to the article, issued an internal report in 2015 saying that “digital security at many law firms, despite improvements, generally remains below the standards for other industries.” That kind of statement tends to attract lawsuits, so I don’t think they made it lightly.
The American Bar Association said that around 25 percent of all U.S. law firms with more than a hundred employees had experienced a data breach in 2015.
Right after the Panama Papers breach, the FBI announced that two huge U.S. law firms, Cravath and Weil, were both breached.
In my opinion, many law firms would not even know if hackers were inside their networks right now. The reason that hotel breaches are in the news so much these days is that when the crooks steal your credit card and use it, you complain to your bank. After enough complaints, the bank can figure out the common merchant that must be the source of the breach. If a crook steals your intellectual property from your attorney and uses it to buy or sell your stock, your competitor’s stock, your supplier’s stock or your acquisition target’s stock, unless they do it in a way that calls attention to themselves, the odds of getting caught are extremely low.
In addition to the risk of losing clients or being sued due to a breach, attorneys run the risk of being hit with ethics charges. While each state implements the ABA model ethics rules its own way, model rule 1.6 says that attorneys have an obligation to protect their clients’ information.
So, for attorneys, Dentons says that law firms need to recognize the risk and not put off dealing with it until another day.
For clients of law firms, you can have a huge impact on the speed with which attorneys improve their cyber security.
Be proactive. Ask your attorneys questions. Don’t be satisfied with vague platitudes in answer to your questions. If you don’t know what questions to ask, check out our recommended questions with our explanation of what to look for in the answers on our web site. And if you don’t know how to evaluate the answers, come talk to us.
For larger clients, we are beginning to see the clients conducting a risk assessment of the law firm. Firms that don’t agree to that are removed from the list of prospective law firms to hire. Smaller clients don’t have as much clout, but you can compare the answers of different firms to see who seems to be most on the ball when it comes to cyber security. Granted, that is only one factor in choosing a firm, but consider the consequences of a breach to YOUR business.
Can a law firm make you whole after a breach even if they wanted to? Sometimes it is hard to put that genie back in the bottle.
Information for this post came from The Recorder.