Law Firms Are Weak Link for Corporate Security

By Casey C. Sullivan, Esq. on December 30, 2016 | Last updated on March 21, 2019

The Department of Justice announced earlier this week that it was charging three Chinese citizens with insider trading, after they traded on info obtained by hacking into the emails of M&A lawyers. The trio was able to purloin insider information after using the credentials of firm employees to gain access to law firm servers. The news was another in a long series of revelations that hackers were targeting law firms -- and often succeeding in gaining access.

Consider it a reminder that, when it comes to keeping information secure, you can't always count on outside counsel.

Law Firms Are Frequent Hacker Targets

In the most recent case, the hackers-turned-insider-traders were able to gain access to at least two major New York law firms, according to a press release by the DOJ. The DOJ hasn't released the names of the firms affected, nor has it revealed the methods the hackers used to obtain the employee credentials they used to access firm servers. But we do know that at least seven firms in total were targeted, with the hackers attempting to gain access to firm computers at least 100,000 times.

This isn't the first time hackers have made their way into law firm computers, either. In March, Cravath and Weil Gotshal were both reported to have suffered breaches to their security systems, by hackers allegedly looking for insider information. Just weeks later, Crain's reported that Russian hackers had been targeting BigLaw firms in Chicago. Again, insider information was the likely target.

Then in April, the Panama Papers were released, revealing the inner workings of the law firm Mossack Fonseca and its tax-dodging clients.

Firms' Valuable Information Keeps Hackers Coming

"This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world," United States Attorney Preet Bharara said when announcing the charges against the Chinese hackers. "You are and will be targets of cyberhacking because you have information valuable to would-be criminals."

Of course, it's not the first time the cybersecurity alarm has been sounded for U.S. law firms. For years, firms have been warned about the risks hackers could pose, yet many in the legal industry still have not taken the warnings to heart.

"Law firms have been identified as the weakest link, and it is great to see the U.S. attorney taking an interest," Daniel Garrie, a law firm security consultant, recently told the New York Times.

Your Lawyer's Cybersecurity Problems Are Your Problems Too

Weak security isn't just an issue outside counsel need to be concerned with. "The vulnerabilities that this creates for corporations are law firms being a weak link in their data security posture," Jordan McQuown, Chief Information Officer at LogicForce Consulting, told Inside Counsel earlier this year. "Security is only as strong as its weakest links, and with law firms maintaining contracts, business agreements, PHI, PII, and other intellectual property they have the same data as their corporate clients."

"A law firm breach can open a client up to significant financial and reputational loss," warns Kate Duchene, CLO at the consulting firm RGP. "The firm then risks losing its greatest asset -- its client."
