Hackers are increasingly painting a bullseye on the cyber defenses of law firms, attempting to gain access to a “treasure trove” of sensitive, material and confidential information on everything from mergers and missteps to patents and punitive lawsuits, say analysts.
The concern by law firms is an acknowledgement of the ever-increasing aggressiveness of cyber assassins – who in recent years have punctured many of the nation’s largest retailers and banks, including Target, Home Depot and JPMorgan, and government data nodes such as the Office of Personnel Management – and of the reality that the response to such incursions has at times been fragmented among the key stakeholders attempting to build stalwart systems to keep them at bay. Law firms, particularly smaller operations, may also be hampered by a lack of budget, staff or expertise on the cyber front.
“Law firms are a bigger target for hackers because of the sensitive information that they hold,” said Richard Bortnick, senior counsel in the New Jersey office of Traub, Lieberman, Straus & Shrewsberry LLP and publisher of cyber industry blog, Cyberinquirer.com. “And not only for client information, but also business and financial information.”
Even detailed healthcare information that a law firm may have on someone can be a valuable commodity for a hacker, he said.
Criminals can use the identity details along with the health information to engage in fraud by over-billing the government and creating fictitious invoices tied to the person that would mirror past treatment modalities, Bortnick said.
In 2012, Bloomberg reported that the large Washington firm Wiley Rein was targeted by hackers linked to China’s military in connection with a trade dispute it was handling for a maker of solar panels. McKenna Long & Aldridge lost Social Security numbers and other employee data recently when one of its vendors was targeted, the firm reported, according to Bloomberg.
Experts, however, say that law firms may not be doing enough to stop these inevitable incursions, though some operations are improving systems, training and devoting staff exclusively to cyber defense efforts.
Many Wall Street banks, including Bank of America and Merrill Lynch, are now requiring law firms to fill out up to 20-page questionnaires about their threat detection and network security systems. Some clients are even sending their own security auditors into firms for interviews and inspections, according to Bloomberg.
Risks, costs of hackers breaching law firms rising:
Records: The cost of a data security breach averages $204 per record, for a total of up to $6.5 million per incident, according to published reports. Those costs can climb higher for firms that lose medical information, since such losses can also breach privacy laws.
Enforcement: The Securities and Exchange Commission, Federal Trade Commission and even the Consumer Financial Protection Bureau have either issued guidance, warnings or penalties against companies for failing to enact proper cyber protections, something law firms should be aware of, lest they find their policies in the cross-hairs after a breach.
No one safe: Cybersecurity firm Mandiant stated in a recent survey that at least 80 of the 100 biggest firms in the country, by revenue, have been hacked since 2011, while additional responses reveal that seven percent of respondents from the country’s largest law firms were breached in the last three years.
‘Unique repository of data’
Law firms getting punctured by hackers is “not a new trend,” said Chad Pinson, a managing director at Stroz Friedberg, a New York-based cybersecurity firm, noting that in most instances law firms are not legally required to publicly report a hack, though they must contact affected clients. “They are getting targeted just like everyone else.”
What is different about law firms, however, is they are a “unique repository of data” that would be of interest to hackers of all stripes, from “thrill seekers, to those engaging in economic espionage, foreign nation states or those with a personal agenda looking to embarrass” an individual or company, he said.
Since at least 2009, the FBI, the U.S. Secret Service, and other law enforcement agencies have attempted to warn the managing partners of large U.S. firms that their computer files were targets for cyber attackers, spies and thieves in China, Russia, and other countries, including the U.S., looking for valuable information about potential corporate mergers, patent and trade secrets, litigation plans, and more, according to published and media reports.
Because law firms, particularly large, full-service firms, represent such a wide array of clients on such a diverse range of legal issues – including criminal charges, acquisitions, annual reports and even patents – they draw an equally colorful panoply of illicit cyber actors, Pinson said.
“If a client operates in a controversial industry, then the law firm representing the client could be exposed to hacktivists,” he said.
Or if the client has great wealth, then the law firm could be at risk for economic espionage, Pinson said. Or if the client is very important on the international geopolitical stage, the law firm representing the person could be at risk of attacks by interested or opposing state-backed hackers.
Hackers likely see law firms as a “treasure trove” of some of the most valuable and sensitive, material non-public information, Pinson said.
Here are some examples of information hackers would find attractive at a law firm and why:
- Financial disclosures: law firms typically review quarterly and annual reports and related information on behalf of clients. This information is sensitive and secret until it is publicly released. If hackers get their hands on those financials, they could use them for insider trading, espionage or blackmail. The hackers could also simply sell the secret technical information directly to a competing company, or post it for free on the internet to harm the company.
- Litigation leak: This could be part and parcel of an annual report as well, but if hackers can get details on the status of current or upcoming litigation, either outcomes, strategies or costs, the groups can blackmail the company or sell secrets to opposing legal teams, particularly if the issues could have a material effect on the bottom line.
- Purloined patents: “A lot of companies use law firms to seek patents,” Pinson said. “But until the company obtains a patent and it’s protected, all they are are trade secrets. If someone could gain access to non-patented trade secrets, it could be a race to the patent office.” The hackers could also simply sell the information directly to a company that wants to use the technology without paying for the rights to use it or crediting the originating company.
- Nosy negotiations: Another example would be, say, when a company is negotiating for lease rights tied to development of a natural gas field or similar such deal where multiple firms are bidding for a slice of a potentially profitable pie. If one entity can get insight into the monies available to other companies, their negotiation strategies or even some of the secret, attorney client information a firm doesn’t want getting out, it could give a major advantage to an operation.
Hackers have concluded that “to get the dirt on everyone, their fathers, sisters and brothers, then break into the local law office,” said John Walsh, chief executive officer of Sightspan, a consultancy.
Moreover, they could be softer targets to penetrate than banks because many law firms are “naïve when it comes to cybersecurity and their defenses are very weak,” he said. “They don’t understand the value of the information. They are trained to protect client assets, but they may not realize that extends to anything about the client,” including the legal records about the clients themselves.
Some of the most in demand records are also the most morbid and macabre, including death records, or records on children, simply because they “will be around for a while more than older people,” he said.
The main goal for these hackers is not to steal, say, a credit card or even bank account number, but to create a “synthetic identity,” that has everything, including medical and financial records, Social Security Numbers and even details about family members and residences, Walsh said.
A fully formed synthetic identity can garner hundreds of thousands of dollars in criminal assets, from maxing out credit cards to taking out home and car loans and other tactics, he said, adding that these illicit identities can be controlled from foreign secrecy havens and through shell companies, making them nearly impossible to uncover and prosecute.
Tips for law firms to keep the hackers out:
- Tactical Training: Train all members of the firm, from assistants to top partners, about classic and emerging cyber attack patterns. These would include email scams, phishing, spear phishing and business email compromise attacks, so they will think twice about clicking on an unknown link or wiring funds to a strange foreign locale, even if the email seems to come from the CEO.
- Systems, software: Ensure that all computers linked to the network have stout, up-to-date anti-virus software, and that programs and operating systems have all the latest patches installed. Tarrying on these allows known vulnerabilities, in some cases ones the vendors of those systems have already fixed, to persist, giving criminals easier access.
- Access monitoring, restrictions: Mirroring what many large banks and corporations are doing, law firms should consider limiting access to core systems to a small handful of IT professionals, so that it is very difficult for rank-and-file employees, or for a criminal who steals their login credentials, to get into the broader system. As well, law firms should consider investing in network monitoring systems that can reveal if one person’s terminal has been compromised and is hemorrhaging client data to an unknown, foreign IP address.
- Vulnerability assessment: Currently, financial institutions, and even government and other entities considered pieces of critical infrastructure, are under significant pressure to improve cyber defenses, resilience and recovery programs. To do this, many institutions are engaging outside consulting firms to perform a “cyber risk assessment” that gauges company systems, weak points and current illicit attack vectors. The goal is to find the gaps before the bad guys do and to narrow the gap between what the network is and what it should be. Law firms should consider a similar strategy and even take a look at the widely available and lauded NIST framework.
- Separation of duties: The IT person was typically the one who kept the Internet up, phones working, email coming in and going out, and ensured the data was secure. When it came to cybersecurity, many law firms just put another hat on that person and said, oh yeah, by the way, make sure to keep hackers out too. That dynamic may not be enough anymore. More large companies are creating divisions separate from IT that are devoted full time to monitoring for network threats, cyber attacks, data breaches and even attempts to crack systems that have not yet been fully breached. That is something law firms should also consider.
- Physical security: Lawyers are no strangers to the trials and tribulations of data mining, electronic discovery and generally having to sift through mounds of information. But the same security procedures applied to the online world need to be undertaken for the physical world. Attorneys also routinely have to handle boxes and boxes of records, including, say, medical records. What is stopping an insider, a janitor, or someone else from waltzing in after hours, photocopying the documents, and putting the box back where they found it? Law firms should consider restricting access to sensitive physical records and even adding cameras.
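The “access monitoring” tip above describes network monitoring that flags a single workstation pushing client data to an unknown external address. The script below is an added illustration of that kind of check, not code from the article or from any firm or vendor it names. It assumes a flow-summary export in a simple CSV shape (constructed sample rows using documentation IP ranges), a hypothetical allow-list of external services the firm knowingly uses, and an arbitrary 50 MiB alert threshold; a real deployment would load the internal ranges, allow-list and threshold from configuration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the article): one row per outbound
# connection summary, as a network-monitoring sensor might export. Destination
# addresses use the IANA documentation ranges (192.0.2/24, 198.51.100/24,
# 203.0.113/24) so the sample stays fictional.
SAMPLE_FLOWS = """timestamp,src_host,src_ip,dst_ip,dst_port,bytes_out
2016-03-01T09:02:11,ws-paralegal-07,10.20.1.17,10.20.5.10,445,18200000
2016-03-01T09:10:44,ws-paralegal-07,10.20.1.17,203.0.113.45,443,52000000
2016-03-01T09:11:02,ws-paralegal-07,10.20.1.17,203.0.113.45,443,61000000
2016-03-01T09:15:30,ws-partner-02,10.20.1.40,198.51.100.8,443,900000
2016-03-01T09:20:05,ws-assistant-11,10.20.1.63,192.0.2.77,443,1200000
2016-03-01T09:25:19,ws-assistant-11,10.20.1.63,192.0.2.77,443,3400000
"""

# The firm's own internal address space: RFC 1918 plus loopback. Listed
# explicitly rather than via ipaddress's is_private, which also treats the
# documentation ranges used in the sample as non-global.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Hypothetical allow-list of external services the firm knowingly sends data to
# (e.g. an e-filing portal); a real deployment would load this from config.
ALLOWED_EXTERNAL = {"198.51.100.8"}

# Bytes leaving one workstation for one unlisted external address before alerting.
EGRESS_THRESHOLD_BYTES = 50 * 1024 * 1024  # 50 MiB, an arbitrary assumption


def is_internal(ip_str):
    """True if the address falls inside the firm's internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def aggregate_egress(flow_csv):
    """Sum outbound bytes per (source host, external destination), skipping
    internal and allow-listed destinations."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        dst = row["dst_ip"]
        if is_internal(dst) or dst in ALLOWED_EXTERNAL:
            continue
        totals[(row["src_host"], dst)] += int(row["bytes_out"])
    return dict(totals)


def find_exfil_candidates(flow_csv, threshold=EGRESS_THRESHOLD_BYTES):
    """Return (src_host, dst_ip, total_bytes) for each host that pushed more than
    `threshold` bytes to a single unrecognised external address, largest first."""
    findings = [
        (host, dst, total)
        for (host, dst), total in aggregate_egress(flow_csv).items()
        if total > threshold
    ]
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


if __name__ == "__main__":
    for host, dst, total in find_exfil_candidates(SAMPLE_FLOWS):
        print(f"ALERT {host} sent {total / 1024**2:.1f} MiB "
              f"to unlisted external host {dst}")
```

On the sample data only ws-paralegal-07 trips the alert: its two sessions to 203.0.113.45 add up to about 108 MiB, while ws-assistant-11 stays well under the threshold and ws-partner-02 is talking to an allow-listed service. The “foreign” part of the article’s tip would be layered on by running the flagged destination through a GeoIP lookup before deciding how urgently to respond; the aggregation step is the same either way.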
One great irony in the virtual battles between hackers and law firms is that attorneys routinely advise their clients to bolster their online access portals, but are remiss in doing so themselves.
“I always wonder why lawyers don’t practice what they preach with regard to cybersecurity,” Bortnick said. “They are always advising their clients to implement the most complete end-to-end cybersecurity protocols, but are themselves not adherent to their own advice. Why? They think they are the smartest people in the room and too important to be hit.”
The information at law firms includes “some of the most frank, open and honest conversations” between a company and its legal counsel, chiefly because clients trust and rely on the fact that those secret, sensitive details are shielded behind the bastion of attorney-client privilege, Pinson said. “But hackers will cut right through that.”