Like virtually all law firms, Dallas-based Locke Lord probably thought its computer system was safe enough – that is, until two days in December 2011. That was when Anastasio Laoutaris, a former IT engineer who worked for the firm for five years before leaving in August 2011, accessed Locke Lord’s computer network without authorization and, according to a press release from the U.S. Attorney’s office for the Northern District of Texas, “issued instructions and commands that caused significant damage to the network, including deleting or disabling hundreds of user accounts, desktop and laptop accounts, and user e-mail accounts.”[1] But the 1,000-lawyer firm was lucky. Laoutaris was caught, convicted of hacking by a Dallas jury last October, and in April was sentenced to more than nine years in prison and ordered to pay $1.69 million in restitution.[2] And most importantly, according to Locke Lord spokeswoman Julie Gilbert, client information was “never compromised.”
Yet even this close call underscores what has been a dirty little secret of the legal field for years, albeit one the profession has been reluctant to accept: law firms represent the latest target for cybercriminals, a soft underbelly rich in valuable information that can be stolen and monetized. More and more firms are falling prey to schemes as simple as “phishing” tactics and “spoofing” emails, or as sophisticated as a coordinated cyberattack, exposing client data that could include everything from sensitive financial information to market-influencing mergers and acquisitions intelligence to the sensitive IP in a patent filing. A 2012 study from security firm Mandiant Corporation reported that 80 percent of the nation’s 100 largest firms were victims of hacking.[3] In 2015, the ABA Legal Technology Survey Report revealed that 15 percent of the responding law firms had experienced security breaches ranging from a lost or stolen phone to hacking, break-ins, or website disruptions. Of the law firms reporting such attacks, 30 percent said they resulted in loss of billable time, 18 percent reported suffering destruction or loss of files, and 3 percent said it led to unauthorized access to sensitive client data. Yet despite this, nearly half of the law firms questioned had no response plan in place to deal with such security breaches.[4] Most, in fact, lacked security measures beyond rudimentary tools like firewall software, spam filters, and virus scanners. In April 2016, ALM Legal Intelligence and crisis communications firm Infinite Spada released the results of their own national survey of law firms. While about two-thirds of the firms responding were comfortable with their firms’ ability to resist a cyberattack, closer inspection revealed that most of these same law firms were lacking in the best practices of cybersecurity, like holding periodic “fire drills” and security assessments. And even though 87 percent of the law firms surveyed require their vendors to carry cyber liability insurance, only about a third of the firms carried such coverage themselves.[5]
If recent headline-making news is any indication, law firms are going to have to step up their cybersecurity game. The Panama Papers scandal, in which millions of documents pertaining to offshore shell companies and financial dealings of numerous individuals and corporations were exposed, was the result of a hack at the Panamanian law firm Mossack Fonseca, according to its founding partner Ramon Fonseca.[6] Earlier this year, the New York-based threat intelligence firm Flashpoint issued an alert that a Russian cybercriminal and information broker known as “Oleras” was the mastermind behind a plot to hack into nearly 50 of the largest law firms in the U.S.[7] The plan, according to Flashpoint, was to infiltrate the law firms’ networks, use keywords to locate and obtain such information as drafts of merger agreements, letters of intent, confidentiality agreements, and trading activities, and then engage in insider trading using the ill-gotten data. The firms that were targeted read like a who’s who of the nation’s most prestigious firms, including Texas firms like Baker Botts, Vinson & Elkins, and Akin Gump, as well as a number of national firms with Texas offices like Weil Gotshal & Manges, Jones Day, and Gibson Dunn & Crutcher. Both the FBI and the Manhattan U.S. Attorney’s office are investigating the hacking plot, and it is still unclear whether breaches actually occurred and whether any confidential information was stolen.
While such recent headlines have shined a light on law firms’ vulnerability to cyber threats, it is hardly a recent phenomenon. In 2010, the California law firm of Gipson Hoffman & Pancione began receiving malware-riddled phishing emails just days after the firm filed a lawsuit against several Chinese companies and the Chinese government, alleging misappropriation of its client’s software. In 2012, Chinese hackers were again blamed for a breach suffered by Washington, D.C. law firm Wiley Rein, which had represented a renewable energy company, SolarWorld, in an antidumping case against China.[8] That same year, Chinese hackers also targeted several Canadian law firms working on the $40 billion acquisition of the world’s largest producer of potash (a valuable agricultural and industrial chemical), stealing strategic data and bidding information from the firms.[9]
Yet the threats to law firms from cybercriminals are not limited to large firms engaged in multibillion dollar M&A deals. In April, the small Clarendon, Texas office of probate and estate planning lawyer James Shelton began receiving thousands of calls a day from all over the U.S. and as far away as Canada and the United Kingdom.[10] Apparently, unknown hackers had gained access to one of the law firm’s email accounts and used it to send emails to an unknown number of recipients with the subject line “lawsuit subpoena.” The company-specific email asks whether the “legal department” has received the “subpoena” yet, and it includes a Word document attachment. Those who clicked on the attachment, however, downloaded a form of malware that relies on macros in Microsoft Office to infect systems, steal banking credentials, and access a user’s financial records. Once aware of the scheme, James Shelton and his IT professionals disabled the email account and posted a bright red warning banner on the firm’s website directing individuals “not to click on any links or download any attachments.”
So why are law firms such inviting targets for cybercriminals? There are a number of reasons. First, hackers are drawn by the sheer quantity and quality of valuable documents available in law offices, including descriptions of technical secrets, business strategies, and due diligence material on transactions, financing, and mergers. Second, data thieves may target law firms as a way of filtering out low-value information. While large corporations store so much data that it may be difficult for a hacker to sort the digital wheat from the chaff, a corporation’s outside counsel usually receives and stores a smaller, more carefully selected set of documents. And finally, cybercriminals target law firms because they often have worse data security than the clients they represent. Why is that? According to Dallas cybersecurity and data protection attorney Shawn Tuma of Scheef & Stone, “lawyers are under significant pressure to do things quickly and efficiently, which makes them resistant to anything that will slow them down. This makes it difficult for law firm IT and security departments to implement some of the more robust security precautions, such as encryption, for information that their lawyers use on a regular basis.”
Since the cornerstone of our profession is maintaining client confidences and safeguarding client information, law firms with lax cybersecurity risk more than just the loss of a valued client; they also risk malpractice exposure and disciplinary actions. In 2012, the ABA updated its Model Rules of Professional Responsibility, adding a new section requiring lawyers “to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Many states have similarly adopted more modern standards for the storage and protection of electronic client files, particularly in an era of cloud computing. In April, New York real estate lawyer Patricia Doran was sued by two clients alleging that the attorney’s use of a “notoriously vulnerable” AOL email account that was hacked by cybercriminals resulted in the loss of nearly $2 million from the couple.[11] According to the lawsuit, Doran’s computer negligence allowed hackers not only to intercept and read all of the lawyer’s communications, but also to then impersonate the attorney for the sellers of real estate that the couple was buying. Doran allegedly forwarded bogus emails from the hackers to her clients without confirming their authenticity, resulting in funds being wired to an account controlled by the cyberthieves. And in May, noted class action boutique Edelson, P.C. filed a putative class action lawsuit against a “John Doe” Chicago-based regional law firm premised on the firm’s alleged “significant data security vulnerabilities” that have exposed “a whole host of sensitive client data.”[12]
So what steps can you take to protect your law firm from cyberthreats? First, regardless of the size of the firm, security basics need to be followed. That means requiring strong, regularly changed passwords; using disk encryption on all devices; backing up your data early and often; using reputable antivirus software and a firewall; and staying current with updates on your computers. Second, educate everyone at the office about cybersecurity, since one weak link (such as someone clicking on a link or attachment that is actually malware) is all it takes. Social engineering (using deception to gain access or information) consistently ranks as the most frequently employed means of attack, regardless of whether the victim being exploited is a law firm, another business, or an individual. Part of this education may involve assembling a data security response team ready to respond to a breach. Third, acknowledge your limitations and don’t try for the “DIY” approach. Even for solos and small firms, try to find a reputable, qualified vendor that will understand your particular security needs – as well as your budget.
For firms with more resources, more advanced intrusion detection/prevention systems are a must, along with internal controls on who can access certain data, and more sophisticated backup and business continuity systems. Fourth, consider cyberinsurance. Policies that law firms typically carry – like professional liability coverage, general liability coverage, or property insurance – may leave you without coverage for data breaches or other cyber risks. Cyberinsurance can help cover not only the cost of cyber forensic services and help in responding to a security incident, but also the loss of revenue and any lawsuits resulting from an attack that involves the loss of data. The number of firms providing cyberliability policies has been increasing steadily each year. While policies and each law firm’s needs will vary, a general rule of thumb is that a policy with at least $1 million limits will run in the range of $10,000 or so. Finally, encrypt all files containing client data that is especially sensitive. There are any number of encryption technologies available to consider, including more secure alternatives for encrypted file storage and backup than widely-used services like Dropbox.
The stakes are higher than ever when it comes to law firm cybersecurity. In the current environment, a lawyer’s professional standing and client relationships are as vulnerable as data to cyberthreats, and ignorance is no longer an excuse.
John G. Browning is a shareholder at Passman & Jones in Dallas, Texas, who has over 26 years of experience in trying cases. His experience encompasses a broad range of civil litigation, including personal injury, product liability, premises liability, professional liability, commercial litigation, employment and trade secrets cases, media law, and intellectual property litigation. Mr. Browning is also an award-winning legal writer and the author of the books “The Lawyer’s Guide to Social Networking: Understanding Social Media’s Impact on the Law” and “Social Media Litigation Practice Guide.” He is a Charter Fellow of the Litigation Counsel of America.
[4] ABA Legal Technology Survey Report (2015).
[5] http://www.legaltechnews.com/printerfriendly/id=1202755908313 (Apr. 25, 2016).
[7] http://www.chicagobusiness.com/article/20160329/NEWS04/160329840/Russian-cyber-criminal-targets-elite-Chicago-law-firms?X-IgnoreUserAgent=1 and http://www.wsj.com/articles/hackers-breach-cravath-swaine-other-big-law-firms-1459293504.
[8] “Into the Deluge: The Evolution of Cyberthreats to Law Firms,” http://www.legaltechnews.com/printerfriendly/id=1202756324005 (Apr. 29, 2016).
[9] Alan Ezekiel, “Hackers, Spies, and Stolen Secrets: Protecting Law Firms from Data Theft,” Harvard Journal of Law & Technology, Vol. 26, No. 2 (Spring 2013).
[10] www.vogelitlawblog.com (Apr. 22, 2016).
[12] Allison Grande, “Edelson Targets Chicago Law Firm Over Lax Data Security,” Law360 (May 5, 2016).