Prepare, practice, protect: A strategy for defeating cyberthreats to lawyers
Shutterstock
Corporate litigator Jane Doe sat down at her desk Monday morning and logged on to her computer. She opened an email appearing to be from a client that read: “Hi. Could you please take a look at this document? It’s urgent.” Doe clicked on the attachment. Two weeks later, a hacker website published confidential documents that one of her most important clients had given the firm in connection with a lawsuit alleging environmental violations. Doe’s client called, furious, to inform her that she was discharged, and that the client was considering a lawsuit against her firm.
Every week brings news of major new cyberattacks—the stealing of personal information from Equifax and the federal Office of Personnel Management, the Petya and WannaCry ransomware worms, the Russian hacking of the Democratic National Committee’s emails, to name a few. Indeed, the cyberthreat from criminals, hacktivists and state actors is growing. The costs associated with these malicious activities are staggering: Last year, the Commission on the Theft of American Intellectual Property estimated that the annual cost of IP theft in three major categories may be as high as $600 billion and that the low-end total exceeds $225 billion, or 1.25 percent of the U.S. economy.
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
Law firms have not been immune. In fact, they have been a ripe target:
- Several major New York City law firms working on public mergers and acquisitions were hacked in 2014 and 2015 as part of a sophisticated insider-trading scheme.
- In 2012, hackers believed to be linked to the Chinese government obtained confidential documents related to solar panel designs by hacking into a prominent Washington, D.C., firm.
- A Panama-based law firm was the target of the largest data theft ever by volume: A hacktivist website obtained 11.5 million individual documents stolen from the firm (2.6 terabytes of data), which contained confidential financial information about the firm’s clients.
- Among the many entities victimized by the Petya ransomware attack this past year was a BigLaw firm that was forced to take some of its email servers offline for an extended period.
John Carlin
The nature of their work and the resulting sensitive data make law firms enticing targets. Law firms conduct due diligence and internal investigations, negotiate settlements, provide advice on regulatory issues, and handle important contractual negotiations and litigations. In the course of their representations, they often have access to a wide range of confidential client information, including trade secrets and other intellectual property, financial data, business strategies and national security information. All of this can be valuable to criminals seeking monetary gain, to businesses seeking a competitive edge or to foreign intelligence services.
Technology enhances the risk. Records that a law firm once kept on physical pieces of paper in file cabinets now reside on data servers or in the cloud. Lawyers increasingly communicate using mobile devices or email. Firms’ use of a growing number of devices that are connected to the internet—the “internet of things”—creates new vectors of vulnerability. While these developments may have made the logistics of legal practice easier, they have also introduced additional opportunities for illicit access.
John P. Carlin is a partner at Morrison & Foerster. Robert S. Litt, of counsel at Morrison & Foerster, is a former general counsel for the director of national intelligence. Hayley R. Curry and R. Taj Moore are associates at the firm.
