Dallas-based Locke Lord probably thought its computer system was safe—that is, until two days in December 2011. That was when Anastasio Laoutaris, a former IT engineer who worked for the firm for five years, accessed Locke Lord’s computer network without authorization and, according to a press release from the U.S. Attorney’s office for the Northern District of Texas, “caused significant damage to the network.” But the 1,000-lawyer firm was lucky. Laoutaris was caught, convicted of hacking by a Dallas jury last October, and in April was sentenced to more than nine years in prison and ordered to pay $1.69 million in restitution. Most important, according to Locke Lord spokeswoman Julie Gilbert, client information was “never compromised.”
This close call underscores what many in the American legal sector have been reluctant to accept: law firms represent the latest target for cybercriminals. More firms are falling prey to schemes as simple as “phishing” tactics or as sophisticated as a coordinated cyberattack, exposing client data that could include sensitive financial information, market-influencing mergers and acquisitions intelligence, and IP from a patent filing. Despite the danger, law firms have been guilty of a head-in-the-sand approach. A 2012 study from security firm Mandiant Corp. reported that 80 percent of the nation’s 100 largest firms were victims of hacking. In 2015, an American Bar Association survey revealed that even though one in four firms with at least 100 lawyers had fallen victim to a breach, nearly half had no response plan. Most lacked security measures beyond rudimentary tools like firewall software, spam filters, and virus scanners. In April, ALM Legal Intelligence and crisis communications firm Infinite Spada found that although about two-thirds of respondents were comfortable with their firms’ ability to resist a cyberattack, most were lacking in the best practices. And even though 87 percent of the law firms surveyed require their vendors to carry cyber liability insurance, only about a third of them carried such coverage themselves.
Law firms will have to step up their cybersecurity game, if recent headline-making news is any indication. The Panama Papers scandal, in which millions of documents pertaining to offshore shell companies and financial dealings of numerous individuals and corporations were exposed, was the result of a hack at the Panamanian law firm Mossack Fonseca, according to its founding partner Ramon Fonseca. Earlier this year, the New York-based threat intelligence firm Flashpoint issued an alert that a Russian cybercriminal and information broker known as “Oleras” was the mastermind behind a plot to hack into nearly 50 of the largest law firms in the U.S. The plan, according to Flashpoint, was to infiltrate the law firms’ networks, use keywords to locate and obtain sensitive information, and then engage in insider trading. Targeted businesses read like a who’s who of the nation’s most prestigious firms, including Texas’ Baker Botts, Vinson & Elkins, and Akin Gump, as well as national firms with Dallas offices like Weil Gotshal & Manges, Jones Day, and Gibson Dunn & Crutcher. The FBI and the Manhattan U.S. Attorney’s office are investigating, and it is still unclear whether breaches actually occurred.
“Lawyers are under significant pressure to do things quickly and efficiently.”
Shawn Tuma, Scheef & Stone
This is not a recent phenomenon. In 2010, California Gipson Hoffman & Pancione began receiving malware-riddled phishing emails days after the firm filed a lawsuit against several Chinese companies and the Chinese government, alleging misappropriation of its client’s software. In 2012, Chinese hackers were again blamed for a breach suffered by Washington, D.C. law firm Wiley Rein, which represented renewable energy company Solar World in an antidumping case against China. That same year, Chinese hackers also targeted Canadian firms working on the $40 billion acquisition of the world’s largest producer of potash (an agricultural and industrial chemical).
Cyber threats are not limited to large firms engaged in multibillion-dollar M&A deals. Just last month, the small Clarendon, Texas law office of James Shelton began receiving thousands of calls a day from across the U.S., Canada, and the United Kingdom. Apparently, hackers had used one of the law firm’s email accounts to message recipients with the subject line “lawsuit subpoena.” The company-specific email asked if the legal department has received the subpoena yet, and includes an attachment with malware that infects systems, steals banking credentials, and accesses financial records. The firm disabled the email account and posted a warning on its website advising against clicking any links or downloading any attachments.
So why are law firms being increasingly targeted? First, hackers are drawn by the sheer quantity and quality of valuable documents, including descriptions of technical secrets, business strategies, and due diligence material on transactions, financing, and mergers. Second, data thieves may target law firms as a way of filtering out low-value information. Although large corporations store a ton of data, outside counsel usually keeps a smaller, more carefully selected set of documents. Finally, firms often have worse data security than their clients. According to cybersecurity and data protection attorney Shawn Tuma of Frisco’s Scheef & Stone, “lawyers are under significant pressure to do things quickly and efficiently,” making it difficult for IT teams to install robust security systems.
Law firms with lax cybersecurity risk more than just the loss of a client; they also risk malpractice exposure and disciplinary actions. In 2012, the ABA updated its model rules of professional responsibility, requiring lawyers to make “reasonable efforts” to prevent the disclosure and unauthorized access to client information. Many states similarly have adopted more modern standards. As recently as April, a New York real estate lawyer, Patricia Doran, was sued by two clients who allege that the attorney’s use of a “notoriously vulnerable” AOL email account resulted in their loss of nearly $2 million. According to the lawsuit, Doran’s computer negligence allowed hackers to not only read all of the lawyer’s emails, but also to impersonate the attorney for the sellers of real estate that the couple was buying. Doran allegedly forwarded bogus emails from the hackers to her clients, resulting in funds being wired to cyber thieves.
With the stakes raised, what can law firms do to improve their cybersecurity? Tuma recommends that firms adhere to security basics, such as requiring strong, regularly changed passwords, using disk encryption on all devices, implementing a firewall and reputable antivirus software, keeping software updated, and storing regular backups of data. Firms with more resources, he says, “should have more advanced intrusion detection and prevention systems in place, internal controls on access to data, and detailed logging for their servers.” Tuma also advises against small firms going the DIY route, urging them to find a reputable vendor instead. All firms, he counsels, should encrypt files containing sensitive client data, and have an incident response plan and cyber insurance coverage that protects their clients and their firm.
Lawyers can no longer profess ignorance of the risks or their ethical duties to take steps to protect their clients’ data. Failure to do so could be catastrophic for attorney and client alike.
