Data breaches don’t just affect retailers and banks. Most big law firms have been hacked, too.
While cybercrime has plagued U.S.-based law firms quietly for close to a decade, the frequency of attempts and attacks has been rapidly increasing. Numbers aren’t available because, unlike financial institutions, law firms have no legal obligation to disclose cybercrimes to the public.
But experts say these crimes are on the upswing, particularly at firms whose practices involve government contracts or mergers and acquisitions, especially when non-U.S. companies or countries are involved.
“Law firms are very attractive targets. They have information from clients on deal negotiations, which adversaries have a keen interest in,” according to Harvey Rishikof, co-chairman of the American Bar Association’s Cybersecurity Legal Task Force. “They’re a treasure trove that is extremely attractive to criminals, foreign governments, adversaries and intelligence entities.”
While Cisco Systems Inc. ranks law firms as the seventh-most-vulnerable industry to “malware encounters” in its 2015 Annual Security Report, other statistics are more striking.
At least 80 percent of the biggest 100 law firms have had some sort of breach, Peter Tyrrell, the chief operating officer of Digital Guardian, a data security software company, said in a telephone interview.
Stewart Baker, a partner at Steptoe & Johnson LLP, said the number may be even higher. In an interview last week, he recounted what an agent from the FBI told him: Virtually all of the biggest firms have faced some sort of data breach.
According to Richard Bejtlich, the chief security strategist of data-security company FireEye Inc., law firms’ susceptibility grew as hackers became more adept. The biggest increase, he said in an interview, comes from hackers hired by foreign nations, especially China.
“If you’re doing business in China or representing clients in China, you will get hacked,” he said. “And they’re not just stealing intellectual property for reproduction. They’re interested in mergers and acquisitions as well. It’s the way they conduct due diligence.”
After all, Bejtlich said, “what better way to negotiate than to have access to redlined documents from the other side?”
Five members of the People’s Liberation Army of China were indicted in May on charges that they had hacked into computers at six companies, including Alcoa, U.S. Steel and Westinghouse, to get at confidential information.
No law firms were listed as victims of those attacks, although the indictment alluded to the interception of privileged attorney-client communications. However, Wiley Rein LLP, which represented SolarWorld, one of the companies named as a target, was itself hacked around the time SolarWorld’s computers were compromised, Bloomberg’s Michael Riley and Dune Lawrence reported in 2012. Firm spokesman Patricia O’Connell declined last week to comment on the breach.
Some firms haven’t had their systems breached. Emily Yinger, the managing partner of the Washington-area offices of Hogan Lovells LLP, said her firm has been spared, although she noted that “we constantly intercept attacks.”
The problems range from the hapless lawyer who clicks on a fake email purporting to be from the U.S. Postal Service to much more intricate, pervasive breaches.
Baker, for example, said he personally faced one a few years ago when a hacker impersonated him, setting up a Yahoo account under his name and emailing lawyers at Steptoe with a link to a report that was similar to documents he had sent. But his firm was lucky — only one person clicked and “the link didn’t take,” he said.
Firms typically are loath to disclose breaches. Leo Taddeo, the special agent in charge of the Cyber and Special Operations Division for the FBI’s New York office, said in a telephone interview last week that he hasn’t heard of any law firms affected. “Either the firms have perfect security, have been hacked and don’t know, or they’ve been hacked and don’t tell.”
FBI agents have spoken to some senior partners about cybersecurity risks, but, he said, “it’s been a one-way street with information. We’ve not gotten the two-way interaction that we are looking for.”
And there’s a reason why the FBI wants more communication. Because of its continual investigation of cybercrime, the FBI has developed technical expertise as well as knowledge of who the hackers are and how they infiltrate. Taddeo stressed that, as a result, the FBI can both help law firms take precautions and aid them if there is a breach.
And, to allay any privacy concerns a firm might have, Taddeo said, the FBI “knows how to keep things confidential.”