Legal Executive Institute
A New Focus on Law Firm Cybersecurity
January 11, 2017
By Daniel B. Garrie
Law firms have long held a hallowed position in the corporate world as the preeminent keepers of confidences. But the frequency with which law firms are falling victim to data breaches and hacks should leave clients questioning their firm’s data security. Due to their trusted position in the business world, law firms have become a prime target for cyber criminals, and without adequate data security, confidential client information can fall into the hands of a wide variety of bad actors.
Consider the following hypothetical about a top global firm. It has attorneys working with companies and individuals in virtually every industry in the world. These attorneys are privy to a wide variety of highly sensitive and confidential financial information — information that would be of great value to cyber-criminals. A senior mergers and acquisitions partner chose to use his smartphone for both work and personal use. Because he was a senior partner, no one was willing to require him to segregate data and users. The senior partner regularly let his son use the smartphone to surf the Internet and download games. One day, the son downloaded a game that had malware attached to it. The malware infiltrated the firm’s email server. This silent intrusion allowed a cyber-criminal to monitor all emails in the senior partner’s practice group. The cyber-criminal was able to access confidential financial information, which allowed him to engage in insider trading, making millions of dollars off of the information, and causing serious harm to the firm’s client by driving up the price of the stock.
While the above hypothetical may seem like a doomsday scenario, it can happen, as revealed in a recent indictment in the Southern District of New York. The indictment alleged that three criminals gained access to a top law firm’s email server through undisclosed means. On multiple occasions, these criminals were able to gain confidential inside information about pending M&A deals. The criminals were then able to trade on that information, making more than $4 million before being caught. The criminals were charged with insider trading, wire fraud, and violations of the Computer Fraud and Abuse Act. While little is known about how the criminals in the above case broke into the firm’s mail servers, it’s likely that the criminals exploited a lawyer with access to the email server — a much easier pathway — rather than attacking the system directly.
To read the full article, go to Legal Executive Institute