Skip to content
Thomson Reuters
Law firms

Are law firms the weakest leak in cybersecurity?

Daniel Garrie

18 Jan 2017

Law firms have long held a hallowed position in the corporate world, as the preeminent keeper of confidences. But the frequency with which law firms are falling victim to data breaches and hacks should leave clients questioning their firm’s data security. Due to their trusted position in the business world, law firms have become a prime target for cyber criminals, and without adequate cybersecurity confidential client information can fall into the hands of a wide variety of bad actors.

Consider the following hypothetical about a top global firm. It has attorneys working with companies and individuals in virtually every industry in the world. These attorneys are privy to a wide variety of highly sensitive and confidential financial information – information that would be of great value to cyber criminals. A senior mergers and acquisitions partner chose to use his smartphone for both work and personal use. As a senior partner, no one was willing to require the need to segregate data and users. The senior partner regularly let his son use the smartphone to surf the Internet and download games. One day, the son downloads a game which has malware code attached to it. The malware infiltrated the firm’s email server. This silent intrusion allowed a cyber-criminal to monitor all emails in the senior partner’s practice group. The cyber-criminal was able to access confidential financial information, which allowed him to engage in insider trading, making millions of dollars off of the information, and causing serious harm to the firm’s client by driving up the price of the stock.

While the above hypothetical may seem like a doomsday scenario, it can happen, as revealed in a recent indictment in the Southern District of New York. The indictment alleged that three criminals gained access to a top law firm’s email server through undisclosed means. On multiple occasions, these criminals were able to gain confidential inside information about pending M&A deals. The criminals were then able to trade on that information, making over $4 million before being caught. The criminals were charged with insider trading, wire fraud, and violations of the US Computer Fraud and Abuse Act. While facts are few and far between for understanding how the criminals in the above case broke into the firm’s mail servers, it is likely that the criminals exploited a lawyer with access to the email server, rather than attacking the system directly.

This example is not meant to scare law firms out of engaging in important work, and it is not meant as a prompt for law firms to radically overhaul their policies and procedures in an attempt to pursue perfect cybersecurity. What this example should do, is highlight the risk of poor cybersecurity, and serve as a conversation starter for thinking about how to develop a strong cybersecurity infrastructure and culture within a law firm.

Why then, if these steps are cost effective and simple do firms still face a significant threat of cyber-attack? The answer is simple: culture.

There are several useful, cost effective, tools available to all law firms, whether a solo practice or multinational firm, to help secure the firm’s data. These tools include email encryption services, secure file management and transfer solutions, multi-factor authentication, mobile device management and integrated malicious code detectors that operate across both computers and mobile devices. Often times, for a small premium, these individual tools can be bundled into a single solution that is managed by external third-parties. Taking these relatively simple steps will significantly hamper all but the most serious cyber-criminals and nation-state actors. Why then, if these steps are cost effective and simple do firms still face a significant threat of cyber-attack? The answer is simple: culture.

The above discussed tools, are for all intents and purposes, a sophisticated alarm system. Defeating an alarm system can be a difficult task for a criminal, but the alarm system requires that the homeowner properly follow the alarm’s procedures in order to work. If a homeowner chooses to leave the front door open, no matter how effective the alarm system is, it cannot prevent a criminal from breaking in. Consequently, law firms must pay serious attention to developing a security conscious culture, and must be sure to close their digital front door.  Training is a start to developing an effective cybersecurity culture.  However, training should not just be checking a box.  Every employee of the firm must be committed to taking the steps necessary to protect the firm’s information and systems, even if there is some measure of inconvenience.  The stakes are too high to do otherwise.

These are a few of the measures that law firms must begin and continue to implement in order to achieve meaningful data security. Not only is it their responsibility as fiduciaries of their clients’ data, but the decision not implement these measures will become an untenable business decisions as clients begin auditing their firms. With that being said, there is no one size fits all approach to cybersecurity, and every firm must carefully consider the risks, costs, and benefits, and make an informed decision as what solutions to implement to protect themselves and their clients.

The Practical Law year in review: selected themes from 2021 and looking ahead to 2022, part 2 The Practical Law year in review: selected themes from 2021 and looking ahead to 2022, part 1 The Hearing: Episode 89 – Special *2021 Yearbook* Episode Best practices when preparing to adopt a contract review and analysis solution New report shows growth amid change for region – 2021 State of the Legal Market in Europe Time for change — insights into environmental, social and governance Identifying opportunities and embracing challenges for small UK law firms What is legal project management maturity? The Hearing: Episode 81 – Stanley Litow (P-TECH) A new framework for client engagement: Access, Awareness, and Action