Reports on Wednesday that both Weil Gotshal & Manges and Cravath, Swaine & Moore, as well as other firms, have suffered data breaches in recent months put new attention on the potential consequences for law firms with lax security.
“We’ve been saying for a long time that law firms are major targets,” said Jay Edelson, founder of Edelson, a plaintiff’s side class-action firm that focuses on privacy-related suits.
Edelson said his firm has conducted a year-long investigation and identified 15 major law firms with inadequate cybersecurity. It is planning to file a series of class-action lawsuits against the firms that will seek injunctive relief on behalf of all clientele and lay out specific preventive steps necessary to harden their security systems.
He declined to name the law firms or specific claims, but said he already has a handful of corporate clients who are concerned that outside counsel are not protecting their sensitive data — such as trade secrets, business processes and financial information — and are ready to file suit to trigger better practices.
Many of the law firms have “impressive” policies in place, but the policies are not enforced, so partners often email sensitive information from personal email accounts, use public Wi-Fi at coffee shops and take other risks, he said.
“What our investigation has shown is that many law firms have had breaches, which they’ve kept quiet,” Edelson said.
He added, “Our view is [law firms] clearly have a legal duty to send out breach notification letters, and to the extent they’re declining to even state whether they did that, that is incredible.”
Both Cravath and Weil declined to answer questions about whether they have sent out breach notification letters. Cravath confirmed the breach but declined to answer any questions; and Weil initially forwarded calls to the firm’s general counsel Mindy Spector, but then used a spokeswoman to decline comment.
The Wall Street Journal reported that Weil and Cravath, as well as other unnamed law firms, suffered data breaches and that federal prosecutors in Manhattan are investigating whether hackers used any stolen information for insider trading purposes, citing “a person familiar with the matter.” It follows other reports in recent weeks that law firms are in the crosshairs of hackers.
Earlier this month, Big Law Business reported that the FBI issued an alert after agents discovered a post on an undisclosed “cyber criminal forum,” in which someone was seeking to hire hackers to break into international law firms’ computer networks and harvest data for an insider trading scheme. The threat detection company Flashpoint Security also issued a client alert in February, obtained by Big Law Business, which described a character named “Oleras” who wanted to harvest data from law firms for insider trading, and provided a spreadsheet with a list of 48 law firms including both Weil and Cravath.
Lawyers who work in the cybersecurity space said many other major law firms have suffered data breaches, but those have not reached the public.
“Undoubtedly, there are many examples of law firm compromises that have gone underreported, including at big firms,” said Joe DeMarco, of DeVore & DeMarco. “I’ve been involved in others that have not been public. I can’t go into details obviously.”
DeMarco, the former head of the cyber crime division of the U.S. Attorney’s Office in Manhattan, said there have been other federal criminal investigations in response to a law firm breach, but those were either under seal or never reached an indictment stage.
The incident underscores the fact that professional service firms, whether law, accounting or consulting firms, are all aggregating data of significant value, which provides “one-stop shopping” for many companies’ sensitive data and makes them attractive targets. In March 2015, the New York Times reported on an internal Citigroup report that warned of law firms’ vulnerability.
One lawyer at a major firm, who requested anonymity, said the reports about law firms being more vulnerable than other companies are unfair. “Frankly, clients get hacked all the time,” he said, adding that his firm has completely revamped its practices in recent years. Passwords are changed on a regular basis and the banks audit their practice, the lawyer said.
David Siegal, a Haynes & Boone partner and former federal prosecutor who worked on cyber crimes, said law firms understand that they need to maintain their clients’ confidence to stay viable as a business, which provides strong incentives to protect data.
“Law firms take the threat of cyber attack and intrusion very seriously, and they have to these days — it’s an enterprise risk not to,” said Siegal.
In its statement, Cravath downplayed the impact of its breach:
“Last summer, the Firm identified a limited breach of its IT systems. We have worked closely with law enforcement authorities who have jurisdiction over this matter, and we are not aware that any of the information that may have been accessed has been used improperly. Upon identifying the incident we immediately supplemented our IT security measures with the assistance of additional outside security consultants.
Client confidentiality is sacrosanct. We continually invest in state-of-the-art systems and procedures and work with clients and security firms to assess the strength of our protections. We will continue to work to ensure our systems are best in class.”
Chris Pogue, senior vice president of cyber threat analysis at Nuix, a data processing vendor, said his firm works with many major law firms, some of which have in his view inadequate security. Pogue attributed that laxity to the lack of regulatory oversight.
He also took issue with Cravath’s response.
“When someone gets breached they always overstate the complexity of the attack and then understate the impact,” said Pogue. “That’s kind of textbook.”