Major U.S. law firms have become more vigilant in recent years about the risks of cyberattacks, but revelations this week of a major hack on two New York firms are a reminder that the industry remains vulnerable.
The Manhattan U.S. attorney’s office unsealed a criminal indictment Tuesday against three Chinese men accused of using stolen law-firm employees’ credentials to access troves of internal emails at two law firms. The men, according to prosecutors, used details they obtained in law-firm partner emails about pending deals to make more than $4 million in illegal stock trades.
Legal-industry experts say law firms often lag behind corporate clients in data-security measures, even though they are entrusted with valuable trade secrets, market-moving deal news and other sensitive information that is attractive to hackers.
The reason behind the gap is twofold: Lawyers have only felt the threat recently, and law firms traditionally lag behind other industries in trying to become more efficient through technology, largely because they bill their services based on time.
“Law firms aren’t necessarily committed to things that don’t make them money per se,” said Neil Watkins, the senior vice president of security, risk, compliance, and privacy at legal-services company Epiq Systems. Mr. Watkins said law firms are at least three years behind what’s become the standard for data security in finance and other industries, though he says awareness is improving.
Starting a few years ago, large banks began requiring their top law firms to undergo data-security audits and meet stringent standards.
That level of scrutiny is now being applied by other sectors. Marsh & McLennan Cos. general counsel Peter Beshar said that in recent months, he’s begun requiring his top 10 outside law firms to meet six cybersecurity standards, including using encrypted transmissions when sending messages externally, having detailed incident-response plans and securing $5 million in cybersecurity insurance coverage.
To help stay ahead of a breach, law firms have formed an information-sharing group to learn about new potential threats and system weaknesses from each other and from government agencies. The group, which so far counts more than 100 firms, helped disseminate information on a potential threat a few months ago and thwarted a hack, said Bill Nelson, chief executive officer of the Financial Services Information Sharing and Analysis Center, which oversees the legal group and similar entities that focus on other industries.
Los Angeles family-law lawyer Stacy Phillips said the need to protect the personal information of her clients was at the top of her mind earlier this year when she merged her boutique law firm into Blank Rome LLP, a 600-lawyer firm based in Philadelphia. Investing in adequate data-security technology was becoming “prohibitively expensive” at the smaller firm, she said. “It was very much a stress,” she added.
Now at Blank Rome, she said the matrimonial practice, which holds extremely private information from client divorces and custody battles, has a double layer of security to ensure no one else at the firm can access their files.
As read in the Wall Street Journal
Written by Sara Randazzo