This article was originally published on December 9, 2016, in the wake of headline-making cyberattacks on some of the nation’s most prestigious law firms. Given the recent wave of cybersecurity incidents in the legal industry, we’re republishing the piece again today. After more than three years, the risks it identifies have only grown more urgent—and more perilous.
Bad news for some Big Law clients: those emails partners are charging $800 an hour to draft are also finding their way into foreign intelligence apparatuses.
If there was ever a question that law firm data security, in its sad state, is a national security issue, yesterday's startling exposé by Fortune drove that home. While it had been widely reported that a handful of top U.S. firms, including Cravath Swaine & Moore and Weil Gotshal & Manges, suffered data breaches in 2015, the extent of those hacks and their ramifications are only now coming to light.
According to Fortune, cybercriminals apparently working on behalf of the Chinese government broke into law firm email servers and relayed potentially hundreds of thousands of messages of several firm partners as they were sent. In the case of one firm, the attack appears to have transpired over the course of 94 days beginning in March of last year, when hackers would steal email in one-hour increments before leaving firm systems and later returning. It is not clear from the Fortune report which firm was compromised, or if more than one firm suffered the type of protracted attack described. It is also uncertain if either Cravath or Weil, which had been the focus of an earlier Wall Street Journal story, was the subject of the Fortune account, though that is the implication the article drew.
Regardless, it is not a great leap of faith to think that the emails at issue included potentially sensitive information pertaining to discreet business deals, corporate secrets and intellectual property. In fact, it is more than likely. At least some of the attorneys whose emails were intercepted were members of their respective firms' IP and M&A groups, according to Fortune.
Law firms have been notoriously close-lipped about data breach, and generally don't report them at all. To that end, Cravath had said, when the story emerged last fall, that the breach was limited and that it was not aware that any of the information that had been accessed had been used improperly.
Yesterday's revelations cast doubt on accounts such as these, painting a picture instead of a sustained intrusion that went on for months without the firms' knowledge.
Cravath and Weil Gotshal, among the most highly regarded corporate law firms in the world, represent the creme de la creme of US industry. Weil's clientele alone includes Apple, Proctor & Gamble, Exxon Mobile, General Electric, CISCO, Bank of America, UnitedHealth, and Verizon, just to name a few. Together, these two firms along with a half-dozen of their peers have their hooks in, for all intents and purposes, almost every major corporation in the United States -- and hold the keys that unlock sensitive business secrets underpinning the U.S. economy.
Given their reputations, Big Law firms and others are widely assumed to be, if not leaders in security, at least safe havens for client data. But nothing could be further from the truth. Law firms are, instead, a one-stop shop for pillaging high-value information, as experts have pointed out. In an interview with Logikcull in July, Eli Wald, a former Big Law attorney who now teaches cyber-ethics at the University of Denver School of Law, explained it this way:
Suppose one hacker could target a client — perhaps a large, Fortune 500 company. Even if the hacker can succeed into hacking into the systems of the client, there might be vast amounts of information, significant components of which could be useless and worthless to the hacker... Law firms, by the very nature of the services they provide, only hold, maintain and handle the very valuable information. Hacking a law firm, then, is much more efficient than hacking the client itself.
Confirming the worst fears of many, the "Panama Papers" attack cast this academic hypothesis as real-world, front-page news, and with global consequences. Last year's breach of the large Panamanian law firm resulted in what Edward Snowden called the greatest breach in the history of data journalism and went far in airing the illicit dealings of many of the firm's high-profile clients, including world leaders.
As we wrote when news of the Cravath and Weil breaches surfaced, e-discovery is the next frontier for cybercrime, whether its perpetrators know it now or not. Whereas hackers may lay in wait for days or months on end to intercept sensitive messages from a firm's internal systems, discovery, as is its nature, pulls all that material together quickly, often hastily, and in confined cyberspace. The law firms and vendors tasked with executing this process, then, act as clearinghouses for all of their clients' most valuable information, and, in fact, confidential material is only removed from the discovery process after it is identified by the databases into which it is corralled. Often, the tools themselves lack the security safeguards to keep out intruders and, by and large, do not encrypt data that is stored at rest.
But the changing of hands from client to law firm to vendor and back, not to mention the disclosure of these materials to opposing parties once they've been reviewed, presents perhaps the biggest opportunity for cybercriminals, who can pick off this data in the clear. Given the proliferation of information volumes and the acceleration in the complexity of types of data subject to legal discovery, much of which is now created and resides in the cloud, the security problem for law firms and their partners only grows more dire. The rise of cybercrime adds an urgent new wrinkle.
Data security is one of the main reasons Logikcull exists. You can read a letter from our CEO addressing law firm data breaches here.
