Please ensure Javascript is enabled for purposes of website accessibility
(Photo illustration by Maximilian Franz)

Targeting law firms

Data breaches don’t just affect retailers and banks. Most big law firms have been hacked, too.

While cybercrime has plagued U.S.-based law firms quietly for close to a decade, the frequency of attempts and attacks has been increasing substantially. Numbers aren’t available, since unlike hacking at financial institutions, law firms have no legal obligations to disclose cybercrimes to the public.

But experts say that these crimes have increased, particularly at firms whose practices involve government contracts or mergers and acquisitions, especially when non-U.S. companies or countries are involved.

“Hackers use third parties like law firms or accounting firms as vehicles into major companies and corporations,” said Matthew A. S. Esworthy, a partner at Shapiro, Sher, Guinot & Sandler in Baltimore and a member of the American Bar Association’s Cybersecurity Legal Task Force. “They’re being used as an unwitting vehicle to get in there, and sometimes they don’t even need to go beyond the firms, because the firms have all of this sensitive information.”

While Cisco Systems Inc. ranks law firms as the seventh most-vulnerable industry to “malware encounters” in its 2015 “Annual Security Report,” other statistics are more striking.

At least 80 percent of the biggest 100 law firms have had some sort of breach, Peter Tyrrell, the chief operating officer of Digital Guardian, a data security software company, said in a telephone interview.

Stewart Baker, a partner at Steptoe & Johnson LLP, said Wednesday the number may be even higher. In an interview this week he recounted what an agent from the Federal Bureau of Investigation told him: Virtually all of the biggest firms have faced some sort of data breach.

That may not be the case for smaller firms, however. William W. “Bill” Carrier III, managing partner at Tydings & Rosenberg LLP in Baltimore, said the mid-size firm has not had any problems with its data security, and has taken measures to protect both electronic and hard copies of documents.

“We have firewalls and passwords — stringent password requirements,” he said. “A lot of it is ethical consideration-driven; a lot of it is client-driven. Some of it has to do with statutes and other laws like HIPAA. My sense is that law firms are pretty sophisticated places, maybe not as sophisticated as financial institutions, but I think we all have a keen appreciation of the risks, and I know we have to be proactive to stop it.”

Because lawyers are bound to keep client information confidential, Carrier said, the firm is “very, very concerned” about keeping its information private.

“I don’t know whether intensification of the efforts is an indication of increased sophistication or just increased focus, but for us, so far so good,” he said.

According to Richard Bejtlich, the chief security strategist of data-security company FireEye Inc., law firms’ susceptibility grew as hackers became more adept. The biggest increase, he said in an interview last week, comes from hackers hired by foreign nations, especially China.

“If you’re doing business in China or representing clients in China, you will get hacked,” he said. “And they’re not just stealing intellectual property for reproduction. They’re interested in mergers and acquisitions as well. It’s the way they conduct due diligence.”

After all, Bejtlich said, “what better way to negotiate than to have access to redlined documents from the other side?”

Five members of the People’s Liberation Army of China were indicted in May on charges that they had hacked into computers at six companies, including Alcoa, U.S. Steel and Westinghouse, to get at confidential information.

No law firms were listed as victims of those attacks, although the indictment alluded to the interception of privileged attorney-client communications. However, Wiley Rein LLP, which represented SolarWorld, one of the companies named as a target, was itself hacked around the time SolarWorld’s computers were compromised, Bloomberg’s Michael Riley and Dune Lawrence reported in 2012. Firm spokeswoman Patricia O’Connell declined Tuesday to comment on the breach.

Some large firms haven’t had their systems breached. Emily Yinger, the managing partner of the Washington-area offices of Hogan Lovells LLP, said her firm has been spared, although she noted that “we constantly intercept attacks.”

The problems stem from the hapless lawyer who clicks on a fake e-mail purporting to be from the U.S. Postal Service to much more intricate, pervasive breaches.

Baker, for example, said he personally faced one a few years ago when a hacker impersonated him, setting up a Yahoo account under his name and e-mailing lawyers at Steptoe with a link to a report that was similar to documents he had sent. But his firm was lucky — only one person clicked and “the link didn’t take,” he said.

As attacks have increased in recent years, the FBI has provided outreach, Baker and other lawyers said. And firms are receptive as law firm leaders and chief information officers attempt to understand the severity and complexity of the problem.

“Law firms are being targeted, and the scary thing is that half the time, they don’t even know it, and when it’s discovered, it’s often too late — the damage is done,” Esworthy said. “There’s a growing body of law that is encouraging small businesses, including law firms, to be prepared and take some steps to protect this information.”

Daily Record reporter Lauren Kirkwood contributed to this article.