Cyber Attacks Upend Attorney-Client Privilege

Security experts say law firms are perfect targets for hackers
Illustration: Dan Woodger

“Dear Clients,” began the letter that law firm Ziprick & Cramer sent out in late February. “It is almost a daily occurrence that we read about cyber attacks in the news. Unfortunately, on or around January 25, 2015, our firm was the victim of a single cyber attack, by a relatively new variant of a Cryptolocker-type virus.” Cryptolocker is a kind of ransomware used to encrypt files so they’re unreadable; hackers then demand money to restore the data.

A security breach is one of the last things a lawyer wants to admit to a client. But the small firm in Redlands, Calif., faced it head-on, reporting the attack to the FBI and calling on its IT specialist to assess the damage and install safeguards to thwart future attacks. Partner Robert Ziprick says clients have been sympathetic and understand hacking is a problem for lots of businesses. “A lot of them are trying to figure it out, too,” he says.

Law firms of all sizes are vulnerable. Cybersecurity firm Mandiant says at least 80 of the 100 biggest firms in the country, by revenue, have been hacked since 2011. In 2012, Bloomberg reported that the large Washington firm Wiley Rein was targeted by hackers linked to China’s military in connection with a trade dispute it was handling for a maker of solar panels. McKenna Long & Aldridge lost Social Security numbers and other employee data last year when one of its vendors was targeted, the firm reported.

Since at least 2009, the FBI, the U.S. Secret Service, and other law enforcement agencies have warned the managing partners of big U.S. firms that their computer files are targets for cyberspies and thieves in China, Russia, and other countries, including the U.S., looking for valuable information about potential corporate mergers, patent and trade secrets, litigation plans, and more. “If you’re a major law firm, it’s safe to say that you’ve either already been a victim, currently are a victim, or will be a victim,” says Chad Pinson, a managing director at Stroz Friedberg, a New York-based cybersecurity firm. “The question is, what are you doing to mitigate it?”

Pinson and other providers of cybersecurity services say law firms aren’t doing nearly enough. But that’s changing as firms come under pressure from clients to bolster defenses. Many Wall Street banks, including Bank of America and Merrill Lynch, typically require law firms to fill out up to 20-page questionnaires about their threat detection and network security systems. Some clients are even sending their own security auditors into firms for interviews and inspections.

Scott Angelo, chief information officer at law firm K&L Gates, says client scrutiny is helping to “move the needle” on cybersecurity across the industry. “Firms that are serious about their business are all taking it seriously,” he says. His firm recently enhanced its security measures and has two full-time staffers who spend most of their workday monitoring the network for potential threats and testing its defenses. Angelo regularly hires consultants to run “white hat hacking exercises”—tests that simulate real attacks to try to identify vulnerabilities. Protecting the firm doesn’t come cheap. “If you’re not spending seven figures on security,” he says, “you’re not spending enough.”

Some law firms have brought in consultants to help them upgrade security policies and systems and then certify that their networks are safe. At Shook, Hardy & Bacon, CIO John Anderson says his IT team recently spent 18 months and $60,000 to obtain ISO/IEC 27001 certification, a sort of Good Housekeeping seal for compliance with globally recognized security standards. The firm now promotes the certification in marketing materials and client pitches, he says.

Rival law firms are even banding together to address the problem. An alliance of leading firms in New York and London—including Linklaters; Paul, Weiss, Rifkind, Wharton & Garrison; and Sullivan & Cromwell—will share information about threats and work with financial institutions to devise best practices for the legal industry. “No one entity has the complete picture,” says Carl Leonard, an analyst in London with Websense, a security consulting firm in Austin, Texas. “When these groups are willing to come together, that really talks to the difficulty that they’re having protecting their data.”

To mitigate potential damage, some firms are buying cyberinsurance in the event of a major data breach. The market is relatively small, but more firms are asking for quotes and demand is picking up, says James Rhyner, a vice president at Chubb, which offers such plans.

Even the most sophisticated security systems will never be completely hackerproof, says Shane McGee, chief privacy officer at Mandiant parent company FireEye, especially if the hackers are backed by a foreign government. “When you’re dealing with state actors, if they want in, they’re going to get in.”

The bottom line: Client pressure and scrutiny are forcing law firms to beef up their cyber defenses.
