A December 12 article in Fortune Magazine titled “Cyber Espionage Is Reaching Crisis Levels” begins, inauspiciously:
“Trade secret theft costs companies billions of dollars every year. Traditionally, these crimes took the form of bribing, dumpster-diving or, as in one famous case, aerial photography. These days, industrial espionage has gone digital, introducing new threats and magnifying the impact of established techniques.”
The article was authored by a corporate partner at the law firm Cravath, Swaine & Moore, which represents some of the largest corporations and financial institutions in the world, and, as the Wall Street Journal reported this morning, was recently the victim along with Weil Gotshal & Manges of high-profile cyberattacks by hackers apparently seeking intel for the purposes of insider trading. Weil, for its part, houses its own Cybersecurity group, which attests to drawing on “best-in-class corporate governance… and technology practices.”
These ironies are not highlighted to shame either firm, which are widely regarded as among the best in the world. But they do underscore the fact that even the premier law firms who routinely handle the most sensitive IP, trade secrets and business information in the world are vulnerable — perhaps the most vulnerable, given their prominence — to data breach. Their specialty is law. Not cybersecurity.
To that end, the Wall Street Journal article, which has lit the legal blogosphere abuzz, should come as a surprise to no one. The security failings of law firms and legal providers in general have been widely known for some time. The New York Times reported early last year that the security company Mandiant was advising no fewer than half a dozen law firms who had been victims of data breach. Also around that time was the publication of a high profile report by Citigroup that took law firms to task for their “high risk for cyberintrusions” and stated they would “continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications.” The FBI has been pressing law firms to bolster security since 2011.
That law firms are bullseyes for cybercriminals should go without saying. The topic has been covered ad nauseam in this very space. Perhaps the only thing unusual about today’s report is that it was reported at all. Generally, due to restrictive confidentiality codes and the absence of formal disclosure requirements within the legal industry, law firm breaches only come to light anecdotally and cloaked in anonymity.
What has been less discussed is the fact that within the domain of litigation, investigations, M&A, and all the other delicate legal activities law firms and other service providers are entrusted to carry out, eDiscovery is perhaps the most at risk to the kind of intrusion the Journal article describes.
As many legal professionals and corporate clients have experienced, eDiscovery is the increasingly fraught and complex process by which parties gather, review, and exchange sensitive information for evidentiary purposes. As law firms and vendors are often tasked with executing these tasks, they essentially act as clearinghouses for all of their clients’ most valuable assets — from trade secrets, to IP, to details of the most furtive business dealings and private exchanges.
Given the explosion of data volumes and the acceleration in complexity of types of data subject to legal discovery, much of which now is created and resides in the cloud, eDiscovery poses an ever-growing technical and security challenge for law firms and service providers.
It is a challenge they have by and large not met. eDiscovery is risky enough without the specter of cybercriminals. It is not uncommon, for example, for law firms and other handlers to expose client data to the public through so-called inadvertent disclosure, technology malfunctions, or simple technical error such as redaction failures. Apple found this out the hard way in its legal battles with Samsung.
The emergence of cybercrime only adds another, more menacing wrinkle to eDiscovery.
When we asked security expert Bruce Schneier if hackers increasingly targeted law firms, he responded: “Certainly it would make sense. You know that some of these cases have discovery with millions of documents, which are all being transported electronically. And, yes, that information would be a treasure trove for someone going after it.”
As Schneier also suggested, law firms are often easier targets than their clients, not just due to the concentration of data they handle from many clients, but because their security and technical expertise rarely matches that of the corporate heavyweights they service, many of which operate in highly regulated industries or are otherwise incentivized to put a premium on data security due to the nature of their business (cloud services, for instance). Law firms are operated by attorneys, not technicians, and their investment in security rarely goes beyond outsourcing the security function itself to legal technology providers who themselves often lack adequate protocols.
It can be argued that the potential targets for cybercriminals are only getting bigger and more valuable, as some law firms have increasingly moved to store client data within their own walls. A recent survey by HBR Consulting reported that 71% of large law firms are continuing to invest in internal eDiscovery processing capabilities. The vast majority of that spending funds on-premise solutions and storage capacity, the security and maintenance for which the law firms themselves are responsible.
But where client data is perhaps most vulnerable is when it is transit — for instance, moving from the client to the law firm, and from the law firm to the vendor, which is a common eDiscovery workflow. Data transfer generally occurs over insecure connections, such as email and FTP. Shipping of physical media, such as hard drives, and sharing of public links to file-sharing services to which discovery data has been uploaded, is also not uncommon. Use of SSL encryption is rare in law firms. Encrypting data at rest is almost unheard of.
It is unclear whether the attacks on Cravath and Weil Gotshal targeted discovery data, or whether they were even successful. What is beyond debate at this point is that corporate clients and others entrusting law firms and legal services vendors to handle eDiscovery will be fertile hunting ground for hackers in the days and years to come, if they aren’t already.
To learn more about how you can secure your discovery data with Discovery Automation, download the Logikcull whitepaper below.