Investigators predicted Cravath hacking in 2012

Lest the recent admissions from Cravath, Swaine & Moore and Weil Gotshal that they’d suffered data breaches from hackers apparently seeking intel for the purposes of insider trading come as a surprise, consider a Wall Street Journal article from June 2012 titled “Lawyers Get Vigilant on Cybersecurity.”

The article’s primary subject is Eric Friedberg, the former federal prosecutor who heads the high-profile investigative firm, Stroz Friedberg. According to Journal reporter Jennifer Smith, Friedberg predicted that:

“For hackers bent on insider trading, targets could include lawyers at top law firms that handle mergers and acquisitions, such as Cravath, Swaine & Moore LLP, Skadden, Arps, Slate, Meagher & Flom LLP or Davis Polk & Wardwell LLP.”

The article goes on to say that, according to law enforcement officials, law firms are increasingly the targets of sophisticated cyberattacks aimed at gaining access to sensitive client information. Firms, it continues, may generally be unaware of the intrusion until law enforcement “shows up on their doorstep.”

Again, this was nearly four years ago!

Has anything changed since then (aside, of course, from the increasingly feigned “shock” observers muster in condemning firms that clearly don’t seem to care)?

Cravath and Weil was deja vu all over again — all the way down to the calls for the bar to impose stricter obligations. From the Journal article:

“[I]nternal vigilance could soon become a professional duty for lawyers. A handful of bar associations across the country have told their members that keeping up with technology and taking reasonable steps to protect client information from being stolen are part of lawyers’ ethical obligations.”

And have you heard this one before?

“Law firms are stepping up programs to educate lawyers and staff on the potential pitfalls of complacency and teach strategies to ensure confidential information stays that way.”

Clearly the reported cases of data breach since JUNE 26, 2012 have done little to stir most firms from their slumbers. Maybe that’s because, unlike with breaches at Sony, Target, Home Depot and many other major corporations, the material harm to the law firm clients, if any, has been hard to discern. Victims almost always play down the impact of the breach, and it is unclear how forthcoming these firms are when disclosing the breaches to their clients.

If these conversations unfold as they do through media statements, then they likely go something like: We regret to inform you that hackers stole most of your sensitive business secrets. But stay cool. We’re not aware that any of the data that may have been accessed was used improperly. 

And really, how could a firm be aware? Awareness does not seem to be a strong suit.

Thus far, the response, reaction and fallout from the Cravath and Weil admissions have just been more of the same. But in this age, it seems like only a matter of time before a high-profile firm guarding the secret sauce of a mega-client has that trove stolen and strewn indiscriminately across the internet. What hell would break loose if iPhone source code was published on Reddit?

Maybe then law firms and their corporate clients would get serious about security.
