About four years ago, on this very blog, we published a post entitled: Law firms' inability to protect client data is a national security concern. Scaremongering? Some said so.
But on the heels of reports in the Wall Street Journal and Fortune that Chinese state actors had hacked the email accounts of multiple Big Law partners, it would’ve been tough in the moment to mount an opposing argument.
In that instance, cybercriminals methodically siphoned valuable business intelligence an email per hour to external servers. And while the victim firm said that the breach was “limited” and that it was not aware that any of the accessed information had been used improperly, it also didn’t realize the breach had even occurred until day 93 of the ongoing attack.
So believe what you will.
In the spirit of “told you so,” but also in the spirit of “please, just listen this once,” we call your attention to the many, many high-profile attacks in the intervening years that have brought law firms of all sizes and their dumbstruck clients to crippled halts.
There was the ominous “Dark Overlord” attack last January that targeted New York-based firms dealing with 9/11 litigation, which followed the DLA Piper ransomware hit that brought that global law firm to its knees for days. Jenner & Block accidentally exposed social security numbers and tax information of more than 800 employees in a February 2017 incident that went unreported until October of last year. And the offshore firm Appleby admitted a breach in the fall of 2017 after the Consortium of Investigative Journalists revealed it had suffered what amounts to Panama Papers Lite.
Then all these one-offs were put in context by a startling finding by the ABA that nearly a quarter of all firms had experienced a cyberattack or breach in 2018, up from 14% two years before—mind-boggling numbers that at least one deep-pocketed insurance company took note of. And on the heels of that came a report six months ago by Law.com that found 100 more firms had been compromised, though few if any of these events had been reported in the media.
Then the calendar turned to 2020 and all hell broke loose.
Today, the actors know where to look—in discovery databases—and their means are more efficient than ever. The latest example of such a collective is Maze, the online terror that is seemingly holding law firm data—including discovery files—hostage at random, threatening to spill stolen client information onto the internet if hefty ransoms aren’t paid. And doing it anyway even if they are. “Introduce a little anarchy. Upset the established order, and everything becomes chaos. I'm an agent of chaos,” their actions seem to say.
As we wrote last week, with a Maze attack, data isn’t just encrypted as is common with run-of-the-mill ransomware. It’s in fact stolen first and then parceled out a bit at a time like a cut-up hostage until the victim pays multiple 7-figure sums. How a subject of attack can even muster that much cash in such a short period is a logistical nightmare for another post.
“From the perspective of hackers, exactly because lawyers handle such valuable and sensitive information belonging to clients, law firms become a one-stop shop,” Eli Wald, an attorney and ethics professor at Denver University’s Sturm College of Law, told us several years ago, when things looked comparatively rosy. “If lawyers knew more about cybersecurity, they would be less confident in their own infrastructures.”
We had initially reached out to Wald to assess the impact on professional obligations and standards of care that a data breach may pose, and now those chickens, too, are coming home to roost. Just weeks ago, a federal court in Washington, D.C., ruled that a malpractice suit brought by a Chinese dissident against an AmLaw 100 firm for failure to protect his personal data against hackers may go forward.
“Unfortunately for all parties involved, Plaintiff’s warnings of a cyber attack... proved prescient,” reads the February 20 opinion. “[T]he firm’s computer system was ‘hacked’... ‘apparently without great difficulty.’”
And, of course, service providers are not immune either—as the “but for the grace of God go I” events of last week made starkly clear—though they are at least in the business of technical expertise and, in theory, securing data.
To be clear, there’s much to lose here. On the one side, corporate clients, many of whom are gleefully unaware that the outside lawyers to whom they trust their deepest business confidences are generally unfit to keep them, are letting their most sensitive assets hang in the wind.
And on the other are their law firms, some of which already realize that they’re ill-equipped to handle highly technical matters of data security, but are unwilling to break from standard operating procedure or forfeit the profits that might entail.
In both camps are exceptions. We work with them and pick their brains. We ask them, before we fire flare guns like this, if they think we’re going too far or are overreacting, or if the warning signs that seem to be appearing at an alarming rate are not warning signs at all.
No. They know what’s at stake—professional livelihoods, corporate empires, the potential to embarrass and expose clients—and are taking the appropriate steps to guard against disaster.
It’s a simple question: Where is my data? If you don’t know the answer for dead certain, it’s time to cry for help. Because you sure as hell need it.