Frustrating Law Firms: Face Up To Hacking Threats

Regulators and corporates are frustrated by the law profession’s unwillingness to acknowledge the problems they face with hacking issues.

A hacked database of clients that results in the theft of client information is a major concern, but it is something that law firms have generally hidden.

The NY Times Dealbook reports that frustration bubbled over in a recent internal report from Citigroup’s cyberintelligence center that warned bank employees of the threat of attacks on the networks and websites of big law firms.

“Due to the reluctance of most law firms to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general in the legal industry, it is not possible to determine whether cyberattacks against law firms are on the rise,” according to the report, a copy of which was reviewed by The New York Times.

The report, issued last month, said it was reasonable to expect law firms to be targets of attacks by foreign governments and hackers because they are repositories for confidential data on corporate deals and business strategies. The report said bank employees should be mindful that digital security at many law firms, despite improvements, generally remains below the standards for other industries.

It said law firms were at “high risk for cyberintrusions” and would “continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications.”

The bank’s security team also highlighted several ways hackers had intruded on law firms, by directly breaching their systems, attacking their websites or using their names in so-called phishing efforts to trick people into disclosing personal information.

The Citigroup team issued the report as other Wall Street banks are putting pressure on the legal profession to do more to prevent the theft of confidential client information. For nearly a year, banks and law firms have talked about forging a closer partnership to share some information about hacking incidents. Banks are also demanding more documentation from law firms about online security measures as a condition of retaining them for assignments.

In the last several months, Mandiant, the security firm that is a division of the security consultant FireEye, has been advising a half-dozen unidentified law firms that were victims of a breach or other attack, said a person briefed on the matter who spoke on the condition of anonymity.

Federal law enforcement authorities are urging law firms to be more open about reporting incidents. Agents with the Federal Bureau of Investigation have met with law firm leaders in the last few years to discuss online security. Top federal prosecutors at the Justice Department have begun to do the same.

Read more here
[table id=9 /]