SECURING THE LAW FIRM
25th January 2024
Hackers turn up the heat on the legal sector
This year has seen a slew of high-profile attacks around the world: what can we learn?
The cyber threat to the legal sector has increased so much that the UK’s NCSC this year released an updated version of its 2018 report on the cyber threat to law firms. The update follows a string of law firm data breaches reported in the past 12 months, most of them outside the UK, but all with lessons for everyone.
Firms including Kirkland & Ellis, K&L Gates and Proskauer Rose lost data through breaches, while Gibson Dunn & Crutcher and Loeb & Loeb also reported system breaches.
Proskauer Rose was hacked via a third-party cloud vendor, while an attack on Bryan Cave Leighton Paisner exposed the personal data of more than 50,000 current and former employees of food company Mondelēz International – illustrating the extent to which law firms represent a key third-party risk to the world’s largest companies, including systemically important entities such as banks.
And an attack on Cadwalader, Wickersham & Taft, the oldest continuously operating legal practice in the United States, put the personal information of over 90,000 clients at risk.
These breach reports across several large law firms have come alongside increased attention from national security agencies, with both the UK’s GCHQ and France’s ANSSI recently releasing reports of cyber-attackers targeting the legal sector.
As well as the obvious damage to their clients and to their reputations, data and systems breaches also expose law firms to litigation themselves.
At least five class action suits have been filed against law firms mentioned above, with plaintiffs claiming variously that they didn’t sufficiently guard against the possibility of cyberattacks or that they failed to make timely disclosures to the ultimate owners of the data.
So, are law firms learning lessons? Well, there are concerning signs that they are not.
First, as the class action suits suggest, firms seem not to be taking sufficient precautions and are dragging their feet on disclosure. When they do disclose, they often refuse to give any details of the attacks.
And in at least one case, a firm is even refusing to disclose to a regulator the extent to which a breach has harmed its clients. The Securities & Exchange Commission went to court in January to enforce a subpoena against Covington & Burling over a 2020 hack that may have resulted in client data being stolen. The firm claims client confidentiality stops it from revealing the facts, and 83 US law firms are backing it in its fight.
None of this seems consistent with the idea that information sharing is key to defeating the hackers. And secrecy only adds to the impression that not enough is being done at some firms to prevent this kind of data loss.
It’s not just the US. Australian commercial law firm HWL Ebsworth recently fell victim to a ransomware attack, with Russian-linked hackers claiming to have obtained 4TB of client information and employee data, including employee CVs, IDs, financial reports, accounting data, client documentation, credit card information, and a complete network map.
So, what can law firms do better? What are the key challenges? And where are the key problems?