Blog & Tools

Immunity from hacking has not been granted to law firms

Law Firms & Cybersecurity

National news reports last spring indicated that some of the nation’s most prestigious law firms had been hacked. The victims included Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, which are prominent firms that represent Wall Street banks and other large companies.

Speculation at the time was that hackers might have been looking for confidential information that they could use to make money through insider trading.

It wasn’t surprising that hackers had gone after another data-rich industry. National retailers, financial services and health care services are among the other prominent American businesses hackers have targeted.

Law firms are a different kind of target, though. They accumulate information about legal disputes and regulatory plans more than consumer credit card and Social Security numbers.

Law firms realize they are not immune from attack. Last year the industry formed the Legal Services Information Sharing & Analysis Organization, which was modeled after an organization that helps the financial-services industry. Members share and evaluate information about cyber threats and alert other members to credible threats.

As the Wall Street Journal said last spring in reporting the cyberattacks on firms with big-business clients, hacking tools and hackers for hire are proliferating.

“The attacks on law firms appear to show thieves scouring the digital landscape for more sophisticated types of information. Law firms are attractive targets because they hold trade secrets and other sensitive information about corporate clients, including details about undisclosed mergers and acquisitions that could be stolen for insider trading,” the Journal reported.

Big law firms that serve well-to-do clients seem like inviting targets for hackers. But judging from the experiences of other industries, bigger targets aren’t necessarily hackers’ first choice. In some instances hackers prefer smaller businesses because they might lack the resources to employ a well-trained staff to help implement and maintain a good security strategy.

Not all hackers are after data, of course. Some try to make money through extortion by infecting business and personal networks with ransomware, a form of malware. Hackers use ransomware to make computer files unreadable or block legitimate users from accessing information. Then, the hackers demand payment in untraceable online currency to free the information.

With more than two dozen law firms, Sioux Falls has plenty of potential targets. Local law firms – some of them anyway – are aware of the challenge.

“We do have a lot of sensitive information, and we take that (cybersecurity) very seriously. Data security is a very important thing for us,” said Douglas Hajek, a partner at Davenport Evans Hurwitz & Smith LLP, one of the biggest law firms in Sioux Falls and the state. The firm employs 33 lawyers.

Other staffers at Davenport Evans include a full-time IT professional “who keeps the motors running and the network up,” said Mitch Peterson, another partner at Davenport Evans. He says the IT pro also helps keep the other staff members up to date on cyber threats.

The use of electronic files vs. paper files varies from one lawyer to the next. Peterson considers himself among the firm’s heaviest users of electronic options.

He recognizes the importance for firms of size to dedicate the appropriate resources to cybersecurity while smaller firms might have to contract with outside services. Either way, Peterson points to two primary reasons law firms need to be secure:

  1. Client information must be protected.
  2. Losing data costs a firm money.

Davenport Evans uses products such as firewalls, spam filters, protective software and a Virtual Private Network to protect its network and electronic information. Employees also change their passwords regularly.

A special feature on employees’ mobile phones is worth noting. Smartphones time out after a relatively short period of inactivity, Peterson said. That helps protect the company’s network in case someone’s phone is lost or stolen.

Law firms that haven’t stepped up their cybersecurity practices might want to remind themselves of the unpleasant experience of firms such as Cravath Swaine and Weil Gotshal.

SDN Communications is the leading regional provider of broadband connectivity and cybersecurity services to businesses and institutions in the Sioux Falls region.