Unprepared law firms vulnerable to hackers
Computer hackers are targeting top international law firms, including Pittsburgh-based K&L Gates, to steal intellectual property data and trade secrets, the Tribune-Review found.
Cyber criminals stepped up attacks against lawyers to get around defenses set up by their corporate clients, who became more protective of their computer systems, legal and cybersecurity experts said.
Too often, law firms do not employ the same high level of cybersecurity precautions that many major corporations practice, experts told the Trib. In addition, experts said these hackers increasingly work on behalf of foreign governments — or at least with their implicit protection.
With offices in Beijing, Moscow and nearly two dozen foreign cities, some of the biggest corporations in Pittsburgh and the world — Alcoa, Starbucks, Halliburton and Viacom among them — place their confidence and their trade secrets with K&L Gates. Its annual revenues top $1 billion.
A K&L Gates spokesman confirmed hackers “at times” attempt to infiltrate the company's information technology systems or introduce malware, as they do at other companies.
“As a global legal service provider, K&L Gates has in place highly advanced security and monitoring measures in connection with the firm's IT system,” spokesman Mike Rick told the Trib.
Rick declined to provide specific information about the law firm's cyber defenses, but he said K&L Gates determined that client information has not been “compromised or extracted from our IT system.”
Legal experts agree the risks are real and the stakes enormous for an industry built on trust.
“Law firms are a rich target,” said Patrick Fallon Jr., the FBI's assistant special agent in charge of the Pittsburgh field office. “They don't have the capabilities and the resources to protect themselves. Within their systems are a lot of the sensitive information from the corporations that they represent. And, therefore, it's a vulnerability that the bad guys are trying to exploit, and are exploiting.”
Federal prosecutors in Pittsburgh charged Chinese military hackers this year with stealing attorney-client communications from SolarWorld, an Oregon-based solar panel manufacturer.
Computer attacks on law firms happen every day, Fallon said, and the FBI warns attorneys about the threat.
Many law firms don't do enough to protect their computer systems, especially against an attack sponsored by a foreign government, agreed Thomas Hibarger, managing director of the Washington office of Stroz Friedberg, a global business intelligence, investigations and security risk management company based in New York.
“Protecting against state-sponsored hackers is a big undertaking, and many firms have not devoted adequate resources to address this threat,” Hibarger said. “Nation-state hackers are very, very sophisticated and targeted in their approach, and it is likely they will succeed.”
Chinks in the armor
Law firms must constantly look for signs of intrusions, said Timothy Brightbill, a partner at Wiley Rein, a Washington firm specializing in international trade disputes. Though the firm was hacked in 2011 and represents SolarWorld, he said the incidents were unrelated.
“We have to be extremely vigilant because these cases involve business proprietary information,” Brightbill said. “So we are constantly on guard. ... And oftentimes, we see the attempts as they're made and make sure they are unsuccessful.”
For corporate clients with strong computer defenses, a poorly prepared lawyer can be like an unlocked back door into an otherwise secure operation, said Vincent Polley, a lawyer in Bloomfield Hills, Mich., who co-wrote the American Bar Association's cybersecurity handbook.
Because of the high cost of cybersecurity and the hassle of protecting documents, firms often are reluctant to invest in necessary technology.
“Lawyers aren't technologically adept. They're not particularly interested in technology, and they're loath to spend the resources — both time and money — to harden data” protection, Polley said.
In the wrong hands
Too many law firms believe, mistakenly, that no one would want their clients' data, said Joseph DeMarco, former chief of the Manhattan U.S. Attorney's cybercrime unit office and now a partner at the New York law firm of DeVore & DeMarco.
There's actually a lively trade in stolen legal data. The information — corporate financial reports, “secret sauce” recipes for software, industrial designs and CEO emails — can end up for sale on anonymous black market websites, said Daniel Garrie, founding editor of the Journal of Law & Cyber Warfare, a peer-reviewed publication based in New York City.
It could end up in the hands of opposing counsel, business competitors or a foreign government. SolarWorld alleges in complaints filed with the Commerce Department that its stolen data benefited Chinese solar panel competitors.
“Law firms represent, in today's information security environment, the easiest and richest target to go after,” Garrie said.
Just as retailers became more aware of hackers when Target sustained a high-profile breach in December, lawyers might need to witness an enormous cyber theft at a top law firm before the industry gets more serious, insiders said.
“Law firms have no incentive to protect themselves from being attacked because, to date, there has been no meaningful financial impact to the law firms' bottom line,” Garrie said.
Silence of the lawyers
Attorneys rarely discuss breaches publicly. Unlike the health care industry, which has strict privacy rules for protecting patient data, state bar associations have varying guidelines for what lawyers can and should do with client data.
Law firms are not obligated to tell the public about breaches, said David Ries, a lawyer with Clark Hill in Pittsburgh who co-wrote “Locked Down: Information Security for Lawyers,” a book on information security for the American Bar Association. Security incidents probably happen a lot, even if nothing is taken, he said.
“It is really hard to tell ... where confidential information has actually been taken,” Ries said.
The American Bar Association says attorneys should keep abreast of changes in the law and its practice, “including the benefits and risk associated with relevant technology.” However, the ABA Cybersecurity Handbook does not require lawyers to notify clients of a data breach: “... Law firms have no bright-line requirements and are undoubtedly disinclined to report cyber incidents to a client.”
Lawyers should talk with clients about how they store information, and they absolutely need to notify them when information is taken, said Daniel Siegel, a Havertown lawyer who wrote the Pennsylvania Bar's formal opinion on cloud computing, which uses networks of Internet computers to store data.
Some data might be too sensitive to store on remote servers, it says.
“Every business is at risk that has information that someone else wants,” Siegel said.
Lawyers worry that clients will lose faith in their ability to keep secrets, Polley said. Even though he and others believe firms must be getting hacked, he recently spent several weeks trying to find a lawyer who would admit experiencing a data breach.
None spoke up.
“There's no doubt that there's a huge effect for the clients, but I think the lawyers are more concerned about the even bigger effect for them,” Polley said. “The reputational hit for a big law firm, I think, could be an extinction-level event.”
Andrew Conte is a staff writer for Trib Total Media.