BreachExchange mailing list archives

Unprepared law firms vulnerable to hackers

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 15 Sep 2014 18:37:42 -0600

http://triblive.com/news/allegheny/6721544-74/law-firms-information#axzz3DPS5QSCI

Computer hackers are targeting top international law firms, including
Pittsburgh-based K&L Gates, to steal intellectual property data and trade
secrets, the Tribune-Review found.

Cyber criminals stepped up attacks against lawyers to get around defenses
set up by their corporate clients, who became more protective of their
computer systems, legal and cybersecurity experts said.

Too often, law firms do not employ the same high level of cybersecurity
precautions that many major corporations practice, experts told the Trib.
In addition, experts said these hackers increasingly work on behalf of
foreign governments -- or at least with their implicit protection.

With offices in Beijing, Moscow and nearly two dozen foreign cities, some
of the biggest corporations in Pittsburgh and the world -- Alcoa,
Starbucks, Halliburton and Viacom among them -- place their confidence and
their trade secrets with K&L Gates. Its annual revenues top $1 billion.

A K&L Gates spokesman confirmed hackers "at times" attempt to infiltrate
the company's information technology systems or introduce malware, as they
do at other companies.

"As a global legal service provider, K&L Gates has in place highly advanced
security and monitoring measures in connection with the firm's IT system,"
spokesman Mike Rick told the Trib.

Rick declined to provide specific information about the law firm's cyber
defenses, but he said K&L Gates determined that client information has not
been "compromised or extracted from our IT system." Legal experts agree the
risks are real and the stakes enormous for an industry built on trust.

"Law firms are a rich target," said Patrick Fallon Jr., the FBI's assistant
special agent in charge of the Pittsburgh field office. "They don't have
the capabilities and the resources to protect themselves. Within their
systems are a lot of the sensitive information from the corporations that
they represent. And, therefore, it's a vulnerability that the bad guys are
trying to exploit, and are exploiting." Federal prosecutors in Pittsburgh
charged Chinese military hackers this year with stealing attorney-client
communications from SolarWorld, an Oregon-based solar panel manufacturer.

Computer attacks on law firms happen every day, Fallon said, and the FBI
warns attorneys about the threat.

Many law firms don't do enough to protect their computer systems,
especially against an attack sponsored by a foreign government, agreed
Thomas Hibarger, managing director of Stroz Friedberg, a law firm in
Washington.

"Protecting against state-sponsored hackers is a big undertaking, and many
firms have not devoted adequate resources to address this threat," Hibarger
said. "Nation-state hackers are very, very sophisticated and targeted in
their approach, and it is likely they will succeed."

Chinks in the armor

Law firms must constantly look for signs of intrusions, said Timothy
Brightbill, a partner at Wiley Rein, a Washington firm specializing in
international trade disputes. Though the firm was hacked in 2011 and
represents SolarWorld, he said the incidents were unrelated.

"We have to be extremely vigilant because these cases involve business
proprietary information," Brightbill said. "So we are constantly on guard.
... And oftentimes, we see the attempts as they're made and make sure they
are unsuccessful."

For corporate clients with strong computer defenses, a
poorly prepared lawyer can be like an unlocked back door into an otherwise
secure operation, said Vincent Polley, a lawyer in Bloomfield Hills, Mich.,
who co-wrote the American Bar Association's cybersecurity handbook.

Because of the high cost of cybersecurity and the hassle of protecting
documents, firms often are reluctant to invest in necessary technology.

"Lawyers aren't technologically adept. They're not particularly interested
in technology, and they're loath to spend the resources -- both time and
money -- to harden data" protection, Polley said.

In the wrong hands

Too many law firms believe, mistakenly, that no one
would want their clients' data, said Joseph DeMarco, former chief of the
Manhattan U.S. Attorney's cybercrime unit office and now a partner at the
New York law firm of DeVore & DeMarco.

There's actually a lively trade in stolen legal data. The information --
corporate financial reports, "secret sauce" recipes for software,
industrial designs and CEO emails -- can end up for sale on anonymous black
market websites, said Daniel Garrie, founding editor of the Journal of Law
& Cyber Warfare, a peer-reviewed publication based in New York City.

It could end up in the hands of opposing counsel, business competitors or a
foreign government. SolarWorld alleges in complaints filed with the
Commerce Department that its stolen data benefited Chinese solar panel
competitors.

"Law firms represent, in today's information security environment, the
easiest and richest target to go after," Garrie said.

Just as retailers became more aware of hackers when Target sustained a
high-profile breach in December, lawyers might need to witness an enormous
cyber theft at a top law firm before the industry gets more serious,
insiders said.

"Law firms have no incentive to protect themselves from being attacked
because, to date, there has been no meaningful financial impact to the law
firms' bottom line," Garrie said.

Silence of the lawyers

Attorneys rarely discuss breaches publicly. Unlike
the health care industry, which has strict privacy rules for protecting
patient data, state bar associations have varying guidelines for what
lawyers can and should do with client data.

Law firms are not obligated to tell the public about breaches, said David
Ries, a lawyer with Clark Hill in Pittsburgh who co-wrote "Locked Down:
Information Security for Lawyers," a book on information security for the
American Bar Association. Security incidents probably happen a lot, even if
nothing is taken, he said.

"It is really hard to tell ... where confidential information has actually
been taken," Ries said.

The American Bar Association says attorneys should "keep abreast of changes
in the law and its practice, including the benefits and risks associated
with relevant technology." However, the ABA Cybersecurity Handbook does not
require lawyers to notify clients of a data breach: "... Law firms have no
bright-line requirements and are undoubtedly disinclined to report cyber
incidents to a client."

Lawyers should talk with clients about how they
store information, and they absolutely need to notify them when information
is taken, said Daniel Siegel, a Havertown lawyer who wrote the Pennsylvania
Bar's formal opinion on cloud computing, which uses networks of Internet
computers to store data.

Some data might be too sensitive to store on remote servers, the opinion says.

"Every business is at risk that has information that someone else wants,"
Siegel said.

Lawyers worry that clients will lose faith in their ability to keep
secrets, Polley said. Even though he and others believe firms must be
getting hacked, he recently spent several weeks trying to find a lawyer who
would admit experiencing a data breach.

None spoke up.

"There's no doubt that there's a huge effect for the clients, but I think
the lawyers are more concerned about the even bigger effect for them,"
Polley said. "The reputational hit for a big law firm, I think, could be an
extinction-level event."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 