Law Firms Face Large Liability from Data Breaches

Chinese hackers were recently charged with making millions of dollars through insider trading based on information stolen from law firms. The case highlights the exposure law firms face when their data security is lax.

On December 27, 2016, the US Attorney for the Southern District of New York, Preet Bharara, announced the unsealing of an indictment against three Chinese nationals, Iat Hong, Bo Zheng, and Chin Hung, for hacking into the networks of several leading US law firms that provide merger and acquisition advisory services. Hong, a resident of Macau, was arrested in Hong Kong on December 25, 2016, and is facing extradition to the United States.

According to the Department of Justice’s press release on the case, the hackers used the “unlawfully obtained credentials” of a law firm employee to access the firm’s email server and install malware that gave them persistent access to it. They then logged into the email accounts of partners at the firm to collect details of pending mergers, including pricing, and traded on that information before the deals were announced. In total, the hackers targeted at least seven firms, traded in the shares of at least five public companies, and made profits of over $4 million.

This is not the first high-profile hack of a law firm this year. Back in April, the “Panama Papers” scandal erupted around the Panama-based law firm Mossack Fonseca. It may be the first time a data breach has led to the resignation of a head of government: the prime minister of Iceland, Sigmundur Davíð Gunnlaugsson, stepped down when the leaked documents revealed that he and his wife owned an offshore company he had failed to declare when he entered Parliament. Eleven other current or former world leaders were named in the leak. We imagine that Mossack Fonseca has lost a lot of its influential clients as a result of the leak. The firm shut down several offices and resigned as registered agent for over 1,000 companies in the wake of the breach.

Law firms are particularly attractive targets for hackers because they aggregate a great deal of highly sensitive client data in one place, and the opportunities for misuse of that data are enormous. Had the person who stole the Mossack Fonseca data been interested in making money, he or she could have blackmailed some of the richest and most powerful people on the planet.

As Bharara said of the insider trading breach by the Chinese hackers:

This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals.

Law firms have a fiduciary and ethical responsibility to take all appropriate measures to protect client data. A major data breach can expose a law firm to substantial liability if it can be shown that the breach occurred because the firm was not following proper security procedures.

Existing methods for securing data rely too heavily on humans following proper procedures, and all too often they don’t. Even when they do, cybercriminals are increasingly sophisticated and are finding ways to breach firms that follow industry-standard practices. A new approach is needed that does away with the vulnerabilities in existing approaches to securing sensitive data. PACid’s Bolt-on Strong Security (BoSS) provides a completely new paradigm for securing data that would make this type of breach a thing of the past.