The names Heartbleed, Snowden, Target and Neiman Marcus have recently grabbed headlines, but if you are in the legal industry, it is Mayer Brown that should have grabbed your attention. In February, a top-secret document revealed by Edward J. Snowden showed that Mayer Brown's communications with its client the Indonesian government had been intercepted by an Australian intelligence agency and given to the U.S. National Security Agency. The circumstances indicate that Mayer Brown was not inadvertently hacked; it was targeted — even though it was well-known that “information covered by attorney-client privilege may be included.” Why? Because the Indonesian government was in trade negotiations and the information was "highly useful intelligence for interested US customers."
As noted in the New York Times:
“Duane Layton, a Mayer Brown lawyer involved in the trade talks, said he did not have any evidence that he or his firm had been under scrutiny by Australian or American intelligence agencies. ‘I always wonder if someone is listening, because you would have to be an idiot not to wonder in this day and age,’ he said in an interview. ‘But I’ve never really thought I was being spied on.’”
You probably have wondered on a few of your matters too. But wondering is no longer enough, because in 2012 the American Bar Association amended Client-Lawyer Relationship Rule 1.6 by adding specific language that:
"A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
And Mayer Brown was not the first law firm to be hacked and make the press. In 2011, the hacker network “Anonymous” accessed and published case documents from a case in which Puckett & Faraj represented a U.S. Marine. In 2012, Canadian law firms, working on a chemical product acquisition, were attacked by Chinese hackers who stole valuable data. In late 2009, the Federal Bureau of Investigation (FBI) issued an advisory to law firms warning of potential attacks.
Since 2011, government representatives and industry stakeholders have recognized New York City’s 200 largest law firms as “the soft underbelly” of countless corporations. In 2011, Mary E. Galligan, former special agent in charge of cyber and special operations for the FBI’s New York office, began organizing meetings with managing partners from top law firms to impress upon them the importance of cyber security. In 2012, Mandiant, a security consulting firm, estimated that 80 percent of the 100 largest American law firms suffered a malicious computer breach in the prior year.
With their affinity for paper, a lack of information technology (IT) investment and an overemphasis on convenience, highly valuing time as the only commodity, firms have left themselves exposed. According to the American Lawyer's 2013 Technology Survey, 86 percent of technology directors and chief technology officers (CTO)s from AmLaw 200 firms say they are more concerned about security threats now than they were two years ago. In the same survey 46 percent of the respondents also said that capital expenses in IT increased last year. With increased investment in cybersecurity as a strategic imperative, the second and more fundamental issue to address is the cultural change that comes with a secure environment.
Several steps should be considered. First, the convenience of easily accessing data remotely cannot be allowed at the expense of data security. The first small step for each firm, and a giant leap for the legal community, is to reject the notion that associates or partners with no corporate experience or data systems training should make IT decisions and be given ready access because "they need it." IT professionals should make the decisions in consultation with the IT professional at their clients.
Second, crown jewels should be protected differently than every day internal correspondence. Law firms should stop having a single level of security, as if it were so that all data is equally sensitive. Highly confidential information should be treated with special care, and access restrictions and logs should be kept. Secure data environments should be created with limited access and multi-factor authentication. Cutting-edge encryption software to protect data transmission, full disk and file level hardware encryption, and multi-factor authentication are just a few of the hardening techniques companies are using to protect data.
Third, considering that today, for example, an associate can connect to an e-discovery platform over public WiFi and instantly endanger a client’s intellectual property, corporate clients should benchmark and reassess law firm security protocols and infrastructure as a part of the panel selection process. This process must have teeth, as all customers and shareholders deserve strong and secure legal vendor relationships.
Fourth, data should be returned or destroyed at the end of an engagement. An extra copy is an extra risk. Lastly, vendors and internal IT teams should be empowered to challenge and train in-house and outside counsel. Education is a powerful arrow in your quiver. There is much to teach.
Corporate clients that fail to ensure the security of their law firms put their corporate data at risk. Law firms that fail to secure client data risk ethical violations, data protection law violations, damages, and reputational loss. Of course, in the “bet the company” case, your law firm is critical. But in today’s digital world, securing your corporate data is equally critical.