Corporate clients are now checking to ensure their law firms are taking steps to secure valuable information.
In April, the Association of Corporate Counsel issued its first-ever guidance on what data security measures in-house counsel should expect from their firms, Bloomberg BNA reported.
Aristedes Mahairas, special agent-in-charge in the cyber division of New York City’s FBI field office, has spoken with many Big Law firms about their security vulnerabilities and believes the reported cases are just the tip of the iceberg.
“A lot of this takes place without a lot of public scrutiny, but there’s no doubt that someone out there is compromised and in pretty bad shape,” he told Big Law Business during a recent interview at the FBI’s downtown Manhattan office. “They should be concerned because there’s nothing saying a law firm can’t be sued either for breach of fiduciary duty.”
Though law firms haven’t dominated cybersecurity headlines, recent data breaches against Mossack Fonseca, Cravath, and Weil Gotshal have sent a clear signal that lawyers — and the client data they possess — are real targets.
Mahairas, who earned his J.D. from New York Law School, began working at the FBI in 1996 as an undercover field officer in New York City. After stints in Bulgaria and Greece and on the Joint Terrorism Task Force, he was appointed special agent in charge of the Special Operations/Cyber Division of the New York Field Office in 2015.
The following interview has been edited for length and clarity.
Big Law Business: What have you seen in the field — are law firms being targeted, and if yes, how so?
Mahairas: We know that state sponsors are targeting where they can to gain an economic or competitive advantage. What can a law firm possibly have that a nation state could possibly want? Well, a lot of law firms have intellectual property, trade secrets that are within their holdings, from corporations or defense contractors or pharmaceuticals. Well, what about the criminals? Criminal syndicates tend to operate for money, doing what they do for an economic advantage. So what do law firms have to make them a target for criminal groups? The law firm also has a lot of information [criminals] can capitalize on, which is M&A information, negotiations, strategy, policy. Maybe one company X hires hackers to get into company Y’s lawyers’ holdings so they can see what is the strategy, what is the discussion, how can I gain an advantage?
So what are we seeing? We’ve seen law firms specifically targeted. There was one case where three individuals hacked into a law firm looking for and targeting specifically M&A information on which they traded, making anywhere between $4-$5 million. We were informed of the suspicious trading activity working with the SEC and did forensic analysis and a cyber investigation. We identified three people who were behind it, there may have been more. The Panama Papers is another more recent example.
BLB: Where are law firms most vulnerable?
Mahairas: To the extent that law firms are relying on global interconnectedness and speed of communication is essential to conduct their business effectively and efficiently, that’s their vulnerability. In the communications. So you have a law firm that’s headquartered, let’s say, here in New York City, but they have offices in London, Tokyo, Beijing, and they’re communicating. Sometimes it’s one law firm with satellite offices and sometimes it’s one law firm working with others as partners. So they may have two different communication platforms. The point of communication is probably the largest attack surface for them.
Of course, I have a server, the server has ports, those ports are being scanned for points of entry. Those are all technical means for compromising a firm’s network, but really, that’s not the way the majority of this gets done. Most of the time we’re seeing it as the result of spear phishing, specific social engineering targeted email that gets the end user to take some kind of action, which is normally clicking on a link, usually in an email purporting to be from someone you know. That gives me access in and once I’m in I can do a whole bunch of things.
There’s a lot of things that can be done to mitigate that exposure. The type of communication.
Here’s another question we ask: how is the law firm holding on to their information? We have data at rest, which is information that resides on the network and is not moving, and data in motion, which is when I send it across a communication line. When we have data at rest, is it encrypted? Do we have full disk encryption, where even if you get in it it’s more difficult to see it? And when I send information from point A to point B, how do I send it? Is that information encrypted as well? Are we using a transport layer security system that ensures the pipe where the information goes through is secure? But here’s the key to that: if I’ve somehow compromised your end unit and I see it here as you’re writing it, it doesn’t matter if it goes across the line encrypted.
I think [law firms also] need to be thinking about the insider threat piece. A lot of people don’t consider this. We spend a lot of time thinking about how to layer our defenses, but what about that one person who’s inside the fence? The insider threat is a real threat. I distinguish between witting and unwitting. The individual who writes a script that says if you see my name get deleted from payroll, delete everybody, that’s witting. The unwitting employee may be all about the company and wants to do their work, maybe they want to impress a boss or meet a deadline, but in exchange for that they compromise security protocols. The insider threat is something that needs to be looked at a little more carefully.
BLB: Big Law sometimes gets a bad reputation for being behind the curve. Do you think the legal industry is behind on cyber security?
Mahairas: I don’t think the legal industry is behind any more than any other industry. It really depends which law firms we’re speaking of. You can’t open up a newspaper or turn on the TV and not hear something about cybersecurity, so I think it’s on the forefront of everyone’s mind. I think also the unfortunate examples of law firms that have been compromised have had a positive impact in that it raises awareness. The issue becomes one of resources and money. Value is a factor of risk and reward. The question is, does [security] generate revenue in the sense of savings in the event of a compromise? It’s hard to quantify it.
Major law firms recognize the significance of cyber security and have done a lot to harden their defenses and layer it. You can’t just put up one iron dome. In any security posture, you need concentric circles and the further away you get, the more security you have.
The mom and pop law firms, maybe not so much. However, it doesn’t mean they don’t have valuable information as well. Just your client information is valuable. What about these law firms that also do taxes and have thousands and thousands of tax returns? That has value.
I think if a nation-state actor is going to come after you, they’re probably going to try to get the biggest bang for their buck. That’s going to be the major law firms. The medium sized law firms are targets for the criminal actor. The criminal actor is unbiased towards everyone. If there’s a way to make a dollar, they’re going to try that.
BLB: Are there any patterns you’ve seen in terms of the types of cyber attacks on law firms?
Mahairas: I don’t know that there’s enough information out there to say we have a pattern, but what we have seen more often than not, is that when a law firm is being targeted, they’re being targeted because they’re believed to have valuable information.
But what I know of and what I’m aware of is only that which is reported. I suspect there’s a lot more that’s going on that’s not being reported and law enforcement is not getting involved. Ransomware attacks have steadily increased in number. We’re hearing that there are law firms paying the ransom after having fallen victim to a ransomware attack so they can posture appropriately to clients and say they did everything to get their information back. We don’t advocate for that at the FBI. We believe it not only perpetuates the activity but in many instances you don’t receive the promised decryption code, and if you do fund it you don’t know if you’re funding further criminal activity. The best way to deal with [these attacks] is to be properly prepared.
BLB: What specifically can law firms and lawyers do to prepare?
Mahairas: The first way of preventing a ransomware attack is recognizing that the majority of people who fall victim to ransomware attacks have allowed the malicious actor to come in somehow. They’ve opened the door. So practice good computer hygiene, don’t be quick to click on something. Make sure your [software] patches are up to date. Make sure your operating system is on the latest version. If you’re working at home, make sure your WiFi is password protected. But the best thing you can do is to have proper off-line back-ups. Take what you have on your computer and image it to an external hard drive and unplug it.
BLB: Is there anything else law firms need to be considering, given their role as fiduciaries?
Mahairas: I think attorneys need to be thinking about their clients, and in doing so, the fiduciary obligation they have to their clients, and recognizing they’re responsible for their information they have in their holdings. It’s also about those who they allow to connect into their system. Do they have external vendors? It’s not just about the iron dome above their servers, it’s about who they’re connecting to. That information they hold for their clients, they’re responsible for. We haven’t seen it, because a lot of this takes place without a lot of public scrutiny, but there’s no doubt that someone out there is compromised and in pretty bad shape. They should be concerned because there’s nothing saying a law firm can’t be sued either for breach of fiduciary duty.
BLB: You’ve mentioned before that you encourage law firms to reach out to you as soon as they suspect a breach. What would you tell firms that might be wary of contacting law enforcement so soon?
Mahairas: We at the FBI are not regulators, we’re investigators. If we are called in, we recognize that continuity of operation is essential, and we’ll do what we can to get you up and operating as soon as possible, using all of the resources of the federal government. To do that, I don’t need to see the content of those servers, or the content of email. I need the data points that will help me find out who is behind the attack, and all of that is metadata. So there’s no reason for me to see sensitive company information.