David Johnson had just finished meeting with a cybersecurity consultant about beefing up the company’s protections when he learned the servers had been hacked.
As general counsel of Global Cash Access, a company that manages cash on hand for casinos, Johnson was highly concerned about protecting the company servers: Literally, millions of dollars were at stake. Hiring a consultant to sniff out vulnerabilities had been the first step taken by the company’s new senior vice president of IT, and everyone at the meeting had agreed the consultant should take the next few months to see if he could penetrate their computer system.
But it didn’t even take that long: The consultant walked to his car outside their office, opened his laptop and immediately hacked into their servers.
“It was kind of like, ‘Oh. This isn’t good,” said Johnson, now a Duane Morris partner, who said the IT department made several major changes as a result. “Needless to say, a couple people lost their jobs.”
The incident, which took place in 2013, illustrates how difficult it can be to accurately assess the vulnerability of one’s system and why General Counsel consistently rank cybersecurity as a top concern in surveys. And yet even as lawyers position themselves as experts who can advise companies on cybersecurity threats, many law firms are being targeted and experiencing data breaches.
“Our law firm clients report being extorted or threatened with denial of service and being held hostage,” said Mark Greenwood, managing director with Aon Risk Solutions, which sells cyber insurance to several dozen law firms.
Greenwood declined to disclose which firms had reported a breach, but said the minimum cost of hiring a consultant to identify the hole in a cybersecurity system and to then fix it is $500,000. He further estimated that the largest law firms are paying for $5 million to $40 million in coverage, mid-size firms are purchasing up to $10 million in coverage, and smaller firms are buying up to $5 million in coverage. The insurance provides firms with a “coach” who can take the lead if a breach occurs, crisis communication and PR specialists, as well as online training and support from IT professionals, according to Greenwood.
In the last year alone, his group has signed up 30 new law firms for cyber insurance, he said.
But most data breach incidents at law firms have not publicly surfaced, although there have been a few incidents — at least one small law firm in Southern California was forced to send letters to clients after a breach and there have been reported incidents of other larger firms being targeted.
In May, the New York Times obtained and published an article about an internal report at Citigroup that suggested law firms are likely vulnerable targets for hackers, but that it was difficult to tell if data breaches are on the rise or not because there is no regulatory reporting requirement for the legal industry.
Judy Selby, co-leader of BakerHostetler’s Information Governance practice, said that it’s not unusual to hear law firms described as “soft targets.” This is partially because, unlike banks, they face no formal regulation, Selby said, even though they hold repositories of confidential information about impending merger plans, patent applications and litigation strategies that would be attractive to hackers.
“In some ways, it’s almost cultural,” said Selby, explaining that law firms do not think of themselves as vendors which would be targeted.
But she argued law firms are taking steps such as removing access to web-based email which has little protection and implementing new policies to maintain tighter control over mobile devices. “I think the security is markedly different now,” she said.
Although many law firm clients, such as Citigroup, have started implementing audits of law firms to ensure they are taking adequate steps to protect data, some leading lawyers have called for a formal policy. At the inaugural Big Law Business Summit last week, Sullivan & Cromwell’s senior chairperson H. Rodgin Cohen called for a new cabinet, the department of cybersecurity.
“I do not believe I am exaggerating when I say we are jeopardizing the future of this country unless we adopt and implement a comprehensive program to deal with cyber risk,” said Cohen, adding “it is the one truly existential threat.”
Juliette Fairley contributed to this report.