May 30, 2023
Cybertaps for Law Firms


Asked why he’d robbed banks, a notorious American gangster from the Great Depression era famously replied: ‘If they kept money in candy stores, I would rob candy stores.’ Is there any connection between old-style robbers and the plight of modern law firms? On the surface, not really. After all, what can you steal from a law firm? Printer cartridges, paper clips?
Those who think along these lines, and they are legion in the global legal world, are dead wrong. In the digital world, law firms are particularly vulnerable to hackers, as a 2015 report by Verizon confirmed. Still, unlike medical companies or financial institutions, the legal universe has long been stuck in the blissful belief that it is not worth its collective while to waste resources on things like cybersecurity.
Then, starting less than ten years ago, the heads of such US legal giants as Cravath and Weil Gotshal, but also the owners of small law firms, became aware that the safe happy times were over. The enemy was already pushing beyond the gates. Crucially, it wasn’t their safe deposit boxes that were being broken into, but rather the law firms’ corporate IT systems, email servers, and online bank accounts. And it wasn’t cash that was at stake, but something much more valuable today: business information.
The burglars were particularly interested in data on ongoing merger and acquisition deals. With insider information in hand, the principals of the hacks were able to enrich themselves with impunity, whether by investing in the stocks at issue or by reselling sensitive transaction data. Databases containing the personal information and bank records of law firm clients also were (and still are, increasingly so) their preferred loot.
Another type of digital crime is extortion. In 2016, the global law firm DLA Piper fell victim to a computer virus aptly named Petya, or Peter. As the virus locked down all of the firm’s systems and data, causing the business to lose hundreds of thousands of dollars a week, DLA’s owners had to pay a huge ransom (transferred securely in digital currency). Only then did the legal world in the US get serious about keeping its data safe. Market regulators have joined that effort, going after both the malefactors and some negligent law firms. In 2020, for example, the Securities and Exchange Commission launched a case against the large law firm Covington & Burling, accusing it of, among other things, failing to adequately protect its clients’ data.
The perpetrators of cybercrimes are not always sophisticated hackers. In March 2020, the law firm of Young, Cohen, and Durett lost a server along with the data of hundreds of clients when a burglar fished the box out through a broken window in an office building. Small law firm owners are increasingly falling victim to common “phishing,” which involves trawling law firms for sensitive data or obtaining key passwords from staff, either directly or over the phone. Now, several years later, the industry journalists at American Lawyer warn that it’s only going to get worse.
Are similar scenarios possible in relatively safe, smaller law firms in Europe? Certainly so. The heist involving DLA Piper’s data began in that firm’s Kiev office, but rapidly spread to its other branches. Are Central European law firms aware of such threats? Theoretically yes, at least since the widely reported 2015 attack on the data of the Warsaw law firm Drzewiecki Tomaszek. While there is little media coverage of similar incidents, their recurrence should come as no surprise. Lawyers prefer to keep quiet about their mishaps involving hackers, because their credibility in the eyes of their clients is at stake. So what, then, is the real position of law firms regarding cybersecurity in 2023?
The answer is: not great. For one thing, it is not possible to buy cyber and IT protection as an off-the-shelf product. For any law firm, big or small, effective defenses require a change in the organization’s culture, making all employees – from the managing partner to the cleaners – aware of the continuing threat, and, lastly, constant supervision by external experts. All this effort also involves extra cost and lost productivity, i.e., billable hours. Why bother if, for now, all seems in order and the IT systems are operating normally?
The question is, “how long is the safety bliss going to last?” Zbyszek Konieczny, a well-recognized IT expert and advisor to many law firms from Warsaw, states matter-of-factly: “A regular, periodic review of all your systems, for example annually, is simply essential. At my consultancy, we aim at confirming our clients’ digital maturity and identifying the necessary recommendations.”
This kind of digital audit, aimed at identifying weaknesses in law firm IT systems, consists of running an inventory of IT assets, followed by penetration testing, vulnerability tests and threat analysis. The audit is followed by the introduction of revamped IT rules and regulations, staff training, hardware and software recommendations, the development of contingency plans, and, more and more often, the assignment of remote oversight of system integrity to an external expert (known as the CISO, for Chief Information Security Officer).
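The first two audit steps described above, the asset inventory and the vulnerability testing that follows it, are linked: the inventory decides which systems get tested first. The script below is an added example written for this article, not NaviRisk’s audit method or Mr. Konieczny’s; the asset fields, the scoring weights and the sample inventory are assumptions chosen for illustration, and the annual review interval follows the cadence quoted in the text.

```python
"""Turn a law-firm IT asset inventory into a prioritised list for the
vulnerability-testing step of an audit.  Example code added to this
article; the inventory below is constructed, not a real firm's data."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    # Field set is an assumption for this example, not an audit standard.
    name: str
    kind: str                      # "server", "workstation", "saas", ...
    owner: Optional[str]           # accountable person; None = nobody owns it
    internet_exposed: bool         # reachable from outside the office network
    holds_client_data: bool        # client files, bank records, deal documents
    last_patched: Optional[date]   # None = no patch record at all
    last_reviewed: Optional[date]  # date of the last security review


def days_since(when: Optional[date], today: date) -> Optional[int]:
    """Age of a date in days, or None when there is no record."""
    return None if when is None else (today - when).days


def findings(asset: Asset, today: date, review_interval_days: int = 365) -> list[str]:
    """Plain-language observations an audit report would list for the asset."""
    notes = []
    if asset.owner is None:
        notes.append("no accountable owner")
    age = days_since(asset.last_patched, today)
    if age is None:
        notes.append("no patch record")
    elif age > 90:
        notes.append(f"unpatched for {age} days")
    reviewed = days_since(asset.last_reviewed, today)
    if reviewed is None or reviewed > review_interval_days:
        notes.append("annual review overdue")
    if asset.internet_exposed and asset.holds_client_data:
        notes.append("client data on an internet-exposed system")
    return notes


def risk_score(asset: Asset, today: date) -> int:
    """Additive score (weights are an assumption): exposure and data
    sensitivity weigh most; missing ownership and stale patching add to it."""
    score = 0
    if asset.internet_exposed:
        score += 3
    if asset.holds_client_data:
        score += 3
    if asset.owner is None:
        score += 2
    age = days_since(asset.last_patched, today)
    if age is None:
        score += 3
    elif age > 90:
        score += 2
    elif age > 30:
        score += 1
    return score


def prioritise(inventory: list[Asset], today: date) -> list[tuple[str, int, list[str]]]:
    """Highest-risk assets first; ties broken by name so output is stable."""
    ranked = sorted(inventory, key=lambda a: (-risk_score(a, today), a.name))
    return [(a.name, risk_score(a, today), findings(a, today)) for a in ranked]


# Constructed sample inventory (not a real firm's assets).
SAMPLE_INVENTORY = [
    Asset("mail-gw", "server", "it-admin", True, True, date(2023, 1, 10), date(2022, 3, 1)),
    Asset("dms-01", "server", "it-admin", False, True, date(2023, 5, 20), date(2023, 2, 15)),
    Asset("old-nas", "server", None, False, True, None, None),
    Asset("reception-pc", "workstation", "office-mgr", False, False, date(2023, 5, 25), date(2023, 2, 15)),
]
AUDIT_DATE = date(2023, 5, 30)

if __name__ == "__main__":
    for name, score, notes in prioritise(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{score:2d}  {name:<14} {'; '.join(notes) or 'no findings'}")
```

Run against the sample inventory, the forgotten NAS with no owner and no patch record ends up alongside the internet-facing mail gateway at the top of the list, which is the point: the audit finds the systems nobody is looking after before the penetration testers spend time on the well-maintained document server.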
Plainly, it’s never enough to purchase a box of magic software. To feel (relatively) safe, law firms need to invest time and money. Most importantly, they need to change their mindset to reflect a worrying piece of wisdom: “today, no one is safe.” When asked about the cybersecurity prospects for the sector, Lukasz Wojcik, a cyber security expert from the NaviRisk firm, states bluntly: “The longer you try to wait it out, the longer it takes for us to pick up the pieces.”
But what about those law firm partners who are unwilling to make the effort, in the blissful belief that somehow things will work out without any action taken? By the same token, they should avoid their annual medical check-ups and stop buying insurance. Avoiding the problem is also a plan of sorts. However, as the boxing champion Mike Tyson once said: “Everyone has a plan until they get punched in the face.” In 2023, the legal industry’s cyberspace is rife with such punches from hackers and worse. It’s high time, then, even for staid attorneys-at-law, to call in the experts.
Piotr Siemion; PhD, JD, Head of Legal and Compliance
Photo: Unsplash