From: WSJ

Pressure Grows as Mobile Devices, Email Make Sensitive Data More Vulnerable

By JENNIFER SMITH

As hackers step up attacks on law firms, attorneys are being forced to master a subject few of them studied in law school: cybersecurity.

Lawyers, who increasingly rely on email, smartphones and other mobile devices to handle deals and other confidential matters, are being asked to encrypt messages, resist using free Wi-Fi connections, which can allow hackers to eavesdrop on communications, and regard even text messages as potential security threats.

Hackers who target smartphone users have been known to put links in text messages that, when clicked, activate malicious software, or malware, that can log keystrokes or even record phone conversations, says Eric Friedberg, co-president of Stroz Friedberg, a digital risk-management and investigations firm.

For hackers bent on insider trading, targets could include lawyers at top law firms that handle mergers and acquisitions, such as Cravath, Swaine & Moore LLP, Skadden, Arps, Slate, Meagher & Flom LLP or Davis Polk & Wardwell LLP, says Mr. Friedberg, a former federal prosecutor.

“Half the time people post their cell numbers on their v-card,” he says, referring to the downloadable business cards posted on most law firm websites.

It’s difficult to know how many law firms have been targeted by hackers. The Federal Bureau of Investigation doesn’t track individual breaches or keep statistics on the types of businesses attacked, an FBI spokeswoman says.

But current and former law-enforcement officials say cyberattacks against law firms are on the rise, as criminals and state-sponsored hackers launch increasingly sophisticated sorties aimed at gaining access to the valuable information entrusted to law firms.

“We’ve seen specific documents from law firms on specific deals being exfiltrated from cyberattacks,” the FBI’s Mary Galligan said in April at a law-firm conference in New York.

The perpetrators “know exactly what they are looking for and, as a result of that, there is some undercutting of bids in those deals.”

Few law firms will admit publicly to a breach. Thefts of confidential information strike at the core of the legal profession’s obligation to safeguard clients’ secrets, and can do considerable harm to a firm’s reputation.

Moreover, many firms may not be aware that they were hacked until a law-enforcement agent shows up on their doorstep, says Shawn Henry, a 24-year FBI veteran and former executive assistant director of the agency’s criminal, cyber, response and services branch.

“All of this is underreported,” says Mr. Henry, who left the FBI this year to become president of CrowdStrike Inc., a security start-up that investigates breaches. “Law firms have incredibly valuable and sensitive information, and the Internet just provides a whole other methodology through which the information can be accessed and pilfered.”

Last year several large Canadian law firms were attacked by hackers linked to computers in China, according to a Canadian security consultant who investigated the incidents.

The attacks appeared to be connected to a potential takeover of a Chinese state-owned chemical and fertilizer group, though it wasn’t clear who was behind them or the extent of the breach.

In 2010, the Los Angeles law firm Gipson Hoffman & Pancione reported receiving emails that purported to be from members of the firm but which were really designed to retrieve data from its computers. The firm said these Trojan emails, which were traced to Chinese servers, were similar to those sent to a software company that it was representing in a $2.2 billion lawsuit against the Chinese government and several computer manufacturers.

“About 11 Trojan emails came in, just days after the filing of the lawsuit,” says Gregory Fayer, one of the lawyers representing the software company, who says the FBI investigated the matter. “We did not believe that there was any compromise of the system,” says Mr. Fayer, now a partner at Fayer Gipson LLP. “That’s largely due to the alertness of the attorneys who got the email.”

The FBI declined to comment.

That sort of internal vigilance could soon become a professional duty for lawyers. A handful of bar associations across the country have told their members that keeping up with technology and taking reasonable steps to protect client information from being stolen are part of lawyers’ ethical obligations.

Later this summer, the American Bar Association is expected to weigh in on whether to incorporate such requirements into its model rules of professional conduct, which aren’t binding but often serve as a guide for state bar associations.

Such rules might be challenging, especially for technophobes. “Many lawyers have a hard enough time just figuring out how to work their BlackBerry or iPhone,” says Jason P. Gonzalez, counsel in the privacy and data-protection and white-collar crime groups at Nixon Peabody LLP.

Law firms are stepping up programs to educate lawyers and staff on the potential pitfalls of complacency and teach strategies to ensure confidential information stays that way. But a constant stream of new apps and gadgets complicates the issue.

Some attorneys now use online file-storage lockers such as Dropbox Inc. to store files that users can then access from multiple devices.

This so-called cloud storage is convenient for attorneys on the go, but raises questions about who else might gain access.

Dropbox’s privacy policy says the company might remove its own encryption and turn over files to comply with legal or regulatory requests.

Some law firms don’t let their attorneys use such services, citing confidentiality concerns.

“There is a huge pressure on lawyers to use all the technology and exchange information quickly and seamlessly with clients,” says Jim Brashear, general counsel for ZixCorp, which provides email encryption services. “But lawyers also have a fiduciary and ethical responsibility to protect that information. Balancing those two is the challenge.”

Sometimes the push for cybersecurity vigilance comes from clients, including big financial institutions, which regularly conduct their own on-site security audits at law offices to make sure their secrets are protected by the latest firewalls and other digital defenses.

Still, security experts and technology directors say the weakest links at law firms of any size are often their own employees, including lawyers and others who lose devices, open up phishing emails from hackers or use the same easy-to-crack password for all their devices, as well as email and social-media accounts.

“For me the worst-case scenario is just having a significant amount of very confidential information that somehow gets lost into the public domain,” says a chief information officer at an elite New York law firm. “If someone leaves a laptop in the trunk of the car and it’s not password-protected, all of a sudden somebody has access to a bunch of M&A information.”