Cybersecurity horror stories tend to focus on government agencies, retail outlets, health care institutions, and other companies serving consumers. But business professionals such as lawyers, accountants and business managers are increasingly at risk of attack, and may be less prepared to handle a cyber assault.
Late last year, three Chinese citizens were criminally charged in the United States with trading on confidential corporate information obtained by hacking into networks and servers of two prominent law firms, reported to be Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP, working on sensitive and highly confidential mergers. This was market-moving data, including information on Cravath’s work and information on an acquisition of its client, Pitney Bowes.
Prosecutors said the hackers gained access to the law firm’s computer system using an employee’s credentials. The hackers then installed malware on the firm’s servers to access emails from lawyers, including a partner responsible for the Pitney deal. Similarly, the hackers obtained information about an Intel acquisition from the IT system of its counsel, Weil Gotshal. The hackers made millions of dollars trading on the confidential information about the deals, and exposed the danger law firms and other professional service firms face.
What’s worse, consider this: in all likelihood, there are probably dozens of professional service firms that have experienced cybersecurity breaches and don’t even know it.
Preet Bharara, then the US Attorney for Manhattan, said the case “should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals.”
Professional service firms are not highly regulated industries, but they deal every day with those that are. They often hold some of the most sensitive data available. This includes not just social security numbers, but personal and corporate financial data, health data, business plans, tax filings, regulatory audit and compliance reports, as well as confidential and privileged communications. This is high-value data that goes to the core of their clients’ businesses.
Professional firms often have lax security policies compared to technology companies, with everything from lackluster passwords, a free and wide-ranging spread of data within the organization, no encryption, open systems and open offices in general. Often partners and employees work from home, taking valuable data out of the office protected by little (if that) more than a password of someone’s birthday or the name of a childhood dog.
Moreover, professional firms often work in relatively open systems for ease of communication. Professional firms place an emphasis on accessing data easily, outside of heavily secured systems with multiple passwords and clearances. By focusing on ease of use, professional service firms inadvertently set themselves up for a host of problems.
In fact, the impact on business professionals is greater than many typical firms. They deal with clients in highly regulated industries, with numerous and specific security regimes. Clients are often high-profile individuals and companies for whom the disclosure of sensitive data would be devastating. This often leads to issues that aren’t visible until there is a crisis.
And while lawyers, business advisors and accountants are lightly regulated, there are specific confidentiality laws for lawyers and accountants that could require, in certain cases, limiting certain exchange of data and communications that are not otherwise in place. Firms tend to know their ethical requirements governing segregating information to avoid conflicts, but don’t nearly as often understand the deep data requirements for sequestering this and other information.
The hallmark of any relationship with a professional service provider is trust and security. Loss of trust destroys relationships and reputations. Ransomware, impersonations and denial of service attacks can have an outsize impact on professional service firms. It’s difficult to recover one’s brand following a breach. Unlike in consumer cases, no amount of credit checks for possible identity theft can restore and recompense a client with valuable data that’s been lost.
Professional service firms need a C-level executive in charge of information and data security. This duty cannot be cordoned off and delegated to the IT department. The best defense involves a fully integrated approach, both within the organization and among the professionals the firms hire to ensure their data and their clients’ data is secure. And this cannot be done just internally; professional service firms owe it to their clients to work with outside professionals with deep experience in the field.
Brands and reputations are easily sullied. Professional service firms must walk the walk in order to advise clients to do the same.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.