Pando

Why aren't law firms required to disclose when they've been hacked?

By Nathaniel Mott, written on March 27, 2015

From The News Desk

Citigroup has warned against trusting sensitive information to law firms, which aren't required to reveal data breaches and often cover them up.

The New York Times viewed a copy of the report published by Citigroup's cyber-intelligence center, which works to identify threats before they can affect financial institutions and their customers. Key among its findings was:

Due to the reluctance of most law firms to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general in the legal industry, it is not possible to determine whether cyberattacks against law firms are on the rise.

[...]

It said law firms were at 'high risk for cyberintrusions' and would 'continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications.'

The Times adds that several security companies are working with law firms:

In the last several months, Mandiant, the security firm that is a division of the security consultant FireEye, has been advising a half-dozen unidentified law firms that were victims of a breach or other attack, said a person briefed on the matter who spoke on the condition of anonymity.

John Hultquist, a manager at iSight, said it had gathered data on [hacks at Puckett & Faraj and Gipson, Hoffman, and Pancione] from various sources but declined to provide specific details. He said hackers were targeting a wide range of professional services firms in many ways.

Information stolen from law firms might also allow hackers to conduct phishing attacks, which trick people into sharing sensitive information by impersonating friends, loved ones, and other people the target is known to trust.

Hackers aren't just targeting retailers or financial institutions. They've also been stealing information from health insurers and other medical groups. It wouldn't be a stretch to assume they also target law firms and their clients.

The fear is that law firms won't reveal data breaches because they aren't required by law to do so. And considering most companies don't want to work with lawyers who can't keep secrets, it's in the firms' favor to stay silent.

[illustration by Brad Jonas]