David Blumental, a Shanghai partner with Vinson & Elkins, also says he’s not particularly worried about the findings of the Mandiant report. "I think firms are taking the normal precaution, but there is no compelling evidence showing that this is a common phenomenon," he says. Blumental allowed, however, that there may be many more hacking incidents against law firms that have not been made public.
According to the Mandiant report, much of the Chinese hacking activity is aimed at stealing intellectual property. Hackers also appear interested in ferreting out information about companies’ stances in negotiations over commercial contracts or mergers and acquisitions.
"We frequently see competitive information being misappropriated by attackers," says McGee. "That information is often later misused to influence or sabotage transactions."
While law firms might certainly be in possession of such sensitive information, Lin thinks hackers are more likely to target the relevant companies directly. Law firm data drives, he says, have too much other information that hackers will not want to wade through. "Just reading about fund formations," he says, "their heads would explode."
But Shoesmith says his impression as an adviser to information technology companies that focus on data mining is that information processing has become a "piece of cake" for dedicated specialists.
"It has become a fantasy to think that hackers these days cannot just pull out the information that they are after," says Shoesmith. "And hackers are way ahead of the defenders. Unless I am being protected by my firm, if someone wants to hack into my [personal] computer for information, they are going to get it."
He also says law firms cannot be seen to be responding less robustly than their clients to the potential hacking threat. "Clients are going to say, 'We have taken relevant measures to protect our sensitive information. What will you do to protect our information if we give it to you?' "
*Correction, 2/28/13: An earlier version of this story mistakenly reported in the sixth paragraph that Shoesmith called for a firmwide meeting instead of a meeting with IT staff. We regret the error. The paragraph has also been altered to clarify that Shoesmith was referring to all firms potentially affected by hacking, not just his own.
This article originally appeared in The Asian Lawyer.
