Imagine you’re a cybercriminal looking to steal some lucrative corporate information—valuable trade secrets, perhaps, or maybe insider securities material. You could try hacking into a bank, but its security measures are increasingly strong. A phishing attempt may work, but again, many companies are growing more sophisticated. Instead, if you’re smart, you’ll go after the lawyers. Law firms, due to the nature of their business, are swamped with sensitive documents, and many have notoriously poor data security, making them tempting, and potentially lucrative, targets.

It makes sense, then, that hackers are increasingly targeting law firms. One out of every 10 advanced cyberattacks is aimed at a law firm, according to the Harvard Journal of Law & Technology, with the Ponemon Institute estimating that the average data breach costs $7.2 million, or $214 per client record.

The most notorious example of a law firm data breach disaster comes from Mossack Fonseca, the law firm at the center of the Panama Papers. Last April, the firm made headlines around the world after its internal files were released to the public. The extent of the breach was breathtaking—11.5 million documents covering more than 200,000 entities, many with sensitive and privileged information, that cast a harsh light on how both the firm and its clients allegedly exploited shell corporations and offshore tax shelters. This data breach was so devastating that the firm now operates a separate website solely dedicated to conducting damage control on the incident.

Some of the most prestigious U.S. firms have also fallen victim to cyberattacks. Both Cravath Swaine & Moore and Weil Gotshal & Manges have said they experienced data breaches, the Wall Street Journal reported last year. The intruders purportedly were looking for insider information for publicly traded companies. Then, last December, the Department of Justice filed charges against three Chinese men accused of trading insider information hacked from major law firms, a scheme that allegedly netted $4 million in illegal profits. The events are assumed to be related.

“This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world,” U.S. Attorney Preet Bharara said at the time. “You are and will be targets of cyberhacking because you have information valuable to would-be criminals.”

Email was the source of the insider information in that case, according to the DOJ, with the hackers purloining partner emails after breaking into the firm’s internal networks. But email and law firm networks are only one front in the battle for firms’ confidential data. The really valuable information is often stored elsewhere.

Consider the typical e-discovery process. At the outset of the discovery process, data is collected on the client side, often with minimal removal of sensitive information. Broad collection means that the discovery repository or litigation database is full of highly sensitive data—data that’s been flagged for litigation but not yet culled of confidential material. It is, therefore, an enticing target for cybercriminals. At this point, you’ve basically pulled together a treasure trove of a company’s most valuable information.

But e-discovery repositories aren’t the only place where data security risks are raised during the discovery process. Indeed, in typical discovery, there are multiple points at which data may be vulnerable.

Data is most at risk when in transit, as the FCC notes, and in all discovery workflows, data moves a lot.

A typical e-discovery undertaking might unfold as follows: There’s the initial collection of documents and data, which is then usually sent from the client to the law firm. The firm transfers that data to its internal and external tech teams, or vendors, who prepare it for review. That information is then loaded onto the review platform, where it is reviewed for relevance and privilege. Then, that data is produced to requesting parties—maybe through a secure FTP portal or over email, or perhaps through a hard drive in the mail.

Finally, once produced, the information is at the mercy of the other party’s security protocols, whatever those may be.

Every time that information changes hands, it’s put at risk.

E-discovery data breaches are already happening, according to Lael D. Andara, patent litigation partner at Ropers Majeski Kohn & Bentley PC. “We just haven’t necessarily identified the hacks,” Andara recently told Inside Counsel.

Hackers are only part of the picture, too. Some discovery-related data security injuries are self-inflicted. During the long-running patent dispute between Apple and Samsung, for example, an associate at one of Samsung’s outside law firms failed to properly redact a sensitive and confidential Apple contract, to which Samsung should not have had access, acquired during discovery. The attorney then uploaded the contract to Samsung’s intranet, where 200 Samsung employees, including high-level executives, gained access to it. That disclosure ended up costing Samsung more than $2 million in sanctions imposed by a San Jose federal court.

Many firms are woefully behind when it comes to addressing, or even assessing, these risks. Three out of every four firms have not looked into the costs or risks associated with a data breach, according to a 2014 survey of law firm cybersecurity by Marsh. Nearly 40 percent of firms and corporations haven’t assessed data security risks during e-discovery, according to Kroll. Large firms spend less than 2 percent of their gross annual revenues on data security. All this, despite the fact that over a quarter of large firms have fallen victim to security breaches.

These risks don’t just implicate cybersecurity concerns—they could lead to claims of malpractice as well, as a recent dispute over law firm data security reminds us. The case, Shore et al. v. Johnson & Bell, Ltd., is the first of its kind: a cybersecurity malpractice suit stemming from a Chicago firm’s representation of a digital currency exchange website. The firm handled client trade secrets and confidential information, but its security measures were obsolete, according to the plaintiffs, such that the law firm “systematically exposed confidential client information”—though the plaintiffs did not allege that an actual data breach had occurred.

While that dispute was ordered into arbitration in February, the mere filing of the complaint serves as a foreboding reminder of the high stakes involved with law firm data security.

The most forward-thinking firms and organizations are starting to recognize not only that e-discovery is risky, but that many of those risks can be mitigated. A secure, cloud-based platform that encrypts data in motion and at rest can provide important protections, housing and safeguarding documents as long as is necessary. Permission-based access can make sure documents are retrievable instantly, avoiding needless reproductions while also ensuring easy access—but only to those who should have it.

By hosting information in one centralized, protected hub, attorneys can entrust much of the security infrastructure to experts. The result is fewer opportunities for data to be put at risk, whether by hackers, sloppy security procedures, or archaic discovery practices.

The cloud isn’t the only solution, however. Attorneys can also safeguard their and their clients’ data by making sure that the data is encrypted in transit. That means ensuring that sensitive data is only exchanged via SSL connections. This security protocol establishes an encrypted link between a server and client; it’s the sort of encryption used by banks and e-commerce websites that often handle sensitive data.

Lawyers should also make sure that data remains safe even when it’s in the other party’s hands. That means insisting that opposing parties abide by the same strict standards attorneys would demand for themselves.

This can be accomplished by asking the court to impose a protective order governing the treatment of discovery materials or by objecting to the production of documents without the other party providing a sufficient data security protocol. Offering a pre-approved list of vendors or technologies can often make such demands more acceptable to the other side.

Whatever approach attorneys take, it is beyond debate at this point that e-discovery will be fertile hunting ground for hackers in the days and years to come. Failing to account for this and to keep abreast of other emerging technology issues relevant to legal practice could put lawyers’ licenses, reputations and clients at risk, especially given the recent crackdown by state bar associations on attorneys who fail to understand technology. Smart firms will start taking action now to make sure they don’t fall victim to the next damaging cyberattack.