On the television show “The Weakest Link,” each round concludes with contestants voting off the person they perceive to be the most vulnerable fellow player. Hackers play a similar game, but it’s neither trivial nor televised. Frustrated by the strong security defenses that corporations have mounted, hackers are probing for a weak link, and they may have found it: law firms. If they can’t break through the corporate walls in cyberspace, perhaps they can attack the advisers and counselors to corporate America.

In May, Minneapolis’s 130-lawyer Gray, Plant, Mooty, Mooty & Bennett upgraded its computer system. The firm was clear about why. “The new trend [among hackers] is to go to accounting firms and law firms that handle the corporations, since most likely they’re not as secure from attacks,” wrote James Schewe, an information systems supervisor, in a memo. Gray Plant had been deterring 40 hack attacks a month before upgrading its system. After the upgrade, the number of monthly attacks fell to about five.

Other firms aren’t as vigilant. Law firms have a long tradition of maintaining client confidences, but not necessarily in the online world. According to the 1999 ABA Legal Technology Survey Report (the latest available), more than half of firms surveyed did not take any security precautions when communicating online. Legal ethics rules don’t require lawyers to encrypt e-mail, but that doesn’t mean that lawyers shouldn’t. As Alan Brill, senior managing director of New York-based investigative agency Kroll Associates, notes, “E-mail is more like a postcard than a letter. As it traverses the Net, every node it passes through has the capability to read it.”

Why are firms more vulnerable than their clients? There are several reasons, says Eric Steele, a lawyer and technology consultant with Chicago’s Steele Scharbach Associates. “Law firms are much more conservative [about technology] — and they’re all small business, by corporate standards,” he says. “They tend to be less sophisticated, less protected.”

They also tend to be cheap about things that they can’t expense to clients, like computer security. “I see trouble all over L.A. The partnership model precludes spending a lot of money on IT — any dollar spent [there] does not go into the partner’s pocket,” says Lee Schwing, director of information technology at Century City, Calif., entertainment boutique Ziffren Brittenham Branca.

So how many hackers have infiltrated firms? Is this all merely urban legend? All we know is that there is a lot of talk. And when there’s talk, there’s likely action. But the hackers themselves and the firms aren’t fessing up to any mischief. One Los Angeles technology director refused to be interviewed, for fear of presenting a challenge to hackers. Gray Plant’s Schewe doesn’t have any hard proof that his firm has been the target of anything more than random attacks by caffeine-buzzed, Twinkies-fed college kids. But a series of overseas attacks has made him suspicious.

One of the greatest vulnerabilities for firms is lawyers who work from home. It’s not the stodgy partner with the slow dial-up connection who’s at risk but the propeller head with high-speed Internet access. High-speed home Internet accounts (whether they are offered via cable modem or DSL service) are different from regular dial-up accounts in two respects. They are always on, and their Internet address doesn’t change. These give hackers both time and opportunity to hack away. Unless the home user has a firewall in place, it is relatively easy to access his or her hard drive and possibly the given firm’s servers, too.

“If the underlying concept is the weak-link theory, then home high-speed Internet access may be the weakest link,” says Brill of Kroll Associates. Brill says that clients should insist that their lawyers install basic but powerful firewalls at home, such as Zone Labs’s easy-to-configure (and free for personal use) ZoneAlarm (www.zonelabs.com).

Clients are partly to blame. “I would think clients would have insisted on checking [firm security precautions], but I’ve been shocked no one has,” says Ziffren Brittenham’s Schwing, whose firm represents Microsoft Corporation, DreamWorks SKG, and other otherwise tech-savvy companies.

Some clients export their savvy to the firms they hire. When a large multinational hired Gray Plant several years ago as trial counsel, the company built a highly secure, firewall-laden system within the firm’s system.

Others would rather import their outside lawyers — literally. Michael Roster, the chairman of the American Corporate Counsel Association and general counsel for Oakland’s Golden West Financial Corporation, says that lawyers should be spending more time “getting out of their skyscrapers” and working on-site at their clients’ offices. The security of documents would be greater, and there would be other benefits, too. “A lot of other professionals know it’s better to work at the client’s site — you become far more integrated into their processes. Accounting firms put people on the client’s premises for years,” Roster says.

Roster’s remarks go against the trend at many firms to share and collaborate with clients online through private and protected Web sites, known as extranets. In the most recent AmLaw Tech Survey, 90 percent of the respondents reported setting up extranets for clients; nearly one-quarter are running more than 20 each.

John Tredennick Jr., a former litigator and current chief executive of Denver’s CaseShare Systems, a firm automation and collaboration vendor, says that his clients are requiring corporate-level security from their lawyers. “I’m not preaching this,” he says. “This is what our [corporate] clients are demanding from us.”

It’s a pricey demand. A large firm can easily drop $250,000 on buffing up its security systems. Tredennick says that a professional security audit (including “friendly” hackers hired to probe a system’s weaknesses) runs $40,000-$120,000. For bulletproof security, there ought to be two firewalls and three servers — including a dataless “demilitarized zone” in the middle — separating lawyers from the outside world. The setup can cost $100,000, and that’s before the expense of software to patrol for hack attacks.

For firms with more modest aspirations, many of the strongest security measures are free. The best defense is an ugly password — composed of lots of random characters. The second best is a password that changes every month, or more often. Schwing recalls hiring a team of hackers to try to penetrate her system. “I said, ‘Oh, by the way, we have 14-character passwords, which must contain upper- and lowercase and nonstandard symbols.’ They said ‘Oh, my God, you’ve almost locked the door on us.’”

It also pays to keep an eye on the real world. Are temporary employees given passwords that let them look at key documents? Says Roster: “We go through this craziness of conflict checks on the lawyer side, but no one screens the support staff who are moving around all the time.”

It sounds like time for some due diligence. Just don’t plan on billing for it.

David Brauer is a free-lance writer based in Minneapolis. His wife is an associate at Gray Plant.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.