Cybersecurity: NY's Midsize Law Firms to Face Increased Scrutiny
Big banks put the pressure on Big Law first when concerns about cybersecurity came to the forefront, experts say. But now, midsize law firms that have successfully competed for some of that business will lose those clients if they don't meet the same cybersecurity standards as the big firms do.
March 08, 2018 at 02:39 PM
New York's midsize law firms are feeling the heat when it comes to cybersecurity.
Facing scrutiny from regulators, clients, adversaries and peers, midsize firms are taking action like never before. But experts say the sensitive data they store is still vulnerable to hackers who seek to blackmail firms, investors who want to profit from insider trading and thieves who are out to steal escrow accounts.
“I think it would be hard to find a New York firm of any size that isn't feeling the heat from their clients and hasn't taken some kind of action,” said Jason Straight, senior vice president of cyber risk solutions for UnitedLex Corp., which advises law firms and other clients out of its offices in downtown Manhattan. “The midsize firms just have a lack of understanding about how to approach these issues.”
Big banks put the pressure on Big Law first when concerns about cybersecurity came to the forefront several years ago. But now, midsize law firms that have successfully competed for some of that business since the recession will lose those clients if they don't meet the same cybersecurity standards as the big firms do.
The New York State Bar Association, along with its counterpart in New York City, has taken notice and is working to get its members educated. Since the beginning of 2017, the state bar association has presented 10 cybersecurity CLEs and about 500 lawyers have attended.
“A lot of law firms think no one is going to do that to me but that's not the case. It's happening all over the place,” said Marian Rice, who as the chair of the New York State Bar Association law practice management committee is partly responsible for the educational programming.
In her practice representing lawyers involved in malpractice and disciplinary matters at L'Abbate, Balkan, Colavita & Contini in Garden City, Rice began seeing cybersecurity cases eight years ago. The most common type involved funds being misdirected into the accounts of thieves pretending to be clients or adversaries. While it was possible to claw back some of the ill-gotten gains, attorneys did lose clients' money, she said.
John Sweeney, CEO and managing partner of LogicForce, which puts out a law firm cybersecurity scorecard every quarter, said midsize firms do have some catching up to do.
“One thing I would say about midsize v. Big Law, they're very customer-focused but at the same time with regards to the sophistication and investment necessary for what we believe to be best practices at a well-run law firm from a cybersecurity viewpoint, they're a little behind,” Sweeney said.
Of the law firms evaluated in the fourth quarter of 2017, 62 percent were small or midsize with fewer than 150 lawyers. The report specifically warns such firms to take the threat seriously.
“Law firms should not take comfort in thinking they may be too small or remote to be victimized. The event that impacted DLA Piper and innumerable other businesses would likely have affected thousands of law firms in the U.S. if it wasn't primarily a regional event,” the report stated.
LogicForce evaluates law firms against 12 standards, all of which its leaders consider necessary for true cybersecurity.
Compliance was low: Only 43 percent of the firms have documented policies and procedures, 42 percent conduct some type of penetration and vulnerability testing, 41 percent have cybersecurity insurance, 38 percent have a credentialed information security executive, 32 percent make staff training mandatory and 30 percent have multifactor authentication.
Of those that have designated a person to handle cybersecurity, the experts say the firms often choose the wrong person. Sometimes it's a partner who is more focused on bringing in revenue than cybersecurity or an IT director whose main responsibility is making sure that lawyers can log in from the beach, the train or the airport.
“When a partner's primary responsibilities or pressures are servicing the client and bringing in revenue, how much time can they spend on the cybersecurity of the firm?” Sweeney asked.
Luise Barrack, managing member of Rosenberg & Estis, a New York real estate firm with about 80 attorneys, said a hacker recently got into an adversary's escrow account and switched the wire transfer information. The impostor communicated with a Rosenberg & Estis partner for a couple of weeks and tried to get the escrow money sent to the wrong account. The adversary discovered the hack because while the forgery was good, it wasn't good enough, Barrack said.
“Think about it. It's huge. If you can get into law firm's escrow accounts. Who else has that kind of monies that are being transferred?” she said.
Ronald Shechtman, managing partner of Pryor Cashman, a New York City firm with about 170 lawyers, said there was a similar attempt on his firm. The firm, handling a substantial deal, was asked to send a couple of hundred thousand dollars to an account in the Far East.
The attorney asked for written confirmation and got back a fax from the client on his unique stationery with his unique signature.
“Luckily the account number was wrong or something was wrong on the number,” and the transaction didn't go through, Shechtman said. The attorney called the client to apologize for the mistake and that's when it was discovered that the client's email had been hijacked.
“The first lesson is that written confirmation isn't enough,” Shechtman said. “But in terms of the basic cybersecurity protections that you need it's just not an area where you can economize.”
Richard Haddad, who is chair of the litigation practice at Otterbourg, a 50-attorney law firm in New York City, has been in charge of technology issues since he was the youngest partner 19 years ago.
“We have our IT director meet with the cybersecurity teams of the major financial institutions that are our clients,” Haddad said.
The clients make recommendations on whether attorneys should be allowed to access social media from their work computers, whether the staff can check email from work and whether attorneys can cut and paste from the network into email.
“We're shutting a lot of that down and we're restricting the ability to do certain activities remotely,” he said. “Some lawyers don't like the inconvenience but I liken it to you have to take off your shoes to get onto the airline. You didn't used to have to do this but that's part of the process.”
He gets reports about attempted threats against the firm every week. “We have thus far been able to prevent any damage to the firm or the clients,” he said.
Asked if cybersecurity keeps him up at night, he said, “What keeps me up is the argument I'm going to make in court.”
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.