Retailers, social networks, health care providers and insurers—each has taken its turn as a favorite target for cyber criminals. Over the past two years health care has assumed center stage, capped by the 2015 attack on Anthem that exposed almost 80 million records. But as we enter 2017, a new—and significantly more cunning—threat is emerging: hacking-facilitated securities fraud.
The tactics differ from case to case, but the strategy remains the same. Attackers seek access to confidential records concerning a public company’s earnings, merger & acquisition plans, or product developments prior to public release and use the information to make illicitly informed trades. But rather than attack the company’s own servers, which would be the most obvious but best-protected target, cyber criminals are identifying weaker links in the information chain of custody.
Top of the list? Law firms.
As of this week, three Chinese nationals have been charged for allegedly hacking into two major U.S. law firms in a bid for information related to clients’ pending mergers. The three defendants, Iat Hong, Bo Zheng and Hung Chin, allegedly used malware to infiltrate the servers of two law firms in 2014 and 2015. The information they stole led to $4 million in illegal profits.
Manhattan U.S. Attorney Preet Bharara said the case “should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals.”
If Mr. Bharara’s warning is not enough, pending litigation very well might be. In early December, Chicago-based Johnson & Bell was named in the first public data security class action complaint against a U.S. law firm. The suit, which alleges that Johnson & Bell failed to adequately care for confidential client information, is likely to be the start of a string of similar cases.
What can law firms do to address this growing threat? Keeping information confidential is a pillar of every law firm’s promise and service to its clients. Investment in cybersecurity is clearly a first step, but as we all know, even the best security is not infallible. Firms must plan for a worst-case scenario. The ability to effectively communicate with law enforcement, clients, and internal audiences in the wake of a cyber breach can save a firm’s reputation and even mitigate its legal liabilities.