Banks, Law Enforcement Want Law Firms to Disclose Hackings

Banks and law enforcement are concerned about the breach of sensitive information.

Summary: Many large law firms do not disclose or even acknowledge when their systems are hacked, causing concern for many clients and members of law enforcement.

Although hackings and breaches of Internet security seem more and more common, the legal sector has rarely disclosed such a breach. According to the New York Times, both corporate clients and law enforcement have been frustrated with the failure of major United States law firms to disclose such breaches. According to Bloomberg, such breaches have occurred for the past ten years.


Recently, an internal report from Citigroup’s cyberintelligence center echoed this frustration. The report warned bank employees of the threat of security breaches on the networks and websites of large law firms. The report read, “Due to the reluctance of most law firms to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general in the legal industry, it is not possible to determine whether cyberattacks against law firms are on the rise.”

The report from Citigroup was issued in February. It said that it was realistic to expect these law firms to be targeted by foreign hackers and governments since their networks contain so much confidential data on subjects such as corporate deals and business strategies. The report added that bank employees should be mindful that digital security at many firms has improved, but is below the levels of other industries. The report noted that law firms face a “high risk of cyberintrusion” and that they would “continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications.”

Last year, the hacker Sabu was granted some leniency in his sentence for his cooperation.


Citigroup’s team also noted several ways that hackers have already snuck into law firm websites and servers, such as direct attacks on websites, breaching their systems, or using the law firm names in phishing efforts to fool individuals into revealing private information.

Other Wall Street banks are also pushing the legal sector to take further action against hackers and security breaches of client data. For close to a year, law firms and banks have discussed creating a partnership to share information about hacking events. Banks also want more documentation from law firms about Internet security as a condition of their retainer.

Over the past several months, Mandiant, a security firm that is a subsidiary of FireEye, has advised several law firms that were victims of some sort of breach or attack.

Last January, hackers hacked the popular app SnapChat.

Federal law enforcement is also advising these law firms to be more open about reporting a hacking incident when it occurs. The Federal Bureau of Investigation met with the leaders of law firms in the past few years to discuss their online security. The highest-ranked federal prosecutors at the Justice Department have also begun to meet with these firms. According to a separate article by Bloomberg, these breaches may risk compromising the attorney-client privilege.

John P. Carlin is the assistant attorney for national security. Earlier this month, he spoke at an American Bar Association conference in New Orleans, informing lawyers that they need to inform both clients and law enforcement if cyberattacks or Internet security breaches occur. In a recent interview, Carlin said, “There are still a lot of companies that try to go it on their own. They try to circle the wagons.”


Carlin had not seen the Citigroup report, but said that law firms need to report such serious incidents, and not view them as “a badge of shame.” Carlin said he planned to relay a similar message to investors and big money managers at a hedge fund conference in Las Vegas in May.

According to Citigroup, Fried Frank suffered a watering hole attack back in 2012. Hackers infected its website with malware, which is an intrusive program that can infect the computers of those who visit the site.

Steve Lewis, the director of information systems at the firm, said that Fried Frank’s data network had “never been breached and client information has never been compromised.” Lewis added that the firm’s public website was hosted by a separate vendor and that it “contains no confidential information.”

Covington & Burling, another large law firm, based in Washington, D.C., also suffered an attack in 2012. That attack appeared to have been led by a “China-based” group of hackers who apparently sent fraudulent emails, probably in an attempt to learn more about the firm’s corporate clients, such as energy companies and military contractors. Attorney General Eric H. Holder, Jr., also used to practice there.

In 2013, a Reuters employee was suspended over allegedly helping hackers.

According to Citigroup’s report, the information on the attacks on these two firms was from iSight Partners, which is a security consulting firm in Dallas. It has received financial support from Blackstone. There was no indication that Covington’s systems were compromised.

Citigroup released a statement that distanced itself from the report. An anonymous source said the bank had stopped distributing it. “The analysis relied on and cited previously published reports. We have apologized to several of the parties mentioned for not giving them an opportunity to respond prior to its publication in light of the sensitive nature of the events described,” a Citigroup spokeswoman, Danielle Romero-Apsilos, said.

Two smaller firms, Puckett & Faraj and Gipson, Hoffman & Pancione, also apparently suffered attacks. The hacker group Anonymous retaliated against Puckett after its attorneys represented a soldier who pleaded guilty in connection with the death of 24 Iraqi civilians. Gipson said that it suffered an attack in 2010 because of a software piracy lawsuit that it filed on behalf of a client against the Chinese government.

John Hultquist, a manager at iSight, said that it gathered information on the incidents from several sources, and that hackers were targeting many professional service firms. He said, “It’s not only law firms being targeted for cyberespionage and by cybercriminals. Auditors are regularly targeted, even strategic communication firms.”

Source: New York Times

Photo credit: Huffington Post


