Law Firms Overlook Vulnerabilities to Cyberattacks, Panel Says
While applauding Google’s unprecedented decision to disclose that its networks had been infiltrated by a China-based espionage operation in 2010, panelists at the ABA Annual Meeting in Toronto expressed doubts that law firms would disclose similar breaches to clients—despite possible ethical duties to do so. In fact, although lawyers routinely advise clients of the dire consequences of computer-based attacks, they often overlook their own weaknesses, panelists said at the Saturday session.
“Law firms ignore [cyberthreats] at their own peril,” warned moderator Suzanne E. Spaulding, a principal at Bingham Consulting Group. Despite the media attention on attacks on high-profile companies like Google, it is not uncommon for data hijackers to go after law firms that serve clients they’d like to target; or for them to target federal court computers that house drafts of unannounced yet influential court opinions, added Harvey Rishikof, chair of the ABA’s Standing Committee on Law and National Security.
At that point, the damage to a client’s business—and the reputation of the law firm subjected to the attack—may be irreversible, the panelists noted.
The decentralized nature of law firm governance and the distinct ethical obligations of the legal profession only add to the difficulty of discerning the best methods to protect firms from data breaches and subsequent reporting methods, added panelist Stewart A. Baker, a partner at Steptoe Johnson, and conference attendee Albert C. Harvey, a senior member of Memphis, Tenn.-based firm Thomason Hendrix Harvey Johnson & Mitchell and former member of the ABA Board of Governors who served on the ABA’s Ethics 2000 Commission.
The session, “Foreign Espionage Targets the Private Sector: The Cybersecurity Threat from Nation States,” was sponsored by the ABA’s Administrative Law Section, Section of International Law, Law Student Division and Government and Public Sector Lawyers Division.