MIND THE BACK DOOR
Protecting Client Information from Cyber Threats
by Suzanne Skinner and David Matthews
Here’s a nightmare. Going through your work emails, you notice a confirmation from your bank of a six-figure cash transfer from your client trust account. Your bookkeeper knows nothing about it. You panic. A cybersecurity specialist eventually discovers that your bookkeeper clicked on a link that allowed a computer virus to copy account numbers and passwords as she typed them — giving hackers direct access to the accounts.
This nightmare became reality for a Toronto law firm last
1 That attack was not unique. Cyberattackers increasingly target law firms.
The Exploding Problem of Data Breaches
Why? Press attention on large-scale cyberattacks has prompted corporations to beef up their cybersecurity. Hackers, looking for softer targets, recognize that corporations’ law firms store massive amounts of confidential and valuable data — from intellectual property to business secrets to personally identifiable information — making them a virtual back door to their clients’ data and funds, as well as the firm’s. Moreover, law firms aggregate the sensitive information of many corporate clients, making them “one-stop shopping” for hackers. And some law firms are still storing information on a single directory, making mass theft easy.
Law firms have rarely gone public about attacks — for business and ethical reasons — and without much press coverage of the threat, too many in the profession are ignorant
The threats are real and frightening.
Chinese cybercriminals infiltrated the relatively soft target of seven major Canadian law firms to attempt to derail a
corporate acquisition by destroying data and stealing sensitive client information.
2 More commonly, law firms face
“advanced persistent threats”: attacks that slip by a firm’s
standard firewalls, focus on specific targets, and lurk undetected while collecting intellectual property and other data.
Mandiant, a prominent security consulting firm, estimates
that 10 percent of its recent investigations of “advanced persistent threats” occurred at law firms.
Data leaks, whether intentional or negligent, are another
threat. A data leak by a Seattle law firm grabbed the head-