Don't miss

Why Cybercriminals Attack Law Firms

Craig Petronella

By Craig A. Petronella

Last December, Chinese hackers tried to breach the computer systems at several big law firms including Cravath Swaine & Moore and Weil, Gotshal & Manges looking for data to exploit insider trading deals, according to the The Wall Street Journal.The alleged attackers attempted and succeeded in accessing data over 100,000 times and were never detected. Their network was like a revolving door, the Journal reported.

“This case of cyber … fraud should serve as a wakeup call for law firms around the world. You are and will be targets of cyber hacking because you have information valuable to would be criminals,” said Preet Bharara, the United States attorney in Manhattan.

But it’s not just mega-firms that are at risk. Small and mid-size law firms may be exposed as well. Firms that handle credit cards and firms that are required to meet HIPAA rules and regulations are particularly tempting targets for hackers.

In December of last year, an unsealed lawsuit alleged that 100-partner, Johnson & Bell, a Chicago firm committed “malpractice” through shoddy cybersecurity. While the final outcome of the suit is pending, “the action may be a kind of test case for future law clients looking for leverage over firms they feel carelessly exposed confidential data to hackers,” said Andrew Stickler of

“The plaintiffs alleged the firm’s file and online systems were rife with ‘critical vulnerabilities’ primed for hackers, even as Johnson & Bell presented itself publicly as a cybersecurity expert,” reported Law360. com. “The complaint does not point to any specific data breach or loss of confidential information suffered. Instead, it focuses on a broader alleged failure to reasonably protect sensitive client data, particularly through an online attorney time-tracking system and the use of a virtual private network, or VPN.”

“Notably, the suit (against Johnson & Bell) also refers to newly strengthened professional conduct rules on client confidentiality and electronically stored data. Following ABA Model Rule changes since 2012, some of the changes were adopted in Illinois last year and went into effect in January 1, 2016,” reported

Your firm may already be under attack and you may not even know it. Hacking instances at law firms are rarely reported. Many technology specialists say the problem is likely bigger than the industry realizes because many online attacks go undetected.

“As stricter conduct guidelines are adopted around electronic data, courts will move toward a stricter view of liability of firms with less-than-stellar security practices,” said University of Denver’s Sturm College of Law’s Wald. He also noted that the spread of cyber-attack insurance might be a deep pocket for malpractice claims to target in the event of a known cyberattack.”

Here are some questions to answer to determine what your exposure may be.

  • Have you ever completed a risk assessment?
  • When was the last penetration test completed?
  •  In 93% of cases where data was stolen, systems were compromised in minutes or less. Zero-Day malware gets past any brand firewalls or antivirus. What additional security technologies do you have in place to protect your practice?
  • Do you accept credit cards? If so, you are subject to PCI-DSS compliance. What steps have you taken to ensure PCI-DSS compliance?
  • What data do you store and exchange? Are you confident it’s well protected?
  • Do you use keystroke encryption on all computers and smartphone devices?
  • Do you have security awareness training in place for all staff
  • Do you use a secure website hosting solution with multiple layers of protection such as blocking all countries you don’t do business with?

If you can’t place a confident check-mark by all those questions, you’re at risk. In fact, you may already have been hacked and don’t yet realize it.

We are in the golden age of cybercrime. Hackers seem to up their games on a regular basis. After all, it is their “job.” And they’re always looking for ways to advance in their chosen field.

And don’t underestimate the value of your information to hackers. Even if you don’t store credit card information, even if you’re not subject to HIPAA regulations, your information is still valuable.

A login to a single iTunes account is said to be worth $8.30 to a hacker, so how much more valuable is the client information you’re storing?

Craig A. Petronella is the owner of Petronella Technology Group Inc., a Raleigh managed IT security services provider specializing in cybersecurity, cloud computing, disaster recovery, and regulatory compliance. Craig has spent 30 years showing clients how to leverage their IT technology to increase profits, reduce operating expenses and protect against hackers and other cybercrime. Craig attended North Carolina State University College of Management and has authored multiple books, including “How HIPAA Can Crush Your Medical Practice,” “Peace of Mind Computer Support” and “Cryptolocker – Thieves are After Your Business.” For more information, visit or call 1 (877) 421-1112.