There are only law firms that have been hacked and those that will be

What do the legal departments of Volkswagen, Ikea, Jones Lang LaSalle, Citibank and Caterpillar have in common? Some of their legal work in Russia may have been made public this summer by a hactivist group Anonymous action against the Russian law firm Rustam Kurmaev and Partners, also known as the RKP law.

(Screenshot of the author of the RKPLaw hack announcement on Twitter by @DepaixPorteur)

I had written in harvard business review on the potential of Wikileaks and related groups to “expose your corporate brains” in 2010 before the groups ever did it to private companies. Shortly after, the director of the FBI advance the oft-cited view that “there are only two types of businesses: those that have been hacked and those that will be. And even they converge on a single category: companies that have been hacked and will be hacked again. From where we sit today, that is categorically true.

Law firms find themselves as single nodes under attack in a geopolitical environment with cross-cutting contradictory intentions. In the world of risk, we generally think of threat in terms of intent and capability. Undoubtedly, the ability of groups to breach the IT defenses of law firms is very real. For instance, the hackers who brought down the RKP law told the International Business Times that they spent a month breaking into systems, emailing RKP’s IT team from their bosses’ accounts to taunt them every time they were kicked out.

What really changes is the intention. In this case, the companies described above are victims of the fact that Anonymous aims to remove the main Russian entities following the invasion of Ukraine by Russia. One of these entities turned out to be a law firm that foreign companies have turned to for litigation and anti-corruption work – which they would not want to see in the public sphere.

Of course, this also cuts off the other political track – I wrote recently about Russia sanctioning an unprecedented number of American lawyers, whose law firms are all likely to be targeted by the Kremlin and its hackers. And, of course, companies can become collateral damage without necessarily being the target. It is worth recalling the hit of 2017 Ransomware on Piper DLA who locked down the company’s systems – and allegedly traced to Ukrainian payroll provider hit by fast-spreading Russian malware.

In recent days we have seen China’s forceful response to US House Speaker Nancy Pelosi’s visit visit to Taiwan – everything from missile launches around Taiwan to shutting down collaboration on climate change. Just this week the The United States and Taiwan announced that they are moving towards a mutual trade agreement, which will undoubtedly be the occasion for enormous legal work and lobbying by private companies wishing to influence and prepare such an agreement. It’s not hard to imagine these law firms assisting them, becoming increasingly attractive targets for Chinese hackers.

The good news is that many law firms understand the risk environment they face and have policies in place to do their best to increase the time and effort it would take for hackers to breach their systems. . The American Bar Association (ABA) 2021 Legal Technology Survey Report noted that approximately half of the law firms surveyed have policies in place regarding data retention, use of email, use of the Internet, remote access and social media, with higher scores as practice size increases. Of course, this goes hand in hand with their statistic that 35% of law firms with more than 100 lawyers have experienced a data breach at some point.

The question that interests me most, however, is whether corporate clients are able to properly assess the risk they face in engaging with particular law firms. Traditional cyber assessments aren’t enough in a world where we live under the digital equivalent of the assumption that a burglar can break into any home if they want to. What it really takes is to understand the DNA of the law firms you work with and determine if they are also likely to be a target.

Without this type of analysis, it is particularly difficult to have confidence in a threat or risk assessment. It’s like assuming that the risk of terrorism on an airplane flight is equivalent between different national carriers simply because they all follow the same security protocols. In fact, it makes quite a difference whether adversaries want to cause damage or not, which of course depends on many factors like country of origin in the case of an airplane flight. Or the nature of a law firm’s work in this case.

So, as a corporate lawyer, did you know that more than a third of your major law firms have suffered a breach? Do you have a way to differentiate which law firms you work with are most likely to be targeted and which are not? Are you sure that high-risk partners are processing your data in a way that in the event of an exploit, you can mitigate the damage?

Technological solutions like Thereby can be helpful in learning everything possible about your law firms, but of course traditional approaches like media monitoring the work your outside law firms are doing and forcefully raising concerns can also do a lot.


Portrait of Sean WestSean West is co-founder of Where Technologies, a software company that is transforming the way companies work with external advice. He was previously global deputy managing director of Eurasia Group, the geopolitical consultancy firm. He writes a bi-weekly column in Above the Law on geopolitics and the practice of law. Special thanks to Jacob Shapero for his contribution to this article.

About Marjorie C. Hudson

Check Also

Democrats push for new election law; Key inflation problem for Americans

With the midterm elections just weeks away, Democrats are stepping up a last-ditch effort to …