Leaking information

Law firms are hubs of confidential information. Are they doing enough to protect it from prying eyes?

Daniel Tobok, Telus Security Solutions Toronto

Law firms are custodians of their clients’ information. As such, they’re expected to ensure that confidential information doesn’t fall into the wrong hands. But are they really doing enough on this front?

Ever since the internet went mainstream, hackers have gone to great lengths to access critical corporate information. Now, in the wake of former U.S. intelligence contractor Edward Snowden’s revelations about National Security Agency eavesdropping, there is growing concern about the prying eyes of governments.

And there’s more to it than the monitoring of online activities motivated by national security concerns. The bigger risk for law firms is cyber-espionage committed by state-sponsored organizations, or governments themselves, looking to obtain corporate secrets for their own benefit.

“If you’re thinking of focus points or hubs of critical and confidential information about [stock] markets, then you can imagine that one of those hubs is going to be a law firm,” says Duncan Card, partner and co-head of Information Technology with Bennett Jones LLP in Toronto. “One of the large law firms in Canada, at any one time, will have numerous confidential transactions going on; and information that is illegally secured about those transactions could have an impact on public markets. As well, confidential information about client strategy, business relationships and all the other confidential information that lawyers have would be an attractive target.”

Several of Canada’s major law firms have already had to deal with raids on their information systems. Between September 2010 and April 2011, hackers traced back to China infiltrated the networks of seven Bay Street law firms in an attempt to derail Australia- and U.K.-based BHP Billiton Ltd.’s $40-billion proposed takeover of Potash Corp. of Saskatchewan. The deal later fell through for unrelated reasons, but the episode was telling.

This past February, Virginia-based cyber security firm Mandiant Corp. published a report tracing a series of cyber attacks on 141 companies across multiple industries, dating back to 2006, to a Shanghai-based unit of China’s People’s Liberation Army, known as APT1. Although the report made headlines around the world because of the scale of the cyber espionage operation, it’s what wasn’t published that is cause for greater concern.

“The first thing that gets lost about the report is that this is simply one group, and we’re tracking dozens and dozens of these groups around the world. Most come from China, but many come from other countries as well. This is a very small piece of the overall pie,” says Shane McGee, general counsel and vice president of legal affairs with Mandiant. “And absolutely law firms should be concerned.”

McGee was once a partner and co-chairman of the Internet and Data Protection Group with SNR Denton US LLP. He says law firms pay less attention to security than a typical business of similar size, which is counterintuitive given that law firms have in their possession so much valuable information — the “crown jewels” of hundreds of thousands of their clients. “A law firm is a one-stop-shop [for hackers] because they can break into one network and get everything they need. It could be intellectual property information or other proprietary information about deals,” he says. “And this, in conjunction with law firms’ de-emphasis on security, presents a large and very attractive target.”

Complicating matters, law firms have more to worry about than their own servers. Lawyers have adopted en masse mobile devices and cloud services to work more efficiently. And yet major providers of these services, such as Google or Microsoft, are big targets for hackers.

“I often preach to law firms that they should not be using cloud or online services such as Google or Dropbox for a very simple reason: you have no control over [the data],” says Daniel Tobok, managing director, forensics, with Telus Security Solutions in Toronto, who helped in the investigation of the hacking of Canadian law firms in the Potash breach. “We know many law firms that have gone to the cloud as a backup service. They put everything up there and they have no control over this information or in which jurisdiction it sits, and that’s a big problem.”

This information usually resides on a server somewhere in the U.S., since the vast majority of reputable cloud service providers are based in that country. That fact, along with the revelation that under PRISM the U.S. government is collecting the communications of foreign nationals, including Canadians, is worth thinking about.

“Lawyers don’t realize how much data sits in servers in the U.S.,” says Barry Sookman, senior partner and former chair of the Technology Law Group with McCarthy Tétrault LLP in Toronto. “Even applications on smartphones that read email to you or translate content into another language, or when you’re using a GPS program for navigation, are cloud-based; and, in theory, all that data goes to the U.S. and is subject to the surveillance applicable to PRISM.”

Even when the data is stored in Canada, it doesn’t mean it will escape the eyes of the NSA if it’s sent online — even through a Canadian-based internet service provider (ISP). “For Canadians, it’s not enough to say make sure you’re using Canadian ISPs,” says Ronald Deibert, professor of political science and director of the Canada Centre for Global Security Studies and the Citizen Lab at the Munk School of Global Affairs, University of Toronto. “If you look at the physical infrastructure of the internet, almost all communication, even that which is locally networked, transfers through exchange points in the U.S., which is 90 per cent of it.”

So, is there reason for concern if the NSA gets its hands on valuable, confidential information belonging to a law firm or its lawyers? That’s up for debate. “It’s difficult for individual lawyers and firms to assess the risks because the actual operations of PRISM are not public. Orders are confidential and enterprises that are complying aren’t permitted by law to inform the public,” Sookman says. “And with the public and law firms not actually knowing what the risks are, that’s part of the risk itself: How do you operate in a sphere where it’s hard to determine exactly what the risks are?”

But while it’s highly improbable that the U.S. government — or any other from the developed world conducting surveillance for national security reasons — would use that information for business or monetary gains, there are risks that come along with such programs. Deibert explains: “A good instructive case is the Athens Affair that happened in Greece where, for criminal purposes, lawful intercepts that were built into the cellular network were exploited to extort government officials. It shows — when you look at the system that was put in place, the companies that were involved and the technologies that were designed as part of lawful intercepts — how much we secrete and is accessible to third-parties.”

Still, others such as Card and McGee don’t see any reason for lawyers or law firms to be concerned about government surveillance when it comes to confidential data. “When governments get involved in intelligence gathering, it’s done in accordance with the rule of law,” Card says. “Hacking and illegal penetration of data by illegal enterprises has nothing to do with the activities Snowden was talking about. This has all become very confusing in the press, but these are very different things.”

“I don’t think this is something that would concern me, as a lawyer, as much as another government getting my information,” McGee adds. “Knowing that the Chinese could steal this information and use it against you in a commercial context, that presents far, far more of a danger to any law firm than if your government got a hold of the data.”

What is clear is that keeping a law firm’s information protected is becoming a greater challenge every day, as lawyers are compelled to embrace evolving technologies. “It’s quite a challenge that law firms have because on the one hand, they want to protect data, but on the other hand, they want to facilitate innovation among lawyers so that lawyers can take advantage of some of the new technologies that can reduce cost and make practice more efficient,” Sookman says.