The Biggest Threat to Law Firms…?

One of a project manager’s key tasks is to evaluate risks that threaten projects, mitigate them, and prepare contingency plans.¹ It is a task that should be repeated on a regular basis.

In that spirit, I want to look at a risk that threatens firms (and corporate departments), and potentially the legal industry as well.

Let me do that by sharing what happened to Smith & Wollensky LLP in 2014, as told by the managing partner:²

It started in May. We’d just broken into the AmLaw 100, PPP was holding steady, and with the economy continuing to claw its way back we were feeling good about the future of S&W. So when John, a litigation partner, showed me the reference in Above the Law, I dismissed it on two grounds. First, ATL is as much a rumor sheet as a news source, and second, the tip about our largest client’s litigation strategy couldn’t have come from us. Everyone at S&P knows the value of confidentiality and privilege. We even drill it into the outfit that cleans our offices.

Still, a trickle of sweat dripped down my back. Not only would the leak disadvantage us in upcoming settlement negotiations, it would give the client yet another reason to be unhappy about what they were getting for the small fortune they transferred to our account each month.

Sure enough, their litigation DGC called later that morning. “The leak isn’t on our side,” she said. “You’re the ones putting the strategy together.”

John and I smoothed it over easily enough. Small irritants mar the surface of any relationship. There was too much at stake for both the client and us to overplay this minor incident.

I forgot about it until the next Monday, when the Journal’s LawBlog called us for a comment about releasing our client-and-fees list. “I hope you know what you’re doing,” Joe P. said.

“We’re not doing anything.” I pleaded with him to hold the story until we’d had a chance to investigate. He gave us until noon Eastern time.

None of the partners knew anything about it, and most were appalled. The rest, worrying about their jobs, had bypassed appalling for downright scared. I called in our IT director. He reported back an hour later that there  had been no email sent from our system with this information, and that our accounting system hadn’t run such a report since the partner retreat two months ago.

I called in my admin, who’d prepared the report. “Did you re-run this?” I asked.

“No. I never even distributed it. Like you told me, I projected it from my computer and then deleted it.”

I called Joe back and pleaded. He said he had to run the story. I gave him a quote denying both our involvement and the list’s accuracy. I asked him to stick to the noon deadline so I could call clients. He was unhappy, but he’s a good guy and eventually agreed.

I got our practice heads on the phone and told them to call every major client. We spent the rest of the day making and returning calls. It wasn’t pretty, and we had to make a few concessions and adjustments, along with one rebate, but we muddled through.

In the blue car heading home that evening, I finally had time to read the blog report in detail. Both the blog and ATL had published the complete list, each claiming that they couldn’t sit on it for fear the other would beat them to it. The list was accurate. I compared it to some billing notes I had on my computer, and the data matched.

It matched even for BigCo.

BigCo was a client we had landed two months ago. Right after the retreat.

Someone had access to our current data.

In a panic, I called the IT director. He joined his panic to mine. I told the car to turn around. He summoned some experts, and we were all in his office by 8:30 PM.

One of his people ran a quick report on our GL data. The published lists had it right, and had it current.

“Internal leak or external hack?” I asked.

The IT guy shook his head sadly. “Probably a leak, because our systems are secure. I think.”

“Who has access to this information?”

“Check it,” the IT director told one of his team. She typed some stuff into the computer, then sat with a puzzled look on her face. She typed some more. The IT director and I moved to read over her shoulder. I figured I wouldn’t understand whatever arcane script she was using to interact with the machine, but I couldn’t help myself. The expression on her face….

But I did understand it. One window read, Access denied. The cursor was spinning; even I knew that meant the system was busy. Then the cursor stopped spinning.

Back to normal. We breathed a small sigh of relief. She clicked the X on the Access denied window and it went away. She typed a few commands. The screen showed a list of people with access to our GL system.

I was on it. The IT director was on it. So were Porky Pig, Donald Duck, Bugs Bunny, and Mr. Magoo.

We glared at the screen, hoping the collective weight of our anger and frustration would cause the cartoon characters to vanish. The IT director said, “Try again.” His voice was high, tight, thin.

She did. This time it read “Duck season. Rabbit season. Rabbit season. Duck season. Blam. Bye-bye, data.”

Panicked, she typed furiously into the machine. Nothing. It responded to her commands, but there was no data in our GL system. The records were blank.

“Backups,” she said. “We back it up every couple of nights. We’ll be fine.” She didn’t sound fine.

“Try another system,” the IT director commanded.

“Matter management,” I suggested.

The IT pro typed again. No clients appeared.

“Document management?” I whispered.

She picked a case file and ran a list. All the documents that I expected to see were there. Even better, there were no extraneous ones, no scripts from Bugs Bunny cartoons, no absurd names.

“This one’s good, then.” I said. She pointed at the screen.

I looked at the list. It seemed fine. Then I realized which column she was pointing to: the time of the most recent save. All of them had been saved within the past hour.

“That doesn’t make sense,” I said. “Open one.”

She double-clicked, and up came a document. It looked fine, except for the line at the top. “For publication. Smith & Wollensky releases all copyright and waives all priviledge.”

I couldn’t focus on what it meant. Instead, I kept staring at the misspelling. Who in a firm doesn’t know how to spell privilege?

Now, a month later, I know the answer to that question. It didn’t come from the firm, of course. Our systems had been hacked, likely by someone for whom English wasn’t a first language. For all I know, their alphabet wasn’t even the familiar Roman script. But the public didn’t care who did it, or where they were from.

Instead, for two days they feasted on our strategies. They shared some of the questions our clients had asked, inferring illegal activities from the inartfully worded queries. (They were right on a couple of those.)

Thursday and Friday brought schadenfreude from other law firms as S&W dissolved. A few key players were snapped up, some as laterals, some taking a step back to associate or of counsel but letting the promise of a paycheck outweigh any sense of pride. Most of our lawyers had nowhere to go; there was a glut of attorneys on the market, exacerbated by half a dozen well-known firms of two years ago now being nothing but memories and leftover stationery. Truth be told, the absence of a few firms higher in the AmLaw pecking order was the main reason we’d climbed into the first hundred.

Looking back, the good news, if you can call it that, is that we weren’t the only firm killed by hacking. Like bowling pins, one firm a week went down. Or like European bowling, I should say, where they play with nine pins. The destruction stopped after nine weeks, nine AmLaw 100 firms.

It stopped because the public was up in arms. Corporations were paralyzed when it came to legal matters. Class-action suits were filed faster than ants attack a picnic, and there were nearly as many suits as ants. Some judges said privilege was maintained in this extraordinary situation, while others said it was waived. Congress passed emergency legislation, with good intentions but with little effect accompanied by great confusion.

Lots of fingers were pointed. The legal profession itself formed a circular firing squad and began blasting away. The Rabbit Season script had been prophetic.

Our legal system dissolved into chaos.

No, that’s not quite true. Divorces and criminal cases and little-guy-sues-other-little-guy stuff went on as usual. The chaos was at our level, big corporations, BigLaw. Corporations pulled work in-house, dropped any number of formerly critical matters, even sent some work to India when the Indian government promised the full power of its state cybersecurity teams to protect information.

I know the criminal cases are still going on, because I’ve used both my houses to secure bail. I’ll probably lose them to civil suits anyway.

I can’t see what I did wrong, but I understand the public needs a scapegoat. I’ll survive. I think.

But BigLaw may not. Already more than 20 of the AmLaw 100 are gone, between mergers, dissolutions, and simple lack of high-fee business.

And we as a firm prided ourselves on data security. We took internal security seriously. But we never planned on a massive, coordinated cyberattack.

I wish I knew what we — what I as leader — could have done differently.

 This story is fiction. But it’s based on fact.

The cyberthreats are real. Few systems are prepared for it. Consider Stuxnet, which penetrated the ultrasecure Iranian nuclear program. Consider what happened at Aramco in August, where Iran may have struck back.³

How well prepared are your systems? Can you restore backups? Do you know the backups haven’t been compromised as well?

More importantly, what are you doing to stop it before it starts? And how do you square high security with the need for attorneys to actually get to their data and use it?

I don’t have the answers, frankly. Cybersecurity isn’t my field, though through my years at Microsoft and elsewhere I know enough about it to be aware of how severe the threat is… and how easy it is to compromise most computers.

Anyway, this is very scary stuff. I hope firms take it seriously – cybersecurity, not my little story, which after all is a fable. (You can tell because the fictional narrator misstates the name of Chuck Jones’ famous and brilliant cartoon short Rabbit Fire.)

I now return you to your regularly scheduled programming.