Cravath confirms IT systems breach

Cravath Swaine & Moore has confirmed that its IT systems were breached last summer, after a report by The Wall Street Journal this week claimed that both Cravath and Weil Gotshal & Manges are among the prestigious U.S. law firms to have been hacked.

Weil Gotshal declined to comment on the report, which claims that federal investigators are exploring whether hackers stole confidential information for the purpose of insider trading.

In a statement sent to Legal IT Insider, Cravath said: “Last summer, the firm identified a limited breach of its IT systems. We have worked closely with law enforcement authorities who have jurisdiction over this matter, and we are not aware that any of the information that may have been accessed has been used improperly. Upon identifying the incident we immediately supplemented our IT security measures with the assistance of additional outside security consultants.

“Client confidentiality is sacrosanct. We continually invest in state-of-the-art systems and procedures and work with clients and security firms to assess the strength of our protections. We will continue to work to ensure our systems are best in class.”                                                                                                                                                                                                                                                                                                                            

Both Cravath and Weil Gotshal are in the top 65 of global law firms and among the Wall Street elite, generating revenues of around $648m and $1.15bn respectively in 2015.

Law firms have long been flagged as potential targets for hackers but breaches rarely become public. In its 2015 Annual Security Report, Cisco identified the legal sector as falling in the top 10 of potential targets for web malware encounters, placed at number seven, ahead of the agriculture and mining, insurance and utilities sectors.

Cisco Security Research examined eight types of attack methods to determine whether targeting by adversaries or how people use the web was the key factor for increasing an industry vertical’s risk for malware encounters. They found a “perfect storm”, with the combination of targeted attack methods and careless user behaviour online both having an impact on the level of risk.

In the UK, figures released in 2015 following a freedom of information request to the Information Commissioner’s Office (ICO) by Egress Software Technologies, showed that 173 law firms were investigated for a variety of incidents falling under the Data Protection Act 1998, of which 29% related to ‘security.’

The ICO, which must be informed of all serious breaches, can serve a monetary penalty of up to £500,000 for a serious breach of the Data Protection Act, provided the incident had the potential to cause substantial damage or substantial distress to affected individuals.

The European General Data Protection Regulation (GDPR), which is set to come into force in early 2018, will impose increased penalties and fines on companies which fail to protect data adequately, or are subject to a breach.

The GDPR, which comes into play where a breach may pose a risk to the rights and freedoms of individuals, establishes a tiered approach to penalties for breach, with some infringements attracting a fine of up to 4% of annual worldwide turnover.