Data security: Lessons from Foley’s insider trading case

Law firm data security has once again been hurled into the spotlight thanks to the prosecution in May of Walter ‘Chet’ Little, a former Foley & Lardner partner who allegedly used his unrestricted access to the firm’s document management system for insider trading alongside fellow defendant Andrew Berke.
Little, a real estate partner, has been charged by the Securities and Exchange Commission with making $1m in illicit profits after repeatedly accessing confidential documents relating to at least 11 impending corporate announcements from seven of Foley’s clients – Hanger; Magnetek; Douglas Dynamics; Pentair; Oshkosh; Harley Davidson; and Whiting – none of which he personally advised or billed for services. Little is then alleged to have traded in advance of those announcements becoming public and tipped off Berke, his neighbour, so he could also make trades.
The SEC claim notes that, while Little didn’t advise on any of the corporate matters in question, his access rights included “both ‘viewing’ and ‘opening’ documents. When Little viewed a document, he could see the contents but did not have the ability to edit or to create a new version of the document in question. When Little opened a document, he had the ability to both edit the documents and to create a new version.”
In a parallel action against Little and Berke, the U.S. Attorney’s Office for the Southern District of New York announced criminal charges against Little for 11 counts of securities fraud and one count of conspiring to commit securities fraud. The criminal charges note that Foley maintained a document management system (which we know is NetDocuments) that recorded the dates and times that users viewed, opened, or printed documents saved on the DMS. Documents carried a document name plus the client and matter number to which they related.
In relation to clients such as Magnetek, for example, which Foley was advising in its acquisition by Columbus McKinnon, Little is alleged to have accessed multiple documents named under ‘Project Megatron’ and purchased shares in Magnetek, which went up in value when the acquisition was announced.
The case is the latest high profile known charge of law firm insider trading. Earlier charges were made against Wilson Sonsini Goodrich & Rosati information technology engineer Dimitry Braverman, and Richards Layton & Finger information systems and security manager Jeffrey Temple, who was accused in 2010 of trading ahead of announcements from clients including Google and Disney. In March, Reuters reported that Robert Schulman, an Arent Fox partner formerly at Hunton & Williams, was convicted of securities fraud in a Brooklyn federal court. In 2015 Steven Metro, former attorney and M&A clerk at Simpson Thacher & Bartlett in New York, pleaded guilty to insider trading.
Much like for those firms, the case against Foley is a reputational nightmare. It, alongside a raft of recent or impending regulatory changes, will provide further fuel for the argument that law firms should adopt ‘need to know’ security, whereby files in the firm can be accessed only by those who are working on them. It should also cause firms – which until only relatively recently have fixated on their perimeter firewall – to look closely at solutions that monitor irregular activity from within.

There are few good recent statistics to show how insider threat compares to the risk of an external hack. But in September 2015, Intel Security conducted a high profile survey that found internal employees account for 43% of data loss, around half of which are non-accidental. Ben Weinberger, vice president of solutions at Prosperoware, which sells software to help law firms compartmentalise their data, says: “Of course, we’re all focussed on outside hacks but look at the Panama Papers – that was an inside job. The more likely concern is insider threat.”
Do you need to know?
Need to know security is still unpalatable to many law firms thanks to fears that it will cause logistical and workflow delays and prevent law firms sharing and capitalising on acquired knowledge. When we revealed in September 2016 that Dentons is trialling and likely to adopt need to know or ‘pessimistic’ security, one UK IT director reflected the sentiments of many in saying it was out of the question, commenting: “We could just extract the knowledge but the real knowledge isn’t just about the precedent, it’s how we did the deal in its entirety.”
The global regulatory position has evolved since then: regulation that came into force in March from the New York Department of Financial Services includes a provision that financial institutions “shall limit user access privileges to information system that provide access to nonpublic information.” Weinberger told Legal IT Insider: “That regulation is interesting because it applies to any financial institution with a presence in New York and any vendor managing data for those institutions, which includes lawyers.”
Guidelines for law firm cybersecurity measures from the Association of Corporate Counsel, which were also published in March, specify that law firms must limit access to data. The ACC guidelines say: “Outside counsel must have logical access controls designed to manage access to company confidential information and system functionality on a least privilege and need-to-know basis, including through the use of defined authority levels and job functions, unique IDs and passwords, two-factor or stronger authentication for its employee remote access systems (and elsewhere where appropriate).”
Impending European legislation under GDPR – which will affect a post-Brexit UK and the US – is also expected to put firms under pressure to lock down their data. Weinberger, who spoke on this topic at ILTA LegalSEC 2017 to a packed room, says: “Regardless of whether your DMS is pessimistic or optimistic by default it’s all about policy. The technology isn’t the failing: firms used to be afraid that a pessimistic security model would affect their ability to share or be too difficult to manage but there is technology to address that.”
Some suggest that a hybrid model may suffice and at RBRO Solutions, which is an iManage partner and vendor of web-based monitoring solution Sentry, CEO Howard Russell said: “It seems a need to know policy will be unavoidable in highly intriguing matters with high public interest but I don’t know if it’s inevitable for the mundane stuff that doesn’t hold interest for anybody.”
Certainly, most clients would be shocked to learn that in many firms a very junior member of staff in a satellite office can still access its largest clients’ sensitive corporate data, particularly when the technology now exists to lock down files on a matter or client level.
Fetch the baby monitor
The ACC guidelines require a law firm to continuously monitor its networks for “malicious activity” but in a case of internal fraud, only software that monitors irregular behaviour in real time is likely to detect it. Solutions on the market include Threat Manager from iManage, Sentry from RBRO and Mike Lynch-backed cyber startup Darktrace, which counts Irwin Mitchell and Sackers among its clients.
Russell says: “Sentry tracks usage anomalies based on trends or configured max values. If you’re accessing too much content in a particular time period, or based on specific metadata, it will alert the admin and provide possible actions to take. Firms and vendors will continue to look for more accurate ways of identifying such threats.”
Threat Manager, which was formally launched in January, is not volume-based but maps users’ normal behaviour and flags deviations from that.
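The two controls discussed above, need-to-know access scoped to the matters a user actually works on and a configured maximum on DMS activity per time window, can both be checked against the kind of view/open/print audit trail the charges describe. The following is an added illustration written for this article, not code from Sentry, Threat Manager or NetDocuments; the log lines, users, matter numbers and thresholds are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DMS audit lines (timestamp, user, action, client-matter, document); not real data.
AUDIT_LOG = """\
2016-06-01T09:02:00 alice VIEW 1001-003 ProjectAlpha_merger_agreement.docx
2016-06-01T09:05:00 alice OPEN 1001-003 ProjectAlpha_board_deck.pptx
2016-06-01T09:06:00 bob VIEW 2002-001 lease_amendment.docx
2016-06-01T09:07:00 bob VIEW 1001-003 ProjectAlpha_merger_agreement.docx
2016-06-01T09:08:00 bob VIEW 1001-003 ProjectAlpha_press_release_draft.docx
2016-06-01T09:09:00 bob PRINT 1001-003 ProjectAlpha_board_deck.pptx
2016-06-01T09:40:00 bob VIEW 3003-002 ProjectBeta_term_sheet.docx
"""

# Need-to-know allow-list: the matters each user advises or bills on (constructed).
ASSIGNMENTS = {"alice": {"1001-003"}, "bob": {"2002-001"}}

# Configured maximum: more than MAX_PER_WINDOW document events by one user within WINDOW raises an alert.
MAX_PER_WINDOW = 3
WINDOW = timedelta(minutes=10)

def parse(log):
    """Turn raw audit lines into (timestamp, user, action, matter, document) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, action, matter, doc = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), user, action, matter, doc))
    return events

def need_to_know_violations(events, assignments):
    """Every event that touches a matter the user is not assigned to (the access-policy check)."""
    return [(user, matter, doc) for _, user, _, matter, doc in events
            if matter not in assignments.get(user, set())]

def volume_alerts(events, max_per_window=MAX_PER_WINDOW, window=WINDOW):
    """Users whose event count inside any sliding window exceeds the configured max (the volume check)."""
    by_user = defaultdict(list)
    for ts, user, *_ in sorted(events):
        by_user[user].append(ts)
    alerts = set()
    for user, times in by_user.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > max_per_window:
                alerts.add(user)
    return alerts
```

On this sample, bob is flagged by both checks: four events on matters outside his assignments, and four events within ten minutes against a maximum of three; alice, who is assigned to the matter she reads, triggers neither.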
Insure your life away
Everyone has PI insurance and law firms are starting to buy cyber coverage but in one recent case, a firm was denied coverage because the provision of the policy didn’t include that particular cyber breach. In another case, a firm was denied coverage because they didn’t meet the standard of care, so it was liable.
The standard of care today is fast becoming need-to-know access – if you don’t meet it, be warned, you may not be covered and you may be liable.
Bring in the executive
When we first wrote about need to know security it felt very optional for law firms but that is changing. The position now is that this is no longer an IT decision but an issue that every board needs to be made aware of and take decisive action on. Weinberger said: “There is no cost for switching on pessimistic security, that’s not the problem. The problem is that partners don’t want to do it and CIOs and CISOs may not be empowered to do it. This needs to be an executive-led decision.”
The legal bit
In a prepared statement, Foley said: “Upon learning of trading activity on the part of a Foley & Lardner LLP attorney in June 2016, the firm promptly launched an internal investigation. During that review, it was determined that firm policies were violated, which led us to immediately take action. As a result, the partner is no longer at the firm. We also reported our findings to the relevant authorities and cooperated fully with them throughout their investigation. We take this matter very seriously, and we have zero tolerance for actions that violate our core values and the trust our clients place in us. We will continue to hold all of our people to the highest standards of professional and ethical conduct.”
Todd Foster and Natalia Silver with the Todd Foster Law Group in Tampa are representing Little and Little maintains his innocence.
This article first appeared in the June Legal IT Insider.