Data Security is Not Just About Identity Theft

By Aaron M. Levine

On March 30, 2016 The Wall Street Journal and The American Lawyer both reported that Cravath, Swaine & Moore and Weil, Gotshal & Manges, two of the largest, most sophisticated and well-respected law firms in the U.S., were the victims of hacking attacks dating back to the summer of 2015.  Cravath and Weil were not alone in being targeted.  Further details provided by the The American Lawyer and a Crain’s Chicago Business article implicate a Russian cyber-criminal named “Oleras” in an insider trading scheme targeting the M&A practices of approximately 50 law firms.  The plan was designed to attack the law firm systems and also select employees using sophisticated phishing techniques.  Cravath and Weil were targets because they held extremely valuable trade secrets that could be misappropriated by accessing documents residing in their systems – merger agreements, letters of intent and share purchase agreements.   

These latest revelations should serve as a wake-up call not only to law firms but to other U.S. businesses.  Data security is not only about identity theft – although customer healthcare and financial information will always remain a target.  Increasingly, data security means protecting extremely valuable intellectual property from economic espionage.  While not reported in the articles, the potential dollar value of the information sought by these law firm attacks could easily dwarf the $290M price tag of the 2015 Target data breach.  In this instance, the intellectual property at risk was business, financial and strategic in nature; however, technical research and development information can be even more valuable.  For example, imagine the value of learning before the public that a company’s critical drug was failing its FDA trials.  This further highlights the need for companies to maintain vigilance and act proactively to protect their systems and their employees. 

Polsinelli attorneys understand how important data security should be to a business.  Whether your company is an established Fortune 500 company with an adaptive cyber-security policy or a startup with no plan in place, Polsinelli’s Data Security team has the knowledge and experience to assist you in creating and following a robust security program.  For assistance in developing data security policies and training programs and proactive breach response plans, please contact the author or a Polsinelli Privacy or Data Security team member.