© Maxim Kazmin - Fotolia.com
The blockbuster report on Chinese hacking released last week by U.S. cybersecurity firm Mandiant has focused attention on the security of data held by governments and big corporations—and by law firms.
The report linked hacking of 141 entities, mainly in the United States, to a Chinese military unit based in a suburban Shanghai neighborhood. Four of those entities were law firms. Mandiant general counsel Shane McGee declined to name them, but says law firms, which store all kinds of sensitive information for a wide variety of clients, make ideal targets for hackers.
"By targeting large law firms, hackers can obtain information about hundreds or thousands of companies by breaching a single network," says McGee. "To some extent, it’s a one-stop shop for the attackers."
The Chinese government has denied the allegations in the Mandiant report as baseless and says China itself has been targeted by hackers apparently based in the United States. Mandiant acknowledges that it does not have absolute proof that the Chinese military is behind what it calls the "Advanced Persistent Threat 1" hacking attacks, but it says the scale and sophistication of the attacks suggest a state actor and that circumstantial evidence overwhelmingly points to Unit 61398 of the Chinese People’s Liberation Army.
Though allegations of Chinese government hacking have surfaced before, the detail of the Mandiant report has kicked up the alarm level among lawyers focusing on China.
Thomas Shoesmith, the Palo Alto–based China practice leader and former Shanghai office head for Pillsbury Winthrop Shaw Pittman, said the release of the Mandiant report led him to call for a meeting with his information technology team to discuss cybersecurity issues. He says lawyers in general, not just at his firm, should be thinking and talking about the subject.*
"We need to talk about the risks, the consequences when you are faced with a data breach," he says. "To what extent can we be held liable if someone hacks our systems for our client’s information, and can our cybersecurity system be negligent?"
Shoesmith says he’s not sure many lawyers are up-to-date on these issues. "To be honest, I have no idea what we are doing with cybersecurity," he says. "I assume we are doing something. We have hundreds of IT people in the firm!"
The issue is a sensitive one, of course, and many law firms, including Latham & Watkins, Cleary Gottlieb Steen & Hamilton, and Nixon Peabody declined to comment on the cybersecurity issue. Several others firms did not respond to requests for comment.
But some lawyers say they think the risk may be overblown. "How often does this actually occur?" wonders Geoffrey Lin, a Shanghai-based partner with Ropes & Gray.
