Federal claims that three Chinese hackers made millions in financial markets with information stolen from corporate dealmaking attorneys show U.S. law firms must invest in cybersecurity upgrades or risk losing some of their most lucrative clients.
The hacking allegations were made public Tuesday with the unsealing of a 13-count indictment accusing Iat Hong, Bo Zheng and Chin Hung of fraud, computer intrusion and insider trading in the theft of data on prospective acquisitions in the technology and pharmaceutical industries, said Prett Bharara, U.S. Attorney for Manhattan.
Hong, 26, of Macau, was arrested Sunday in Hong Kong. Zheng, 50, of Changsha, China, and Hung, also 50, of Macau, have not yet been arrested. The Securities and Exchange Commission, which filed a parallel action in civil court, identified the three as employees of information technology companies who penetrated New York law firms' computers from April 2014 through late 2015, focusing on the e-mails of partners working on mergers.
"Law firms need to upgrade their act in a number of ways," said Columbia Law School Professor John Coffee. "We've seen concerns raised about how law firm accounts are being used for money-laundering purposes, and now we're finding law firms are being victimized by hackers because they haven't engaged in the protections necessary."
Law firms specializing in mergers and acquisitions will need to hire consultants to help them set up tougher security systems, or corporations concerned about their confidential information being leaked will take their business elsewhere, Coffee said.
"Clients will demand more security," he said.
So-called M&A law firms should look at the practices of investment banks, which also handle sensitive information, he noted. "Investment banks have more security," Coffee said. "Law firms don't have as sophisticated protections as investment banking firms."