Why Law Firms Are a Breeding Ground for Insider Trading

Bruce Carton | April 8, 2014

The Securities and Exchange Commission announced in March the latest in a growing list of insider-trading cases involving information pilfered from major law firms.

If law firms that handle corporate cases and transactions were not already alarmed that their clients' confidential information could be targeted by individuals inside and outside of the firm, they should be now.

The SEC alleges that Steven Metro, a clerk at law firm Simpson Thacher & Bartlett, misappropriated material, non-public client information about 13 separate transactions on which Simpson Thacher served as an adviser.

Metro was not working directly on any of the various transactions that he allegedly leaked information about over a four-year period. Rather, he used a tactic to obtain inside information that also shows up in several other SEC cases against defendants who worked at law firms: improperly using the firm's computer system to access confidential information. Metro then allegedly passed this inside information on to a stockbroker who used Metro's tips to generate illicit profits of $5.6 million.

The Metro case is the latest reminder that law firms must look beyond just the lawyers and staff that are working on a specific case or deal to protect that client's information. While there have been numerous SEC enforcement actions against lawyers who engaged in blatant (and usually easy-to-catch) insider trading based on their first-hand knowledge of a matter they were working on, such cases seem to be diminishing. Meanwhile, cases against lawyers or staff who use their access to the firm's computer systems to steal information used for insider trading are on the rise.

During the last five years alone, securities regulators have brought at least five cases involving charges that law firm employees stole confidential information. Of these cases, the misconduct of Matthew Kluger offers arguably the strongest cautionary tale in this area for law firms. Between 1994 and 2011 Kluger worked as an associate for several of the largest and most prestigious firms in the world. During this period, he obtained inside information on more than 30 different corporate transactions that he traded on or passed on to others.

Early in his scheme, Kluger used information from deals on which he personally worked. According to the criminal complaint in his case, Kluger realized that he would eventually get caught, so he tweaked his scheme in 2005 to rely on information about deals on which he did not personally work, but which he learned about by searching his law firm's document management system.

Although the law firm tried to protect this information by using code names for the parties involved, Kluger was repeatedly able to figure out the identities of such companies because he knew that the earliest documents in the system would always have the parties' real names and, as the deal got closer, the lawyers would begin to use code names. Kluger and the other defendants in his ring ultimately netted more than $32 million in illicit profits from the scheme. In June 2012, a federal judge in New Jersey sentenced him to 12 years in prison—a record sentence for an insider-trading defendant.

Kluger is far from the only law firm employee to realize that law firm documents and files are a potential gold mine for insider information. In October 2009, the SEC sued Canadian lawyer Gil Cornblum, who had worked at several major law firms, along with another defendant for an insider-trading scheme that similarly exploited the law firms' computer systems to access inside information. In Cornblum's case, he avoided detection for many years by using the night secretarial staff's temporary passwords when he searched the firm's document management system for confidential information about transactions.

Inside Information Lying Around

Cornblum devised other tactics to steal information from his law firm, as well, including what he referred to as early-morning “spelunking” missions. Cornblum began waking up at 4 a.m. every morning so that he could root through the empty offices of his law firm to search for hard copy files relating to upcoming transactions such as press releases and contracts left on desks and photocopiers. Over a 14-year period, Cornblum allegedly gained inside information from his law firms about 46 corporate transactions and used this information to generate over $9 million in illegal profits.

In November 2009, the SEC sued two attorneys at the international law firm of Ropes & Gray for insider trading. The SEC alleged that like Kluger, these lawyers used their access to the Ropes & Gray computer network to view confidential deal documents concerning proposed acquisitions—and ultimately used this information as part of an insider-trading ring that made over $20 million in illegal profits.

A November 2010 case involving information misappropriated from Canadian law firm Ogilvy Renault shows that it is not just lawyers or law clerks who are scheming to profit from law firms' inside information. In this case, Quebec's market regulator, Autorité des marchés financiers, charged a former IT specialist at Ogilvy Renault with obtaining confidential information from Ogilvy's computers on at least 13 separate corporate transactions by using his administrator status to access the law firm's computer system. The employee then allegedly used that inside information to buy stock, making over $600,000 in illegal profits.

Protecting Information

As if law firms don't have enough to worry about with so many types of employees—summer associates, attorneys, law clerks, paralegals, IT employees, secretaries, and others—having access to confidential and incredibly valuable information, law firms must be alert to the risks posed by outsiders, as well. Although there has not yet been an insider trading-related case of this sort brought by the SEC, there have reportedly been numerous intrusions by hackers into law firms' computer networks to steal information in recent years. A 2010 National Law Journal article on the subject reported that information security firm Mandiant had worked with over 50 law firms after they suffered security breaches. Mandiant estimated that 80 major law firms were hacked in 2011 alone.

John Stark, managing director at digital risk management firm Stroz Friedberg, says that law firms are a “large and fruitful target” for online attackers. Law firms are often ill-equipped to handle a cyber-security breach, Stark says, despite the potentially devastating fallout that can result—including lawsuits, expenses, SEC and other regulatory inquiries, client defections, and much more. Stark adds that law firms would be wise to anticipate the “inescapable cyber-attack” they will experience at some point by strengthening their physical and IT security, increasing training and awareness, and generally renovating their approach to cyber-security into a more risk-based model.

In short, it is now well-known to would-be insider-trading employees and outside hackers that law firms' computer networks are a depository for extremely valuable information—like a Fort Knox for confidential corporate information rather than gold bullion, and without the impenetrable security systems. Law firms should learn from the recent SEC cases and hacking reports that attacks on their computer systems from both inside and outside the firm appear inevitable, and they should take a fresh look at the measures they have in place to keep their clients' information secure.