Latest Insider-Trading Case Highlights Law Firms’ Risks

Latest Insider-Trading Case Highlights Law Firms’ Risks
JENNIFER SMITH
March 20, 2014 8:23 p.m. ET
Clients rely on big law firms to safeguard all manner of secrets, from intellectual property to confidential information about big-ticket mergers.But a handful of high-profile insider trading schemes—including one revealed this weekthat allegedly turned on tips from an employee at New York law firm Simpson Thacher & Bartlett LLP—highlight the internal risks firms face at a time when sensitive information can be accessed with just a few keystrokes.
“Your employees are your highest risk,” said Linn Freedman, a partner at Nixon Peabody LLP and head of the firm’s privacy and data protection group, who isn’t involved in the latest case. “If someone is going to commit a criminal act, there is only so much you can do to prevent it.”
Prosecutors allege that Steven Metro, a former managing clerk with Simpson Thacher, leaked confidential information on a number of transactions by accessing material on the firm’s computer system. The law firm is known for its work in private equity and mergers and acquisitions. “Metro told the Middleman that he did so in a way that he believed would leave no evidence that he had accessed the documents, which would possibly expose the scheme,” according to a civil complaint by the Securities and Exchange Commission.
A lawyer for Mr. Metro couldn’t be reached for comment on Thursday. Earlier this week the lawyer said his client intended to plead not guilty.
Thirty years ago, confidential files would have been kept in locked cabinets or conference rooms. Now they are stored electronically, often on firmwide networks where lawyers can access documents from offices around the globe. Much of the work on big mergers and acquisitions deals happens in what’s called a data room—a virtual platform where due diligence materials are placed so that bankers, consultants and other attorneys can access the information without logging onto a law firm’s server.
Some firms have strict procedures in place intended to keep word from leaking out about potential deals involving public companies. They might use code names for certain clients, or ensure that documents relating to the transaction can only be read by members of that team.
Still, enterprising lawyers or staffers have other ways to find out about big transactions, from water cooler chatter to more calculated efforts, such as checking in on a firm’s conference room schedule to see if a number of rooms are booked under one client’s name.
In at least one instance in the alleged insider-trading scheme at Simpson Thacher—when Mr. Metro, who held a clerical role at the firm, accessed information about Tyco International Ltd. TYC +0.05% ‘s plans to buy Brink’s Home Security Holdings Inc.—he had also billed time in connection with the deal, according to the SEC complaint, and so could reasonably have been given access to the information.
Simpson Thacher declined to comment for this article. “We have strong internal controls in place and will review our systems and procedures to determine if there are ways in which they could be further strengthened,” the firm said in a statement on Wednesday.
Many law firms are reluctant to discuss such breaches, which can do considerable harm to a firm’s reputation. The legal profession was rocked when in 2011 prosecutors uncovered an insider-trading scheme that netted $32 million over a 17-year period during which attorney Matthew Kluger leaked confidential information he accessed while working at a number of top law firms. Mr. Kluger later pleaded guilty.
To be sure, such leaks also occurred long before law firms migrated to electronic platforms. For example, in 1986 Ilan Reich, a takeover lawyer with Wachtell, Lipton, Rosen & Katz, pleaded guilty to two criminal counts for his role in an insider-trading scandal involving Dennis B. Levine, an investment banker at Drexel Burnham Lambert Inc. Mr. Levine also pleaded guilty.
“Some of the firms are very sophisticated and have considered the insider threat and have dealt with access control accordingly,” said Eric Friedberg, an executive chairman at Stroz Friedberg, a computer forensics and investigations firm that has consulted on these issues with a number of firms. “Some haven’t.”
Locking down information can run counter to the culture at many law firms, where attorneys are accustomed to collaborating on work. Extra layers of security can slow things down, especially when new lawyers are added to a team and need to get up to speed quickly.
“Information is not useful if you can’t share it, and far-flung enterprises have to share it with personnel in far-flung places,” said Joel Brenner, a Washington, D.C., legal consultant and former inspector general of the National Security Agency.
And while some law firms have taken steps to limit who can see such data, security experts say even the best internal controls can’t do much to stop insiders who have access from abusing it.
“Most people behave honorably,” Mr. Brenner said. “But it doesn’t take many bad apples in a barrel to cause a stink.”