M&A lawyers’ use of confidential client data for alleged insider trading shows how Big Law document management systems can be a vulnerability for those intent on exploiting them.
The spotlight on unauthorized access to confidential data is a result of criminal cases involving three attorneys accused of improperly accessing internal documents at seven different law firms. One of the three, Nicolo Nourafchan, pleaded not guilty Monday to charges that he led a massive ring that made tens of millions of dollars in illegal profits.
According to US Securities and Exchange Commission charging documents, in 2018 Nourafchan described to one of his attorney co-defendants, Gabriel Gershowitz, how he obtained confidential information about mergers and acquisitions from his law firm’s document management system. Nourafchan searched the system using keywords and viewed documents in preview or read-only mode to minimize any electronic trail of his access to the files, the complaint said.
In the wake of the high-profile case, legal experts are expecting firms to beef up security around their internal documents. “You can’t just have data there but then not secure it,” said Christopher Ehrman, former director of the whistleblower office at the Commodity Futures Trading Commission.
The scheme, which has resulted in securities fraud, money laundering and other charges against 30 people, shows the emphasis many law firms place on creating document systems that make it easy for attorneys to collaborate rather than erect safeguards that strictly limit access. Nourafchan, who worked at three Big Law firms between 2013 and 2023, illicitly accessed information on transactions, including about a dozen he wasn’t assigned to work on, prosecutors claim.
The case exposes a security challenge within law firms. “If someone really wants to gain access to other client information, they can,” said Scott Cummings, a legal ethics professor at UCLA’s School of Law.
M&A lawyer Eric Pacifici, who worked at three Big Law firms before launching a boutique in 2022, said he’s only seen firms prevent lawyers from accessing information about a colleague’s client when it poses a conflict of interest or involves a high-profile celebrity.
“For a multibillion-dollar M&A deal, there could be several people looking at that file,” Pacifici said. Restricting access with so many lawyers who need to see a file could get “onerous,” which explains firms’ hesitation to create strict barriers, he said.
Nourafchan, a 2011 Yale Law School graduate, allegedly stole material on deals during stints as an associate at Goodwin Procter, Latham & Watkins, and Sidley Austin. Latham fired him after two years on the job, and Goodwin dismissed him within a couple years of his start there.
He allegedly conspired with Gershowitz, an undergraduate classmate of his at George Washington University, who worked as an associate at Weil, Gotshal & Manges, Willkie Farr & Gallagher, and DLA Piper over a roughly 15-year period. Gershowitz is cooperating with prosecutors after pleading guilty to being one of the attorneys providing tips on insider trading.
A third, unnamed attorney who worked at Wachtell, Lipton, Rosen & Katz from 2013 to 2022 leaked information, according to one of the indictments, though there is no record of that attorney being charged.
Latham declined to comment. Goodwin, Sidley, Weil, DLA Piper, Willkie, and Wachtell, and a lawyer for Nourafchan, didn’t respond to requests for comment. Gershowitz’s lawyer, Scott Morvillo, a partner at Seyfarth Shaw, declined to comment.
Security Regimens
Firms do employ some safeguards. The SEC complaint revealed that law firms put code names on pending client transactions, such as “Project Mars,” “Flying Cloud,” and “Project Integrator.”
To obtain sensitive deal information about other clients in a firm’s document management system, an associate would need to know what to look for after receiving a tip, Pacifici said, citing his experience at three Big Law firms. It’s rare in his past experience for firms to proactively put up a security fence blocking lawyers from accessing information about their colleagues’ clients, he said.
“Big Law and technology are dogs and cats,” Pacifici said. “The people who are controlling these firms are very set in their ways.”
Ehrman said firms should strengthen electronic boundaries on their data to ensure that attorneys aren’t able to view files for matters they aren’t working on. “A failure to prohibit the ability of people to lock down a file is to me highly irresponsible,” he said.
Law firm document systems should “identify who has access, and limit that access, and then monitor for anomalous and suspicious behavior,” said David D’Agostino, vice president of managed cybersecurity services at Integris, an IT company that works with law firms. Behavior such as logging in after hours, or accessing or moving certain files, should “potentially trigger a notification and alert that would require investigation,” he said.
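The monitoring D’Agostino describes can be sketched in a few lines. The following is an added example, not code from the article or from any firm or vendor: it checks constructed audit events against a constructed staffing list and counts previews, read-only views and searches the same as edits, since the complaint describes those modes being used to minimize the trail. The user names, log fields, business-hours window and the idea that a search row records the matter of a returned hit are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed staffing list: matter code name -> users assigned to it.
STAFFING = {
    "Project Mars": {"alee", "bchen"},
    "Flying Cloud": {"cdiaz"},
    "Project Integrator": {"alee"},
}

# Constructed audit events: (timestamp, user, action, matter).
EVENTS = [
    ("2024-03-04T10:15:00", "alee", "edit", "Project Mars"),
    ("2024-03-04T22:40:00", "bchen", "preview", "Flying Cloud"),
    ("2024-03-04T22:42:00", "bchen", "search", "Project Integrator"),
    ("2024-03-05T11:05:00", "bchen", "preview", "Flying Cloud"),
    ("2024-03-05T14:00:00", "cdiaz", "open", "Flying Cloud"),
    ("2024-03-05T23:30:00", "cdiaz", "edit", "Flying Cloud"),
]

BUSINESS_HOURS = range(8, 19)  # assumed policy: 08:00 to 18:59 local time


def review_access(events, staffing, hours=BUSINESS_HOURS):
    """Flag every event, whatever the action, that touches a matter the user
    is not staffed on or that happens outside business hours."""
    alerts = []
    for ts, user, action, matter in events:
        reasons = []
        if user not in staffing.get(matter, set()):
            reasons.append("not_staffed")
        if datetime.fromisoformat(ts).hour not in hours:
            reasons.append("after_hours")
        if reasons:
            alerts.append({"time": ts, "user": user, "action": action,
                           "matter": matter, "reasons": reasons})
    return alerts


def unstaffed_matters_by_user(alerts):
    """Group the not_staffed alerts so a reviewer sees breadth per user."""
    seen = defaultdict(set)
    for a in alerts:
        if "not_staffed" in a["reasons"]:
            seen[a["user"]].add(a["matter"])
    return {user: sorted(matters) for user, matters in seen.items()}


if __name__ == "__main__":
    for alert in review_access(EVENTS, STAFFING):
        print(alert)
```

An after-hours edit on a lawyer's own matter is flagged with a single reason and is routine on its own; the signal worth an investigation is one user accumulating several matters in the `not_staffed` grouping.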
The cases are USA v. Fejal, D. Mass., 1:26-cr-10133; USA v. Nourafchan, D. Mass., 1:26-cr-10115; Securities and Exchange Commission v. Nourafchan, D. Mass., 1:26-cv-12068.
