US prosecutors allege scheme generated millions through stolen merger information
US prosecutors have charged 30 people over an alleged global insider trading scheme involving confidential merger information said to have been taken from law firm systems, in a case likely to attract close attention from UK solicitors, COLPs and compliance teams.
Law firm data at the centre of the allegations
The charges were announced by the United States Attorney’s Office for the District of Massachusetts. Prosecutors allege that the defendants generated tens of millions of dollars in illicit profits by trading ahead of public announcements of major mergers and acquisitions.
At the centre of the allegations is confidential information allegedly obtained from large law firms advising on public company transactions. Prosecutors claim that a corporate attorney and others accessed internal law firm systems to view documents relating to pending deals, including matters on which they were not working. That information was then allegedly passed to traders and intermediaries. The allegations have not been tested in court, and all defendants are presumed innocent unless proven guilty.
Why UK solicitors should pay attention
Although the proceedings are taking place in the United States, the case raises issues that are directly relevant to UK solicitors. Law firms advising on M&A, private equity, capital markets, restructuring, and listed company matters routinely hold information capable of moving a company’s share price if made public.
For UK firms, the issue is not only one of client confidentiality. It may also overlap with market abuse risk. Under the UK Market Abuse Regulation, inside information includes precise, non-public information that would be likely to have a significant effect on the price of financial instruments if disclosed. The FCA prohibits insider dealing, unlawful disclosure of inside information, and market manipulation.
Governance and access controls
Internal access to confidential deal material is a governance issue as well as an IT issue. Firms handling market-sensitive work should be able to explain who had access to confidential documents, why that access was necessary, and how unusual access would be detected.
The case is also a reminder that confidentiality risk does not always come from an external cyberattack. The alleged misuse involved people with access, or connections to access, within professional environments. For law firms, insider risk can be just as damaging as a conventional data breach.
UK firms should consider whether sensitive matter files are restricted to the actual deal team, whether lawyers can search across unrelated matters, and whether access rights are removed promptly when staff move teams, go on leave, resign or are placed on garden leave.
What compliance teams should review
Compliance teams should review whether document access logs are monitored in practice. A record of access is of limited value if no one checks it until after a problem has occurred. Unusual activity, such as repeated access to confidential files outside a lawyer’s practice area, should trigger review.
Personal account dealing policies may also need attention. Firms handling listed company work should consider whether relevant partners, associates, trainees, paralegals, consultants, and business services staff understand when trading is restricted and whether pre-clearance procedures are required.
Training should go beyond generic confidentiality reminders. Staff working on sensitive transactions should understand how inside information arises, why informal disclosure can be risky, and why client information must never be used for personal gain or shared with friends, family or contacts.
Practical lesson for UK firms
For COLPs and managing partners, the practical lesson is clear: confidentiality controls must be active, specific and auditable. Written policies alone are unlikely to be enough. The US case should prompt UK law firms to ask a simple question: if confidential deal information were misused, could the firm quickly identify who accessed it, when they accessed it, and whether that access was justified?