By Jason P. Evans
Published in the Oregon Association of Defense Counsel‘s The Verdict | Issue 1
At this point, the question is no longer if you and your firm will be the target of a cyber-attack, but rather, when.
It is no secret that legal practitioners often deal with sensitive, confidential, and proprietary information. As the legal field has shifted along with the rest of the world from paper to digital files, the means, motive, and opportunity for “cybercriminals” to perpetrate attacks on law firms has increased. These cyberattacks may aim to extract and sell confidential information, extort money in exchange for non-dissemination of sensitive material, or simply lock down a firm’s electronic data and files pending payment of hefty ransoms. Any and all of these attacks can have devastating effects on a law firm’s finances, reputation, and clients.
Recognizing and Understanding the Risk
Cybercriminals do not discriminate and can and will target companies large and small. According to the ABA, in 2021, 25 percent of survey respondents reported that their firm had experienced a data breach “at some time.”1 While reported attacks did scale up somewhat with firm size, solo practitioners and small firms were far from exempt, with 17 percent of solo practitioners and respondents from firms with 2 to 9 attorneys reporting a data breach, compared to 46 percent of respondents from firms with 50 to 99 attorneys.2
In 2020, Vierra Magen Marcus, an intellectual property firm with Fortune 500 clients, suffered a ransomware attack that resulted in the loss of 1.2 terabytes of stolen data, including patents, being auctioned on the dark web. In February 2021, Boston-based Campbell Conroy & O’Neil – known for its service of Fortune 500 clients – fell victim to a massive ransomware attack that the firm’s subsequent press release stated included “certain individuals” names, dates of birth, driver’s license numbers / state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials (i.e. usernames and passwords).” In late 2020, this author received a malicious link from another attorney – a solo practitioner – requesting that certain documents be downloaded. The attorney’s office would later confirm that it had fallen victim to a cyberattack, and that the link was indeed a malicious one. It had been sent to every single contact in the attorney’s email system.
Law firms are especially susceptible to “phishing” or “spoofing” attacks, given the high volume of emails attorneys and staff receive on a daily basis from external sources. Phishing occurs when a malicious actor uses email or text message to trick a recipient into providing personal/sensitive information (e.g., login ID, password, date of birth, and/or SSN), generally through mimicking messages and websites of reputable, trusted companies or document services.3 Phishing can occur in the form of false QR codes that have been placed in malicious emails, or even cut and pasted over physical codes that a user scans with their phone (e.g., at a restaurant with an online menu, accessible by scanning a tabletop code). Like phishing, spoofing typically occurs by way of a malicious actor attempting to impersonate a trusted, authorized source (e.g., a manager, a representative of a vendor, or perhaps even a client) in an attempt to obtain sensitive, personal information in response. Ultimately, every employee is a potential point of failure for a firm’s security measures, so it comes as no surprise that as firm size increases, so too does the likelihood of a breach.
Best Practices for Cybersecurity Risk Management and Prevention
Practice leaders and managers should consider how to protect their firms from the inevitable attempts to breach their systems as well as put safety nets in place for the unfortunate scenario in which a malicious actor’s attempt is successful. As one author puts it, taking an “It won’t happen to me” approach “just won’t cut it these days.”4 Rather, active engagement with these newfound electronic threats is not only good business practice but may also be an ethical imperative, stemming from an attorney’s ethical duties relating to competence, communication, confidentiality, and supervision.5
How can law firms and practitioners get ahead of this issue? For starters, ensure your firm is not among the 17 percent that report having “no [cybersecurity] policies” or the 8 percent that “don’t know about security policies.”6 One particularly effective and easily – implemented tool – two-factor authentication, lauded by Microsoft as being 99 percent effective against account compromise attacks7 – is an excellent place to start. Firms can also ensure that all employees are trained to identify suspicious emails and links. Even if the material appears to be from a trusted source, if it raises suspicion, a phone call to the sender to verify the message’s legitimacy can easily dispel any doubts. Robust encryption software, cybersecurity protocols and policies, and reliable antivirus programming are additional tools that firms can use to get ahead of these threats.8
While prevention is obviously preferable, cyber liability insurance is also available to mitigate a firm’s risk should a breach nevertheless occur. The ABA 2021 Cybersecurity TechReport reported that 42 percent of its survey respondents had such an insurance policy.9 Some cyber liability insurance policies also include periodic training for employees and staff, with compliance linked to premium incentives. Cyber liability insurance thus may serve dual purposes-not only insuring the company from the potential financial consequences of a breach, but also providing sophisticated resources and incentives to train employees to prevent a breach from occurring in the first place.
Conclusion
As paper-based files become a thing of the past, the sensitive data and financial information that many law firms maintain make them prime targets – one-stop shops – for malicious actors trying to farm sensitive materials or extort money for their own gain. In this fluid situation, with constantly evolving technology and threats, active prevention and response are key. While there is no one-size-fits-all solution to cybersecurity threats, the references provided in this article represent a good set of starting points to consider. Ultimately, case-by-case education and awareness will be key to maximizing the efficacy of each firm’s protections of its clients’ sensitive data.
View the full Issue HERE.
Endnotes
1. David G. Ries, 2021 Cybersecurity, Am. Bar Ass’, https://www.americanbar.org/groups/ law practice/publications/techreport/2021/ cybersecurity/ (last visited Feb. 21, 2022).
2. Id. As many large firm respondents reported being unaware of whether their firm had ever experienced a breach, the occurrence of data breaches at larger firms may be underrepresented by these statistics. Id.
3. FED. TRADE COMM’N, HOW TO RECOGNIZE AND AVOID PHISHING SCAMS, https://www.consumer.ftc. gov/articles/how-recognize-and-avoidphishing-scams (last visited Feb. 21, 2022).
4. Dan Bowman, Law Firm Cybersecurity Starts with You, Nat’lL. Rev (Apr. 22, 2021), https://www.natlawreview.com/article/lawfirm-cybersecurity-starts-you
5. Ries, supra note i. The ABA has issued at least three formal ethics opinions touching on attorneys’ cybersecurity obligations, including ABA Formal Opinion 477R, “Securing Communication of Protected Client Information” (May 2017), ABA Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (October 2018), and ABA Formal Opinion 498, “Virtual Practice” (February 2021). Id.
6. ld.
7. Melanie Maynes, One Simple Action You Can Take to Prevent 99.9 Percent of Attacks on Your Accounts, MICROSOFT (August 20, 2019), https://www.microsoft.com/security/ blog/2019/08/20/one-simple-action-youcan-take-to-prevent-99-9-percent-ofaccount-attacks/
8. Dr. Nick Oberheiden, 5 Cybersecurity Risks and 3 Obligations for Law Firms, NAT’L L. REV (Jul. 8, 2021), https://www.natlawreview. com/article/5-cybersecurity-risks-and-3obligations-law-firms
9. Ries, supra note i.