In early May, hackers used malicious ransomware to shut down the oil pipeline that carries gasoline to North Carolina and South Carolina, causing long lines at gas stations lucky enough to have any gas to sell at all. The attack was unusual it the amount of disruption it caused, but it was just one of the thousands that are carried out each year.
While retail establishments, banks, and government entities are atop the target list of cybercriminals, any unfortified networks—including those of law firms—that maintain valuable corporate and customer data are subject to besiegement.
In recent years, law firms have seen an uptick in cyber-attacks. According to the American Bar Association, of those polled, nearly one third of firms with 100 or more lawyers have reported some form of data breach.
Maybe a clogged pipe, maybe a spill
Of all the malware weapons in a hacker’s arsenal, ransomware is considered the most harmful and continues to evolve. Ransomware is a booming business, causing billions of dollars globally in economic costs. And it can be particularly problematic for law firms, which have gone relatively paperless and often hold terabytes of highly sensitive and valuable information prized by cybercriminals.
“Ransomware can prevent a firm from operating and result in the loss of client information and destroy a firm’s reputation,” said Will Orlewicz, a privacy and cybersecurity attorney with Relic Law in Detroit.
At first, hackers simply locked an agency out of its own network, commandeering its files and data until the target paid a ransom for their safe return. Regularly backing up data and keeping it secure helps to mitigate against that risk. But the hackers’ tactics evolved in response to improved defenses, and so today extortion efforts can also include a threat to publicly release the information if the ransom isn’t paid. As such, hackers now have two, not necessarily mutually exclusive, routes to a ransom: pay us or else you’ll never see your data again, or pay us or else everyone will see your data.
On Sept. 30, 2019, the North Carolina State Bar suffered the first kind of attack, inflicted by hackers demanding ransom. And while the association’s servers were locked up and its website rendered inoperable, no data appeared to have been stolen. The bar recovered from the attack without paying a ransom and intensified its efforts to improve network security, including moving its data offsite into a secure cloud environment with real-time and redundant backups.
“As you might imagine, we receive our fair share of … attacks, so employee education is a big part of our security plan,” said Peter Bolac, assistant executive director and legislative liaison at the bar.
A recent lawsuit filed in Washington, D.C., illustrates the threat of the second kind of attack, which is harder to defend against. A former client of the law firm Clark Hill filed a multi-million-dollar lawsuit after a cyber-attack led to confidential information about him and his wife being stolen and posted on the internet. The plaintiff claims to be a Chinese dissident seeking asylum in the United States after his family was threatened by the Communist Party of China.
There are numerous techniques hackers use to infiltrate networks. One of the most common is “phishing,” a method by which hackers, posing as trustworthy sources, infect electronic media such as emails and phone calls to obtain personal information.
Like other targets, law firms are vulnerable because most business transactions—including banking and real estate transactions—are conducted electronically.
“[Attacks] frequently start with someone clicking on a bad link in their email, or an attachment isn’t what they think it is,” said attorney Jack Pringle of Adams & Reese in Columbia, South Carolina. “The inbox is where we do business … funds can end up going to a bank in Cyprus or Ukraine or somewhere.”
Similar to phishing, but more targeted, is “spear phishing,” in which the malicious emails are more focused and personal. The correspondence is sent from spoofed email addresses which are nearly identical to familiar, trusted addresses. (For an example, take a second look at the subhead above.) They can also contain personal information that may make an individual more likely to trust its source and include legitimate links that redirect to malicious malware.
In the wake of COVID-19, many firms transitioned to remote work models that, while necessary, further exposed them to malicious intrusion by expanding corporate networks to include individual devices connected to remote firm resources.
Often, the phishing emails will include typographical errors or poor grammar. They’re often crafted to appear urgent, with hackers posing as an authority figure asking for personal information. Conscious individuals sometimes can recognize phony emails by noticing odd or unfamiliar tones or jargon.
But while due diligence by a single entity or its employees is necessary, it’s not always sufficient. Last year, hackers used a supply chain attack to infiltrate the information technology management platform SolarWinds, exposing thousands of companies. In a supply chain attack, hackers seek the weakest link in the chain of companies to infiltrate the entire network and harm the target company. For example, retail giant Target lost $70 million when cybercriminals entered its network by compromising that of a third-party vendor.
Orlewicz said that many breaches result from brute-force attacks (software that creates thousands of passwords and phrases in hopes of guessing correctly) and credential stuffing (using stolen credentials such as usernames, email addresses, and passwords), often made easier where similar passwords are used across multiple platforms.
Early bird might get the (computer) worm
Lawyers who advise clients about ways they can reduce risk and manage incidents, like Adam Bookbinder of Choate, Hall & Stewart in Boston, agree that no security mechanism is 100 percent effective, especially where highly motivated and sophisticated bad actors are involved. Bookbinder spent nearly 20 years investigating and prosecuting cybercrimes as an assistant U.S. Attorney.
“You can have all the security you want, but they can get access,” Bookbinder said. “The goal is not to be perfect but to make sure that the firm is not an attractive target.”
How does a firm dissuade potential hackers? There are several basic and commonsense measures, experts say. Firewalls aim to block unwanted traffic and malicious activity. Two-factor authentication and strong encryption protocols are highly encouraged, as is keeping software updated, patched, and maintained. Backing up files in secure repositories is a necessity, though backup is not enough.
“Creating the backup is only the first step,” Bolac said. “Having a backup is only as useful as your ability to restore your systems from that backup.”
In a perfect world, no outsider infiltrates a network. But since that’s not feasible, early detection is the next best thing. If a network is breached, the longer it takes to detect, the more damage that can be done. Bookbinder said that hackers will often be inside a target’s network for weeks or months, conducting reconnaissance on desired data and how to get it out.
Orlewicz said that “good cyber hygiene products” and a “zero trust environment” are crucial for early detection.
Attorneys may also have an ethical obligation to report breaches as soon as they’re detected. In 2018, the American Bar Association issued Formal Opinion 483 reaffirming lawyers’ duty to notify clients of a detected or suspected data breach, and offering reasonable steps for them to meet ABA model rules of professional conduct obligations. It says that a lawyer must act reasonably and promptly to stop the breach and mitigate damage, but doesn’t offer specific guidance.
At the network level, Orlewicz said the best way to detect a security breach is to set up live or automated monitoring through a security operations center with can be managed by a third-party vendor.
“These systems monitor network activity to detect anomalous events and throw alerts or respond automatically if unauthorized access is suspected,” Orlewicz said.
Cyber-insurance also comes highly recommended for businesses bearing internet-based liability, helping cover most of the risks undertaken by law firms in the digital era.
“There is no perfect answer,” Pringle said, “but my plea is to consider these potential risks beforehand and practice an incident response plan.”