Daniela Spanier
As we know, technology is increasing and moving forward and faster everyday. This is a great opportunity for us to live in “The Digital Era”. It is really interesting how all the new methodologies and applications are becoming more and more common everyday and how they minimize our problems by saving us energy, time and money in different areas.
While technology is growing faster and making our lives better – so is the use of technology by people with malicious purposes, such as attacking our devices with different kinds of Cyberattacks.
Our focus in this article will be about the prevention of cyber-attacks – by implementing Cybersecurity, and more specifically – what is the status about Cybersecurity in Law Firms.
Cyber Security is defined as the practice of protecting systems, networks and programs from digital attacks. This Cyberattacks are usually aimed at:
- Accessing, changing, or destroying sensitive information;
- Extorting money from users;
- Interrupting normal business process;
- And so forth
Implementing effective cybersecurity measures is particularly challenging today because there are more devices than people, and attackers are becoming more innovative. There are different kinds of CyberAttacks: Phishing, Ransomware, Malware and Social Engineering.
- Social Engineering: act of tricking someone into giving relevant information or taking action usually through technology. The idea behind this is to take advantage of a potential victim.
- Phishing: the most common type of Social Engineering, usually used by sending fraudulent emails that seemed to be from reliable sources. This is the main cause of a breach in the security of people’s email. The email may trick the victim into clicking a URL link, which then asks for a password to an online service. This is the principal attack that lawyers suffer because they may have all their clients’ relevant information in their mailboxes. One of the first things to do after such attacks is to change the passwords associated with email addresses and online tools and connect to email accounts. Lawyers can help protect them through education or a technology solution that filters malicious emails.
- Ransomware: happens when hackers lock down files until the ransom is paid. Paying the ransom does not guarantee that the files will be retrieved.
- Malware: software specifically designed to gain access or damage a computer without the knowledge of the owner.
Law Firms and Cybersecurity
One of the most important things in the attorney-client relationship is that it cannot exist without confidentiality and privacy – that’s why the protection of sensitive communications and information is vital in the legal profession. In the particular case of law firms, it is important for them to keep the amount of sensitive information digitally stored a minimum and take all the precautions that are needed to avoid these type of attacks.
Law firms are the prime targets for Cyberattacks because, first of all, they not only keep some of the world’s most valuable secrets and the most relevant information of very important clients – but also are also regularly emailing attachments to clients, providing possible means to get into their system. On the other hand, they have had historically weak defenses and are seen as capable of paying large sums of money.
There are many kinds of attacks, but there are also many ways in which Law Firms can avoid them. It is recommended to the firms to be preventive and rather to be strict in their security methods than to be hacked and let the attackers profit from their sensitive, non-public information.
There are different ways in which lawyers may protect their private information. They may also be aware of their risks through security assessments and penetration testing. This includes external tests to see what part of the system is vulnerable on the Internet, testing the vulnerabilities in web and mobile applications. Prevention is about managing risk, and security assessments take a comprehensive look at what’s missing in a law firm’s IT security and help lawyers identify risk.
Specialists recommend to have a plan before an attack happens, to be preventive, this is because when you are going through an attack, if you don’t have a plan, the firms will waste crucial hours wondering what to do, who’s job is to solve it, what are the best companies that can solve this type of problems. The firsts minutes after a breach are crucial, and a lot of important tasks must begin immediately. Getting the help a firm needs at the right time is crucial because companies that are attacked are judged by their response.
Another important fact is that lawyers have decades of information stored, so to be more diligent – Law Firms must determine which is the most essential to protect (it cannot be always 100% safe, but they can take steps to protect themselves), and don’t retain what they don’t need or at least move it to an archive that is much less accessible.
Moreover, Firms must pay specific attention to their contracts with their clients because sometimes, some clauses include obligations to delete the data once they finish with the representation, and in most of the cases this not realistic because of the way in which data backups work.
According to the 2016 ABA Technology survey, only 17.1% of all law firms have an incident response plan in place to address a security breach and only 50% of firms of 500 lawyers have such a plan in place. The reality is that Law Firms aren’t prepared for a major breach.
Ethics for law firms – crucial element
The ethical obligation is a very important issue due to what’s the role of the lawyer in case their device gets attacked. The matter of whether to notify their clients of what happened or not. The conclusion of most people that studied the subject is that it is ethically correct to share with the client about the problem.
It’s relevant to share the information and the problems that Law Firms lead everyday, all the attacks that they suffer. Not only with clients, but also with partners, colleagues and the companies in general. Sharing information means hackers will have success only once or very few times. But sharing is a very efficient way to prevent these attacks.
The pressure from clients is causing firms to invest and focus on cyber risk, they are demanding a high level of security, most of all in their contracts, when they are hiring a lawyer, they need to be sure that their information will be confidential and protected.
According to the 2016 ABA Legal Technology Survey Report, 30.7 percent of all law firms and 62.8 percent of firms of 500 lawyers or more reported that current or potential clients provided them with security requirements. This push from clients is causing law firms to jump into the expanding world of cybersecurity.
What to do?
In conclusion, we can assure that it’s much more difficult to deal with the Cyber Attack when this happens, than be preventive and take all the precautions that exist to try to win this battle. If it is needed, charge an extra fee to your client, and hire the best type of cybersecurity system.
As stated before, it is also very important to settle down in every contract the real information and to be very clear about the risks that may exist. So if, eventually, a cyber attack happens, you will still have to solve the attack problem, but you won’t be sued by your client because of lack of information or bad diligence.
For any attorney’s reputation, it’s crucial to be diligent. This is because sometimes, there’s an attack and you couldn’t do anything to prevent it, but it would really change your reality if you used all your resources to prevent them.
Popular cyber Cases
- One popular case happened in July 2016 where Malwere infected Jessica Mazzeo and Fran Griesing the computer system from their Philadelphia Firm of 12 lawyers.
- Panama City: Panama Papers-More than 11.5 documents from the Panama- based law firm mossback Fonesca were leaked to the public.
- New York City: Cravath/Well- On March 29, 2016, the Wall Street Journal reported that hackers had broken into the files of some of the biggest law firms in an insider-trading scheme that involved planned mergers.
- Worldwide: Oleras- In February 2016, an alert went out to 46 law firms in the United States and two law firms in the U.K. that Ukraine-based hacker Oleras was advertising phishing services on a Russian Website.
- London: Thrity Nine Essex Street- On Feb 24 and 26, 2014, the U.K. firm Thirty Nine Essex Street was cyber- attacked, Booz Allen Hamilton a technology consulting firm, reported that the attack was most likely from the Russian state-sponsored group Energetic Bear. This group is linked to hacking utility companies in the United State and Europe in 2014.
- Toronto: Trust Account- In December 2012, a Toronto-based law firm was hit with a computer virus, which stole a six figure amount from the firm’s trust account. The hackers installed a Trojan horse virus to get access to passwords to the firm’s bank accounts.
- Washington, D.C: Wiley Rein—Also in 2012, Wiley Rein, one of the largest law firms in Washington, D.C., was hacked, most likely by Chinese state-sponsored operatives. According to Bloomberg News, the hackers wanted information related to SolarWorld, the German-based manufacturer that produces solar panels. SolarWorld’s computers were hacked at about the same time.