Federal Express, the Securities and Exchange Commission, Merck, Yahoo. Every week, it seems, brings news of a major cyber attack. Law firms, too, have been squarely in the crosshairs of cyber criminals. Consider:
– The Petya malware attack in June 2017 on DLA Piper, an international law firm with over 3,600 lawyers in 40 countries, shut down the firm’s email, phone, and other systems for two days. Nine days after the attack, lawyers still had difficulty retrieving electronic files.
– The Wall Street Journal reported in December 2016 that several law firms, including Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP in New York, had been hacked by individuals associated with the Chinese government who sought information for use in insider trading schemes.
– Panama law firm Mossack Fonseca sustained a breach in 2016 of over 11 million files relating to offshore investment funds used for tax avoidance. One of its clients, Iceland Prime Minister Sigmundur Davíð Gunnlaugsson, resigned in the wake of the revelations. Another client whose information was disclosed was the father of former UK Prime Minister David Cameron.
– Chicago law firm Johnson & Bell, Ltd. was sued in a privacy class action based upon allegations that the firm’s protections for its clients’ information were deficient. The court referred the matter to arbitration, but not until news of the lawsuit had appeared in media across the country. Johnson & Bell was required to spend considerable sums to respond to the lawsuit. Johnson & Bell has also hired outside counsel to prepare a lawsuit against plaintiffs’ counsel Edelson P.C. on the ground of defamation, for allegedly false statements made in the class action complaint regarding Johnson & Bell’s information security.
– Solo real estate attorney Patricia Doran was sued in New York state court for legal malpractice and breach of fiduciary duty following diversion of her client’s funds by hackers who had breached Ms. Doran’s AOL-based email and obtained information regarding a request for funds transfer for a Manhattan condominium purchase.
The above examples provide support for the adage that no firm is too big to be the victim of a cyber attack or data breach, and no firm is too small. Each of the above firms sustained significant reputational damage from the attacks. More law firms, too numerous to mention here, have also been hacked and sensitive client information breached.
Managing the Risks
While it appears that law firm cyber security will remain at risk for the foreseeable future, there are steps you can take to shore up your cyber defenses, reduce the chances of a successful attack and, perhaps, deter hackers who, upon seeing your defenses, move on in search of a less well-defended firm:
– Conduct a data assessment to determine where your firm’s data is created, stored, and sent. You can’t protect data whose whereabouts are unknown.
– Identify and classify sensitive information and client data. Identify the regulations that may apply to your uses, storage, and disclosure of that data (e.g., personally identifying information, healthcare patient information, account numbers).
– Evaluate (or reevaluate) capability of data backup systems and disaster recovery protocols so your systems can be restored to operational status in the event of a ransomware attack (system encrypted by attackers and ransom demanded for decryption) or other attack that cripples the system or locks out users.
– Implement controls and restrictions on access to data. Attorneys, as a rule, do not need administrative privileges on the network. Consider limiting access to information on a role-based (need-to-know) basis, logging access to the system, and preserving the access logs.
– Implement malware (virus) filtering, in which incoming transmissions are scanned for malware. Consider active threat monitoring sensors or other applications as well.
– Encrypt emails with client data and other sensitive information. Encryption applications are widely available and inexpensive. Many corporations have adopted outside counsel guidelines that require encryption “in motion” (in transmission) and “at rest” (in storage).
– Prepare a process to regularly monitor systems for vulnerabilities and update software (patch management).
– Inventory and evaluate mobile devices used by attorneys and staff for firm information to ensure the appropriate information protections are on the devices (encryption, automatic lockout after a period of nonuse, etc.).
– Prepare and test a breach response procedure: Who decides when to initiate the process? Whom do you call first? What steps do you take to remove the malware, secure the information, and remediate the systems?
– Educate attorneys and staff on cybersecurity practices and protections and social engineering (“phishing”) avoidance by utilizing law firm cybersecurity courses provided by the security experts at Inspired eLearning. Provide reminder security training and office network “pop-ups” regularly.
If You Are Attacked
– Initiate the Incident (Breach) Response Process, and consider in that Process use of the NIST (National Institute of Standards and Technology) response protocol: Identify the problem, Detect the cause, Protect information as best you can, Respond to the attack by clearing the systems of infection, and Recover data and systems (some or all of these steps will require the assistance of third-party forensic consultants and outside data breach counsel to coordinate these efforts as well as notifications to regulators, state government agencies, and affected individuals).
– Notify your IT personnel to disable or quarantine infected systems or devices and activate disaster recovery or backup systems when safe to do so.
– Notify law enforcement (a first call to the local FBI office is recommended).
– If you have cyber risk insurance (which we highly recommend), notify the insurance carrier of the attack and/or breach in writing. Many insurance policies require notice within 30 days of discovery of the incursion, but notification as soon as practicable may result in earlier designation of an insurance carrier panel forensic consultant and “breach coach” counsel to assist quickly. Review your professional liability policy to determine whether notification to that carrier is required (some malpractice policies exclude coverage for cyber events, but unauthorized release of client information may be a covered liability).
– Determine what information protected by state and federal data breach notification laws and regulations has been accessed or taken by the hackers, and initiate the process to notify affected clients and other individuals, depending upon the nature of the information and the states in which the affected people reside.
– Document all steps taken in response to the attack, and preserve the documentation and data resulting from the forensic analysis and actions. You may be required to produce it in response to requests from your cyber insurance carrier, state attorneys general or other regulators, or parties to any litigation that stems from the breach.
– Review the lessons learned from the attack with the breach response and information management teams and ascertain what can be done to reduce the risk of the next attack.
Source: Inspired eLearning