Cybersecurity: Law Firms Are Under Attack

New York State Bar Association's Entertainment, Arts and Sports Law Journal
November 2, 2020

As seen in the New York State Bar Association's Entertainment, Arts and Sports Law Journal (pg. 40)

One day in early May the attorneys at a prominent law firm sat down at their computers to work, only to discover that none of their files were accessible. Making matters worse, the hackers who had infiltrated the law firm’s network stole 756GB of firm and client data before encrypting everything on the firm’s servers, demanded $21 million in ransom (later raised to $42 million) and threatened to begin releasing confidential data about the firm’s clients to the public.

The information stored by law firms is among the most sensitive, potentially saleable, and therefore most desirable data imaginable. Law firm breaches can have catastrophic effects on people’s lives, including those of wealthy and powerful world leaders. For example, after the hack of the Panamanian law firm Mossack Fonseca, the offshore dealings of hundreds of politicians were exposed, including those of Russian leader Vladimir Putin (Chirgwin, Richard. “‘Panama papers’ came from email server hack at Mossack Fonseca.” The Register, 5 Apr. 2016). Exposure of an entertainment or sports figure’s negotiations can have a dramatic effect on that professional’s earnings potential. Even on a lesser scale, if the details of an acrimonious divorce or business deal were exposed after a data breach, it could result in ruination for personal lives and fortunes alike. As the risks associated with storing information continue to grow, attorneys’ ethical responsibility to protect the confidentiality and integrity of the confidential and privileged data they hold takes on yet greater significance. Failure of attorneys to properly understand the implications of cybersecurity can result in a devastating impact on their clients and may even threaten the attorney’s license to practice law.

What is Cybersecurity?

From the largest multinational firm to the smallest solo practice, nobody is immune from a cyberattack or a cyberbreach. The best a firm can do is understand the risk, then take steps to manage the risk and mitigate the potential impact of a breach. In order to manage cybersecurity risk, it is important to first understand what cybersecurity is and the specific impact it can have on a law firm.

Cybersecurity encompasses not only the protection of hardware and network devices but also data stored and transmitted throughout the firm. Cybersecurity is protection of:

  • Computers – All of the devices used to access data, including desktop computers, laptops, tablets and smartphones
  • Networks – Collections of devices used to connect computers and share information, including file servers, firewalls, peripheral devices like printers and scanners, and Internet-connected appliances (IoT – the Internet of Things)
  • Data at Rest – Data that’s stored on file servers, on computer hard drives, on backups or removable media, and in the Cloud
  • Data in Motion – Data that’s moving between computers and between networks, including email, websites, portals, networks, Wi-Fi, faxes and phones

While data privacy is most commonly understood as the focus of cybersecurity, there are actually three cybersecurity objectives:

  • Confidentiality – Ensuring that data can be seen, accessed and used only by authorized individuals (e.g. the theft and subsequent release of client data stolen from Grubman resulted in unauthorized disclosure of confidential and privileged information)
  • Integrity – Ensuring that data cannot be modified by unauthorized individuals, and that it is not inadvertently modified by authorized individuals (e.g. the hackers who breached Grubman encrypted all of the data on the firm’s network, representing an extreme form of unauthorized modification of data)
  • Availability – Ensuring that data is accessible when needed (e.g. the ransomware that was used to encrypt Grubman’s servers disrupted the firm’s ability to access its data)

All organizations, including law firms, are subject to specific cybersecurity-related compliance requirements, including state privacy laws (e.g. New York State's Stop Hacks and Improve Electronic Data Security Act, otherwise known as the SHIELD Act). Firms that accept credit cards for payment of fees are subject to Payment Card Industry Data Security Standard (PCI DSS) requirements. Law firms with healthcare practices may be subject to compliance with certain provisions of the HIPAA Rules. Firms with clients or counterparties in California are subject to the California Consumer Privacy Act (CCPA); those with clients or counterparties in the European Union are required to comply with General Data Protection Regulation (GDPR) privacy rules. Along with the compliance requirements applicable to all organizations, attorneys have additional ethical obligations under the Model Rules of Professional Conduct to ensure the protection of client data from inadvertent or unauthorized disclosure. Clients may also have specific requirements regarding a law firm’s cybersecurity, especially as firms are considered to be third party providers, and the list goes on...

The costs of a cyber breach are significant and may include fines and penalties, technology expenditures, forensics and legal costs, constituent notification requirements, operational downtime, and loss of billings. However, one of the most significant costs to a law firm is the reputational damage that can result from a breach. Clients are entrusting a firm with their confidential information; if one cannot protect this information then clients will find another firm that can.

What Can a Law Firm Do to Protect Itself?

Although there is no way to fully protect a firm’s data or clients’ data, there are best practices that will help to manage risk and mitigate losses in the event of a breach:

  • Make cybersecurity awareness a part of the firm’s culture. For example, one of our clients has a policy that every meeting starts with a reminder about cybersecurity, even if it’s as simple as asking each attendee if he/she/they locked his/her/their computer screen before coming to the meeting.
  • Understand what information you have, where the data is stored, who has access to it, how it is protected, and what regulations and standards apply to the data and to the firm.
  • Develop and enforce written cybersecurity policies and procedures.
  • Enforce the use of complex passwords, firewalls, antivirus and antispam software, data encryption, and comprehensive data backups. Perform periodic vulnerability assessments and penetration tests to discover and correct holes in your security before they’re discovered and exploited by bad actors.
  • Understand and evaluate the cybersecurity controls of the firm's vendors and service providers; remember that they often have access to the firm's systems and information.
  • Do not collect or retain more data than necessary, and limit access to that data. Segment the data so that individuals have access only to the specific files they need for the matters in which they are directly involved.
  • Social engineering techniques are very effective at tricking people into opening attachments, clicking on links, and otherwise disclosing confidential information including network credentials. Users are the weakest link in cybersecurity. Train yourself and your staff to be aware and alert.
  • Audit and test the firm's cybersecurity controls, repeatedly, to ensure that they are being followed.

Most firms are not anxious to devote time and money to activities that are neither client facing nor revenue generating, but protecting the firm’s and clients’ data is a regulatory requirement, an ethical obligation, and just good business.

Elimination of cyber risk is not possible, but by gaining an understanding of the importance of cybersecurity, leveraging the use of expert advisors, and focusing on continuous incremental improvement, significant risk reduction is possible and necessary...unless you want your firm to be in the latest headline about a law firm breach.