Why Do Hackers Target Law Firms?

Simple! The normally weak cybersecurity of law firms makes them an irresistible, lucrative, and easy target for hackers. Not only are they a goldmine for highly sensitive corporate, financial, and personal data, but most law firms don’t know where the threats are coming for much less being prepared to defend themselves.

The Evidence Is Clear

Take a look at what happened to Texas Law Firm Baker Wotring – a hacker group penetrated their network, stole their data, and threatened to post all the firm’s data publically if a ransom wasn’t paid.  According to an ABA Journal article the data included “fee agreements and diaries from personal injury cases.”

This particular incident was part of a broader attack in which multiple law firms were targeted in a 24-hour period.  According to reports “In two of the cases, a portion of the firms’ stolen data has already been posted online, including client information.”

This is nothing new – the ABA stated that “Lawyers especially vulnerable to cyber-breaches.”  and went on to say in the same article that “For too many law firms, security is a secondary concern.”

The Dallas Business Journal reported that “Four out of five corporate law firms operating in Texas have experienced a “cyber incident” or an actual data breach during the past two years.”

Ransomware Can’t Be Covered Up Any Longer

When Ransomeware first appeared, getting it wasn’t necessarily a death sentence.  Many firms had great backup and disaster recovery plans that allowed them to restore systems to pre-infection status and get back to work.  Yes, many businesses didn’t have these systems in place (or they weren’t properly managed and maintained) and were forced to pay the ransom.

Lately, the Ransomeware hackers have upped their game and now steal information from an infected site before encrypting their data so even firms with proper backup and disaster recovery systems are now forced to deal with hackers to prevent the exposure of their sensitive data.

The big problem is that once a ransom is paid to ‘delist’ a firm’s data there is no guarantee that the data will be taken down or even if the data is taken down no guarantee that is won’t be kept and use in the future for additional extortion attempts.

While there has been an ongoing debate in the past as to if ransomware constituted a ‘breach’ since there was no way to proved the affected company’s data left their site, with this new tactic, that argument is mute.  Hackers are now proving they have sensitive information by releasing portions of actually stolen data as ‘proof’ to the target firm that they mean business and have the data in question.

Firms Are Doing The Hackers Work For Them

These attacks aren’t what you probably expect, they aren’t as a result of someone hacking away at your IT defenses and finally getting a foothold because of some technical oversight.  No, the vast majority of these attacks come as an email attachment that someone inside your organization then clicks on to initiate the attack.

In fact; The Verizon Data Breach Report indicates that Email was the top malware delivery method at a whopping 95%.  This attack vector normally comes with either a Microsoft Office document or a Windows Application as an attachment and will typically install backdoor command and control software that allows hackers to take a look around and deploy ransomware once they are ready.

Once they gain access to your system, they can take all of your law firm’s and clients’ classified information or change the content of legal documents, which could drastically affect your practice.

As if the cost of downtime wasn’t bad enough, it’s the incalculable costs such as damage to reputation, loss of clients, and lower employee productivity that could prove to be more disastrous for law firms after a natural disaster.

The fact is that a lot of this risk and exposure can be mitigated with some simple changes and a common-sense approach to Safeguarding Sensitive Client Data.

ABA Is Laying Down The Law

In November of 2018, the ABA issues new guidance on lawyer obligation after a cyber breach or attack as Formal Opinion 483.  In this opinion is it clear that Data Breaches and Cyberattacks are a threat to the profession and the ABA is taking a firm stance on the obligations of law firms should they experience a breach.

First, the ABA states that you need to comply with all state and federal laws to ensure you are in compliance;

“If personally identifiable information of clients or others is compromised as a result of a data breach, the lawyer should evaluate the lawyer’s obligations under state and federal law. All fifty states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have statutory breach notification laws.”

But then takes it a step further;

“However, compliance with statutes such as state breach notification laws, HIPAA, or the Gramm-Leach-Bliley Act does not necessarily achieve compliance with ethics obligations.”

Then spells out that, as it relates to past Ethics Opinions, that a firm should notify clients, should a breach occur;

“Our conclusion here is consistent with ABA Formal Ethics Opinion 95-398 where this Committee said that notice must be given to clients if a breach of confidentiality was committed by or through a third-party computer vendor or other service providers. “

And inform the clients of the law firms plan to respond to the data breach;

“Lawyers must advise clients of the known or reasonably ascertainable extent to which client information was accessed or disclosed. If the lawyer has made reasonable efforts to ascertain the extent of information affected by the breach but cannot do so, the client must be advised of that fact. In addition, and as a matter of best practices, a lawyer also should inform the client of the lawyer’s plan to respond to the data breach, from efforts to recover information (if feasible) to steps being taken to increase data security”

Time To Step Up

With all of the evidence, it is apparent that law firms need to step up their game with respect to their cybersecurity stance.

This starts with an awareness of where the majority of the threats are coming from – your users clicking on email attachments, and implementing an ongoing training regiment to educate your users to the threats they pose to the firm’s security.

Partner With The Right IT Firm

Picking an IT firm can be tricky, especially with the risks faced by law firms today.  Technology Associates has the knowledge and experience needed to help Legal firms navigate stormy IT waters with confidence.

For some tips on making the right decision for your practice, check out our post Choosing An IT Provider For Your Law Firm.