Lawyers are a profession we sometimes need to rely upon. We depend upon them to manage family matters, custody issues, contract disputes, and criminal matters. Many times, these issues are personally, professionally, or economically sensitive. For this reason, lawyers have legal protections and a code of ethics that require them to safeguard the privacy, confidentiality and interests of their clients. They are known to be careful, knowledgeable, and risk averse.
But this abundance of caution doesn’t always extend to their practices regarding their clients’ data and information. Within the US, according to the American Bar Association and the U.S. Department of Justice, “25% of all law firms have been subjected to, or experienced, some sort of a data breach involving hackers.” Hackers may be particularly drawn to law firms because of the value of the data assets with which they are entrusted. A successful ransomware attack or exploitation of personal data is more than a business inconvenience. It can undermine the reputation of a firm or that of its clients. It can be personally embarrassing. It can tilt a litigation in favour of the opposing counsel. And at the billing rate of many lawyers, it can be very expensive. Law firms are a lucrative target for hackers. The average cost of a ransomware attack is $133,000 USD. Often these attacks involve copying key files and data, including case files, and then infecting the systems with ransomware. Professional services firms like law firms make up over 18% of all ransomware attacks.
How Do Hackers Get Access?
Two key vectors for attack are RDP and Microsoft O365. RDP, or “Remote Desktop Protocol”, has become very common during the current pandemic. RDP is a Microsoft toolset that allows a person to log into their work computer remotely from a different computer. Using RDP, a user can access and edit files on their work computer, receive and send office emails, print files, and use their office software–all from the comfort of their own home. An RDP login exposed to the internet is protected only by the account password, and passwords are often reused from some other site that has been breached, guessed by brute force, or purchased on the dark web.
Because many law firms use Microsoft Office 365 (O365) for their desktop software, the hacking industry (and yes, it is an industry) produces O365 phishing kits, scripted fake login pages, to try and fool people into giving up their O365 usernames and passwords. Because many organizations use the same passwords for both O365 and internal systems, this is usually enough to gain access to the corporate systems.
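Brute-force password guessing against an internet-facing RDP login leaves a distinctive trail in the Windows Security log: a burst of failed logon events (event ID 4625) with logon type 10 (RemoteInteractive) from a single source address, often spread across many account names. The script below is an added example, not code from the original article; it assumes the log has already been exported to simple records with the fields shown, and the sample events are constructed for illustration.

```python
"""Flag likely RDP password-guessing from exported Windows Security log records.

Added example (not from the original article). Assumes each event has already
been exported to a dict with the fields used below; the sample records are
constructed for illustration, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows values: event 4625 is "An account failed to log on",
# and logon type 10 is RemoteInteractive, i.e. an RDP session.
FAILED_LOGON = 4625
RDP_LOGON_TYPE = 10

# Constructed sample: one source hammering several accounts in one minute,
# one non-RDP failure from the same source, and one ordinary typo by a user.
SAMPLE_EVENTS = [
    {"time": "2021-03-01T02:00:01", "event_id": 4625, "logon_type": 10, "src": "203.0.113.9", "user": "admin"},
    {"time": "2021-03-01T02:00:14", "event_id": 4625, "logon_type": 10, "src": "203.0.113.9", "user": "administrator"},
    {"time": "2021-03-01T02:00:27", "event_id": 4625, "logon_type": 10, "src": "203.0.113.9", "user": "jsmith"},
    {"time": "2021-03-01T02:00:40", "event_id": 4625, "logon_type": 10, "src": "203.0.113.9", "user": "partner1"},
    {"time": "2021-03-01T02:00:53", "event_id": 4625, "logon_type": 10, "src": "203.0.113.9", "user": "admin"},
    {"time": "2021-03-01T02:01:06", "event_id": 4625, "logon_type": 10, "src": "203.0.113.9", "user": "root"},
    {"time": "2021-03-01T02:02:00", "event_id": 4625, "logon_type": 3, "src": "203.0.113.9", "user": "admin"},
    {"time": "2021-03-01T08:15:00", "event_id": 4625, "logon_type": 10, "src": "198.51.100.4", "user": "jsmith"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (max_failures_in_window, distinct_accounts)} for every
    source whose failed RDP logons reach `threshold` within any `window`."""
    per_src = defaultdict(list)
    for ev in events:
        # Keep only failed RDP logons; other logon types are out of scope here.
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        per_src[ev["src"]].append((datetime.fromisoformat(ev["time"]), ev["user"]))

    flagged = {}
    for src, attempts in per_src.items():
        attempts.sort()
        # Sliding window over the time-sorted attempts: find the densest burst.
        max_count, start = 0, 0
        for end, (t, _) in enumerate(attempts):
            while t - attempts[start][0] > window:
                start += 1
            max_count = max(max_count, end - start + 1)
        if max_count >= threshold:
            distinct_accounts = len({user for _, user in attempts})
            flagged[src] = (max_count, distinct_accounts)
    return flagged


if __name__ == "__main__":
    for src, (count, accounts) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {count} failed RDP logons against {accounts} accounts")
```

The threshold and window are deliberately conservative defaults; tune them against a baseline of the firm's normal failed-logon rate, and treat a high distinct-account count from one source as the stronger signal, since a legitimate user mistyping a password fails against one account only.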
At least one cyber gang has taken to targeting law firms. The REvil ransomware gang made off with 756GB of data from Grubman, Shire, Meiselas & Sacks, a New York law firm. The ransom demands were in the neighbourhood of $42M USD. Ransom payments of this scale often exceed a company’s existing insurance coverage.
The American Bar Association makes the following recommendations for managing and mitigating the risk of cyberattacks:
- Firms have an obligation to notify clients in the event of a data breach and to keep clients informed of subsequent investigations and legal options and recourse.
- Firms should keep abreast of changes in law and practice, including the benefits and risks of relevant technology.
- Firms should consider entering into relationships with competent service providers and ensure that the provider has in place reasonable procedures to protect the information for which it is the custodian.
Lawyers are experts in jurisprudence, the interpretation of laws, and the application of precedent. But the legal industry has a large gap in its application and understanding of technology and the risks inherent in technology. If it were otherwise, we would be able to electronically sign, encrypt, and verify documents using asymmetric or public-key cryptography instead of ballpoint pens on paper. Many law firms view technology as a business expense rather than a firm asset. I have seen firms with servers that have not been patched in over three years.
It’s hard to tell how much cyberattacks cost an organization. In the case of Grubman, Shire, Meiselas & Sacks, their insurance company agreed to pay the $20,000 directly related to the cost of the hack but not their claim for $700,000 in lost billings. Losses like this might help law firms see that cybersecurity is an asset and not an expense.