Rules, Ransomware and the Case for Improving Law-Firm Cybersecurity

12/7/2017

law firm cybersecurityUrgent developments, from both within and outside the legal services industry, provide strong evidence that law firms, in-house legal teams and even solo practitioners need to prioritize cybersecurity–sooner rather than later.  

Examples include recent attacks specifically targeting law firms, a sobering warning from the FBI and a game-changing ethics update from the American Bar Association (ABA).  

Considering the amount of sensitive (and criminally monetizeable) data residing on a single law-firm server, any one of these developments could be the impetus for upgrading your practice’s cyberdefenses. Considering them collectively makes the case for taking action now that much more compelling.

Law Firms Under Fire

A March, 2017 article published by ABAJournal.com recounts six recent, high-profile incidents involving law-firm hacking and client-data leaks. Most practitioners will recognize the stories, including the Panama Papers scandal and the insider-trading breach.  

In the first, an ‘anonymous source’ exploited unencrypted emails and outdated software to access (and publicly leak) more than 11 million confidential files. In the other, three foreign nationals stole information from two major Wall Street law firms to fuel an insider trading scheme that netted the trio millions in illicit profits.

Smaller firms­­­­ who somehow think size makes them immune to criminal targeting should read how ransomware froze all production at 10-person Rhode Island practice for three full months, resulting in $700,000 in lost billings.

FBI Issues Warning

When the FBI’s Cyber Division uncovers credible threats aimed at specific verticals (healthcare, financial services, etc.), it issues a Private Industry Notification to briefly explain its findings.

In March, 2016, the agency issued this alert, explicitly warning law firms of a criminal insider-trading ring targeting “international law firm information used to facilitate business ventures.” The alert also relates how one cybercrook sought to hire a “technically proficient hacker for the purposes of gaining sustained access to the networks of multiple international law firms.”       

Technology Competency Now an ‘Ethical Duty’              

Something also happened in 2012 that many consider a ‘sea change’ to the legal profession: the ABA formally approved a change to the Model Rules of Professional Conduct.

Known as ‘Comment 8,’ the amendment states that lawyers are not only duty-bound to be competent legal practitioners but to also demonstrate competence in the technology they use to practice, specifically, calling on lawyers to 1) “keep abreast of changes in the… benefits and risks associated with relevant technology, 2) engage in continuing study and education, and
3) comply with all continuing legal education requirements to which the lawyer is subject.”

Though states are free to adopt, reject, ignore or modify any Model Rule, more than half of all jurisdictions (28 states as of September, 2017) have enacted rules mandating that attorneys become and remain familiar with technologies that may impact their practices.  Stay tuned to see how this trend plays out for attorneys.

Conclusion

“Data breach has become an existential risk to every law firm throughout the world, regardless of the number of attorneys, revenues or practices,” concludes a Q4-2017 legal-industry survey cited at CIO.com.  

To effectively safeguard sensitive data and avoid irreversible reputational damage, firms work closely with an IT Managed Services Provider (IT MSP) like TeamLogic IT to assess and strengthen their security posture–in particular, tactical defenses against malware, executive whaling attacks and other destructive forms of business email fraud.