Urgent developments, from both within and outside the
legal services industry, provide strong evidence that law firms, in-house legal
teams and even solo practitioners need to prioritize cybersecurity–sooner
rather than later.
Examples include recent attacks specifically targeting
law firms, a sobering warning from the FBI and a game-changing ethics update from
the American Bar Association (ABA).
Considering the amount of sensitive (and criminally
monetizable) data residing on a single law-firm server, any one of these developments
could be the impetus for upgrading your practice’s cyberdefenses. Considering
them collectively makes the case for taking action now that much more
Law Firms Under Fire
A March 2017 article published by ABAJournal.com recounts six recent, high-profile incidents involving law-firm
hacking and client-data leaks. Most practitioners will recognize the stories, including
the Panama Papers scandal and the insider-trading breach.
In the first, an ‘anonymous source’ exploited
unencrypted emails and outdated software to access (and publicly leak) more
than 11 million confidential files. In the other, three foreign nationals stole
information from two major Wall Street law firms to fuel an insider
trading scheme that netted the trio millions in illicit profits.
Smaller firms that somehow think size makes
them immune to criminal targeting should read
how ransomware froze all production at a 10-person Rhode Island practice for three full months, resulting in $700,000 in
FBI Issues Warning
When the FBI’s Cyber Division uncovers credible threats aimed at specific
verticals (healthcare, financial services, etc.), it issues a Private Industry
Notification to briefly explain its findings.
In March 2016, the agency issued this
alert, explicitly warning law firms of a criminal
insider-trading ring targeting “international law firm information used to
facilitate business ventures.” The alert also relates how one cybercrook sought
to hire a “technically proficient hacker for the purposes of gaining sustained
access to the networks of multiple international law firms.”
Technology Competency Now an ‘Ethical Duty’
Something also happened in 2012 that many consider a ‘sea
change’ to the legal profession: the ABA formally approved a change to
the Model Rules of Professional
Known as ‘Comment 8,’ the amendment
states that lawyers are duty-bound not only to be competent legal practitioners
but also to demonstrate competence in the technology they use to practice,
specifically calling on lawyers to 1) “keep abreast of changes in the… benefits and risks associated with relevant
technology, 2) engage in continuing study and education, and
3) comply with all continuing legal education requirements to which the lawyer
Though states are free to adopt, reject, ignore or
modify any Model Rule, more than half of all jurisdictions (28 states as of September 2017) have
enacted rules mandating that attorneys become and remain familiar with
technologies that may impact their practices. Stay tuned to see how this trend plays out for
“Data breach has become an existential risk to every
law firm throughout the world, regardless of the number of attorneys, revenues
or practices,” concludes a Q4-2017 legal-industry survey cited at CIO.com.
effectively safeguard sensitive data and avoid irreversible reputational damage,
firms work closely with an IT Managed Services Provider (IT MSP) like TeamLogic
IT to assess and strengthen their security posture–in particular, tactical
defenses against malware, executive whaling attacks
and other destructive forms of business email fraud.