The recent spate of ransomware attacks against state and local governments and court systems has left many law firms on edge, wondering about the security of data within their own systems—and rightly so. When a data breach strikes legal software, it impacts the firm’s data, but more importantly, it exposes highly sensitive client data.
Ransomware, most often delivered through spear-phishing emails or through remote-access services such as RDP left exposed to the internet, is malicious software that encrypts or otherwise blocks access to critical systems and data and demands payment for restoring them. Paying does not guarantee recovery. According to FBI statistics, in 2018 alone U.S. businesses paid more than $3.6 million to attackers in these kinds of attacks.
Law enforcement, government agencies and even leaders within the legal profession have become more aggressive in the fight against such cybercrimes; however, cybercriminals have also become more sophisticated, more tailored in their attacks and more damaging to enterprise networks.
In fact, Cybersecurity Ventures predicts that, by the end of 2019, there will be a ransomware attack on businesses every 14 seconds, and every 11 seconds by 2021. Cybersecurity Ventures also forecasts that global ransomware damage costs will reach $20 billion by 2021—that’s 57 times more than for 2015.
As keepers of vast amounts of sensitive client data—whether corporate or individual files—law firms can be devastated by ransomware. Falling victim to such attacks could lead to unauthorized exposure of sensitive client data, a loss of sensitive information (permanent or temporary), disruption to regular business operations, financial losses, and potential harm to a firm’s reputation.
In 2017, a multinational law firm experienced the impact firsthand when it was hit by an extremely costly and destructive ransomware attack, along with several other international companies. The firm reportedly had a “flat network structure globally,” that is, no segmentation between offices and data centers, so once the infamous NotPetya malware gained a foothold it could reach every data center and Windows-based server on the network. The devastation was widespread and the recovery complex: the firm’s IT team was forced to put in 15,000 hours of paid overtime to wipe its entire Windows environment and “start afresh,” according to reports.
More recently, it was reported that hackers had found their way into the Georgia court system. And in May 2019, malware struck Philadelphia’s online court system, which forced the court to take its website, document filing systems and email servers offline for weeks, according to reports.
Also this summer, several local governments in Florida were targeted, including Lake City, which paid the attackers about $460,000 worth of bitcoin, and Riviera Beach, which paid about $600,000 worth of bitcoin, Ars Technica reported.
As these entities work with law enforcement and security consultants to better understand these recent attacks, law firms are reminded of the threats facing their profession and the importance of taking a proactive approach to mitigate risks.
As stated in the American Bar Association’s newly issued Formal Opinion 483: “Data breaches and cyberthreats involving or targeting lawyers and law firms are a major professional responsibility and liability threat facing the legal profession. As custodians of highly sensitive information, law firms are inviting targets for hackers. … Indeed, the data security threat is so high that law enforcement officials regularly divide business entities into two categories: those that have been hacked and those that will be.”
To help safeguard your clients’ data and your business continuity, consider the following proactive measures.
Review a Hosting Provider’s Security Capabilities
To ensure that your clients’ data is safe and secure when in the hands of a cloud-hosting provider, it is important to review the provider’s capability to secure data. Factors to consider include:
- If the firm handles electronic protected health information (ePHI), does the provider offer a HIPAA compliance-ready solution and will it sign a business associate agreement?
- Are its data centers in compliance? Given the current threat landscape and increasingly strict compliance standards, it has become common for organizations of all sizes to require assurance reports when contracting with third parties. Providers without them are at a disadvantage. Common standards include, but are not limited to, SOC 1, SOC 2 and SOC 3 reports issued under SSAE 18 (which replaced SSAE 16 in 2017). For security assurance specifically, ask for the provider’s SOC 2 Type II report itself and check that the systems hosting your data fall within its scope; a SOC 1 report covers controls over financial reporting, not security.
- Does the provider support multifactor authentication for every login, including administrative and remote access? If so, enforce it firm-wide rather than leaving it optional.
- Do the data centers use physical access controls such as biometric authentication?
- Does the provider encrypt data in transit and at rest, including at the database level, and who controls the encryption keys?
Educate Staff
Do not underestimate the importance of staff education. Take steps to raise staff awareness of cyberthreats and teach them what to look for to help protect against attacks. Encourage staff to adhere to the following:
- Attorneys need a unique password for each of many devices, networks, services and websites, for both work and personal use. As noted by the ABA, consider a password management tool, which lets a user remember a single strong password for the tool while it generates, stores and fills the others.
- Full-disk encryption is a basic safeguard that should be deployed across computers, laptops, smartphones, tablets and portable devices, so that a lost or stolen device does not expose the data on it.
- Never open or download attachments from unknown senders, including potential clients; make contact first by phone, using a number obtained independently rather than one printed in the email. Remember that the address of a known contact can be spoofed or their account compromised, so an unexpected attachment from a familiar name deserves the same check.
- Use encrypted email for confidential or privileged communications and documents sent to clients.
- If encrypted email is not available, documents should be password-protected with a strong passphrase, in a format that actually encrypts the document contents (modern Office and PDF encryption do; legacy ZIP password protection is easily broken). If this approach is used, securely provide the passphrase to the recipient(s) through a different communication channel, such as a phone call or text message, the ABA noted.
- Do not reply to suspicious or unexpected emails; report them to the firm’s IT or security contact instead.
Some additional security measures that firms should consider:
- Have an independent third party conduct a security assessment. According to the ABA, law firms have been slow to adopt this security tool, with only 28% of law firms overall reporting that they had a full assessment. This number, however, increased from 27% last year and 18% in 2017, as clients are increasingly focusing on the information security of law firms representing them.
- Patch operating systems and applications promptly, prioritizing internet-facing systems and vulnerabilities known to be exploited.
- Make regular backup copies of important business data, keep at least one copy offline or otherwise immutable so that ransomware spreading through the network cannot encrypt or delete it, and test restores periodically; an untested backup is not a backup.
- Secure wireless access points and networks: use WPA2 or better, change default administrative credentials and keep guest traffic separate from firm systems.
- Limit employee access to data to what each role needs, remove local administrator rights from everyday accounts and restrict the authority to install software.
- Install and activate software firewalls on business systems.
- Secure internet connections: do not expose remote desktop (RDP) or other administrative services directly to the internet; place them behind a VPN protected by multifactor authentication.
- Consider cyber insurance, as many general liability and malpractice policies do not cover security incidents or data breaches. According to the ABA, only 34% of attorneys reported that they have cyber liability coverage, but this number is increasing (up from 27% in 2017, 17% in 2016 and 11% in 2015).
Have a Plan
Securing sensitive client data isn’t just good for business and the firm’s reputation. It’s also the law.
Lawyers must take competent and reasonable measures to safeguard information relating to their clients. Under ABA Formal Opinion 483, lawyers must also make reasonable efforts to monitor their technology resources to detect a data breach, and it is highly recommended they proactively develop an incident response plan.
If your firm suffers a breach, how you respond, and how quickly, can significantly impact your firm and salvage its reputation. Therefore, it’s important to create an action plan outlining the steps your firm would take in the event of an attack. This can save your firm time and help mitigate further damage should anything occur.
Every response plan should be tailored to the lawyer’s or the law firm’s specific practice but, as a general matter, the ABA suggests that incident response plans share these common features:
- Identify and evaluate any potential network anomaly or intrusion.
- Assess its nature and scope.
- Determine if any data or information may have been accessed or compromised.
- Quarantine the threat or malware by isolating affected machines from the network.
- Prevent the exfiltration of information from the firm.
- Eradicate the malware.
- Restore the integrity of the firm’s network, rebuilding or restoring affected systems from known-good backups rather than trusting a cleaned machine.
- Identify the affected team members and their backups.
- Provide the means to reach team members at any time an intrusion is reported.
- Outline the steps to be taken at each stage of the process and designate the team member(s) responsible for each of those steps, as well as the team member charged with overall responsibility for the response.
And remember: Threats evolve as hackers become increasingly savvy and sophisticated, so it’s important to regularly evaluate and test your firm’s security plan and other safeguards.
Ransomware poses a threat to law firms of all sizes. Safeguarding your clients’ sensitive data and protecting your business start with taking proactive measures to mitigate risks. For help, turn to a technology partner that understands your firm’s unique needs and can assist with disaster recovery planning and reliable backup solutions.