By Kyle Scharoll
The global pandemic has changed the practice of law in the U.S. and worldwide. Lockdowns forced firms to close offices, prompting mass work-from-home migrations for attorneys and staff. Thanks to laptops, mobile devices and Wi-Fi availability, the transition has been relatively painless.
But an escalation in cyberattacks and data security incidents has posed severe threats to law firms of all sizes.
In October 2020, a ransomware attack on 900-attorney Seyfarth Shaw froze users out of the firm’s networks. Fortunately, within 10 days the firm restored its critical systems and reported hackers had not accessed or removed any client data.
Less fortunate was 582-lawyer Fragomen, Del Rey, Bernsen & Loewy, which disclosed that an unauthorized third-party accessed a large client’s employee data. Unlike Seyfarth’s breach, Fragomen’s attackers are believed to have entered the system by obtaining user credentials.
Phishing—fraudulently using email and electronic communications to obtain usernames, passwords, credit card details, and sensitive information—is common, and even large firms are deceived. In July 2020, 1,400-attorney Holland & Knight fell victim to a phishing scam that allowed a hacker to intercept email concerning a multimillion stock sale. Posing as the client, the hacker requested a wire transfer to a foreign bank account, and the funds were never recovered.
Large law firms with deep pockets and recognizable corporate clients are not the only targets; smaller firms are often victims of sophisticated cybercriminals, too. A joint eSentire and International Legal Technology Association report ranks the legal profession fifth among industries most vulnerable to malware attacks in 2020.
In May 2020, hackers obtained client files of boutique entertainment firm Grubman Shire Meiselas & Sacks. They demanded $21 million not to expose documents and dealings of U2, Bruce Springsteen, Madonna, Nicki Minaj and other clients.
Three months earlier, hackers seized work product from 11-lawyer Texas personal injury firm Baker Wotring, threatening to make the information public unless they received a ransom.
An American Bar Association survey showed 26 percent of respondents—from solo practitioners to big law firms—experienced security breaches in 2019. Nineteen percent indicated they didn’t know if their firms had ever been breached, a number that shot to 53 percent in firms with more than 100 attorneys. In all, ILTA and eSentire say legal services organizations have a 45 percent probability of experiencing a data security event each year.
Ethics rules require lawyers to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology,” but law firms are not necessarily models of vigilance. Protocols seen as taking too much time are bypassed or overlooked. This lack of attention has worsened during COVID-19. Even pre-pandemic, most law firms had not implemented cybersecurity programs, and they continue to be unprepared.
As one expert told Legaltech News, firms “used to think in terms of ‘bring your own device’ (BYOD) and now must contend with ‘bring your office home’ (BYOH).” Attorneys and staff working from home are more likely to have weak Wi-Fi protocols and passwords, exposing them to phishing and “cultural engineering” scams.
As people’s angst and uncertainty have led them to take fewer precautions, hackers have exploited the rapid dispersion of law firm workforces, accelerated adoption of cloud services and faster online migration of lawyer and staff activities.
Mitigating data breaches
Vaccinations will hopefully bring an end to the coronavirus in 2021, but cybersecurity will remain a significant concern, which is why firms must act now to prevent or mitigate data breaches. Here’s how.
First, ensure data is backed up. “Cold” backups take information offline and avoid the risk of copying data during an update. When cold backups are saved to separate servers, information is preserved even if the primary server goes down. Uptime and integrity are critical, as is regular testing to detect and address errors.
A “warm” backup in a cloud environment allows users to immediately recover data in the event of power outages and disasters. Validation, migration, encryption and testing are best left to technology consultants or managed service providers, even in large firms with dedicated IT departments.
Next, secure data in the cloud and educate lawyers and staff about “shadow IT.” Cloud-based solutions offer significant advantages over local servers, mainly cost. Remote workers accessing networks and applications outside the firm inadvertently invite risk when they use unsecured websites, platforms and software for work. And when they access services on home networks shared with family members accessing other unsecured services, hackers have more opportunities to breach the firm’s network.
If your firm allows clients to pay invoices electronically, payment card industry compliance is imperative. Collaborate with a technology consultant to meet PCI standards and safeguard accounting systems.
Every outside device is a potential threat, so analyze network traffic to detect malware and suspect activity. Although you trust your people, you shouldn’t trust the computers, smartphones, and other hardware they use outside the office.
If a breach occurs, you should have a response procedure that includes initial reporting, escalation, investigation, resolution, and post-incident review and revision.
Last, obtain appropriate cyber-insurance protection. State laws may require your firm to notify government authorities and victims within a set timeframe after discovering a breach. Additionally, disclosing client information—even if due to a cyberattack—may constitute statutory violations of HIPAA, FCRA, and other state and federal laws. Coverage to defend or indemnify these claims is in your best interests.
Despite COVID-19’s economic fallout and operational burdens, one positive is that law firms are savvier about data security and cyber threats. As their workplaces increasingly rely on technology, it must be a pillar of every firm’s business strategy.
Kyle Scharoll is the general manager of Avalon Technologies Inc., and the lead consultant for Avalon For Legal, a practice group that serves in an outside CIO role for law firms seeking to achieve the highest value for their technology investments by improving efficiency and productivity, safeguarding systems and information from cyberattacks, and executing cost-effective cloud-based strategies.