I have written about cyber crimes and law firm technology hacking for a few years now. I wish I no longer had to talk to lawyers about the dangers and risks of the technology we all use in today’s connected world. Unfortunately, the risks not only still exist, they are greater than ever before and the cyber criminals become more creative every day.
Several years ago, I wrote about lawyers being added to the growing list of victims who were scammed or whose computer systems were hacked. Data security breaches happen so often and in so many places it is impossible to even keep count. Nearly everyone has heard about the high-profile breaches, such as those affecting Target, Google, AOL, and many other huge businesses.
The legal profession has not gone unscathed in this mess. Cyber criminals are interested in law firm data, too. This is as true for solos and small firms as it is for big law firms. Think about the client information you have in your system, from financial data to personally identifiable information. Are you adequately protecting your clients’ information? Are you protecting your practice?
There is plenty of fraud out there to make you leery, including fraudulent financial arrangements, phony “clients,” and computer hackers. Sally Anderson, vice president of claims for Wisconsin Lawyers Mutual Insurance Co. (WILMIC), says law firms can be particularly vulnerable.
“Law firms retain confidential information about their clients – information such as Social Security numbers, addresses, and birthdates that can be used for identity theft. Confidential information about clients, business deals and contracts, and case strategies can be of interest, too.”
Law firms have many points of access to confidential information. Lawyers, like others, use mobile devices – laptops, smartphones, and tablets. These are highly vulnerable to loss or theft. If they are not password protected, they provide access to data and possible entry into protected network systems.
Sandy Hauserman, a Vermont lawyer and a founder and managing member of Digital Risk Resources (DRe), an insurance product development company, says that although any law firm could be victimized, solo and small firm practices may be more vulnerable. “If a firm’s security measures are not up to snuff, they can easily be compromised or hacked. It’s not just the big firms that hackers target. Solos and small firms that may not have the IT resources are clearly vulnerable.”
Larger law firms have more resources to invest in security systems, but size can also bring complexity. “The more complex, the more opportunities there are for security lapses to go unnoticed,” says Hauserman. Every mobile device should be tracked and managed. Staff must be trained in safe Internet and technology use. Vendors must be vetted and managed. Security must be a high priority for in-house IT staff and outside technology vendors.
What would you do if you lost sensitive client information? Whether because of a data breach caused by hackers, careless disposal of client records, theft of mobile devices, or misuse of internal security protocols, lawyers should consider how they are protecting client and employee information.
Many of the latest warnings have to do with “ransomware.” Ransomware is frequently delivered through phishing emails to end users. Early ransomware emails were often generic in nature, but more recent emails are highly targeted to both the organization and the individual, making scrutiny of the document and the sender important to prevent exploitation.
An email compromise occurs in one of two ways:
- Receipt of an email containing malicious attachments, including .pdf, .doc, .xls, and .exe file extensions. These attachments are described as something that appears legitimate, such as an invoice or electronic fax, but contain malicious code.
- Receipt of an email that appears legitimate but contains a link to a website hosting an “exploit kit.”
When the user opens the malicious file or link in the phishing email, the most frequent end result is the rapid encryption of files and folders containing business-critical information and data. Recent ransomware campaigns have employed robust encryption that prevents most attempts to break the encryption and recover the data.
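The two delivery paths above are what a mail-triage check looks for. The following is an added example, not code from the article or from any firm or vendor it mentions: it parses a constructed invoice-themed message, flags attachments with a risky or doubled extension, and flags links whose visible text names a different host than the real destination. The sender addresses, hostnames and file names are all invented sample data.

```python
"""Triage of an incoming email for the two delivery paths described above:
a risky attachment, or a link whose visible text hides its real destination.
All messages here are constructed sample data, not real mail."""
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions named in the article as carriers, plus macro-enabled Office
# types and script/archive formats used the same way.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".doc", ".docm", ".xls", ".xlsm",
                    ".pdf", ".zip"}

# Crude HTML anchor matcher: good enough for triage, not a full parser.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)

# Constructed sample bodies: the first hides a foreign host behind familiar text.
PHISH_HTML = ('<p>Your invoice is ready. View it at '
              '<a href="http://login.example-attacker.test/inv">'
              'https://portal.lawfirm.test/invoices</a></p>')
BENIGN_HTML = ('<p>Your invoice is ready. View it at '
               '<a href="https://portal.lawfirm.test/invoices">'
               'https://portal.lawfirm.test/invoices</a></p>')


def build_sample_message(attachment_name, html_body):
    """Construct an invoice-themed message with one attachment (sample data)."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <billing@example-vendor.test>"
    msg["To"] = "attorney@lawfirm.test"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(html_body, subtype="html")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def host_of(url):
    """Hostname of a URL or bare domain, or None if the text is not one."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else None


def triage(raw_bytes):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment with risky extension: {name}")
        if name.count(".") >= 2:
            # "invoice.pdf.exe": the type the reader sees is not the real type.
            findings.append(f"attachment with double extension: {name}")

    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, inner in ANCHOR_RE.findall(html.get_content()):
            shown = re.sub(r"<[^>]+>", "", inner)
            shown_host, real_host = host_of(shown), host_of(href)
            if shown_host and real_host and shown_host != real_host:
                findings.append(f"link shows {shown_host} but goes to {real_host}")
    return findings


if __name__ == "__main__":
    for label, name, body in [("phish", "invoice.pdf.exe", PHISH_HTML),
                              ("benign", "invoice.txt", BENIGN_HTML)]:
        print(label, triage(build_sample_message(name, body)) or "clean")
```

A finding here is a reason to hold the message for a person to look at, not proof of malice; the point of the check is that the file name and the link text are exactly the parts a targeted email is written to make look legitimate, so they are compared against what the message actually carries.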
Here are a few incidents that occurred during the past year:
A Florida law firm was unable to access any of its digital files in December 2015 after a hacker broke into its computer system when an employee opened an attachment. The hacker then demanded that the firm pay $2,500 in ransom money to get the data back or lose the data entirely. The firm paid the money and the files were then unlocked for the firm. Since the incident, the firm has improved its firewalls and installed an isolated server that is used to back up files.
Another kind of ransomware got the attention of many Wisconsin lawyers, who took to the State Bar Practice411 electronic list to talk about it. “Locky” is transmitted by Word documents attached to an email purporting to be an invoice. When the attached “invoice” is opened, the firm’s files are encrypted. Then the only way to resolve the problem is to 1) pay the ransom, 2) lose the data, or 3) restore it from a backup. Reportedly, Locky can come through Dropbox, OneDrive, and Google Drive, among others.
Protecting Against Ransomware
The ABA has published a list of prevention tips for lawyers. They include the following:
- Focus on awareness and training. Because end users are targeted, employees should be made aware of the threat of ransomware and how it is delivered and be trained on information security principles and techniques.
- Patch the operating system, software, and firmware on devices. All endpoints should be patched as vulnerabilities are discovered.
- Ensure that anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
- Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed.
- Regularly back up data and verify its integrity.
- Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might be securing backups in the cloud or physically storing them offline. Some ransomware can lock cloud-based backups when systems continuously back up in real time. Backups are crucial in protecting against ransomware attacks; if a device or system is infected, backups may be the best way to recover your critical data.
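The last two tips, back up regularly and verify integrity, are only useful if the firm can tell a good backup from a corrupted or encrypted one before relying on it. The following added example (not from the ABA, the article, or any vendor it names) backs up a folder into an archive together with a manifest of SHA-256 hashes, then verifies the archive against the manifest without extracting anything to disk. The folder contents are constructed sample files.

```python
"""Back up a folder into an archive plus a hash manifest, then verify the
archive against the manifest before trusting it for a restore. Added example;
the folder contents are constructed sample files, not real client data."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large archives do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source_dir, dest_dir):
    """Write backup.tar.gz and manifest.json into dest_dir; return both paths."""
    source_dir, dest_dir = Path(source_dir), Path(dest_dir)
    per_file = {str(p.relative_to(source_dir)): sha256_file(p)
                for p in sorted(source_dir.rglob("*")) if p.is_file()}
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname="data")
    manifest = dest_dir / "manifest.json"
    manifest.write_text(json.dumps(
        {"archive_sha256": sha256_file(archive), "files": per_file}, indent=2))
    return archive, manifest


def verify_backup(archive, manifest):
    """Check the archive hash, then every file inside it, against the manifest.
    Returns (ok, reason). Nothing is written to disk during verification."""
    expected = json.loads(Path(manifest).read_text())
    if sha256_file(archive) != expected["archive_sha256"]:
        return False, "archive hash does not match manifest"
    seen = {}
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                rel = os.path.relpath(member.name, "data")
                seen[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    if seen != expected["files"]:
        return False, "file hashes inside archive differ from manifest"
    return True, "archive matches manifest"


def demo():
    """Back up two sample files, verify, damage the archive, verify again.
    Returns (ok_before_damage, ok_after_damage)."""
    with tempfile.TemporaryDirectory() as work:
        src, dst = Path(work, "client_files"), Path(work, "backup")
        src.mkdir()
        dst.mkdir()
        (src / "matter-1001").mkdir()
        (src / "matter-1001" / "notes.txt").write_text("constructed sample")
        (src / "retainer.txt").write_text("constructed sample 2")
        archive, manifest = create_backup(src, dst)
        before = verify_backup(archive, manifest)[0]
        # Simulate corruption or encryption of the archive: flip one byte.
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF
        archive.write_bytes(data)
        after = verify_backup(archive, manifest)[0]
    return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest is only worth something if it is stored apart from the archive it describes (an offline copy, or a location the backup job cannot write to); if ransomware can encrypt the archive and rewrite the manifest beside it, the check proves nothing. That is the same separation the tip above asks for between the backup and the systems it protects.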
Today, it seems, nearly everyone lives on smartphones, tablets, or other devices. All of these carry risks. But so does the seemingly simple process of following client instructions that come in by email. Many stories have surfaced over the past few years about lawyers stung by hackers who used phony “client” accounts to get access to lawyers and give them fraudulent instructions.
A Texas firm was recently working on a real estate closing for a client. Shortly before closing, the firm received an email from the client’s account, the same account that had been used earlier in the transaction, indicating the proceeds should be sent to a bank in Malaysia. The client’s email account had been hacked.
An IT expert testified that the hacker emails came from a computer in Malaysia. He verified that the hack was not of the law firm’s system. He also testified as to the insecurity of the client’s email: the account was on Yahoo and the password for the email was too simple, part of the client’s name and birthdate. Still, the firm was considered negligent for following the phony instructions.
Wisconsin is not immune to email scams. A solo practitioner in the state recently represented clients from another state in a real estate transaction, with net proceeds of the sale wired to the client’s bank, per the client’s instructions. Shortly before the closing of the transaction, the firm received an email allegedly from the client asking that the funds be wired to a different account. The firm followed those instructions but later discovered that the client’s bank had never received the funds. The second email with instructions was fraudulent.
Anderson says she is hearing more and more about these types of situations. “Law firms often have their systems reviewed periodically by their IT department, or in the case of solos, often times by an IT consultant. Sometimes, the banks and even the FBI can be helpful. But of course, once it happens, it can be debilitating for a law firm. In this situation, one phone call to the client to confirm the new wiring instructions would have uncovered the fraud and prevented the funds from being stolen.”
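Both cases above share one feature: the fraudulent instructions came through the client's own, genuine mailbox, so nothing about the sender address looked wrong. The control that Anderson describes works anyway, because it does not depend on the email at all. The following is an added example (constructed client data, not the article's or any firm's procedure) of a hold-and-confirm rule for changed wiring instructions: funds are not released until someone calls the number captured when the client was engaged, and a number supplied in the email itself never counts.

```python
"""Control for payment-instruction changes that arrive by email: the change is
held until confirmed by a call to the phone number captured when the client was
engaged, never to a number supplied in the email itself. Added example with
constructed client data; it works even when the client's real mailbox is the
one sending the fraudulent request."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ClientRecord:
    name: str
    email: str
    phone_on_file: str      # taken from the engagement letter or in person
    bank_account: str       # wiring instructions on file


@dataclass(frozen=True)
class WireChangeRequest:
    sender_email: str
    new_bank_account: str
    callback_number_in_email: Optional[str]   # whatever the email asks you to dial


@dataclass(frozen=True)
class Decision:
    release_funds: bool
    reason: str
    call_this_number: Optional[str] = None


# (number dialed, client confirmed the change): the firm's callback log.
Callback = Tuple[str, bool]


def evaluate_wire_change(client: ClientRecord, req: WireChangeRequest,
                         callbacks: List[Callback]) -> Decision:
    """Decide whether funds may go to the account named in the request."""
    if req.new_bank_account == client.bank_account:
        return Decision(True, "instructions unchanged from those on file")

    notes = []
    if req.sender_email.lower() != client.email.lower():
        notes.append(f"sent from {req.sender_email}, not the address on file")
    if (req.callback_number_in_email
            and req.callback_number_in_email != client.phone_on_file):
        notes.append("email supplies its own callback number; it is ignored")

    for number, confirmed in callbacks:
        # Only a call to the number on file counts; a number taken from the
        # email would reach whoever wrote the email.
        if number == client.phone_on_file:
            if confirmed:
                return Decision(True, "change confirmed by callback to number on file")
            return Decision(False, "client denied the change on callback; treat as fraud")

    hold = "bank details changed by email and not yet confirmed"
    if notes:
        hold += " (" + "; ".join(notes) + ")"
    return Decision(False, hold, call_this_number=client.phone_on_file)


# Constructed sample data: a client on file and a request that changes the account.
CLIENT = ClientRecord("Jane Doe", "jane@clientco.test", "+1-555-0100", "ACCT-ON-FILE-1")
REQUEST = WireChangeRequest("jane@clientco.test", "ACCT-NEW-9", "+1-555-0199")


if __name__ == "__main__":
    print(evaluate_wire_change(CLIENT, REQUEST, []))
    print(evaluate_wire_change(CLIENT, REQUEST, [("+1-555-0199", True)]))
    print(evaluate_wire_change(CLIENT, REQUEST, [("+1-555-0100", True)]))
```

The sender-address comparison is kept only as a note, not as the deciding check: in the Texas case it would have passed. The decision turns on the callback log, and the only log entry that can release funds is one made to the number the firm already had before the email arrived.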
Bolster Your Firm’s Cybersecurity
Every law firm has responsibility for protecting personal information. Many Internet users, whether at a law firm or elsewhere, sometimes do not implement good practices. Training and education for all employees can help manage the risk. If you are a solo practitioner or run a law office, you should know who has access to the personal information you handle. Also, implement a written information security plan, which should include security controls and business practices for handling personally identifiable information and can help protect you and your firm. Restrict access to personal information within your firm. Encrypt electronic data. Shredding paper documents and deleting electronic data when appropriate is also important.
And finally, beware of phony emails! Anderson reminds us, “Be sure to verify emails when they contain client instructions, especially those that direct the transfer of money. A phone call to confirm the instructions with the client is an easy and inexpensive way to alleviate this risk.”
As we move deeper into the electronic age, more lawyers are scanning files and saving them electronically. Lawyers must adequately protect and preserve client files, maintaining confidentiality and security, on whatever computer server is being used. As Anderson says, “You can never be too safe.”