Earlier this year, the City of Atlanta’s entire judicial system was hit hard when a ransomware attack affected the city’s computer systems. Ransomware is a type of malware that takes over core systems, demanding payment for their recovery. Over one-third of Atlanta’s essential programs – including mission-critical functions – were taken down in the attack. Up to 10 years of records and documents were lost by some areas of government, while delays and disruptions were common throughout the justice system.
Over 46,000 cases were delayed. The impact of this ransomware attack on Atlanta could be replicated with a similar attack on a law firm. Clients’ access to justice, records and evidence could be at risk if a law firm’s servers are compromised. Personal and financial information could even be exposed to malicious attackers.
Hackers Against Law Firms: Cybersecurity Risks
When cybercriminals target law firms, they do so because they know that firms may have valuable information that could be used for identity theft, to pressure clients or to profit from corporate transactions. They may seek to steal information about pending patents being filed or mergers and acquisitions underway, using that information to profit from investments. Hackers may target litigation strategy information for a particular case for political or financial reasons.
Furthermore, hackers can gain access to attorney-client privileged communications, revealing sensitive information. On a wider scale, personal and financial data of employees, clients and vendors could be widely exploited for identity theft and credit card fraud.
If your firm’s electronic security is compromised, it could be catastrophic for clients and for the firm itself. It could put the firm in breach of ethical rules obligating it to protect its client confidential data.
While it can be tempting for lawyers to leave these matters to outside contractors or tech professionals, it’s also important for firm partners and staff to understand why their electronic security program is so crucial. In the case of an incident, a law firm will be far better placed to respond technically and legally if its security policies and practices reflect recognized best practices.
There are a number of different risks that pose serious cybersecurity threats to law firms. Ransomware, which took such a toll in Atlanta, is a form of malware designed to extract money from the victim. Most ransomware victims are individuals, but attacks can also target companies and even governments. Law firms may be tempted to pay the hacker, but by that point all of the firm’s data has already been compromised, and the attacker can lie and continue to extort money. One of the most common ways ransomware infects a firm’s network is through phishing emails, messages that convince a user to turn over passwords or download a malicious file. Studies show that up to 59 percent of all email received by law firms is phishing. While many of these messages are blocked by standard spam filters, the more sophisticated and dangerous ones can pass through default security procedures.
What Can Be Done to Improve the Security of Law Firms?
Many law firms rely on secure cloud service providers to protect their data. On the one hand, cloud computing has lowered the risk of attacks; large, professionally secured servers are more difficult to crack than most locally stored data. In addition, the software on these systems is almost always up to date, so hackers have far fewer chances to take advantage of outdated technology.
However, cloud computing has also opened up new avenues for cybercriminals. When lawyers and staff members access cloud data on their personal laptops or phones, any malware on those devices could also gain access to this confidential data. Other types of attacks specifically target cloud software environments. For example, Distributed Denial of Service (DDoS) attacks flood a network with traffic so that legitimate users cannot reach it. While confidential data may not be breached, a law firm may be unable to access its files, with significant impact on pending litigation.
Law firms can put policies in place to bolster their security. An electronic communication and Internet usage policy can provide clear direction to all firm staff. For example, law firms should only use properly secured email services rather than free, Web-based programs. A policy can also direct the type of secured services that attorneys and staff must use when connecting to the firm’s network, including restrictions on the use of Wi-Fi hotspots or personal devices.
A social media policy can also help law firms to protect themselves. In all cases, security policies should be clear and set from the top. A social media policy can cover a law firm’s hardware and technology, prohibiting users from sharing unauthorized information about clients or the firm itself.
Document retention policies, and particularly email retention policies, can be critical for firms for multiple reasons. Many firms maintain a written email policy to explain why messages beyond a certain date are not available for discovery when demanded in a case. Of course, a firm may often resist such requests by pointing to attorney-client confidentiality.
A strong email retention policy can also provide protection if the firm’s email server is hacked. This kind of policy spells out how long an email is to be stored before it is deleted. Routine deletion limits how much email an attacker can collect and dump in bulk after a compromise.
Secure passwords are also critical. Many phishing attacks rely on the disclosure of passwords, so frequently updated, difficult-to-guess passwords can be mandated across the system. This is particularly critical for highly confidential items like access to a secured cloud computing server.
Implementing secure methods for data and resource management can be critical to bolstering your firm’s security. Secured cloud service providers that specialize in security for confidential data like healthcare, financial and legal information can be key for law firms. In addition, it’s important to understand all of the devices, systems, and software on the network to protect against breaches and identify weak points.
Cyber insurance is another great option. Professional liability insurance may not address all of the eventualities related to a computer security breach, and this form of insurance can fill the gaps. It can cover the costs of forensics experts, crisis management teams, and security firms.
Even when a firm has taken extensive steps to secure its data, it should have an incident response plan and a disaster recovery plan in place in case of a breach or other data catastrophe. This plan can identify action steps and address necessary actions under law, as well as the use of outside experts to deal with the problem. Disaster recovery plans can provide for a communication protocol in case a server is destroyed or client data is lost.
A litigation hold plan is also critical to a firm’s well-being. Firms that are sued or subject to regulatory action will be placed under a litigation hold, which requires them to preserve and secure all relevant electronic data. This could include suspending automatic cleanup functions as well as ensuring that hold notices are sent out. This kind of electronic housekeeping can be just as critical to protecting a firm as fending off hackers and malware. By taking action to improve security and prevent a breach, law firms will be better placed to protect their clients and themselves.
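The email retention policy described earlier and the litigation hold plan described just above pull in opposite directions: one deletes old mail on a schedule, the other forbids deleting anything tied to a matter or custodian under hold. The following is an added example, not code from the article or from any product it mentions, of how a retention job can be written so that the hold always wins. The in-memory `Message`, `RetentionPolicy` and `LitigationHold` classes and the sample mailbox are constructed for illustration; a real job would read this data from the firm’s mail server or archive.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Message:
    """Minimal view of an archived email (hypothetical model)."""
    msg_id: str
    custodian: str            # mailbox owner
    received: date
    matter: Optional[str]     # client matter the message is filed under, if any


@dataclass(frozen=True)
class RetentionPolicy:
    keep_days: int            # ordinary mail older than this is deleted


@dataclass(frozen=True)
class LitigationHold:
    hold_id: str
    custodians: FrozenSet[str] = field(default_factory=frozenset)
    matters: FrozenSet[str] = field(default_factory=frozenset)


def is_on_hold(msg: Message, holds: Iterable[LitigationHold]) -> bool:
    """A message is preserved if its mailbox or its matter is under any hold."""
    for hold in holds:
        if msg.custodian in hold.custodians:
            return True
        if msg.matter is not None and msg.matter in hold.matters:
            return True
    return False


def apply_retention(messages: Iterable[Message], policy: RetentionPolicy,
                    holds: Iterable[LitigationHold], today: date) -> Dict[str, List[str]]:
    """Classify each message: 'hold' (never delete), 'delete' (past the
    retention window and not held) or 'keep' (still inside the window).
    The hold check runs first so a hold always overrides the schedule."""
    cutoff = today - timedelta(days=policy.keep_days)
    decisions: Dict[str, List[str]] = {"delete": [], "hold": [], "keep": []}
    for msg in messages:
        if is_on_hold(msg, holds):
            decisions["hold"].append(msg.msg_id)
        elif msg.received < cutoff:
            decisions["delete"].append(msg.msg_id)
        else:
            decisions["keep"].append(msg.msg_id)
    return decisions


def hold_notice_recipients(holds: Iterable[LitigationHold],
                           messages: Iterable[Message]) -> Set[str]:
    """Everyone who must receive a hold notice: custodians named directly in a
    hold plus anyone whose mailbox contains mail on a held matter."""
    recipients: Set[str] = set()
    holds = list(holds)
    for hold in holds:
        recipients.update(hold.custodians)
    for msg in messages:
        if is_on_hold(msg, holds):
            recipients.add(msg.custodian)
    return recipients


# Constructed sample data: a one-year retention window, one active hold.
SAMPLE_TODAY = date(2018, 11, 1)
SAMPLE_POLICY = RetentionPolicy(keep_days=365)
SAMPLE_HOLDS = [LitigationHold("H-1", custodians=frozenset({"carol"}),
                               matters=frozenset({"M-200"}))]
SAMPLE_MESSAGES = [
    Message("m1", "alice", date(2017, 1, 15), "M-100"),   # old, not held -> delete
    Message("m2", "alice", date(2018, 9, 1), None),       # recent -> keep
    Message("m3", "bob", date(2016, 5, 5), "M-200"),      # old, matter held -> hold
    Message("m4", "carol", date(2016, 2, 2), None),       # old, custodian held -> hold
    Message("m5", "dave", date(2018, 10, 30), "M-200"),   # recent, matter held -> hold
]


def run_example() -> Dict[str, List[str]]:
    return apply_retention(SAMPLE_MESSAGES, SAMPLE_POLICY, SAMPLE_HOLDS, SAMPLE_TODAY)


if __name__ == "__main__":
    for action, ids in run_example().items():
        print(f"{action}: {ids}")
    print("notify:", sorted(hold_notice_recipients(SAMPLE_HOLDS, SAMPLE_MESSAGES)))
```

The ordering inside `apply_retention` is the point: the hold test is evaluated before the age test, so adding a hold is enough to suspend cleanup for the affected mailboxes and matters without editing the retention schedule itself. Running the job in a "report only" mode, as `run_example` does, and reviewing the `delete` list before anything is actually purged is the usual safeguard.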
About the Author: Maha Amircani
Maha Amircani is an attorney in Atlanta, Georgia and founder of Amircani Law. A Georgia native born to immigrant parents from Egypt, Maha represents clients in city, state and federal court litigation as well as administrative proceedings. Her practice specializes in the areas of personal injury, criminal defense, and real estate closings.