Is Your Law Firm A Target For Hackers? (Spoiler: Yes)

Why are law firms seen as soft, ripe targets for hackers? Columnist Keith Lee explains.

Last week, I attended Practicing Law in the Age of Surveillance and Hackers: An Exploration of Privacy and Data Security, put on by the American Journal of Trial Advocacy. It was an interesting symposium to say the least. The running theme seemed to be: “If you’re not scared, you’re not paying attention.”

The general consensus of the panelists (full list here) was that law firms are seen as soft, ripe targets for hackers. The panelists also emphasized that hackers that target law firms and businesses are not isolated, lone hackers. Rather, they are organized crime cartels operating out of Eastern Europe and China. They do so because law firms are often repositories of trade secrets and other information of their clients.

Three years ago, Mary Galligan, head of the cyber division in the New York City office of the FBI, said that hackers see attorneys as a back door to the valuable data of their corporate clients. And the problem is only getting worse. Firms store all types of data obtained or produced through discovery that may be protected from public view by a protective order. But someone who is breaking into your IT system likely won’t mind ignoring a judge’s order.

Brian Levine, CHIP Coordinator for the DOJ’s Computer Crime and Intellectual Property Section, stated that law firms are seen as lagging behind the security practices that many other industries have put in place. Levine also detailed the rise of ransomware (cryptoviral extortion that encrypts an IT system’s data, and demands a ransom for the decryption key) that has increasingly affected firms.

Sarah Hutchins, an attorney at Parker Poe who manages large-scale discovery matters, agreed. Hutchins cited ransomware and other such viral attacks as being such a threat that her firm has an outside IT company send its employees practice phishing and spear phishing emails so that they can learn to handle email safely. Email is a common avenue for ransomware and other viral attacks on IT systems.

Spear phishing, an attack directed at a particular organization after gathering background information on the target, was cited as one of the most problematic attacks facing law firms (really any business) today. This technique is, by far, the most successful on the internet today, accounting for 91% of attacks.

In light of the threats facing law firms by hackers, there was a large focus on a lawyer’s duty in keeping abreast of best practices in IT security and how to best protect client data. The panelists cited the following ABA model rules as an indication that lawyers, at both big and small firms, have a duty to be vigilant in protecting client data and their IT infrastructures from hackers:

  • ABA Model Rule 1.6(c) – A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
  • ABA Model Rule 1.1 – A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.
  • ABA Model Rule 1.15 – … property shall be identified as such and appropriately safeguarded. Complete records of such account funds and other property shall be kept by the lawyer and shall be preserved for a period of [five years] after termination of the representation.

Some lawyers in the audience expressed concern about whether solo practitioners and small firms can keep up with changes in technology and properly protect their systems and clients from attacks. Properly securing data and IT systems could become prohibitively expensive for small firms, which don’t have the money or resources to staff IT departments. But panelist Carrie Goldberg, a solo practitioner, chimed in and detailed her approach to IT security. Goldberg stated that, while it took effort (and money) to secure her IT system, it was doable for a solo practitioner.

And given the increasing number of advisory opinions from state ethics boards regarding a lawyer’s duty to secure their IT systems and client data (California, Washington, Arizona, etc.), at some point not taking the time to properly secure your IT systems could be seen as malpractice.

Data security may not be something that was addressed while you were in law school, but it’s just part of the reality of practice now. Take the time to understand and secure your firm’s IT systems. If not, you’re likely not exercising your due diligence in protecting your client.

And to the hackers out there, you’re just painting a big bullseye on your back.

Keith Lee practices law at Hamer Law Group, LLC in Birmingham, Alabama. He writes about professional development, the law, the universe, and everything at Associate’s Mind. He is also the author of The Marble and The Sculptor: From Law School To Law Practice (affiliate link), published by the ABA. You can reach him at keith.lee@hamerlawgroup.com or on Twitter at @associatesmind.
