Why Cybersecurity Matters: A Lawyer’s Toolkit

The legal industry is among the juiciest of all honeypots for hackers, given the datasets held by firms, practitioners, and within the public judicial system itself.

Ed. note: This is part one of a two-part series focused on how lawyers can better understand and reduce their exposure to the rapidly growing cybersecurity risks that exist in the legal sector. Part one will focus on the landscape of threats posed to the lawyers, and part two will focus on practical measures that lawyers can take to reduce their threat profile.

A veritable honeypot of sticky data

In recent years, we’ve heard plenty about massive data breaches at organizations such as Marriott/Starwood (500 million guest accounts exposed), Equifax (146 million accounts), and Uber (57 million users). Large consumer-facing brands, such as Target and Home Depot, have been easy prey for sophisticated hackers, as have government organizations. And while no entity or industry is immune, the legal industry is among the juiciest of all honeypots for hackers, given the datasets held by firms, practitioners, and within the public judicial system itself. Clients turn over their most valuable information to their lawyers under the auspices of attorney-client privilege to obtain advice on M&A, IP, and corporate activity, all of which can enrich cyber thieves intent on capitalizing on this insider information.

Breaches and attacks against the legal industry hit hard. More than 11.5 million documents from the Panama-based law firm Mossack Fonseca were leaked to the public in 2016, representing a jaw-dropping 2.6 terabytes of data. In 2017, global firm DLA Piper fell victim to a ransomware attack that shut down many of its offices — a short-term revenue killer. Small firms, too, are at risk. Moses Afonso Ryan, a 10-attorney firm in Providence, filed suit against its insurance carrier after it denied claims from a ransomware attack that resulted in hundreds of thousands of dollars in lost billable hours. The lesson? Firms should consider the ramifications of cyberattacks not only from a revenue and productivity standpoint, but also in terms of the reputational damage that results from security vulnerabilities. It’s too easy for clients to switch firms if they sniff out an operational issue that could jeopardize confidentiality.

How did we get here?

Compared with other sectors, law firms haven’t always prioritized security. Many lack the internal security expertise and security policies that scale with growth. Still others don’t even take the precaution of putting a password on their guest networks. Additionally, more established firms tend to have aging legacy systems that have been patched over the years and that hold large amounts of personally identifiable information (PII) and other sensitive client data in a central location. Those systems weren’t designed with security in mind, and in some cases modern security technologies such as encryption are difficult to apply. It’s not just law firms either: consider the types of public databases that judges and law enforcement personnel can access, such as massive criminal databases and public records such as driver’s licenses.

Network security can also prove tricky at many firms, leaving easy pathways for outsiders to hack into corporate servers and databases. That’s not to say that attorneys aren’t tech savvy — they love the latest gadgets and apps, but they can bypass firm policies and procedures in pursuit of productivity. Chances are, they haven’t been adequately prepped on how to safely use their personal devices for work matters, or they are using their own devices and applications on the side, as “shadow IT.”


Hot button areas for hackers

The stark reality is that most attorneys are highly independent and singularly focused on serving their clients, whether as in-house or outside counsel. The extra steps required to access files and applications with often hard-to-remember (but more secure) passwords are not always congruous with billable hours and around-the-clock attention to deliverables. Lawyers may compromise on security to ensure direct communication with clients on the client’s platform of choice, in pursuit of the almighty billable hour.

Another vulnerability is that attorneys crave information, the more the better. This trait is something that savvy hackers understand and will use to their advantage. Email phishing, in that regard, is a frequent tactic. The smart cyber-villain will quickly learn how to dupe attorneys and their assistants by sending attachments and links by email that appear to come from a legitimate source. Once said attachment is opened — bingo! — the malware starts to execute and do the dirty work behind the scenes, scouring the device for desired data points and eventually securing access to the internal network.

Lawyers who are focused on growing their networks and developing relationships and leads to enhance their practices may also fall prey to the foibles of social media. Recent evidence points to LinkedIn as a tool for hackers seeking to extract personal information from individual users, beginning with innocuous requests related to jobs or business opportunities. Nation states are even using the platform to recruit spies. All the more reason for lawyers to be careful what they share, whom they connect with, and what they post. Best practices and policies related to safe social media use can help practitioners exercise some restraint in their online activities.

Cyber insurance is not enough


If there is a thought that all this risk can be abated with the proper cyber liability insurance policy, it may be worth revisiting that concept. Insurance companies have recently demonstrated a disturbing determination to push back on claims related to nation-state hacking by relying on the “act of war” exclusion in some policies. Whether this evidences a material derogation of coverage is still unclear, but what is clear is that insurance claims are just one more hurdle in recovering from a debilitating attack.

Fortunately, there’s a lot that firms and attorneys themselves can do to reduce risk and ensure client confidentiality in a competitive global climate. The next article will take a deep dive into some frictionless things lawyers can do differently to improve their cyber posture in an increasingly hostile environment.


Jennifer DeTrani is General Counsel and EVP of Nisos Inc., a technology-enabled cybersecurity firm. She co-founded a secure messaging platform, Wickr Inc., where she served as General Counsel for five years. You can connect with Jennifer on Wickr (dtrain), LinkedIn, or by email at dtrain@nisos.com.
