Law firms are the perfect target for hackers, says Vincent Polley, whose extensive background in cybersecurity includes co-authoring the American Bar Association Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals, published in 2013.
"Lawyers have really high value data," Polley says. And they're soft targets.
"Law firms are not IT-focused," he explains. "The attorney who is striving to provide clients with the best service and the best access possible is not necessarily thinking about how the firm's data is vulnerable and how it is being protected."
Mark Sangster, vice president of corporate and public affairs at eSentire, which works closely with law firms, says that small and medium-size law firms are often less protected than they need to be.
"One misunderstanding we see often is that smaller law firms don't believe they need as much security as larger law firms," he says. "They will literally have a firewall and an anti-virus program and think that's enough."
Why Target Lawyers?
Law firms hold a staggering amount of client data. Probate, divorce and family law firms, for example, have tax forms, bank account numbers and tremendous amounts of personal identity and financial information from their clients and from other parties. Bankruptcy firms, too, have tremendous access to creditors' data.
"Merger and acquisition firms have a tremendous amount of high value data," says Sangster. "Any firm that has escrow funds has a treasure trove of valuable banking information."
Hackers engaged in business espionage increasingly attack law firms because of the clients they serve.
In 2013, Mary Galligan, then head of the FBI's Cyber Division, gave 200 top law firms a stern warning: hackers see law firms as less secure back doors into their clients' internal systems.
Law firms are also loaded with their clients' intellectual property.
"Law firms are more and more being targeted by cryptolocker attacks and ransomware," Sangster says. "Those are more likely to come from organized crime."
The attacks are increasingly damaging, he says. Where an attack once could be undone by restoring the firm's systems to a point in time before the malicious code was introduced, newer attacks infect the system and destroy the files themselves, so a simple restore no longer undoes the damage.
"Cybercrime is on the rise because there's easy access to the tools, they're easy to use and all the training a criminal needs is available on the dark web," Sangster says. "It's lucrative - easier than robbing a bank and there's no enforcement and no deterrence."
While $80 billion was spent globally on cybersecurity last year, cybercriminals reaped $550 billion from their crimes, he says.
"Rob a bank by handing a teller a note and you face draconian penalties," Sangster says. "Rob the same bank over the internet and you will walk away from it untouched," he added.
Data Defense is Good Business
Cybersecurity is about perimeter defense - but there is no one perimeter, Sangster says. There are many, and all have to be secured.
Some fixes are simple because most vulnerabilities are internal: the associate who thinks nothing of logging into the firm's server from Starbucks' Wi-Fi, the employee who opens an irresistible message, the partner who responds to an email that looks like it came from a trusted source - but didn't.
"Most lawyers have the attitude that they don't want to be bothered with extra passwords and with the extra effort of using only secure connections to the firm servers," Polley says.
For a law firm, actively protecting against what you reasonably can and meeting current security standards has to be part of the business plan, Polley says.
First, it's just good business. Even if a hack doesn't shut the firm down, it costs a lot of money just to hire experts to figure out what has been taken or damaged - or left behind. It can mean replacing stolen escrow funds, having to reestablish bank and financial accounts, and lost revenue while the attack is untangled.
Second, taking reasonable steps to protect your data and your clients' data is an ethical obligation. The failure to maintain protections can create legal liability.
"(With cybersecurity) the low hanging fruit is easy to pick," Polley says. "There are some things that are so easy to do that to not do them is malpractice. If you don't encrypt data on laptops, if you use unsecured Wi-Fi for clients' work, that's probably malpractice."
And, he warns, the failure to disclose a breach to clients is a huge ethical lapse.
Disclosing a Breach
The hack against Puckett Faraj in 2012, in which all of the firm's emails were taken, left the four lawyers contacting all their clients to tell them their communications had been compromised, senior partner Neal Puckett says.
"It created a lot of havoc for us and the stress of the hack certainly contributed to people's decision-making to dissolve the firm," Puckett says.
Contacting past and present clients seemed obvious to Puckett and his former partners. But it isn't obvious to everyone, Polley says.
"If a law firm learns it has been hacked in a way that clients have been compromised or it could be reasonably expected that clients have been compromised, they have a duty to disclose," Polley says. "If it ever comes out that a law firm lost their clients' data and didn't disclose, they should suffer discipline for that horrible breach of their obligations to their clients."
Third, a data breach can destroy a law firm's reputation.
"Law firms are very worried about the reputation effects of being hacked," Polley says. "Law firms are prime targets and as such, they are being hacked and are going to be hacked and those hacks are going to be reported on in the media."
"We're moving toward that new normal where everyone understands that, but we're not there yet," he added.
Fourth, prospective clients are increasingly demanding information about IT security as part of the beauty contest for their business.
"In-house general counsel should and probably will ask law firms who is in charge of information security for the firm and if they get a blank look, they will go elsewhere," Polley says.
Prospective clients - particularly financial and technology companies, though it will soon be everyone - increasingly ask about cybersecurity, Polley says.
Cybersecurity Keeps Costs Down
Protection can keep your regulatory and insurance costs down.
"Most of our clients are multi-domicile with at least three locations and often in different countries," Sangster says. "If your law firm is in Los Angeles but you have an office in France, you're responsible for meeting regulatory (security and privacy) standards in Europe."
The standards are evolving and there are penalties for not taking reasonable care with client data.
"In Europe, they are proposing liability up to 20 percent of the revenue. It may not go that way now, but it suggests the direction of the future," Sangster explains.
Cybersecurity insurance can help with recovering from a hack, according to Christine Marciano, president of Cyber Data Risk Managers. But insurers are going to require that the data was well protected.
"The more the businesses do to protect the data, the less the premium costs," Marciano says.
For example, insurers expect to see encryption on mobile and portable devices.
"The claim will be denied if you lose the laptop and the data wasn't encrypted," she says.
But, with all the defenses, hackers can still get in - and, Polley says, they will.
"A determined adversary with time and skill can get into any place they want," Polley says.
Sangster agrees, but says proactive security can limit the damage.
"You will be hacked. Nobody can give an absolute promise you will not," Sangster says. "The problem with being a good guy is you have to be right 100 percent of the time. The bad guys only have to get it right once to succeed."
Marty Graham
Daily Journal Staff Writer