May 19, 2021 – Because of the sensitive information that law firms hold, they are often targets for data breaches, and hackers continue to evolve the methods they use to breach computer systems and networks to obtain information they can exploit.
That’s why it’s important to stay up-to-date on the latest scams, says State Bar of Wisconsin Law Practice Assistance Manager Christopher Shattuck (Practice411™).
Shattuck and other panelists will discuss data breaches and ethics rules in a full session at the State Bar of Wisconsin’s upcoming 2021 Annual Meeting & Conference (AMC), June 10-12, a virtual event this year. Check out the AMC website or register now.
In this video, Shattuck gives us a sneak peek of the upcoming panel and discusses the most recent data scams out there and what law firms can do to mitigate the risk of data breaches. In addition, he discusses what law firms should do if a data breach does occur.
Social Media Account Compromises. “I’ve been seeing an increase in the amount of social media accounts that have been compromised,” Shattuck says.
“These accounts are compromised by users that have been reusing accounts that have been compromised in a previous data breach or by clicking on links in posts by other users that have had their accounts breached.”
Email Account Compromises. Similar to social media compromises, someone clicks on a malicious link and their email account becomes compromised. The account begins to send out emails to everyone in the compromised account’s inbox.
Ransomware. “Ransomware scams are the same as email account compromises, except data is encrypted and cyber thieves demand payment to unencrypt the data,” Shattuck notes. “Oftentimes the cyber thieves will begin posting client data on the internet as a way to force the company to pay the ransom.”
Fake Clients. Someone pretending to be a new client contacts a lawyer regarding obtaining their services to collect a debt on a contingent fee.
“The lawyer contacts another person pretending to be a fake debtor, who agrees to pay,” Shattuck notes. “The lawyer receives a check and the client demands the lawyer keep their contingent fee, but immediately return proceeds of the collection to the client.”
For social media accounts. “Enable two-factor authentication and make sure to use different passwords for all accounts,” Shattuck says.
You can also check to see if your email account has been the subject of a data breach by searching for free on https://www.haveibeenpwned.com/.
Email Account Compromises and Ransomware. Same as for social media accounts. Additionally, you’ll want to ensure your hardware and software are updated and are using strong security and encryption protocols. You can also test your staff on spotting ransomware attacks for free by using https://phishingquiz.withgoogle.com/.
Fake Clients. Check out these resources: Scams are Gaining in Sophistication: Are You Protected? and the Office of Lawyer Regulation’s guidance on scams targeting lawyers and trust accounts. Some quick tips are: holding deposits in trust until the funds clear; explaining to clients that trust funds will not be disbursed until cleared; verifying the accuracy of contact and adverse party information; and ensuring your firm has adequate safeguards to detect and prevent wire fraud.
Steps if a Breach Occurs
“Once a breach is identified, I’d recommend contacting your local IT company and, if you do not have one, engaging with one to help stop the data breach,” Shattuck noted.
“After the ongoing threat is addressed, the next step will be to determine what data was compromised.” After that, you’ll want to contact your insurance companies to see whether the type of breach is covered, he noted. A great article on this topic is Once Upon a Cybercrime: Are You Covered?
Hopefully, you have insurance that will cover the type of notifications that need to be sent out under ethical rules and state substantive law.
Note Wisconsin Ethics Opinion EF-15-01: “If there has been a breach of the provider’s security that affects the confidentiality or security of the client’s information, SCR 20:1.4(a)(3) and SCR 20:1.4(b) require the lawyer to inform the client of the breach.”
“While beyond the scope of this opinion, other law, such as Wis. Stat. § 134.98, may also require a lawyer to inform the client of a breach,” Shattuck said.
As the final step in the process, you’ll want to ensure that you remediate the underlying issue that allowed for the data breach.