Lawyers have access to a tremendous amount of information about their clients: personal identifying information, employment information, intellectual property, and more. And while it’s not a stretch to think that multinational corporations can afford a sophisticated cybersecurity strategy, many law firms either cannot afford much in the way of cybersecurity or do not prioritize it. This is why law firms have become targets within the hacker community. They possess many types of desired information but, on average, have less cybersecurity.
Tom Widman, president and CEO of Identity Fraud Inc., which administers many cybersecurity-insurance products, including the one offered through Wisconsin Lawyers Mutual Insurance Co. (WILMIC), says cyber criminals find certain law firms very attractive to target. “It’s likely that every law firm that is engaged in real estate transactions has been targeted for attack. Attacks against law firms are both widespread phishing attacks and individually and specifically targeted spear phishing attacks. Simply follow the funds. The criminals target firms involved in real estate transactions, whereby they can hack into computers, impersonate the firm, falsify payment details, and abscond with funds sent by wire to the wrong account. It’s a windfall for the cyber criminal and certainly appears worthwhile for them to invest the time and effort to investigate a firm, find their weakness, and wait to attack at the opportune moment. In fact, the FBI issued alerts in 2018 warning that there was an increase of more than 1,100 percent in the number of victims reporting that they had been targeted in a real estate transaction between 2015 and 2017. And the volume of attacks continues.”
Sobering statistics, to be sure. Think of how much private and confidential information each law firm has. Often it is a treasure trove. Perhaps it is financial information, perhaps family information. Whatever the kind, private information has value, and law firms are being held ransom by criminals threatening to release private information.
Becoming a Target Is Likelier Than You Might Think
What are the most common methods cyber criminals use to compromise law firms’ technology systems?
Let’s start with phishing and remote desktop protocol (RDP). Widman says phishing attacks are simple and effective. “Click on a link in an email about COVID or perhaps an email from a fellow employee, family member, or vendor. That link will often have malware that the criminal uses to then record your keystrokes. They uncover your username and passcode and voilà, they are in your system using your email and looking at your files. Support staff all the way to partners are exposed and targeted. Would you click on a link that looks 100 percent legitimate and that came from the CEO or managing partner?”
Widman says that technology tools can scan the entire internet and find computers that have vulnerabilities. “More specifically,” he adds, “if firms allow remote access to workstations called remote desktop protocol, criminals will search for it, find it, attack it, and gain access by using a phishing scam or mere brute force. Once again, they are in your system and masquerade as you or encrypt all the files and hold [your data hostage].”
Kate Campbell, a member of the Data Privacy & Cybersecurity and Technology & Digital Business practice groups at Godfrey & Kahn’s Milwaukee office, agrees with Widman. She sees three main types of attacks that cyber criminals use to take advantage of law firms: 1) attack the end point (for example, with phishing schemes); 2) attack internet-facing devices (for example, by taking advantage of insecure VPN connections); and 3) attack the supply chain (for example, attacking a law firm via attacks on the law firm’s vendor(s)).
Campbell says, “These methods of attack involve law firm employees. Phishing attacks rely on law firm employees to click on a link or an email that unleashes malware or compromises an individual’s credentials. Law firm employees working from home also increase the risk of a cyber attack. They may not have the best technical protections for their internet or remote access to their law firm computer’s desktop, making them more susceptible to cyber criminals.”
What are the most significant and common exposures for law firms? Widman says that email systems are more commonly under attack for the law firms that are customers of his company. “When a criminal can masquerade as a member of the firm, seriously bad things occur. Most of our law firm clients use Microsoft 365, like we do. That needs to have a two-factor authentication system enabled to restrict access, have logging enabled, and restrict email forwarding.”
Campbell adds, “Locking down a firm’s access to its files and demanding payment of ransom in exchange for unlocking the files is common; so is threatening to publicly share information that may be valuable or sensitive to a client unless a ransom is paid.” She says a third common approach is what is known as social engineering. “In that scenario, a hacker uses fraudulent wire-transfer information or other links to divert payments meant to go to banks or vendors.”
The threat landscape for law firms, and businesses more generally, has increased as more and more of our daily life and work are conducted online.
The best advice for firms is to use multiple layers of protection, so if one fails others are in place to protect a firm’s data.
For example, consider only one hypothetical lawyer and how they allocate their time during work and life. Perhaps they start the day by checking email, update their status on Facebook, make a client call, and send a follow-up email with sensitive information attached. Every single one of these actions exposes information that hackers can use to infiltrate the lawyer’s law firm.
Cyber attacks against law firms are not a new phenomenon, but the incidence rate and year-over-year growth are undeniable.
Of course, law firms have many points of access to confidential information. Lawyers, like others, use mobile devices – laptops, smartphones, and tablets. These are highly vulnerable to loss or theft. If they are not protected, they provide access to data and possible entry into protected network systems. If a firm’s security measures are not up to snuff, they can easily be compromised or hacked. It’s not just the big firms that hackers target. Solos and small firms, which might not have sufficient IT resources, clearly also are vulnerable.
Protecting Yourself and Your Firm
How can lawyers and law firms protect themselves? Campbell says, “The best advice for firms is to use multiple layers of protection, so if one fails others are in place to protect a firm’s data. These layers involve both the technical side and personnel side of a law firm: Make sure to use encryption and multifactor authentication, train employees on how to recognize phishing attacks or fraudulent emails, know where law firm data is kept, and have backups in place.”
Widman likes to break down best practices into common sense and compliance. “We know many law firms should have an information security program, protect against threats, protect against unauthorized access, and investigate breaches and notify clients. Firms should also follow guidance from the ABA and consider proactively developing an incident response plan and make all reasonable efforts to restore computer operations when a breach occurs.”
But, these security measures do not guarantee a hack will not occur. Thus, common sense must be used and action taken to mitigate risks. Widman adds, “At this point, I think it is fair to say that most folks, including lawyers, are not experts at information security. Therefore, it makes sense to hire a professional. That professional should support the development of an information security policy that includes education for all staff and technologies and practices to mitigate risks.”
What are those technologies and best practices? Widman suggests the following:
Vulnerability scans to help keep computers and patches up to date;
Education on phishing and scams;
Two-factor (or multifactor) authentication on email and all network access;
Disabling remote access or using multifactor authentication on all remote-access devices;
Exceptional data backup;
Disaster planning (it’s not a question of “if” an incident will occur but “when”).
The American Bar Association (ABA) has held lawyers to the ethical and model rules of professional conduct since they were approved in 1983. These rules are the internal compass for lawyers to use when navigating various scenarios and interactions with clients.
Rule 1.6, regarding the confidentiality of client information, states that, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Basically, this means lawyers must make efforts to protect their clients’ data.
In 2018, the ABA issued Formal Opinion 483, which discusses the importance of data protection and how to handle security breaches. The opinion states matter of factly that the risk of law firms experiencing a data breach is not if, but when. The opinion outlines requirements for law firms before, during, and after cyberattacks. Lawyers must make reasonable efforts to protect their data, react when a breach is suspected or detected, and inform any clients that may have been affected by the breach.
Lawyers’ and law firms’ ethical obligations related to cybersecurity also appear in multiple places in Wisconsin’s Rules of Professional Conduct for Attorneys. Campbell says, “For example, Rule 20:1.1 requires that a lawyer shall provide competent representation. This competency includes understanding the benefits and risks associated with relevant technology. Rules 20:5.1 and 20:5.3 require that a firm has measures in effect that help ensure law firm attorneys and staff are able to comply with professional obligations – for example, by training employees on cybersecurity risks and how best to avoid them.”
Widman sums it up with this motto: “Do your best and insure the rest. Everyone needs to invest some time, effort, and money into mitigating cyber risks. According to insurance and risk management industry surveys, cyber risk is the number one risk facing businesses today. Being better educated, having best practices, using solid technology tools, and being ready to respond when an incident occurs are critical. Investing a few dollars in cyber prevention and insurance is prudent and smart and what we call ‘the final layer of security’.”
Tom Widman, president and CEO of Identity Fraud Inc., says it’s interesting to learn about common loss scenarios. “These include cases where the law firm was never hacked, but an imposter ‘spoofed’ their email and made communications ‘look’ or appear to be coming from the law firm; cases where the law firm was indeed hacked and emails came from the law firm’s Microsoft 365 email, and cases where the law firm was not hacked but their client or the real estate agent or mortgage broker was hacked and best practices were not followed and loss occurred.”
Kate Campbell, of Godfrey & Kahn’s Milwaukee office, provides three examples:
A cyber criminal sits in a law firm’s email system monitoring how invoices are received and paid; the criminal sends a fake email changing the payment method for a law firm’s vendor that looks nearly identical to that vendor’s method of communication, and the law firm starts paying the “vendor” through that fraudulent method. Three months later, an employee of the vendor calls the law firm and says the vendor hasn’t been paid in three months. Now the law firm has to figure out what happened, make sure its systems are secure, and figure out how to pay the vendor for three months’ worth of fees it thought it had already paid.
A firm is using an IT vendor for which the firm might not have done sufficient due diligence. The IT vendor has set up the firm with a remote desktop connection that is not properly secured. A cyber criminal can hack into the firm’s system through the unsecured connection and lock down all of the firm’s files until money is paid. Now the law firm needs to figure out how to get access to its files, whether to pay the money, and how to obtain reimbursement from the vendor for the harm the firm has suffered. “Hopefully the law firm properly negotiated its contract with that IT vendor so this exact scenario would be covered in the law firm’s favor.”
A law firm’s email system is accessed by cyber criminals, who threaten to expose confidential client information from emails unless they get paid.
Campbell says that the costs of a hack can be extraordinary. “They range from lost productivity in the form of lost billable hours, for example, if attorneys can’t access files or have to rebuild client files, to paying ransom, and paying for the costs of complying with state-law notification requirements in the event of a data breach.”
Widman says, “The worst law firm claims we have experienced have involved real estate transactions and their wire transfers going astray.”
» Cite this article: 94 Wis. Law. 49-51 (April 2021).