The shutdowns of an east coast pipeline and a national meat supplier demonstrate the crippling effects of successful ransomware attacks. Hackers typically infiltrate companies by sending legitimate-looking email attachments or links “phishing” for login credentials to unsuspecting employees. Once the attachments are downloaded or login credentials are compromised, ransomware may encrypt or steal (or both) all of the data on an infected device or network, whether in the cloud or on a desktop.

High-profile ransomware attacks specifically targeting companies with billions of dollars in yearly revenues represent only a small percentage of the hundreds of millions of attacks that take place yearly. Most attacks cast a large net and try to capture as many businesses as possible, including law firms. Common ransomware attacks that encrypt data can be thwarted by identifying, scaling down, backing up, mapping, and testing data storage systems.¹ Do not fall prey to ransomware attacks and risk violating your professional obligations² : Take the necessary steps to back up your data. 

Identifying Data Storage Locations

Reflect for a moment and think of every location where your clients’ data is being stored. Common storage locations include computers, smartphones, tablets, email providers, document processing applications (for example, Microsoft and Google), cloud-storage providers (for example, Apple, NetDocuments, Dropbox, and Amazon), social media accounts used to communicate with clients (for example, Facebook, LinkedIn, and Twitter), case management systems, and countless other popular applications.

Next, determine whether any of the identified storage locations rely on other software or hardware to properly function. For this step, you could think about situations in which something was not working properly and the outage caused a crash of one or more of the services you use to access data. Common examples are anti-malware software or data synchronization tools that malfunction and cause data to be inaccessible.

If you are not able to determine your storage locations or if this process seems too burdensome from the outset, contact a local and trusted information technology provider to help. In fact, Practice411^™ recommends using the services of a local IT company, even for those folks taking the DIY method for backing up data. In the event of a data breach or disaster-recovery scenario, trained professionals can help restore systems faster than you are able to do on your own, and the fees for such services will easily be earned back by allowing you to more quickly return to billing your time.

Data Review and Archival

Now that you have identified the various storage locations of your data, try to determine whether you need to keep all that information in your active data repositories. A common goal of ransomware is to seek out and encrypt every file on an infected database, with some variants also sending the data back to the hackers. The theft of unencrypted data may trigger reporting requirements under the rules of professional conduct³ and state⁴ and federal⁵ laws. The question here is whether you would like to make the effort now to remove files from your active systems or take the time later to send out notifications that may be required under these rules and laws.

FCC Five Key Principles. The Federal Trade Commission (FCC) recommends⁶ building data security plans around five key principles:

1. Take Stock. Know which personal information you have in your files and on your computers.

2. Scale Down. Keep only what you need for your business.

3. Lock It. Protect the information that you keep.

4. Pitch It. Properly dispose of what you no longer need.

5. Plan Ahead. Create a plan to respond to security incidents.

The process of data archival is quite simple for law firms. Determine all open and closed matters that your firm currently has. All closed matters can be archived and stored in a separate data backup system that is not constantly connected to the firm’s computer networks. Take another look at your active files and determine whether you need to keep all the information that is stored in those files. Often, files contain personally identifiable information that is subject to data-breach-notification laws but is not needed for representation.

Keep in mind that data archival is different than destruction of the information that is in the client file. For guidance regarding how long client files should be kept, which files should be preserved, and minimum safeguards that should be followed before client files are destroyed, review Wisconsin Formal Ethics Opinion EF-17-01 Retention and Destruction of Closed Client Files (visit www.wisbar.org/ethop).

Backing Up Data

The 3-2-1 data backup strategy⁷ recommends that you keep at least three copies of data, backed up in two different storage types, with at least one copy of the data offsite. For example, your laptop or desktop could count as one storage location, an external hard drive could serve as the second location (if the device is only connected to your network when the backup function is being performed), and the third data offsite location could be a cloud service provider, such as Carbonite or Barracuda.

Data synchronization tools, such as Google Drive and Microsoft OneDrive, do not count as a different storage device, because these tools automatically synchronize the data between your desktop and the cloud. If one storage location becomes infected, it is likely ransomware virus will be synchronized into and infect the other file location.⁸ This possibility is another reason why you should only connect your hard drive when backing up your data or ensure your cloud storage backup is taking images of your files at different times. Otherwise, a ransomware infection on your computer could spread to the backup and cloud storage devices that are continuously connected.

In the event of a data breach or disaster-recovery scenario, trained professionals can help restore systems faster than you are able to do on your own, and the fees for such services will easily be earned back by allowing you to more quickly return to billing your time.

Start with your computer or laptop. Now that you are ready to begin planning your data backup strategy, a great place to start is with your computer or laptop. Apple, Windows, and Chromebook operating systems have built-in programs that easily allow backing up the files on a computer to an external hard drive. Third-party cloud services can also be used to take images of computer files at different time intervals.

You can also readily find guides available to back up your phone, case management system, email, social media accounts, and other popular applications by searching for “data backup” on the websites of your hardware or software providers. Remember, hiring a local IT company can help save you the time of completing these tasks and the local company will likely automate backup tasks, saving everyone time and resources.

Mapping Your Data

After identifying data storage locations, support systems, and backups, your next task is to draw a map of your data process and storage flow. A map or diagram can quickly help illustrate systems that may be affected by an outage or ransomware attack. The most effective maps are one page and simply identify the flow of data between your connected devices, applications, and the cloud.⁹ You should revise your data storage map each time you add new hardware or software and review the map every time you test your backup systems.

After completing your map, make sure to include the diagram in your business continuity and disaster recovery plan.¹⁰ Data infrastructure and recovery plans should not be shared with anyone other than trusted information technology providers, because your plans will provide hackers with the knowledge to easily attack your data endpoints. Also, take steps to make sure the plans are available to your successor counsel, in the event of your unavailability.¹¹

Testing Systems

One of the biggest mistakes when backing up data is setting up a good system but failing to regularly test it. Adequate testing will help ensure that you are backing up the correct data and that the data can be restored and accessed within the required recovery timeframe. Testing systems also can illustrate the strengths and weaknesses of your digital environment and provide opportunities for increasing efficiencies.

If you already have a backup system in place, it is still recommended that you have an outside and reputable company annually test it. IT vendors can conduct vulnerability assessments of software and hardware to reveal potential vulnerabilities and confirm your data backup strategy is effective and might be able to reduce the overall cost of your DIY data backup strategy.

Conclusion

Law firms house more personal information of their clients and third parties than they might realize, causing them to be attractive targets for cyber thieves. Although there are federal and state laws and ethics rules that attorneys must abide by in protecting client data, attorneys often do not think their law firm will be attacked until after they suffer from a successful ransomware attack. Avoid being the low-hanging fruit for hackers: Take steps to back up your client’s data.

» Cite this article: 94 Wis. Law. 45-47 (July/Aug 2021).

Endnotes

¹ See Christopher C. Shattuck, When Ransomware Strikes: Strategies to Prevent and Recover, Wis. Law., Oct. 2019.

² See Wis. Formal Ethics Op. EF-15-01: Ethical Obligations of Attorneys Using Cloud Computing and Wis. Formal Ethics Op. EF-21-02: Working remotely, both available at www.wisbar.org/ethop.

³ See Wis. Formal Ethics Op. EF-15-01: Ethical Obligations of Attorneys Using Cloud Computing, supra note 2, at 5.

⁴ See Wis. Stat. § 134.98.

⁵ See Fed. Trade Comm’n, Data Breach Response – A Guide for Businesses, www.ftc.gov/system/files/documents/plain-language/560a_data_breach_response_guide_for_business.pdf.

⁶ See Fed. Trade Comm’n, Protecting Personal Information – A Guide for Businesses, www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf.

⁷ Ryan Harnedy, What is 3-2-1 Backup?, Carbonite (Jan. 29, 2016), www.carbonite.com/blog/article/2016/01/what-is-3-2-1-backup.

⁸ Computer Ctr., The Myth About Data Backup In The Cloud (Feb. 19, 2021), www.computer-center.com/cloud-backup-myth/.

⁹ See HelpSystems, Intermapper Technical Datasheet, https://www.helpsystems.com/intermapper/intermapper-technical. 

¹⁰ See Wisconsin Law Firm Self-Assessment, Disaster Plan / Continuity of Operations: Do you…, Pg. 31 available at www.wisbar.org/lawaudit (www.wisbar.org/formembers/practicemanagement/Documents/Wisconsin%20Law%20Firm%20Self-Assessment.pdf).

¹¹ See Aviva Meridian Kaiser & Christopher C. Shattuck, Lawyer Death or Disability: Who Will Protect Your Clients?, Wis. Law., Mar. 2018.