According to recent reports, law firms are particularly attractive targets for attackers, whether to steal data or to demand a ransom for data they have maliciously encrypted. In 2018, the American Bar Association (ABA) published a report on 2017 data showing that 25% of US law firms with 100-499 employees had suffered at least one cybersecurity breach.1 A more recent survey of UK law firms by PwC in 2019 found that 60% of the UK law firms that responded had been the victim of a cyber attack. More strikingly, 100% of the top ten UK law firms surveyed had been subjected to a phishing attack, 75% had detected malware, and 25% had encountered a data breach, loss of data or a denial of service (DoS).2 Cyber attacks are increasing year on year, both in number and in sophistication.
It appears that many law firms are underprepared to deal with an attack on their systems. As the 2019 PwC report found: ‘Cybersecurity risks are not always receiving the due attention and budgetary considerations at the right level of influence. We consider it imperative that cybersecurity risk is owned at an Executive level and features on the Board Risk Register’.3 To strengthen a firm’s defenses, senior management must understand the cyber risk and be prepared to fund both a reasonable cybersecurity budget and adequate defensive measures, including staff training.
Defensive strategies for cyber protection:
- Recognize that the most significant risk of a data breach lies with employees. 91% of such attacks begin with human error, such as clicking on an attachment in a phishing email. Staff need regular training on what attacks look like and how to avoid them.
- Implement security controls such as multifactor authentication, use a Security Operations Center (SOC) to detect and manage incoming threats, and perform due diligence on third-party providers, including those that supply software and software updates.
- Appoint a Chief Information Security Officer (CISO) to own the security program, and make sure they are present at all high-level board meetings.
- Ensure that the firm’s data is stored securely behind firewalls and that all security software is kept up to date. If the firm has many branches, keep the data in a single, centrally managed location rather than in copies scattered across offices; every uncontrolled copy is another place an attacker can reach it.
- Back up all data regularly and keep the backups separate from the primary data, behind their own firewall and not reachable with the credentials used for day-to-day systems. Then, even if attackers get through to your primary data, they cannot reach the backups as well. Test periodically that the backups can actually be restored.
- Apply network segmentation: divide systems into zones according to the sensitivity of the data they handle, and give each zone restricted access and its own firewall rules. This stops malware that lands in one zone from spreading through all of the firm’s data.
- Even with robust security there is always a chance that an attack will get through, so never become complacent or assume you are invincible. Have an incident response plan ready so that, if a breach occurs, further defenses can be put in place quickly, data can be recovered, and clients and employees can be informed if their personal information has been put at risk.
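The backup-isolation and segmentation points above can be checked rather than assumed. The Python script below is an added example, not code from the original article or from any firm’s tooling: it models firewall rules between hypothetical network segments as a directed graph and reports whether an untrusted segment can reach the backup vault, directly or through a chain of permitted flows. The segment names and rule sets are assumptions for illustration; a real audit would load them from a firewall export.

```python
from collections import deque

# Added example (not from the original article). Segment names and rules are
# hypothetical. Each rule is (source_segment, destination_segment, tcp_port) and
# means a host in `source` may initiate a connection to `destination`.
RULES_WEAK = [
    ("workstations", "file-servers", 445),   # staff reach the document shares
    ("workstations", "finance-apps", 443),   # staff reach the accounting web app
    ("finance-apps", "file-servers", 445),   # app server writes to the shares
    ("file-servers", "backup", 443),         # backup agent *pushes* to the vault
    ("management", "backup", 22),            # admins manage the vault
]

# Hardened variant: nothing except the management segment may initiate toward
# the backup vault; the vault *pulls* from the file servers instead.
RULES_HARDENED = [
    ("workstations", "file-servers", 445),
    ("workstations", "finance-apps", 443),
    ("finance-apps", "file-servers", 445),
    ("backup", "file-servers", 445),         # direction reversed: vault pulls
    ("management", "backup", 22),
]


def path_to(rules, start, target):
    """Shortest chain of permitted flows from `start` to `target`, or None.

    Attacker model: after compromising any host in a segment, the attacker can
    use every flow that segment is allowed to initiate, so reachability is
    transitive. Breadth-first search gives the shortest such chain.
    """
    parents = {start: None}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        if current == target:
            path = []
            while current is not None:
                path.append(current)
                current = parents[current]
            return path[::-1]
        for src, dst, _port in rules:
            if src == current and dst not in parents:
                parents[dst] = current
                queue.append(dst)
    return None


def audit(rules, protected=("backup",), untrusted=("workstations",)):
    """Return (untrusted, protected, path) for every protected segment that an
    untrusted segment can reach, directly or via intermediate segments."""
    findings = []
    for source in untrusted:
        for target in protected:
            path = path_to(rules, source, target)
            if path is not None:
                findings.append((source, target, path))
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", RULES_WEAK), ("hardened", RULES_HARDENED)):
        findings = audit(rules)
        if findings:
            for source, target, path in findings:
                print(f"{name}: {source} can reach {target} via {' -> '.join(path)}")
        else:
            print(f"{name}: no untrusted segment can reach the backup vault")
```

The weak rule set looks fine one rule at a time: workstations are never allowed to talk to the vault. The audit finds the chain anyway, because the backup agent on the file servers pushes to the vault and a compromised workstation can reach the file servers. Reversing that one flow so the vault pulls from the file servers removes the path. The vault’s own credentials must then not exist anywhere the untrusted segments can reach, which a rule-level check like this does not cover.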
To hammer the point home about how seriously law firms need to take cybersecurity threats, here are two nightmare cases that show the damage cyberattacks can wreak on a business.
Cyberattack Case Study One
On Tuesday, 27 June 2017, a staff member in DLA Piper’s Ukraine office installed an update to the accounting software that the office used. What they did not know was that the update carried malware designed to cause chaos.4 Within 20 minutes, and despite suspicious activity having been detected by the UK office, the whole of DLA Piper’s system was affected and all of its data was inaccessible. At first the attack was attributed to a piece of ransomware called Petya, which encrypted data and released it only after a ransom had been paid in bitcoin. Although the malware that hit the firm initially looked like Petya, it had some critical and dangerous differences, which is why it became known as NotPetya. For a start, it spread far more easily from computer to computer, and unlike Petya, the ransom was effectively a decoy: paying it did not recover anything. Worse, NotPetya did not merely encrypt files so that they could be unlocked later; it rendered them unrecoverable, taking down the whole firm’s data and its means of communication.
For a large international law firm with over 90 offices in 40 countries,5 and clients including banks, multinationals and media companies, such an attack was catastrophic. It damaged the firm’s reputation and cost it clients, not to mention the direct cost, which included paying IT staff for over 15,000 hours of overtime alone.6 Although the firm’s email was working again within a week, it took months to rebuild the system. In a further twist, the firm’s insurers are refusing to pay out, claiming that DLA Piper did not have the correct cover for this kind of cyber attack.7
Cyberattack Case Study Two
Jenner & Block
For the law firm Jenner & Block, losing personal data through the actions of an employee was more than a little embarrassing, because the firm promotes its own expertise in cybersecurity and data protection. In February 2017 the firm fell victim to a phishing incident: confidential files containing the W-2 forms of 859 employees were sent in response to what was believed to be an email from management. The email was in fact fake, and the personal information ended up in the possession of an unauthorized third party.8 No malware was involved; a convincing request was enough. Once the incident was discovered, the firm complied with all legal and reporting requirements and provided assistance to affected personnel.9 Despite having systems in place to protect such confidential data, even a sophisticated firm like Jenner & Block proved vulnerable to human error.
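The Jenner & Block incident was a request rather than an exploit: a message that looked as if it came from management. Messages of that kind usually carry a few detectable signs in their headers. The Python script below is an added example, not code from the article or from the firm: it applies four checks (an executive’s display name on an external address, a look-alike sender domain, a Reply-To that diverts replies elsewhere, and a request for W-2 or payroll data) to two constructed messages. The firm domain, the executive names and both sample emails are assumptions made for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Added example (not from the original article). FIRM_DOMAIN, the executive
# names and the two sample messages below are constructed for illustration.
FIRM_DOMAIN = "example-law.test"
EXECUTIVE_NAMES = {"managing partner", "jane doe"}   # display names staff would trust
SENSITIVE_TERMS = ("w-2", "w2", "payroll", "social security", "wire transfer")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def analyse(raw_message):
    """Return a list of reasons this message looks like a request-for-data phish."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    _reply_name, reply_addr = parseaddr(str(msg.get("Reply-To", "")))

    if from_domain != FIRM_DOMAIN:
        # An internal-looking name on an external address is the classic W-2 lure.
        if from_name.strip().lower() in EXECUTIVE_NAMES:
            findings.append(f"display name '{from_name}' used from external address {from_addr}")
        # A domain one or two characters away from ours is a look-alike, not a typo.
        if 0 < edit_distance(from_domain, FIRM_DOMAIN) <= 2:
            findings.append(f"sender domain {from_domain} is a look-alike of {FIRM_DOMAIN}")

    # Reply-To pointing somewhere other than the sender means the attacker wants
    # the reply (and the attachments) to land in a mailbox they control.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"replies are redirected to {reply_addr}")

    subject = str(msg.get("Subject", "")).lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    hits = sorted({term for term in SENSITIVE_TERMS if term in subject or term in body})
    if hits:
        findings.append("asks for sensitive data: " + ", ".join(hits))
    return findings


# Constructed sample: an ordinary internal message.
LEGITIMATE_SAMPLE = """\
From: "Jane Doe" <jane.doe@example-law.test>
To: payroll@example-law.test
Subject: Lunch on Thursday
Content-Type: text/plain; charset="utf-8"

Are you free at noon?
"""

# Constructed sample: the W-2 lure, with a look-alike domain ('1' for 'l').
PHISHING_SAMPLE = """\
From: "Managing Partner" <partner@examp1e-law.test>
Reply-To: hr-request@mail-relay.test
To: payroll@example-law.test
Subject: Urgent: W-2 forms for all staff
Content-Type: text/plain; charset="utf-8"

I need the 2016 W-2 forms for every employee as a single PDF before my 3pm call.
Send them directly to this address.
"""

if __name__ == "__main__":
    for label, sample in (("legitimate", LEGITIMATE_SAMPLE), ("phishing", PHISHING_SAMPLE)):
        print(label, analyse(sample) or ["no findings"])
```

Each check alone produces false positives (a partner writing from a personal account trips the first), so this is triage for a SOC or mail gateway rather than an automatic block, and it complements rather than replaces staff training and an out-of-band confirmation step for any request for employee data. The Reply-To check only fires when the attacker needs replies by email; a lure that asks for files to be uploaded somewhere else would not trip it.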
The two examples above show that these large law firms did have measures in place to protect themselves from cyberattacks, yet malicious third parties still found a weak spot: a trusted software update in one case, a trusted-looking email in the other. This is why no law firm can afford to become complacent about its security. Both incidents demonstrate the need for a cybersecurity awareness program that every person in the organization must complete, conducted regularly and made mandatory. New malware and employee mistakes are continually exploited by attackers with their own agendas and incentives. In this ever-changing digital landscape you can never take the safety of your firm’s data too seriously.
- David G. Ries, ‘2017 Security,’ ABA TechReport 2017, American Bar Association, accessed at https://www.americanbar.org/groups/law_practice/publications/techreport/2017/security/
- PwC, Annual Law Firms’ Survey 2019, accessed at https://www.pwc.co.uk/industries/business-services/law-firms/survey/risk.html
- Josh Fruhlinger, ‘Petya Ransomware and NotPetya Malware: What You Need to Know Now,’ CSO Online, 01/17/2017, accessed at https://www.csoonline.com/article/3233210/petya-ransomware-and-notpetya-malware-what-you-need-to-know-now.html
- ‘DLA Piper LLP – True Picture,’ Chambers Student, accessed at https://www.chambersstudent.co.uk/dla-piper/true-picture/22401592/1##firm-profile
- Phil Muncaster, ‘DLA Piper Set to Sue Insurer Over NotPetya Claim,’ Infosecurity Magazine, 03/28/2019, accessed at https://www.infosecurity-magazine.com/news/dla-piper-sue-insurer-notpetya-1-1/
- Jim Carroll, ‘Do Not Fall Down the Rabbit Hole of a Law Firm Data Breach,’ Bigger Law Firm, 02/08/2019, accessed at https://www.biggerlawfirm.com/do-not-fall-down-the-rabbit-hole-of-a-law-firm-data-breach/
- Christine Simmons, Xiumei Dong and Ben Hancock, ‘More Than 100 Law Firms Have Reported Data Breaches. And the Problem Is Getting Worse,’ Law.com, 10/15/2019, accessed at https://www.law.com/2019/10/15/more-than-100-law-firms-have-reported-data-breaches-and-the-picture-is-getting-worse/