Published in NH Bar News (2/17/2021)
Hackers are intentionally targeting law firms, and are likely to continue doing so for the foreseeable future. Headlines have exposed recent breaches at some large and prominent firms, like Goodwin Proctor, Seyfarth Shaw, Cadwalader, and Peabody & Arnold. But, it would be a mistake to believe that hackers targeted only those types of firms. The lists maintained on the websites of the Attorneys General for New Hampshire and Massachusetts reveal that hacks of small and medium sized firms are far more common and damaging.
No firm is immune from cyber threats. Small and medium sized firms are just as valuable targets, and generally more vulnerable. As trusted counselors, we all possess sensitive, personal, and privileged client information. For example, the rosters of breaches noted above show that the targets cover the spectrum from solo practitioners to large firm, and from general practice to specialty firms, especially in the areas of business transactions, tax, estate planning, family/domestic law, real estate, pensions and benefits, immigration, and personal injury.
Sophisticated Ransomware Is the Biggest Threat
Ransomware attacks perpetrated a few years ago typically only encrypted computers and servers, yielding a demand for ransom to obtain the decryption key. Cybersecurity evolved to counteract this threat, including through the use of a combination of advanced activity-based applications that detect ransomware activity and deactivate systems before all data is encrypted, with robust backups that can be used to restore encrypted data.
As a consequence, hackers evolved too. Now, sophisticated ransomware that is typically undetectable by routine anti-malware first extracts data from computers and servers and then encrypts it. Thus, if the target lawyer or law firm refuses to pay the ransom to decrypt its systems, the hackers re-demand ransom to refrain from selling the stolen client information on the dark web.
No Target Is Too Small, and No Practice Area Is Ignored
In years past, hackers may have focused more effort on larger businesses that accumulated credit cards, social security numbers, governmental identification numbers, financial information, or health information. That is not true anymore.
Because big firms generally have invested cybersecurity, smaller ones are now much softer targets. Also, while the foregoing type of information remains generally valuable, some types of its (like SSNs and governmental IDs) have been broadly compromised already, and other types (like credit cards and financial accounts) are surrounded by sophisticated protections. Broader personal information is equally or more valuable for hackers to perpetrate identity or financial crime. For those purposes, the client information we have is prized, like information about assets, finances, monetary and other transactions, family relationships, and sensitive information about their personal lives. Finally, hacking has increased its efficiency by segmenting the criminal enterprise, such as for code writing, phishing, deploying attacks, collecting and aggregating data, perpetrating crime, etc. That efficiency, in combination with greater automation in phishing and deploying attacks, have enabled hackers to exponentially expand their target population.
We All Can Afford Cybersecurity, and Can’t Afford to Ignore It
Two big hurdles for law firms is a lack of knowledge about how to address cybersecurity, and a misconception that doing so will be expensive or disruptive. Neither are prohibitive barriers.
With respect to the first issue, many articles (including here), CLEs, and other resources (such as the ABA Cybersecurity Handbook) exist to educate us on this topic. Also, the market now has a selection of information security professionals qualified to provide services to a wide variety of small, medium, and large firms.
With respect to cost, there is good news for smaller firms. Their relatively smaller technological and physical footprint generally makes it is easier and cost effective to assess their vulnerabilities and implement reasonably safeguards. By contrast, larger firms commonly have established technology systems and office spaces that were designed without necessarily addressing current cybersecurity controls, which means that they may have more vulnerabilities that can be costly and operationally challenging to mitigate. Additionally, we all allocate a certain amount of resources to technology, and an experienced professional can help configure that same budget to incorporate cybersecurity safeguards with limited or no additional costs.
The firms that have experienced hacks know all too well that we cannot afford to ignore these risks. Ransomware cripples a firm for days or weeks, can be exorbitantly expensive (particularly if a firm has no insurance coverage), and often results in loss of clients and business. Hackers will continue to target law firms. It is our duty to protect ourselves and our clients.