Law Firms are Under Attack
In 2016, the FBI’s Cyber Division issued a Private Industry Notification alerting law firms that cybercriminals were specifically targeting them. This alert was not “news” — cybercriminals have been targeting law firms for years. According to the ABA Cybersecurity Legal Task Force, a “recent study of cybersecurity practices at 200+ law firms found that each one had been targeted for confidential data, and over 40% did not even know they had been breached.” The same study found that the size of the firm had no bearing on the likelihood of an attack.
Why Are Law Firms Especially Vulnerable?
Small to mid-sized law firms are typically not early adopters of technology, and hackers are tuned into that, as well as to the fact that even large law firms often do not have a multi-layered security program in place. According to an ALM Legal Intelligence study, 22% of law firms do not have any organized plan to prepare for or respond to a data breach. Plaintiff class-action law firms are aware of these conditions and are targeting law firms for lax data security. In one such suit, a 100-lawyer firm was sued for failure to take reasonable steps to maintain data security, even though the firm had marketed itself in written and website materials as having appropriate cybersecurity.
Figure: percentage of law firms that do not have any organized plan to prepare for or respond to a data breach (22%, per the ALM Legal Intelligence study cited above).
Meet Ethical Requirements and Applicable Standards of Care
Ex post facto analyses of some significant data breaches of law firms show that multi-layered security would likely have thwarted these attacks:
One such attack involved a large DC-based law firm where the hackers used multiple attack vectors to infiltrate the law firm’s network and then steal sensitive data by acting as network administrators. They collected critical data and exfiltrated it over the course of months. Thousands of pages of emails and other information, including confidential communications with clients, were stolen. This attack was successful even though the law firm had significant elements of a security architecture in place and made use of encryption technology.
In another attack, Toronto law firms were victims of targeted attacks from China, resulting in the foreign hackers stealing significant sums of money from the firms’ trust accounts. Once again, the firms had what they thought were the essential elements of a security program in place.
In both of these examples, a multi-layered security approach would have prevented this damage. For example, assume that the initial infiltration by the hackers could not have been prevented. Even so, properly managed continuous monitoring of traffic into and out of the firms’ networks, as well as internal and lateral threat detection inside the networks, would have alerted the firms to the infiltration soon enough after it occurred to prevent serious damage from being sustained.
What is a Multi-Layered Security Program?
The initial step in adopting a multi-layered approach to data security is to review, analyze and assess the firm’s existing security posture. Having a qualified third party perform security assessments — on a regular, periodic basis — is not only best practice but also required in many regulated verticals. Assessments produce a prioritized list of vulnerabilities to be addressed in order to improve the firm’s security posture.
Recommended Assessments for Law Firms:
- External Penetration Testing
- Internal Vulnerability Assessments
- Regulatory Compliance Assessments
- Web Application Security Assessments
- IT Risk Assessments and Gap Analyses
Frequently Asked Questions by Law Firms
“Our firm has adopted end-to-end encryption, for all documents whether they are ‘at rest’ or ‘in motion.’ We use a very strong type of encryption. Doesn’t that mean that we are fully protected?”
Unfortunately, encryption cannot be relied on as the cornerstone of a security program. The most obvious evidence of this is the simple fact that there are examples of law firms that have been breached and seriously damaged even though they were fully encrypted and had email security and firewalls. Without getting overly technical, the basic reason this type of security architecture is inadequate is that it remains vulnerable to intrusions. Once a hacker has gained access to a firm’s network, there are techniques by which information obtainable from inside the network can be used to decrypt documents and exfiltrate them from the network.
“We have a next-generation firewall with IDS/IPS (intrusion detection & intrusion prevention), and our IT department carefully catalogs and retains all the logs regarding incidents and alerts regarding our network. Although we don’t monitor all these alerts in real time (there are just too many alerts for anyone to be able to do that in real-time), we archive and retain these logs, so that they can be used forensically if later it’s determined that there was a breach.”
This is actually the security posture many small-to-medium firms find themselves in. While it may seem like a good idea to maintain and retain IDS/IPS logs, in nearly all cases it is too late to gain information from archived logs that will deter hackers. By the time the breach is discovered, the logs provide only historical information. What’s much worse, the logs can be used against you. What the logs will show is that there was information available to your firm indicating that the network was vulnerable, was under attack, and a breach resulted, all without any intervention by your IT security staff. This is exactly the type of information that could be useful to plaintiffs in suits against your firm for failure to maintain client data confidentiality, for breaches of the relevant standards of care, and for other malpractice-based actions.
“Our firm has deployed a ‘Next-Generation’ firewall and a ‘Unified Threat Management’ device with IDS/IPS (intrusion detection & intrusion prevention) capabilities, in which ‘critical’ alerts are sent to a member of our IT staff, and the remainder of the alerts are archived. We maintain all the other traditional elements of IT security (antivirus, anti-malware, anti-spam and other email security, end-to-end encryption, and endpoint protection). We’ve been advised that this is the highest and best level of security that anyone can expect a law firm to implement.”
This is a typical security posture for larger law firms, and there are numerous IT consultants who subscribe to the belief that it represents adequate data security. Unfortunately, this security architecture will not stop determined hackers. This can be shown both from real-life examples in which firms and businesses with this security posture have been infiltrated and from a technical explanation of how a network with this security posture can be breached. Once infiltrated, the hackers use readily available “dark web” tools to obtain network administrator credentials, essentially taking over any portion of the network they wish to. They then exfiltrate critical information and even use information from the network to steal money from the firm’s trust accounts.

Furthermore, for a large law firm, it is important to understand that your largest and most sophisticated clients are not satisfied with this type of security architecture. They have gone one step further, by having live monitoring of all alerts and events on a 24/7/365 basis from a Secure Operations Center (SOC) managed by qualified engineers, with the ability to promptly stop any detected intrusions before they become breaches with significant damages. In the past, one defense of this vulnerable security posture has been that large law firms cannot afford the same security budget that their Fortune 500 clients can. This may have been a possible defense in the past, but with new advances in security technology, and concomitant significant reductions in applicable costs and expenses, the defense that it is too expensive is no longer realistically available, either to large firms or even to small to mid-sized firms.
“Isn’t the adoption of the ‘multi-layers of security’ described in these materials prohibitively expensive and only available to the world’s largest businesses?”
The simple answer is “not anymore.” Breakthroughs in technology have occurred by which software that utilizes machine-learning principles has streamlined both the analysis and decision-making processes for the many thousands of alerts and events that are flagged daily in any firm’s network. The combination of these new technologies with a properly trained and maintained Secure Operations Center staff has resulted in the ability to fully monitor threats, both external and internal, on a continuous round-the-clock basis, at a reasonable cost. As a result, it is now possible to provide the same level of effectiveness and attention that Fortune 500 companies have received from their Secure Operations Centers to a law firm of essentially any size.
“Isn’t it the case that a major threat to our firm might come from within — from an employee, an ex-employee who has improperly retained access to our network, or an independent contractor or vendor — who, because they have access from within the network, are capable of significantly damaging the firm? Are there any methodologies for detecting and preventing these dangers from within?”
Yes, to both questions. Threats from employees and vendors who have access to the network constitute significant potential dangers for any business, including your law firm. There are new technologies available to monitor the activities taking place within your network, and not just the threats coming from outside the network. These technologies create alerts and events that can be monitored by the engineers in a Secure Operations Center, to be handled in the same manner as the threats from outside the network.
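The three points above (continuous monitoring of inbound and outbound traffic plus lateral detection, the inadequacy of archive-only IDS/IPS logs, and detection of activity by insiders or ex-employees who still hold access) can be illustrated with a small correlation pass over log events as they arrive. The script below is an added example, not code from the original page or from any vendor it describes; the log format, hostnames, usernames, thresholds and the sample log lines are all constructed assumptions. The point it makes is that the very same events that sit uselessly in an archive produce an actionable alert within seconds when they are evaluated in near-real time.

```python
"""
Added example (not part of the original page): a minimal near-real-time
correlation pass over constructed IDS/firewall/auth log lines.
Everything here (log format, hosts, users, thresholds) is an assumption.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> <source> <event> key=value ..."
SAMPLE_LOGS = """\
2024-03-01T09:00:01 auth LOGIN_FAIL user=admin src=10.0.5.23
2024-03-01T09:00:03 auth LOGIN_FAIL user=admin src=10.0.5.23
2024-03-01T09:00:05 auth LOGIN_FAIL user=admin src=10.0.5.23
2024-03-01T09:00:07 auth LOGIN_FAIL user=admin src=10.0.5.23
2024-03-01T09:00:09 auth LOGIN_FAIL user=admin src=10.0.5.23
2024-03-01T09:00:11 auth LOGIN_OK user=admin src=10.0.5.23
2024-03-01T09:05:00 auth LOGIN_OK user=jdoe src=10.0.5.23
2024-03-01T09:06:00 fw OUTBOUND src=10.0.5.23 dst=203.0.113.9 bytes=850000000
2024-03-01T09:30:00 auth LOGIN_OK user=former.partner src=10.0.7.40
"""

# Assumed policy inputs: accounts that should no longer be able to log in
# (ex-employees, ended contractors), an outbound-volume threshold, and a
# brute-force window. A real deployment would tune these per firm.
DEPROVISIONED_ACCOUNTS = {"former.partner"}
EXFIL_THRESHOLD_BYTES = 500_000_000
BRUTE_FORCE_FAILS = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=2)


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, source, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "event": event, **fields}


class Correlator:
    """Keeps just enough state to raise alerts as events arrive."""

    def __init__(self):
        self.fails = defaultdict(deque)  # (user, src) -> recent failure times
        self.admin_hosts = {}            # src -> time of last admin login
        self.alerts = []                 # (timestamp, kind, detail)

    def feed(self, rec):
        ev, ts, src, user = rec["event"], rec["ts"], rec.get("src"), rec.get("user")
        if ev == "LOGIN_FAIL":
            window = self.fails[(user, src)]
            window.append(ts)
            while window and ts - window[0] > BRUTE_FORCE_WINDOW:
                window.popleft()         # drop failures outside the window
        elif ev == "LOGIN_OK":
            if user in DEPROVISIONED_ACCOUNTS:
                self._alert(ts, "DEPROVISIONED_LOGIN", f"{user} from {src}")
            window = self.fails.get((user, src))
            if window and len(window) >= BRUTE_FORCE_FAILS:
                self._alert(ts, "BRUTE_FORCE_SUCCESS",
                            f"{user} from {src} after {len(window)} failures")
                window.clear()
            if user == "admin":
                self.admin_hosts[src] = ts
        elif ev == "OUTBOUND":
            nbytes = int(rec["bytes"])
            # Large outbound transfer from a host that recently held admin
            # credentials: the lateral-movement-then-exfiltration pattern.
            if nbytes >= EXFIL_THRESHOLD_BYTES and src in self.admin_hosts:
                self._alert(ts, "POSSIBLE_EXFIL",
                            f"{nbytes} bytes from {src} to {rec['dst']}")

    def _alert(self, ts, kind, detail):
        self.alerts.append((ts, kind, detail))


def run(log_text):
    """Feed every line through the correlator in arrival order."""
    c = Correlator()
    for line in log_text.splitlines():
        if line.strip():
            c.feed(parse_line(line))
    return c.alerts


def detection_delay(log_text):
    """Time from the first logged event to the first alert."""
    alerts = run(log_text)
    first_event = parse_line(log_text.splitlines()[0])["ts"]
    return alerts[0][0] - first_event if alerts else None


if __name__ == "__main__":
    for ts, kind, detail in run(SAMPLE_LOGS):
        print(ts.isoformat(), kind, detail)
    print("first alert after", detection_delay(SAMPLE_LOGS))
```

Run as-is, the script raises three alerts from the constructed log: a successful login following five rapid failures, a large outbound transfer from the host that had just obtained admin access, and a login by a deprovisioned account. The first alert fires ten seconds after the first suspicious event; the same lines sitting in an archive until a quarterly review would surface the intrusion months later, which is exactly the gap the FAQ answers above describe.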
“We are a small firm. Aren’t we exempt from these requirements? Don’t they apply only to large firms? How can we possibly afford a cybersecurity program? Anyway, we are too small for cybercriminals to be interested in us.”
Unfortunately, no, small firms are not exempt. Bar authorities in more than half the states have adopted modified or new rules of professional conduct that require all law firms, regardless of size, to have adequate cybersecurity (see, e.g., Model Rule of Professional Conduct r. 1.6(c) and the Comments thereto; ABA Formal Opinions 477 and 483). Furthermore, recent studies have shown that cybercriminals are very interested in accessing small-to-medium firms, for a variety of reasons. Your client information may be significant to a competitor or a foreign government. Your trust accounts may occasionally contain enough funds to make them of interest to a foreign hacker. If you are an easy target for a ransomware attack, the size of your firm will not deter a cybercriminal from unleashing such an attack. If you are attempting to compete with the big firms in any practice area where IT security is regulated (such as banking, finance, securities, healthcare or federal contracting), you may find that your clients or potential clients will require certain security standards and ask you to demonstrate that you meet them. In addition, it is no longer prohibitively expensive for a small-to-medium firm to afford a multi-layered security approach (see the FAQ above on whether multi-layered security is prohibitively expensive).