Are Law Firms A Target For Cyber Attacks?
GootLoader… never heard of it? GootLoader is a malware loader spread through search engine optimization (SEO) poisoning, a cousin of malvertising: its operators plant pages on compromised websites that are built to rank for millions of keywords and search terms, and many of those terms are legal queries such as contract and agreement templates or case law. When you search for one of these terms you may see one of the poisoned links, click it thinking it is a legitimate site with real legal documents, and land on a page that offers you a download. That file (typically a ZIP archive holding a single JavaScript file named after your search term) is the GootLoader infection, and once it runs it fetches further payloads, which in attacks on law firms have included the BlackCat ransomware. BlackCat, also tracked as ALPHV and Noberus, is a ransomware family written in the Rust programming language and run as a ransomware-as-a-service operation by criminal threat actors.
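As an added example (not code from this article, from Attorney Credits, or from any vendor), here is a small Python check of the kind a firm's IT staff could run on a downloaded archive before a user opens it. It assumes the shape GootLoader downloads have typically had, a ZIP containing one JavaScript file named after the search term, and the archives it checks are constructed in memory with harmless placeholder content, so it runs offline.

```python
"""Inspect a downloaded archive before opening it, flagging the pattern a
GootLoader download uses: a ZIP holding a single script (.js) file named after
the search term.

Added example for this article, not code from the article's author, from
Attorney Credits, or from any security vendor. The archives it checks are
constructed in memory below; no real malware is involved.
"""
from __future__ import annotations

import io
import zipfile

# Extensions Windows will run directly (Windows Script Host, the shell, or
# PowerShell) when a user double-clicks the extracted file.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".lnk", ".exe", ".scr", ".bat", ".cmd", ".ps1"}
# Document extensions an attacker puts in front of a script extension so that
# "agreement.pdf.js" looks like a PDF when Windows hides known extensions.
DOC_EXTS = {".pdf", ".doc", ".docx", ".txt", ".rtf", ".xls", ".xlsx"}


def suspicious_entries(zip_bytes: bytes) -> list[str]:
    """Return the reasons an archive should not be opened (empty list if none).

    Each member is checked for a script or executable extension and for a
    document-looking name with a trailing script extension. An archive whose
    only member is a script is called out separately, since that is how
    GootLoader downloads have arrived.
    """
    reasons: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
        for name in members:
            base = name.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in SCRIPT_EXTS:
                reasons.append(f"{name}: script/executable extension {ext}")
                if len(parts) > 2 and "." + parts[-2] in DOC_EXTS:
                    reasons.append(f"{name}: document name hiding a script extension")
        if len(members) == 1 and reasons:
            reasons.append("archive holds a single script file (GootLoader delivery pattern)")
    return reasons


def build_sample(name: str, payload: bytes) -> bytes:
    """Build a small in-memory ZIP so the checker can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples (harmless placeholder content), named the way a search
# for a legal template might be answered by a poisoned result.
LOOKALIKE = build_sample("real_estate_purchase_agreement_template.js", b"var a = 1;")
DOUBLE_EXT = build_sample("case_law_summary.pdf.js", b"var b = 2;")
BENIGN = build_sample("real_estate_purchase_agreement_template.pdf", b"%PDF-1.4 sample")

if __name__ == "__main__":
    for label, blob in (("lookalike", LOOKALIKE), ("double-ext", DOUBLE_EXT), ("benign", BENIGN)):
        findings = suspicious_entries(blob)
        print(label, "->", "OK" if not findings else "; ".join(findings))
```

A name-based check like this is only a first filter: the controls that actually stop the infection are endpoint protection that inspects the script's behaviour and a policy that keeps Windows Script Host from running .js files that users download (for example by changing the default handler for .js to a text editor).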
Who are these “threat actors”? They operate from all over the world, but the most active groups are based in or tied to China, Russia, North Korea, Brazil, India, and, yes, the United States. Their usual ways in are social engineering (phishing above all), exposure through third-party vendors and service providers, misconfigured or poorly secured cloud services, and weak basics such as reused passwords and unpatched software; once inside, ransomware is the payoff.
Ransomware has become the go-to scheme because demanding payment in Bitcoin or another cryptocurrency keeps the money out of the banking system: there is no bank to freeze or reverse the transfer, and the funds can be laundered through mixers and exchanges beyond the reach of Western law enforcement, especially once they end up in Russia, China, or North Korea.
Why Are They Coming After Law Firms?
The answer is obvious: they are after your secrets. Law firms are a treasure trove of sensitive information, from M&A plans and financial data to the private affairs of the ultra rich and celebrities, and even tax evaders (think of the Panama Papers, a leak of millions of documents from the law firm Mossack Fonseca). The hackers may not care about the law firm itself; they are after the secrets of the firm’s clients.
Traditionally law firms have defended companies in lawsuits over cyberattacks, but recently firms themselves have been served with class action lawsuits alleging that they failed to protect their clients’ data. Because most law firms are small, the legal industry lags behind the rest of the business world on security. One reason is cost: cyber security is expensive, and even the largest companies still get breached. If a multi-billion-dollar enterprise can fall to a cyberattack or ransomware, a ten-person law firm cannot spend its way to total protection. That doesn’t mean you shouldn’t follow best practices; the basics stop most opportunistic attacks.
It is your ethical duty to protect client data. Your firm must make “reasonable efforts” to prevent unauthorized access to or disclosure of client information, the standard set by ABA Model Rule 1.6(c) (Confidentiality of Information), which you should read along with the ABA’s ethics opinions on the subject: Formal Opinion 477R (Securing Communication of Protected Client Information) and Formal Opinion 483 (Lawyers’ Obligations After an Electronic Data Breach or Cyberattack). Depending on your practice, statutes apply as well: HIPAA if you handle health care data, the GDPR if you handle data of people in Europe, the CCPA if you do business in California, and the SHIELD Act if you hold data on New York residents.
Every law firm should have a written data security policy; train staff to recognize phishing attempts; require strong, unique passwords and, where available, multi-factor authentication; encrypt data at rest and in transit; keep backups that are stored offline or otherwise isolated from the network, and test restoring from them; have an incident response plan ready for when an attack occurs; have an outside party review these plans; and make sure that clients are also trained on safe internet practices.
Attorney Credits, a nationwide CLE provider, offers many courses on cyber security, including Cybersecurity Compliance Strategies for Attorneys, Cybersecurity for Legal Professionals, Five Steps to Protect Your Firm from Catastrophic Cyber Attacks, and Ransomware Attacks on the Legal Profession. We also offer state CLE compliance bundles, unlimited plans, and a free trial for new customers.