---

Cyber-attacks are an issue that law firms need to prioritise today

Information security is one of today’s main challenges. All firms are concerned. The concept that some are too small to get hacked is at best a misconception and, at worst, malpractice. Security begins with being aware of the risks and the likelihood of occurrence. A law firm should understand where it is vulnerable and ensure that it can repel attacks up to a given level of sophistication. It should understand who can be a threat and what their motivations are. It should have knowledge of the value of data and how cybercriminals profit from data. It should know how to detect intrusions and how to respond.

This article details how information security works and how a law firm can organize to defend against attacks. It also reviews some key concepts of information security. Thank you to Mr. Thando Toto, expert in cloud security, for having reviewed this article.

Full article

Protection against cyberattacks - Getting the basics right. Security requires commitment

“In 2020, the drive of the Fourth Industrial Revolution towards ubiquitous connectivity and digitalization will continue. But as new connections and technologies support socio-economic progress, cyberattacks and risks to and stemming from these innovations will increase in frequency and impact.” [1]

This statement reflects well why cybersecurity’s importance is due to increase. It also explains why calls for increased security are resonating across the world media, in various forms and forums. The prediction is that the development of broadband technologies, especially 5G, will cause the increase in data creation to be even greater – with everyday devices being¡ increasingly connected to the internet [2].

Currently some of the top threats for 2020 are [3]:

1. Deepfakes

2. Deepfake voice technology

3. Synthetic identities

4. AI-powered cyber attacks

5. Attacks on AI during its learning phase

6. Disinformation in social media

7. The security challenges of 5G

8. Advances in quantum computers

9. Vehicle cyberattacks

10. Cloud jacking

11. Election security

12. Data privacy

13. Breaches in hospitals and medical centers

If some of these types of attacks do not mean anything to you, this is part of the reason why they are dangerous.

In 2013, the American Bar Association (‘ABA’) released a cybersecurity handbook for lawyers. The book is now in its second edition. The ABA describes the situation as follows [4]:

«Since the release of the first edition published in 2013, cybersecurity breaches in law firms have made news headlines and clients are asking questions about lawyers' and firms' security programs. From the massive Panama Papers breach that led to the dissolution of the Mossack Fonseca Law Firm in April 2016 to the WannaCry and Petya Ransomware attacks, the latter that led to the several day work outage at DLA Piper in June 2017, it is imperative that attorneys understand the potential risk of weak information security practices to their practices and their clients.»

Lawyers are targets. And, often, they are easier to hack than their client.

There is supply and demand. Understanding the profiles of cyberattackers and the motives behind cyber-attacks is the first step to take when considering protecting your organization.

“Who is likely to attack you?” is an important question to answer when elaborating an information security policy for your organization. Currently, the following profiles are identified [5]:

• Organized crime
• Angry person
• Hacktivist
• Script kiddie
• Competitor
• Nation state

These profiles have differing reasons to attack:

• Organized crime typically attacks for money [6]
• Angry persons attackers can be dissatisfied customers, unsatisfied former employees or simply someone who wants revenge
• Hacktivists attack to destroy, for racist motives, to disrupt services and for political influence.
• Script Kiddies typically want to test their skills, they look for fun / excitement / training / experimenting or to show-off.
• Competitors hack to gain a competitive advantage
• And state actors hack for political or cyber warfare motives, such as destruction, spreading disinformation, influencing politics and espionage.

According to Emisoft [7], the stolen data must first be structured and organized in a database. The objective is to identify valuable information, such as:

• Login credentials
• Financial information
• Identity information (name, email, phone, social security number…)
• Legal data Once the database of the stolen data has been created, they can be monetized in various ways [8]:
• Use it themselves, for example to make unauthorized purchases, apply for loans or credit cards, pay off debt or impersonate you to ask money from your contacts. [9]
• Selling the whole database [10]. There are black market prices for credentials, depending on what the credential give access to.
• Using your firm as a platform to launch an attack on your firm’s clients or third parties, using your firm’s credibility to bypass the victim’s defense.
• Selling personally identifiable information (PII) [11] in marketplaces on the dark web (the part of the internet that search engines cannot find):

The market price of PII is relatively elastic in response to supply and is typically determined by the following: Shelf-life (how long can cybercriminals abuse PII before it becomes invalid), Freshness (Age of PII and level of previous abuse), Amount (The more PII is available, the cheaper the price) and potential ROI [12]

• Hold data ransom to extort you – and then sell your data on the black market anyway, once you can no longer be extorted [13]. 

There are several elements to consider for efficient security, from understanding your risks to staying on edge, from performing regular mini-audits to ensuring continuous improvement of security.

A risk assessment “helps organisations identify, analyse and evaluate weaknesses in their information security processes. [14]”

According to Irwin, “the risk assessment is essential to that process, helping organisations:

- Understand the specific scenarios in which their data could be compromised;

- Assess the damage each scenario could cause; and

- Determine how likely it is that these scenarios will occur.”

Securing the help of an information security expert will greatly help in achieving these results in a way that is consistent with your organization’s security objectives.

Information security is not, per se, expensive. The key criteria you can use to evaluate the probable cost of your security are:

• How sensitive is your, and your clients’ data?
• How great is the threat to that data?
• How likely is it that an attack would be successful?
• How damaging could a potential breach of data be?
• How risk-adverse or risk-friendly is your firm?

The risk assessment is intended to help your organization determine the level of security it needs.

For example, if your firm is a typical firm of 2-5 lawyers with regular clients facing the typical everyday legal challenges, you may be fine with simply following the basic information security requirements, such as keeping your equipment up-to-date, raising awareness about phishing threats and email security, having safe passwords and keeping them secure, etc [15].

In any event, every security system should begin with the implementation of the basic hygiene controls described above. Most national data privacy / information security agencies will have a list of basic controls to ensure you meet the minimum safety rules.

These rules should be followed regardless of your size. If your firm is larger, employs more staff, procures services from several providers and counsels high net worth clients or PEPs, it will require a higher level of security for its initial setup.

The level of security will obviously be limited by the available budget that can be allocated to it.

No security system is unbreachable. Your firm’s objective is therefore to reach a compromise between the strength of your security and its cost.

Increasing the security will impact not only the cost, but also your firm’s ways of working. For example, a “paranoid” security level could perhaps mean that an associate would have to get approval for any and all document access request – this is simply impractical.

This ‘paranoid’ level is however excessive for almost all law firms. Your firm will therefore always have to find the right level of security, a compromise between the risk it is willing to accept and the budget it is willing to allocate.

As mentioned in this article’s introduction, the threats continue to evolve daily.

“While an attacker only has to find and exploit one vulnerability, those in charge of defending against attacks have to manage all possible vulnerabilities." [16]

The software we use is updated regularly to improve functionalities and design, but also to patch vulnerabilities. Likewise, the code used to create the software is also regularly updated and therefore also has the potential to create new vulnerabilities:

“[V]ulnerabilities are regularly introduced by the implementation of new services and products(…).” [17]

Another example warranting a review of the firm’s security is the acceptance of an exposed client that can cause a sharp increase in the likelihood of an attack or the impact of a data breach.

• Increased likelihood of breach: if your organization has just agreed to defend a politically exposed person (PEP) [18] in a money-laundering case, you may be facing new threats from new attacker profiles. This increases the likelihood of an attack.
• Increased impact of breach: you may also have ordinary clients whose data, if leaked, could have a considerable damaging impact on their lives. The victim of filmed violent acts may suffer additional and very substantial harm if the video is leaked and circulated. This increases the impact of a security breach.

Lawyers should therefore always assess whether accepting new data increases the likelihood of an attack or the impact of a breach and adapt their security as appropriate.

Clarifying the sensitivity of the information with the client is, in my opinion, crucial: the client alone can set their tolerance to a data breach.

It will help your firm to be equipped to detect intrusions. For example:

• How do you know that, right now, a hacker is not monitoring your law firm’s activity?
• How do you know that, at this moment, a hacker is not extracting client data from your firm?
• What clues would you look for, if you wanted to know whether a hacker has infiltrated your firm’s computers?
• What processes does your firm have, that would allow it to detect that a colleague or a service provider is extracting client data?

There are many means of detecting intrusions. I will present one of them for illustration purposes: the honeypot. Security honeypots serve to attract attackers:

“Honeypots are digital network bait and use deception to attract intruders, thereby distracting them from real production systems. A honeypot with several layers can slow down an attack, increasing the possibility of [detection], and (…) countering the intrusion before it succeeds.” [19].

As explained by Baykara and Das [20], the main purposes of honeypots are:

• “To acquire more insight about uncommon threats and vulnerabilities.
• To act as a set-up trap system, where it attracts the attention of attackers.
• To detect malicious activities on the network.
• To form a protection for real systems by hiding them, and if any attack takes place, it would come to the honeypots.
• To discover new attack types and methods (zero-day).” [21]

In line with the principles discussed above, the selected method should be suitable for the detection of attacks related to the threats you have identified in your risk assessment and in line with your budget.

This being said, most intrusions in law firms will occur as a result of 3 main entry points:

- A member of the team allows the attacker in (phishing email, corruption,…)

- Lost / stolen IT equipment, smartphone, …

- IT service provider is hacked. A law firm should therefore begin, by implementing the basic information security rules – security hygiene – as set out by their national security agency.

In information security, it is a given that all systems will be breached or, at the very least, can be breached. Given this sense of inevitability, what standard should a judge apply to determine whether the law firm is liable for a given data breach?

Ethan S. Burger, Adjunct Professor at the Washington College of law, reported back in 2016, that Citibank had “criticized many of the largest law firms for their reluctance to discuss or even [publicly] acknowledge breaches that result [ed] in the release of their clients’, employees’, and counterparts’ confidential personal data, which has frustrated law enforcement and corporate clients for several years. That frustration bubbled over in an internal report from Citigroup’s cyberintelligence center that warned bank employees of the threat of attacks on the networks and websites of big law firms” [22].

Burger identifies the following grounds for malpractice claims, in the event of a data breach in a law firm [23]: 

1. “Failure to protect their clients’ confidential ad personal data;

2. Failure to supervise those members of the law firms, their employees, and contractors responsible for cybersecurity;

3. Claims where their clients may be harmed in current (and possibly past) criminal, litigative, administrative, or transactional matters; and

4. Fraud or constructive fraud as well as misrepresentation by law firms as to the standard of care they observe when doing work for existing and former clients”.

I would also argue that damage to client data could also give grounds to a claim.

In my opinion, a claim for a data breach can be characterized as inadequate risk assessment or a failure to enforce the security required by an adequate risk assessment.

The following questions can help the judge in this exam:

• Had the firm performed a risk assessment?
• Was that risk assessment realistic and reflective of that law firm’s actual risk and was it consistent with the client’s risk?
• Was that risk assessment regularly reviewed and kept up to date?
• Were security measures consistent with the risk assessment implemented?
• Were these security measures regularly reviewed and kept up to date?
• Did the firm accept data that its security was not designed, or able to, protect or did the firm fail to update its risk assessment and increase its security after accepting more sensitive data? 
• Which measures were immediately enforced to end the attack and prevent any further leak from that attack?
• How sophisticated was the attack that resulted in the breach?
• Should the firm’s security have prevented this attack? If yes, why did it not prevent the attack?

As to the law firm, in my opinion, its defense is to show that its level of security was appropriate for the risks that it had identified and that the attack was beyond what its level of security could defend against. This defense can only operate if the firm has implemented an effective information security system based on an adequate risk assessment.

As to the client, the firm should always be able to explain the level of security it applies. This allows the client to determine whether that level of security is consistent with his or her own requirements.

Conclusion

As a conclusion, the Equifax hack can serve as an example [24]. The ICO notably found that Equifax ltd (UK) had breached the Data Protection Principle 7 (Schedule 1 to the 1998 Data protection act) as follows:

• “Equifax Ltd did not undertake an adequate risk assessment(s) of the security arrangements put in place by Equifax Inc [USA] before transferring data to it and/or following the transfer;
• Equifax Ltd failed to ensure adequate security measures were in place and/or to notice or address that Equifax Inc had failed to take such measures, including:

Not adequately encrypting all personal data held on its system; Not adequately protecting user passwords; Failing to address known IT vulnerabilities, including those that had been identified and reported at a senior level, by promptly identifying and applying appropriate patches to all vulnerable systems/ parts of the system; Not having fully up-to-date software; Failing to undertake sufficient and/or sufficiently regular system scans, and/or using inadequate scanning tools; Failing to ensure appropriate network segregation; Permitting accounts to have more permissions than needed; Storing service account passwords in plaintext within files and allowing such files to be accessed by staff; and (…).” [25]

In information security, the liability for a breach should always be analyzed in comparison to the circumstances, as set me out in the risk assessment. In summary, if your firm’s level of security is appropriate with regards to its risk assessment, and if the security was operating properly at the time of a breach, there should not be any liability.

In my opinion, it is highly advisable for reasons of evidence to document events and processes related to security, so that the law firm will have the necessary evidence ready in the event of a breach.