More than one-quarter of all law firms have experienced some type of data breach — here’s what your firm needs to know when it faces a cyber or ransomware attack
If you think your law firm’s secure technology is up to date, you might want to think again. The New York entertainment and media law firm Grubman Shire Meiselas & Sacks is the latest victim of what seems to be the new norm in the legal representation of high-profile clients.
According to an attorney with the firm, Allen Grubman:
“Despite our substantial investment in state-of-the-art technology security, foreign cyberterrorists have hacked into our network and are demanding $42 million as ransom.”
Law firms are particularly susceptible to these attacks due to the sensitive nature of the data that they store on behalf of their clients. According to the American Bar Association and the U.S. Department of Justice, 25% of all law firms have been subjected to, or experienced, some form of a data breach involving hackers.
The average cost of a ransomware attack on a business is $133,000. The cost of ransomware attacks surpassed $7.5 billion in 2019, according to Emsisoft. Computer-oriented crimes span a wide variety of actions, intentions and goals, and no company is too large or too small to be affected by a cyberattack. This is why cybersecurity for law firms is so important.
So, what is there to know about ransomware attacks on law firms? And what should you do if your firm finds itself facing such a dire scenario?
Let’s hash it out.
How Do Ransomware Attacks Happen?
Hackers generally start by accessing your server by using remote desktop protocol credentials deciphered through a brute-force attack. If not through a brute-force attack, hackers are known to gain entry by purchasing remote desktop protocol (RDP) credentials on cybercrime marketplaces.
During the COVID-19 pandemic, the number of brute-force attacks on RDP servers has drastically increased due to the record number of employees who are now working from home. This increase in attacks is primarily due to companies rushing to grant remote access to their workforce. The need to remotely access workstations and servers inevitably creates additional vulnerabilities in a firm’s network.
On April 29, 2020, the Department of Homeland Security released updated Microsoft 365 Security Recommendations, which highlight the fact that many organizations are rushing to “adapt or change their enterprise collaboration capabilities to meet ‘telework’ requirements” and that organizations “may not be fully considering the security configurations of the platforms they are moving to.”
After a hacker gains access to a firm’s server, they will map the target network, looking for any sensitive intellectual property, client files, banking information, social security numbers, or other information used for identification.
On their way out of your firm’s network, the hackers will infect your server with ransomware. The purpose of installing ransomware is to compel the firm to produce a sum of money in exchange for the return of their clients’ privileged data.
In some instances, hackers demand two ransoms: one paid to get your data back, and the other paid to destroy whatever data they may have stolen. These types of hacks are known as Maze attacks. Payment in these types of hacks is almost exclusively demanded in the form of Bitcoin or some other type of cryptocurrency.
REvil Ransomware Attacks in 2020 (So Far)
In May 2020, it was announced that the REvil gang — also known as Sodin and Sodinokibi, which is a ransomware-as-a-service (RaaS) operation — was able to hack the servers of Grubman Shire Meiselas & Sacks and compromise the law firm’s client information. This means that REvil is allegedly in possession of 756GB of data from the New York law firm’s database.
The hack has compromised the privileged legal contracts of many global celebrities, including “the king,” LeBron James, Jennifer Lopez, and David Letterman. The firm has also represented companies like Facebook, Activision, HBO, Sony, and Vice Media. The stolen data includes confidential contracts, phone numbers, email addresses, personal correspondences, non-disclosure agreements, and more.
In April 2020, Travelex chose to pay $2.3 million — in the form of 285 Bitcoins — to the REvil gang after their ransomware attack crippled Travelex’s currency exchange services. Likewise, Allen Grubman is being forced to face a similar reality: comply with the ransomware demands to the tune of $42 million, or compromise the confidential information of his law firm’s most high-profile clients.
As of May 14, 2020, Allen Grubman refused to comply or negotiate with the cyber gang known as REvil. According to the law firm, the FBI has classified the hack as an act of terrorism.
But the REvil ransomware gang is not the first hacker group to extort law firms, and it won’t be the last. According to sources, the Sodinokibi ransomware gang appears to be making a killing.
Negotiating Is a Violation of Federal Law
Negotiating with a group deemed to be a “cyber terrorists” (or paying that group a ransom) is a violation of federal law. Crimes related to ransomware violate the federal Electronic Communications Privacy Act and the Computer Fraud and Abuse Act.
Computer hacking is the most common cybercrime investigated by the federal government under the CFAA. Although federal laws can be widely enforced, the federal government usually limits itself to enforcing crimes that cross state lines and, more recently, computer crimes considered to be a threat to national security.
As a criminal defense attorney, it’s hard not to reflect on the parallels in a situation like this. Typically, we would find ourselves on the opposite end of these types of conflicts.
In the past, we’ve defended a sports gambling software company accused of conspiring with the mob. That case went to trial and was ultimately dismissed. Later, we handled a cryptocurrency hacking case, an online currency arbitrage platform. And, more recently, the alleged illegal deployment of scored Bitcoin ATMs around high crime neighborhoods.
Charges related to the release, implementation, and spread of ransomware are becoming more common. This trend mirrors the rise in ransomware hacks carried out on law firms around the United States and the increased sophistication of these attacks. That is why it is essential for law firms to stop taking their secure technology for granted.
Your Cyber Insurance May Not Cover This…
As you may have guessed, cyber insurance companies are litigating payouts to law firm policyholders who attempt to claim lost business income related to either:
- the monetary ransom paid to hackers who infiltrate a law firm’s network; or
- the lost billings resulting from a firm’s inability to access their system.
For example, the law firm of Moses Afonso Ryan is seeking payment from their insurance carrier, Sentinel Insurance Company, as reimbursement for the $25,000 the firm paid in ransom to hackers that accessed the law firm’s secure network. The law firm is also seeking reimbursement for $700,000 of lost billings during the time the firm was shut down due to the hack.
While Sentinel did reimburse the firm for $20,000 related to the hack, they are refusing to reimburse the $700,000 claim for lost billings.
According to Sentinel’s argument, under the policy in question, Sentinel has no legal obligation to cover other ransomware losses. That’s because the policy coverage for lost business income applies only when there is a physical loss or damage to the property at the business premises.
It’s possible to obtain a policy covering direct costs associated with a hack, such as ransom costs and hiring legal counsel and investigators, to advise you in the event your firm experiences such an attack.
However, the unfortunate truth is that a law firm has yet to see a significant reimbursement related to the “business interruption” component of their insurance policy related to a ransomware attack. And to make matters worse for them, insurance carriers in 2020 are gearing up to litigate such claims.
So, how can your law firm avoid this type of litigation? What preventative measures should you be putting in place? And what are “best practices” for attorneys?
ABA Best Practices Re: Hackers
Attorneys nationwide have three ethical obligations:
(1) to be competent in all respects of the representation of a client,
(2) to maintain the confidentiality of client information and documents received by the attorney, and
(3) to maintain open communication with the client and inform the client of any material defects that would contribute to the client making an informed decision regarding continued representation.
“Transparency and Disclosure to Clients”
The ABA has urged attorneys to notify clients in the event of a data breach and to keep clients updated on subsequent investigations. The American Bar Association’s (ABA) Model Rule 1.4 states that:
“[a] lawyer shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.”
And based upon an American Bar Association (“ABA”) decision issued on October 27, 1995 (Opinion 95-398: “Access of Nonlawyers to a Lawyer’s Data Base“), the ABA is of the opinion that:
“[s]hould a significant breach of confidentiality occur, the lawyer may be obligated to disclose it to the client.”
The bottom line: If your law firm’s data breach is likely to affect your client’s position or the outcome of your client’s legal matter, disclosure of the breach would be required under Rule 1.4 (b).
“Maintaining Technological Competence”
Model Rule 1.1, Comment 8 states that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…”
This rule imposes a mandate on an attorney not only to have, but also to maintain, a level of competence in areas of law and technology to provide legal services to a client effectively.
“Establishing Contracts with Service Providers”
When a lawyer considers entering into a relationship with a service provider, they must ensure that the service provider has in place (or will establish) reasonable procedures to protect the information that it gains access to.
Attorneys should take steps to ensure that their service providers fully understand their obligations regarding a client’s privileged information.
Ransom: To Pay or Not to Pay?
It’s widely understood that there are no good options available for firms that find themselves the victim of a ransomware attack. As many analysts have stated, even if a firm pays a hacker the amount demanded, nothing is stopping the hacker from disregarding the payment and releasing the privileged client information anyway.
We recently wrote about the FBI’s stance on paying computer ransoms, noting that the FBI has made multiple statements encouraging or allowing companies to pay off ransomware attacks:
- Joseph Bonavolonta, Assistant Special Agent of the FBI’s Cyber and Counterintelligence Program, said that in most cases, because the FBI can’t help these companies recover files, their agents often recommend them to pay the ransom to get their data back.
- An official statement from the FBI said they don’t “advocate” paying ransoms, but that the “FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
Beware of Preventable Attacks
When considering that these hacking methods are not a new phenomenon, and analyzing attorneys’ duties from an ethical perspective, some attorneys believe it’s highly likely that a law firm would be held liable in the event of a data breach if the attorney did not take reasonable steps to protect a client’s data. The reality is that there is no sympathy for law firms when something like the REvil ransomware attack strikes.
The FBI has stated that they continue to see many organizations fall victim to preventable attacks. If these attacks are, in fact, “preventable,” there would appear to be some degree of foreseeability related to ransomware attacks in 2020.
If these attacks were deemed “foreseeable,” law firms may open themselves up to civil litigation and ethical implications regarding their duty to:
- protect their clients’ confidential information,
- maintain technological competence in the representation of the clients, and
- decide whether they ultimately disclose the attack to their clients.
While the FBI has not publicly announced a policy of indicting companies for paying ransoms, they’re hovering around the idea. They’re looking for ways to make a public example of those who:
- succumb to preventable attacks,
- enter into a conspiracy to pay ransoms to possible crime cartels by negotiating with hackers, or
- make paying ransoms a business model.
According to the FBI’s Ransomware Prevention and Response for CISO’s, “proactive prevention is the best defense.” They suggest:
- implementing awareness and training programs,
- enabling strong spam filters to prevent phishing emails from reaching end users,
- purchasing firewalls to clock access to known malicious IP addresses,
- managing the use of privileged accounts based on the “principle of least privilege” (only granting admin access to those who absolutely need it), and
- disabling Remote Desktop protocols (RDPs) if it is not being used.
Should these preventative measures fail, they suggest taking the following steps if your law firm’s system is infected with ransomware:
- isolate the infected computer,
- secure backup data or systems by taking them offline,
- change account passwords and network passwords, and
- contact law enforcement.
Another great step would be to encrypt your data. If the data that’s stolen in a data breach is properly encrypted, it means that the attackers won’t be able to access the plaintext data without the keys. This means that no data breach will have occurred.
Implementing your law firm’s security incident response plan and preparing for this type of attack involves taking a lot of different factors into consideration. Luckily, we are here to guide you through that process.
8 Cybersecurity Tips for Law Firms in 2020
1. Review Your Law Firm’s Insurance Policy
Should a breach occur, will your insurance cover ransomware payments, damage to your digital assets, or reputational harm? Does your insurance company have a legal obligation to cover other ransomware losses? For example, does you policy cover lost business income in the event you are unable to access your network and are forced to shut down your business for some period of time? Or will your insurance company claim that your lost business income clause only applies when there is a physical loss or damage to the property at the business premises?
2. Develop and Implement a Cyber Attack Protocol
Having the proper policies and procedures in place in the event of a cyberattack is key. This involves maintaining an open line of communication between your senior and junior level attorneys, administrative staff, and, in some cases, clients. Keeping an open line of communication with your staff will ensure a more rapid response time to an attack and will allow you to isolate the infected computer from devices that may not have been infected.
3. Conduct In-House Cyber Audits, Ethical Hacks and Penetration Testing
Hire a certified ethical hacker to conduct routine audits of your law firm’s system. Penetration testing is a common way to conduct an ethical hack and involves simulating a cyber-attack to highlight vulnerabilities in your firm’s network and test your firm’s defenses. When you hire an ethical hacker, be sure to outline:
- the scope of the penetration test,
- when the test should occur (to avoid service interruptions),
- whether to run an automated scan prior to the engineer’s review of the system,
- whether or not your engineer will have internal knowledge of your law firm’s network prior to the test, and
- whether your law firm partners, associates, and administrative staff will be aware of the test (or do you want their response time tested as well?)
4. Utilize Off-Site Data Storage and Take Inventory of Digital Assets
Your law firm should be utilizing off-site data storage with encrypted security to preserve your data in the event of a breach. In addition, take inventory of your law firm’s digital assets and account for all systems and devices that maintain a connection to your network.
5. Limit Access to Your Network and Data
Your law firm’s network traffic should be segmented to limit network access and prevent access between network segments. Follow the “principle of least privilege” (POLP) to ensure that admin access is only granted to those who absolutely need it. In addition, ensure that all law firm personnel accessing servers and emails are routinely conducting virus scans on their individual devices.
You can also limit access through the use of client certificates, or what are known as personal authentication certificates (PACs). Traditional SSL certificates are useful for authenticating a server to a client (a user’s web browser). PACs work the opposite way: They authenticate the client to the server. So, if a user who lacks the right permissions tries to access the server and its data, their access is denied.
6. Conduct Routine Data Backups and Maintenance
Ideally, your law firm should have the appropriate backups to restore stolen data. Having these backups may eliminate the need to pay to recover data in the event of a ransomware attack. In addition, one of the most common ways malware makes it into a law firm’s website is through out-of-date plugins.
To prevent this, make sure your firm is regularly updating its WordPress usernames and passwords and keep your WordPress, PHP coding, and plugins up to date. Also, if you maintain multiple domains, purchase daily backups for each individual domain.
(Some hosting providers include daily backups of your entire server. The issue with backing up the entire server as a whole is that if a malware attack occurs, you will be required to restore all of your sites on that server back to the time of that backup – causing you to lose work that has been done on other sites on the server that may not have been infected. Having an a la carte option to restore any one site that may have been infected is much more efficient than turning back the clock on all of your sites.)
7. Update Firm Passwords and Institute Multi-factor Authentication
Keep a hard copy of all your firm’s account usernames and passwords, and update them regularly. This includes the credentials for websites, directory listings, email accounts, billing accounts, and servers.
Two-factor authentication (2FA) doesn’t cut it anymore. Multi-factor authentication (MFA) should be required to access your firm’s servers and other data assets. Multi-factor authentication can include requirements to provide account numbers, passwords, PINs and a code sent to a remote device listed on the account, in addition to things like voice verification and fingerprints.
8. Maintain Transparency and Disclosure with Clients
The final tip is to always maintain transparency and disclosure with your clients in the event their personal identifying information is compromised. Getting hacked can be devastating and facing ethical implications as a response to your poor handling of a data breach will only make it worse.
Final Thoughts on Cybersecurity for Law Firms
Crypto-locking malware infections are often just the final stage of an attack that may have already persisted for an extended period of time. Law firms are far from immune from this malicious activity, and it’s time to face that truth.
Navigating the “new normal” in 2020 will be hard enough for some businesses without the added repercussions of ransomware or cyber-attack. That is why cybersecurity for law firms is critical. Firms must take reasonable steps to avoid liability and ethical implications in the event of a data breach by hiring a cybersecurity firm and consulting with legal counsel about best practices.
This article was co-written by Robert Pagan and Ryan Blanch. Pagan is a law clerk for The Health Law Group and is currently awaiting admission to the N.Y.S. Bar. He graduated from the Maurice A. Deane School of Law at Hofstra University in Long Island in 2018. Pagan has experience with health care regulations and compliance, criminal health care litigation, and government investigations.