Law firms are extremely unique places of business. They don’t rely on releasing products, but on a specific service that requires the collection of confidential information from clients. Further, because law firms typically serve multiple clients at a time, they hold a wealth of information on both corporations and individuals. And this knowledge isn’t run-of-the-mill company fun facts; it’s the scandalous, salacious, highly-confidential information that would cause chaos if publicly revealed.
Unfortunately, cybercriminals have realized this, and have taken decisive action. In the past few years, law firms have become a prime target for cybercriminal organizations because of their combination of valuable data and relatively lax cybersecurity. This culminated in a 2020 attack by REvil, a notorious ransomware gang, on Grubman Shire Meiselas & Sacks, demanding a USD $42 million ransom for the near-terabyte of stolen data [1]. Overall, 29% of firms recorded a security breach in 2020, according to an ABA survey [2].
It’s clear that law firms are a top target of cybercriminal gangs. Therefore, it’s important to stay informed on these gangs’ strategies, and the best ways to prevent cyberattacks.
How do Cybercriminals Attack Firms
Although cybercriminal organizations typically have “go-to” strategies, there isn’t one specific way that all law firms are attacked. Whether it be with phishing emails, malware, or even insider attacks, there are a variety of ways that law firms can be targeted. While large firms were mostly targeted a few years ago, cybercriminals have recently shifted their priorities. Due to the global crackdown on ransomware gangs, these diabolical organizations started to target small and mid-size firms, avoiding the publicity (and government attention) that an attack on large firms would bring. In fact, mid-size law firms have become the prime target for cybercriminals [3]. After all, these firms still have loads of valuable information, but likely have much less stringent cybersecurity measures.
Concerningly, fewer than half of all law firms use simple security measures like two-factor authorization and file encryption [2]. With a significant portion of firms having no cybersecurity protection beyond usernames and passwords, it’s no wonder that cybercriminal gangs have raked in money from desperate firms. In 2021, the average ransomware payment was USD $140,000, a massive figure for small and mid-size firms [3]. Unfortunately, if an unprepared firm is hit with ransomware, there is typically no other option but to pay the cybercriminals to unlock their encryption and return the stolen data. That’s why the best defense against cyberattacks is preparation.
Legal and Moral Obligations
While there is no federal law requiring law firms to have certain cybersecurity precautions, some individual states and industries do regulate firms’ cybersecurity practices. For example, firms that handle financial data may be subject to the Sarbanes-Oxley Act of 2002, a law that mandates stringent recordkeeping and reporting [4]. Further, certain states like New York and California have more cybersecurity regulations on their books. For example, New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act mandates prompt public disclosure in the event of a security breach [4]. These regulations ultimately help firms stay prepared for cyberattacks, while also serving the public interest if a cyberattack were to occur. Failure to follow these regulations could lead to investigations, lawsuits, fines, and an overall loss of public trust.
In addition to federal and state laws, law firms must also follow the American Bar Association’s (ABA) Model Rules of Professional Conduct. One rule states that lawyers must take
Reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client [4].
Additionally, the ABA requires firms to reasonably inform clients about the status of a cyberattack. While the term “reasonable efforts” is certainly open to interpretation, the ABA is clear: It’s an ethical obligation for firms to prepare for cyberattacks. In today’s digital world, handling client data unsafely isn’t only irresponsible; it’s immoral.
What Can Law Firms Do?
So, we know that law firms are ethically, and in some cases legally, required to take reasonable precautions for cyberattacks. But what exactly can firms, particularly small and mid-size, do? Businesses like this simply can’t afford the cybersecurity infrastructure of large firms, with dedicated staff and numerous expensive programs. Thankfully, providing strong protection from cybercrime is simple and inexpensive.
The best way to prevent data breaches and ransomware attacks is to cultivate a culture of security in the workplace. Specifically, this means embracing simple safeguards like two-factor authorization and file encryption. Just taking these two precautions vastly lowers the risk of a successful cyberattack. Additionally, having yearly (or even twice-a-year!) training on cybersecurity risks helps create a culture of security as well. Think about it: Phishing emails are typically well-disguised. But if all employees know the difference between an innocent work email and a nefarious phishing attempt, your firm will be significantly safer.
Finally, in the unfortunate case that a firm is hit with a cyberattack, it’s extremely useful to have an incident response plan. As a cyberattack is occurring, every minute counts, and having a specific plan can be the difference between a devastating data breach and a failed attempt. If employees know what to do immediately, whether it be turning off all computers, shutting down Wi-Fi, or calling a trusted expert, firms can minimize the risk, or at least lessen the impact, of a surprise cyberattack. Unfortunately, just 34% of firms maintain an incident response plan [2]. While this is an increase from past years, this shows there is still a long way to go regarding cybersecurity at law firms.
About AXEL
Law firms will continue to be targeted by nefarious cybercriminals. Thankfully, AXEL is prepared. At AXEL, we believe that privacy is a human right, and that your information deserves the best protection. That’s why we created AXEL Go, a secure file sharing software. AXEL Go uses military-grade encryption, blockchain technology and decentralized servers to ensure it’s the best file transfer software on the market. Whether you need cloud video storage or cloud file management, AXEL Go is the secure file hosting solution. If you’re ready to try the best file sharing app for PC and mobile devices, try two free weeks of AXEL Go here.
[1] Shankar, AJ. “Council Post: Ransomware Attackers Take Aim at Law Firms.” Forbes. Forbes Magazine, March 11, 2021. https://www.forbes.com/sites/forbestechcouncil/2021/03/12/ransomware-attackers-take-aim-at-law-firms/
[2] Loughnane, John. “2020 Cybersecurity.” Americanbar.org. American Bar Association, October 19, 2020. https://www.americanbar.org/groups/law_practice/publications/techreport/2020/cybersecurity/
[3] Dalton, Brian. “Law Firms Stagger through Ransomware Attacks.” Above the Law, November 2, 2021. https://abovethelaw.com/2021/11/law-firms-stagger-through-ransomware-attacks/
[4] “5 Cybersecurity Risks and 3 Obligations for Law Firms.” The National Law Review, July 8, 2021. https://www.natlawreview.com/article/5-key-data-privacy-and-security-risks-arise-when-organizations-record-job-interviews