The 2021 Microsoft Exchange Server breach shook the cybersecurity industry to its core because of the sheer amount of sensitive data that sits in email: attackers exploited flaws in on-premises Exchange servers to gain access to victims’ mailboxes. The thought of software from one of the oldest and largest technology companies being compromised at that scale raised alarms across every industry, including the legal community.
Law firms receive and store highly sensitive information and are notorious laggards in protecting themselves with proper cybersecurity measures. In this roundtable discussion, experts weigh in on why law firms are at such risk and how they can protect themselves, and their clients, from having their data compromised by hackers.
Natalie Shkolnik (NS), a partner at Wilk Auslander LLP, has significant experience in judgement enforcement, commercial litigation, arbitration, business disputes, and advising on cybersecurity preparedness and enforcement.
Andy Wilson (AW) is the CEO and co-founder of Logikcull, which is a highly secure, cloud-based eDiscovery platform used by over 20,000 legal professionals.
Eli Wald (EW) is the Charles W. Delaney Jr. Professor at the University of Denver Sturm College of Law. He is a legal ethics expert who has written and lectured extensively about cybersecurity for lawyers.
Clinton Sanko (CS) is a shareholder at Baker Donelson and oversees the firm’s eDiscovery team. He is a seasoned trial lawyer and seeks maximum efficiency throughout the eDiscovery and document review processes.
Jake Bernstein (JB) is a partner at K&L Gates’s Seattle office. He is a member of the Technology Transactions and Sourcing practice group, and primarily services clients under the Data Protection, Privacy, and Security focus area. Jake is also a Certified Information Systems Security Professional licensed by (ISC)². Jake also co-hosts The Cyber Risk Management Podcast.
Why are we seeing an increase in law firm data breaches?
NS: Clients’ confidential files and personal information are the backbone of a law firm’s practice. The files contain highly sensitive, often valuable, information such as trade deals, mergers, or regulatory investigations. By targeting confidential client files, which law firms are ethically obligated to protect, cybercriminals can force law firms to pay out quickly to end a ransomware attack.
JB: Law firms make amazing targets on every conceivable level. They have loads of valuable data, and they are ethically required not to lose that data, which might make them more willing to pay ransoms quickly and quietly. Additionally, attorneys are stereotypically not a tech-savvy bunch, and they have a professional predisposition to move quickly through emails in order to get things done. Even the largest law firms are still small compared to most enterprise-class companies, meaning that their cybersecurity is unlikely to be top-of-the-line.
AW: Law firm data breaches are nothing new. Five years ago, the Wall Street Journal broke the story of two of the most preeminent firms losing valuable M&A information to hackers. It’s been just as long since a law firm hack resulted in the release of the Panama Papers.
In 2020, for the first year on record, the American Bar Association reported a decrease in the measures law firms collectively took to secure client data. Meanwhile, the number of electronic records involved in litigation, investigations, and eDiscovery has exploded, with law firms now handling terabytes of sensitive data. Hackers are becoming increasingly sophisticated, and they know law firms house incredibly valuable information with substandard security.
Motivated hackers, easy targets, and priceless data to be stolen create the perfect storm. Thankfully, we are also seeing a growing awareness about law firm cybersecurity risks among those with real leverage—large corporate clients. They’re increasingly taking control of processes involving their most sensitive data, like eDiscovery and investigations, owning the platforms their attorneys will use, and making sure data is protected by bank-level encryption, robust security procedures, and technology that reduces the risk of human error.
EW: Law firms have long been a favorite target of hackers for three related reasons: they receive, store and send out sensitive, valuable client information; they are less sophisticated and relatively easier to hack compared to larger companies, and they are perceived to have the means to pay off ransoms.
The COVID-19 pandemic has forced many law firms to work remotely, which has made legal staff increasingly dependent on remote technology and has increased the volume of data potentially vulnerable to attacks. At the same time, remote work has made some less diligent about regularly observing cybersecurity protocols, which also renders the firms more vulnerable to breaches.
What impact has COVID-19 had on the ability of firms to protect client data?
EW: COVID-19 has compromised the ability of law firms to protect client data for several related reasons. First, by forcing staff to work remotely, the pandemic has increased the volume of data that is vulnerable to attacks. Second, the pandemic forced most lawyers and staff to shift to remote technology, including those less proficient in secure, remote technology protocols and less adept at observing cybersecurity protocols. Third, the pandemic has undercut the culture of law firms, including the culture of adherence to reasonable cyber-security measures. Simply put, with little in-person contact, it has become harder for IT professionals and management to monitor the cyber work habits of their lawyers and staff.
CS: COVID-19 forced all attorneys and staff to a work-from-home model. This created more opportunities for the proliferation of data across different devices. In many cases, people began using home computers that had never been used for secure business purposes before.
While attorneys generally have been mobile for many years, and the preparedness was high, this was a new experience for the support staff at law firms. A fast-moving strategy was necessary to adjust to the changes nearly overnight to account for the new needs of a secure work from home situation.
AW: The pandemic has exacerbated vulnerabilities like data sprawl across multiple devices and locations and a growth in “shadow IT,” which is the use of unapproved, often unaccounted for software that might not meet security standards. However, the extent to which the pandemic has pushed more law firms into secure cloud-based systems has been a boon to law firm security. COVID-19 has pushed even the most conservative firms to adopt secure, cloud-based platforms: from bank-level encryption to single sign-on or two-factor authentication.
Instead of relying on homegrown security teams and on-premises technology, the switch to cloud has led to the rapid rise of improved security standards in the legal industry. As security improvements are made on the cloud, they’re implemented immediately to mitigate vulnerabilities without any downtime. That means we’re far less likely to get hit due to vulnerability from outdated software, which is exactly what the hackers exploited in the Microsoft Exchange data breach.
Amazon Web Services, Amazon’s hosting subsidiary that powers much of what we think of as “the cloud”, is dedicating more resources to cybersecurity than any individual law firm (or even any global firm for that matter) would ever be capable of. At Logikcull, we put a similar focus on instilling trust through our extreme security measures.
JB: COVID-19 has impacted many businesses’ ability to protect their clients’ data largely as a result of the world’s largest digital transformation and remote work experiment ever performed (albeit unwillingly). Almost no one was ready for the remote work transition due to the pandemic.
The lack of secure infrastructure created a predictable situation: work was bound to be performed under non-secure circumstances. Whether an RDP port is left open, or a child decides to browse the web while logged into a corporate VPN, these holes in security are bound to happen at any company. Law firms were no different.
NS: COVID-19 threw the proverbial wrench into the ability of firms to protect client data. The abrupt shift to remote working left many firms unprepared for new challenges. Firms suddenly needed reliable remote access systems that were capable of handling the traffic of the entire firm, along with secure, preferably firm-issued devices for all employees to use at home.
Many lawyers have been used to relying on in-person office administrative support and are unused to and uncomfortable with new technology. These challenges were compounded by two more factors: a dramatic increase in malware and phishing schemes aimed at exploiting the new working arrangements and the societal desire for the latest information about COVID-19.
Malware can be disguised as work-from-home resources or files relating to the coronavirus. Even foreign government hackers are targeting VPN applications and other secure workspace applications.
Why are law firms such attractive targets to hackers?
AW: Hackers don’t want your password. They don’t want to take over your Mom’s Facebook account. They don’t care too much about the spam in your inbox. What they want is money—and to a lesser extent, in the case of nation-state hackers like those suspected to be behind the Microsoft hack—they want your secrets.
Law firms are a one-stop shop for that incredibly valuable data. They manage mergers and acquisitions across dozens of clients; they help protect some of the most valuable intellectual property in the world, and they advise on incredibly sensitive information for incredibly deep-pocketed clients.
Instead of going after individual organizations for that information, which are always more robustly protected, hackers can turn to law firms’ databases, which provide access to sensitive files from hundreds, if not thousands, of clients.
That’s not just hypothetical. We see it happen over and over, whether through phishing partners’ email accounts, brute force cyber attacks, or simple human error that leaves sensitive information exposed.
EW: Law firms have long been a favorite target of hackers for three related reasons. First, they receive, store and send out sensitive, timely client information. A successful breach is likely to yield a more valuable return compared to a successful hack of other entities.
Second, when compared to some more experienced corporate clients, law firms usually have less sophisticated cybersecurity measures in place. Finally, law firms are perceived to be high-status, rich professional institutions who are likely to have the means to pay off ransom demands.
NS: Law firms often possess valuable, confidential information that is business-critical and not readily available to the public. They store data regarding their clients’ strategies, transactions, and liabilities. Law firms also frequently have client banking or tax information that could be used for fraudulent transactions by cyber criminals.
Instead of attacking a single business and gaining information solely about that business, law firms potentially offer access to confidential information pertaining to dozens of various businesses across multiple industries. Finally, law firms are notorious for employing staff who are not trained on technology and on protecting themselves against cyber threats. That makes them more vulnerable to phishing or social engineering tactics.
CS: Law firms are the nexus for the types of information that cyber criminals, hacktivists, and nation-states are seeking. Hacking a law firm could get a threat actor not just employees’ data but information about clients and their cases. For instance, the law firm may have confidential deals that could facilitate insider trading, proprietary information, or trade secrets from cutting-edge technology companies.
Attorneys also may have other sensitive information such as clients’ medical and financial records or highly sensitive communications. In short, the data that law firms store can be very valuable.
Why should businesses care about the Microsoft data breach?
JB: The Hafnium attack—widely attributed to a Chinese cyber espionage military unit—perpetrated against Microsoft Exchange Server exploited a number of newly discovered flaws in on-premise Exchange servers. Essentially, the exploits allowed the attacker to gain administrative control over a victim’s email servers. This one is exactly as bad as it sounds: anything in email would have been accessible through these “back doors.”
In many states, that is enough to constitute a data breach, even without proof of exfiltration. Worse, Hafnium quite likely affected a disproportionate number of large law firms simply because many have yet to make the transition to a cloud-based email infrastructure. Because of the importance of email to the typical law firm’s workflow, many large law firms have decades-old in-house infrastructures that they continue to maintain simply because the cost of making a transition is high, and many may not see a substantial need to do so. But the experience with the recent Microsoft Exchange hack should change minds.
The fact is that email security is hard and doing it “at scale” is extremely difficult. This hack essentially means that any documents or communications made with affected law firms could have been intercepted and copied by threat actors and then sold on the dark web to almost anyone. Businesses who rely on email to communicate with outside law firms must pay attention to whether a law firm has modernized its email infrastructure or, at minimum, prepare to ask some tough questions about their law firms’ security.
CS: The first priority of every business should be to survey whether it, or anyone housing sensitive or business-proprietary information for it, could potentially have been compromised in the breach. If a company or any one of its partners in its data supply chain is compromised, a full incident response will need to be deployed if it has not been already. While the Microsoft data breach targeted email servers, it is not only email at play.
Once an email server is compromised, these threat actors can branch out to other servers or devices which puts all kinds of information in jeopardy. Hence, additional remediation will be necessary, and the right partners must be chosen to ensure effectiveness. Finally, every business needs to take this opportunity to have a candid conversation with its partners that house sensitive information about their security strategy and approach.
NS: The SolarWinds hack that was first publicly reported in December 2020 reached into multiple U.S. government agencies and Fortune 500 companies that included technology companies like Microsoft. These agencies and companies have extensive cyber protection policies, protocols, training, tools, and savvy IT professionals, yet they were still hacked through a point of vulnerability that had not been considered previously.
If such companies can be hacked, particularly those that are experts in the field of cybersecurity, any company is susceptible to a data breach or ransomware attack. Businesses need to be wary and proactive; they should assume that the next potential hack is always just around the corner and prepare accordingly.
EW: Most businesses, law firms included, rely on reputable third-party service providers such as Microsoft to reasonably and safely store and protect massive quantities of client data. Breaches that reveal third parties’ vulnerabilities, such as this one, undermine trust in the providers and their ability to protect client data.
Even if businesses are not held liable for breaches to third party software or vendors, such attacks can undermine clients’ trust in both the third party and the business itself. Moreover, the Microsoft data breach serves as a reminder to diligently and promptly download all updates and patches recommended by third-party providers.
AW: The Microsoft hack stands out for three major reasons. First, this is Microsoft – not some amateur player in the tech market. And the fact that an organization with Microsoft’s experience and resources can still succumb to cybersecurity vulnerabilities should remind everyone that, when it comes to getting hacked, it’s often a question of when, not if.
Second, the breadth of the Microsoft breach is spectacular. Thirty thousand organizations in the United States alone were compromised, including hundreds of law firms.
Finally, there is the fact that this could have been prevented. The breach impacted Exchange Server versions that were anywhere from two to eight years out of date. Simply keeping your systems up to date with the latest technology—and making sure that your third-party partners do the same—can bring a great deal of protection.
What should corporate clients do to protect their sensitive files?
CS: Throughout the course of litigation, corporate clients should consider their strategy for protecting their data. The strategy should begin with preservation and continue through production and decommissioning. This ensures that the corporation can audit the security controls and manage the parameters to be consistent with internal policies, the sensitivity of the specific data itself, and the needs of the litigation.
This almost always involves partnering with experienced eDiscovery service providers. Oftentimes, these decisions are left in the hands of the trial lawyer who was chosen for their substantive or industry expertise.
AW: First, stop blindly trusting law firms to protect your data for you. We see corporate clients putting vendors and software companies through the security wringer on a daily basis to ensure they have the right certifications, the most robust protections, and more. But we almost never see them demanding the same of their law firms. Why?
Second, try not to hand your data over to law firms at all. You can own the platforms your data lives in, and therefore own the protections it’s given. That typically means greater risk reduction and significant cost savings. In the eDiscovery realm, for example, corporate clients can upload their discovery data to a platform like Logikcull, ensure that it is encrypted, and invite in their outside counsel and partners to review the data in the company’s account, on the company’s terms. It’s a vastly superior approach to protecting your data.
EW: The Microsoft data breach should not cause reasonable corporate clients to lose faith in reputable third-party providers’ and businesses’ ability to protect their sensitive data. It should, however, lead clients to insist that businesses they use (law firms included) only use reputable and cyber-savvy third-party providers, that businesses they use put in place reasonable cybersecurity plans to both minimize the probability of successful hacks and effectively respond to them promptly when they do occur, and to themselves implement such reasonable plans and cybersecurity protocols and policies, including training their employees to adhere to the plans and to involve their management in cultivating a culture of cybersecurity awareness and compliance.
NS: The first action a corporate client should undertake is to confirm that its cybersecurity is current. Cyber attack methodology is continuously evolving. Corporate clients should engage a cybersecurity firm to evaluate every aspect of their digital environment.
They should look into external access methods and what files could be vulnerable once a cybercriminal has gained access. For example, if a hacker makes it into a client’s internal systems, are there firewalls in place, or is everything now accessible?
Second, it is vital that the recommended security measures are implemented and followed. That means both that the necessary technical tools are installed by an expert, and that employees are trained on cybersecurity awareness and the importance of following policies and utilizing the cybersecurity tools. Employees should know how to spot red flags, be encouraged to report them, and be held accountable for lapses.
JB: Generally speaking, truly sensitive files should never be sent via unencrypted email. Anyone who has gone through a home purchase or refinance in the last five years has experienced truly secure email: it usually requires multiple steps and a browser-based interface. However, standard email is not encrypted, and even if it is sent via TLS, there’s no guarantee that it won’t be routed through snooping servers without encryption.
The simplest rule is to not trust email when security is absolutely required. Aside from using encrypted email systems when possible, clients should also have a discussion with their law firms about security when exchanging files, particularly during litigation. Clients should ask law firms to use secure file sharing technologies that are set up and managed by the firm and to avoid one-off uses of personal cloud services.
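One way to see the point JB makes about TLS in transit is to read a message’s Received: headers, which each relay prepends as it handles the mail. A receiving server that accepted the hop over TLS usually records "with ESMTPS" (or "ESMTPSA") or a "version=TLS..." clause; "with ESMTP" alone means the hop was plaintext. The script below is an added example, not code from the roundtable or from any of the participants; the message, hostnames and addresses are constructed for the illustration.

```python
"""Flag message hops that did not use TLS, based on a message's Received: headers.

Added example, not part of the roundtable. The sample message, hosts and
addresses are constructed; the hosts use documentation IP ranges.
"""
import email
import re
from typing import Dict, List

# Constructed sample: partner's laptop -> ISP relay (TLS) -> firm MX (plaintext)
# -> client's mail server (TLS). The firm's own inbound hop is the weak link.
SAMPLE_MESSAGE = """\
Received: from mx.lawfirm.example (mx.lawfirm.example [198.51.100.7])
\tby mail.client.example (Postfix) with ESMTPS id 4F2A9
\t(version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256);
\tTue, 1 Jun 2021 10:02:11 +0000
Received: from relay.isp.example (relay.isp.example [203.0.113.9])
\tby mx.lawfirm.example (Postfix) with ESMTP id 91B3C;
\tTue, 1 Jun 2021 10:02:05 +0000
Received: from laptop.partner.example ([192.0.2.44])
\tby relay.isp.example with ESMTPSA id 7D1E0
\t(version=TLS1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
\tTue, 1 Jun 2021 10:01:58 +0000
From: partner@lawfirm.example
To: gc@client.example
Subject: Draft settlement terms

Attached.
"""

# SMTP "with" protocol names that indicate the connection was TLS-protected.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}


def parse_hops(raw_message: str) -> List[Dict[str, object]]:
    """Return the hops oldest-first, each with from/by/protocol and a TLS verdict."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each server prepends its Received: header, so the top one is the newest hop.
    for header in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", header).strip()  # unfold the header
        m_from = re.search(r"\bfrom\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        m_with = re.search(r"\bwith\s+(\S+)", text)
        proto = m_with.group(1) if m_with else ""
        tls = proto.upper() in TLS_PROTOCOLS or bool(re.search(r"version=TLS", text, re.I))
        hops.append({
            "from": m_from.group(1) if m_from else "?",
            "by": m_by.group(1) if m_by else "?",
            "with": proto,
            "tls": tls,
        })
    return hops


def plaintext_hops(raw_message: str) -> List[str]:
    """Hops for which the receiving server recorded no TLS, as 'sender -> receiver'."""
    return [f"{h['from']} -> {h['by']}" for h in parse_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        state = "TLS  " if hop["tls"] else "PLAIN"
        print(f"{state} {hop['from']} -> {hop['by']} ({hop['with']})")
    print("plaintext hops:", plaintext_hops(SAMPLE_MESSAGE))
```

Two caveats a practitioner should keep in mind: Received: headers are written by whichever server accepted the hop, so a compromised or misconfigured relay can omit or forge them, and a missing TLS marker is a signal rather than proof. More importantly, even a chain of all-TLS hops only protects the wire between servers; the message sits decrypted on every relay, which is why the advice above is to use a secure file-sharing platform rather than trusting email for sensitive material.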
What steps should law firms take to safeguard their clients?
CS: The primary answer is simple: law firms must create a culture of security that permeates the consciousness of the entire organization. While top-down mandates from management are an important component, the entire environment should be one that recognizes the preeminent importance of stressing to the entire organization that security of the clients’ data is a key component of a professional, confidential relationship.
Creating this security-first mindset should permeate various aspects of the relationship, including ensuring that any client data that is requested and housed is done so in a responsible manner that accounts for the needs of that data. Consistent patching, performing phishing training, and engaging in real-time monitoring are table stakes.
NS: Law firms should establish protocols for safely transferring files to and from clients, vendors, experts, opposing counsel, and regulators. Each transfer is a potential point of vulnerability that requires a secure method to prevent unauthorized access. Today, there are several applications on the market that can address this need.
Additionally, law firms should consider limiting access to client files within the law firm, whether by actively granting access only to certain people or by tying access to client files to billing a certain amount of time to the client’s account. Should law firms conduct annual training for their employees on cybersecurity issues, they can make all persons aware of new policies and potential threats as well as ensure compliance with those policies. Finally, law firms should periodically test for vulnerabilities and immediately address any discovered.
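The two access rules NS describes, explicit grants to named people and access tied to recently billed time, amount to a deny-by-default policy with an audit trail. The following is an added example, not code from the roundtable or from any participant’s firm or product; the threshold of 2.0 billed hours, the 90-day window, the matter and the users are all assumptions made for the illustration.

```python
"""Deny-by-default access check for client matter files.

Added example, not part of the roundtable. A user may open a matter's files only
if explicitly placed on the matter team, or if they have billed at least a
threshold of hours to that matter within a recent window. The threshold, the
window, the matter and the users below are assumed/constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class Matter:
    matter_id: str
    client: str
    team: Set[str]  # users explicitly granted access (assumed: by the responsible partner)


@dataclass
class TimeEntry:
    user: str
    matter_id: str
    day: date
    hours: float


@dataclass
class MatterAccessPolicy:
    matters: Dict[str, Matter]
    time_entries: List[TimeEntry]
    billing_threshold_hours: float = 2.0  # assumed: minimum recent billed time
    billing_window_days: int = 90         # assumed: how far back billing counts
    # (user, matter_id, allowed, reason) for every decision, granted or denied
    audit_log: List[Tuple[str, str, bool, str]] = field(default_factory=list)

    def billed_hours(self, user: str, matter_id: str, today: date) -> float:
        """Hours the user billed to the matter within the window ending today."""
        cutoff = today - timedelta(days=self.billing_window_days)
        return sum(e.hours for e in self.time_entries
                   if e.user == user and e.matter_id == matter_id and e.day >= cutoff)

    def can_access(self, user: str, matter_id: str, today: date) -> bool:
        """Deny unless a positive rule matches; every decision is logged."""
        matter = self.matters.get(matter_id)
        if matter is None:
            return self._decide(user, matter_id, False, "unknown matter")
        if user in matter.team:
            return self._decide(user, matter_id, True, "on matter team")
        hours = self.billed_hours(user, matter_id, today)
        if hours >= self.billing_threshold_hours:
            return self._decide(user, matter_id, True, f"billed {hours:.1f}h in window")
        return self._decide(user, matter_id, False,
                            f"not on team; billed {hours:.1f}h in window")

    def _decide(self, user: str, matter_id: str, allowed: bool, reason: str) -> bool:
        self.audit_log.append((user, matter_id, allowed, reason))
        return allowed


SAMPLE_TODAY = date(2021, 6, 1)  # constructed reference date


def build_sample_policy() -> MatterAccessPolicy:
    """Constructed data: one matter, one team member, three other users."""
    matter = Matter("M-1001", "Acme Widgets (fictional)", team={"alice"})
    entries = [
        TimeEntry("bob", "M-1001", SAMPLE_TODAY - timedelta(days=10), 1.5),
        TimeEntry("bob", "M-1001", SAMPLE_TODAY - timedelta(days=20), 1.0),    # 2.5h recent
        TimeEntry("carol", "M-1001", SAMPLE_TODAY - timedelta(days=200), 3.0),  # outside window
        TimeEntry("dave", "M-2002", SAMPLE_TODAY - timedelta(days=5), 8.0),     # other matter
    ]
    return MatterAccessPolicy({matter.matter_id: matter}, entries)


if __name__ == "__main__":
    policy = build_sample_policy()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, policy.can_access(user, "M-1001", SAMPLE_TODAY))
    for record in policy.audit_log:
        print(record)
```

The design point is that the positive rules are the only way in and nothing else is implied: a user with no team membership and no recent time on the matter is denied even if they are a partner, and every decision, including denials, lands in the audit log so the periodic vulnerability and compliance reviews NS mentions have something to inspect.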
JB: Law firms have ethical duties to protect client data and the responsible use of technology to deliver legal services. The ABA has published several relevant Formal Opinions (477R and 483) relating to law firm cybersecurity ethical duties in addition to a full cybersecurity handbook targeting lawyers. These resources should be consulted and their recommendations followed.
Fundamentally, law firms need to assess the state of their cybersecurity program, create a remediation plan to close any gaps, execute that plan and then repeat this process on at least an annual basis. Cybersecurity is process-oriented, and requires management to make it a priority to keep the firm—and the firm’s clients—as reasonably safe as possible.
EW: Rule 1.6(c) of the ABA Model Rules of Professional Conduct, which is followed in most US jurisdictions, states that “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The comment to Rule 1.6 explains that breaches do “not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure” of client data. Thus, law firms must take reasonable steps to safeguard their clients’ data, including putting in place cybersecurity plans designed to minimize the risk of breaches and ensure prompt mitigation should breaches occur.
Such reasonable steps include using current virus and malware scanners and firewalls, regularly installing patches and updates, using cryptographically strong passwords, routinely replacing default passwords on networks, avoiding risky software downloads from the Internet, eschewing the use of public cloud providers or file-sharing services for sharing documents, avoiding the use of web-based email services and public Wi-Fi, and training employees to recognize deception (“phishing”) attacks.
AW: You don’t need to be a Cravath or a Skadden for hackers to have you in their sights. Even small firms and solo practitioners can be victims of hacking—and they often face some of the most devastating effects. The question isn’t if you’ll be hacked, it’s when. So, law firm security improvements need to be industry-wide.
A lot of law firm data security improvement has been motivated by client demand, but you don’t need to wait for a security-aware client to come along, or worse, for something to go wrong, before making improvements.
Some initial security measures are simple: Make sure you’re using secure platforms for anything that is touching client data whether that’s your discovery software, your case management platform, or just your email system. Second, make sure you’re following security best practices, like enforcing two-factor authentication, file encryption, and strict user controls.
The most ambitious firms will pursue security certifications that are already common in the enterprise sphere, such as SOC2 Type II compliance. That takes work, but it is well worth the investment, not just as insurance against risk, but as a selling point and potential revenue generator for new client business.
About the Author
Nicholas Gaffney is the founder of Zumado Public Relations in San Francisco and a member of the Law Practice Today Editorial Board. Contact him at ngaffney@zumado.com or on Twitter @nickgaffney.