Impact of Cyber-Attacks on Law Firms

Recently, many companies were left crippled by the “Petya” ransomware attack, which resulted in large-scale implications across industries. Rosneft (Russia’s top oil producer), A.P. Moller-Maersk (Danish shipping giant), WPP (world’s biggest advertising company), Merck & Co (leading pharmaceutical company), and Saint Gobain (French construction materials company), just to name a few, were all impacted by this latest version of malware targeted at corporations. A.P. Moller Maersk’s 17 shipping container terminals were hacked, with two systems in Rotterdam and 15 in other parts of the world, leading to widespread disruptions.

The legal sector, too, has fallen prey to Petya, with global law firms such as DLA Piper and Backer McKenzie suffering hacked systems and blacked out email and phones. Cyber-attackers demanded a ransom of 100 bitcoins ($256,000) in exchange for a private encryption key to unlock their lines. Law firms have always been a potential target for cyber attackers, as these firms hold repositories of client’s sensitive data such as details on M&A deals, trade secrets, and personal information of client stakeholders, employees or parties and witnesses in litigation. This highly sensitive and critical information holds immense value to third parties such as external governments, competitors and other enterprises, and stand to impact clients adversely.

It is estimated that over 60% of all law firms globally have recently been targeted by some sort of cyber-attack. The most common form includes email phishing, where attackers try to gain access to clients’ information. Nearly 84% of firms have been victims of these attacks. California-based law firm Gipson Hoffman & Pancione was representing CYBERsitter, a leading provider of blocking and filtering software programs in a $2.2 Billion lawsuit against Chinese computer firms and software makers and the Chinese government. Eleven emails, in the form of spear-phishing (Trojan) attacks, were directed to individuals associated with the law firm. The emails appeared to be coming from other individuals within the law firm containing a link or an attachment which, if opened, downloaded malware. These emails were sent to the firm only a few days after they filed the CYBERsitter lawsuit and were suspected to be linked to Chinese servers.

Law firms are vulnerable to these cyber-attacks as they are mostly dependent on off-the-shelf security products. Only few of 100 top law firms have IT managers on site with the relevant expertise to counter such threats.  There are some preventive steps to avoid further cyber-attacks:

• Law firms should partner with managed security service providers such as Symantec, IBM, Verizon, etc. who can help safeguard their data from cyber-attacks
• When sharing files with other individuals such as LP’s, law firms should use secure document sharing applications like ShareFile
• When sending emails, law firms should ensure that attachments are encrypted and sent in a secure manner
• Firms should have cyber liability insurance, so if an insured firm’s network is hacked an expert is assigned by the insurance carrier to help these firms comply with regulatory requirements and prevent any future breaches

Clients are recommended to engage with law firms that have certain data security measures, such as PCI DSS (Payment Card Industry Data Security Standard) or HIPAA (Health Insurance Portability and Accountability Act), which ensure that data will be securely stored.  PCI DSS costs around $70,000 per audit for large firms owing to onsite audit, penetration testing, training and policy development, software and hardware update etc. This is may increase expenses for law firms but is essential in providing assurance to clients about their data safety, which is of utmost importance.

Cyber-attacks on law firms not only brings the risk of data breach but also tarnishes the brand name of law firms, negatively impacting their reputations. Reports say that 31% of clients go back to the same law firm and even the same attorney and solicitor with whom they have worked for past three years. However, after the recent series of cyberattacks, law firms are obligated to have proper security standards in place to ensure their data is safe. In the event that law firms fail to follow proper security standards, they stand the risk of losing business to other competing firms or corporate legal departments who are ahead in technology and adhere to higher security standards. This will result in further loss of business for law firms amid an already sluggish outlook for legal services.