Law Firms and Cyber Security
A hacker’s dream and a lawyer’s nightmare
Helping clients build in cyber security.
About Delta Risk
Delta Risk LLC is a global provider of strategic advice, cyber security, and risk management services to commercial and government clients. We believe that an organization’s approach to cyber security should be planned, managed, and executed within a tailored and organization-specific program. We help guide organizations to succeed in today’s cyber environment by building on the people, processes, and technology they already have.
Delta Risk LLC www.delta-risk.net Page 1
Law firms are high-value targets for hackers from all backgrounds including nation-states, cyber criminals, and even political activists.
As early as 2009, the Federal Bureau of Investigation warned law firms of cyber criminals using spear phishing attacks (targeted, socially engineered e-mails to lawyers and legal staff) to hack firms.1 In 2011 it was reported that at least 80 prominent law firms were hacked.2 The frequency and sophistication of these law firm cyber attacks continue to grow at an alarming rate; in 2013, FBI cyber security expert Evan Koblentz publicly stated:
“We have hundreds of law firms that we see increasingly being targeted by hackers… We understand that the cyber threat is our next great challenge. Cyber intrusions are all over the place, they’re dangerous and they’re much more sophisticated.”3
This Delta Risk Viewpoint offers the perspective that law firms should pursue a deliberate top-down and bottom-up cyber security program development approach that builds around an accepted risk management framework, yet is tailored to their size, structure, and operating model.
A sample of several high-profile attacks underscores the value of the law firm as a target to a variety of actors, from nation-state and criminal to the political activist:
§ In 2011, a prestigious Washington DC based law firm was attacked by a hacking group purportedly linked to the Chinese People’s Liberation Army in a criminal operation known as “Byzantine Candor.” This sophisticated hacking group targeted energy companies, government agencies, and defense companies across the world for the purpose of gathering information related to an international trade case brought against a Chinese energy company and several Chinese exporters. The Chinese cyber unit targeted the firm because its lawyers were prosecuting some of these claims. Remarkably, the attackers were able to take complete control of the firm’s email system, thereby exfiltrating thousands of pages of emails, documents, and private communications.
1 “Spear Phishing Emails Target U.S. Law Firms and Public Relations Firms,” United States Federal Bureau of Investigation, last modified Nov 17, 2009.
2 Michael A. Riley and Sophia Pearson, “China-Based Hackers Target Law Firms to Get Secret Deal Data,” Bloomberg BusinessWeek, Jan 21, 2012, accessed Jan 15, 2015, http://www.bloomberg.com/news/articles/2012-01-31/china-based-hackers-target-law-firms.
3 Evan Koblentz, “LegalTech Day Three: FBI Security Expert Urges Law Firm Caution,” Law Technology News, Feb 1, 2013, accessed Jan 15, 2015, http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202586539710&LegalTech_Day_Three_FBI_Security_Expert_Urges_Law_Firm_Caution.
§ In 2012, a firm representing a US Marine Staff Sergeant charged with homicide for his alleged role in the 2005 Haditha Massacre was hacked by the global political hacktivist group known as Anonymous. Anonymous was able to exfiltrate 2.6 GB of attorney-client email correspondence related to the firm’s criminal representation of the defendant, which it then released to the public.
§ In 2014, a small US law firm based in North Carolina fell prey to Cryptolocker ransomware that arrived through a phishing email. The firm attempted to pay the demanded ransom, but failed to do so within the time limit, which left every single document on the firm’s main server encrypted and ultimately useless to the firm. Cryptolocker is a popular type of ransomware that encrypts all of the data files on the victim’s computer, rendering them inaccessible. The attacker threatens to delete the encrypted data and demands a sum of money in return for access. These types of attacks are successful precisely because the attackers understand the value of time in the legal business and what law firms are willing to do in order to rapidly restore workflow.
A Hacker’s Dream
Cyber criminals are focused on law firms for one simple reason: law firms hold highly confidential and sensitive data including personal health information, trade secrets, intellectual property, corporate documents, and litigation strategies.
In addition to being high-value cyber targets, law firms are inherently vulnerable due to the nature of the legal industry, as many lawyers do not fully appreciate the risk of data breaches. A 2012 American Bar Association technology survey found that only 9.6 percent of participants practicing in firms with 100-499 lawyers believed that their firm had security issues, while 63.5 percent admitted that they had no knowledge or awareness of cyber security risks.4
Moreover, with the now-widespread use of mobile technologies such as computer tablets and cell phones, clients expect their lawyers to be accessible and responsive at all times. To meet these client demands, many lawyers work remotely from the office, at home, in a hotel room, or even in coffee shops. As a result, the law firm threat profile has dramatically expanded.
Finally, law firm economics lead to law firm cyber vulnerabilities. For non-partner attorneys, the “billable hour” model inherently promotes productivity and convenience over data security. Partners with an ownership interest are sometimes unwilling to spend resources on cyber security professionals and technology.
A Lawyer’s Nightmare
The American Bar Association (ABA) has expressly acknowledged the emerging cyber risks confronting U.S. law firms. In 2012-13, ABA President Laurel Bellows announced that cyber security would be a priority for the organization.5 In addition to increasing ABA scrutiny, ABA Model Rule 1.6(c) imposes an ethical duty on a lawyer to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”6
4 Legal InfoSec,” Tiro Security, LLC, accessed Jan 15, 2015, http://www.tirosec.com/legal-infosec/
5 James Podgers, “Threat of cyber attacks must be recognized and responded to, ABA president urges lawyers,” ABA Journal, Feb 1, 2013, accessed Jan 15, 2015.
Comment 18 of the Rule identifies the “[f]actors to be considered in determining the reasonableness of the lawyer’s efforts…include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).”
In addition to ethical obligations, law firms have a legal duty to safeguard client data. For example, the Securities and Exchange Commission has issued guidance for publicly traded companies, requiring them to “…evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity of those incidents.”7 Critical here, this guidance applies not only to publicly traded companies, but also to their “business partners.”8 It is highly likely that a law firm doing any level of business with a publicly traded company qualifies as a business partner.
Similarly, law firms receiving or holding healthcare information qualify as “business associates” under the Health Insurance Portability and Accountability Act (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). As such, law firms handling healthcare information must implement “reasonable and appropriate administrative, technical, and physical safeguards” to ensure the integrity and confidentiality of personal healthcare information against “reasonably anticipated threats and unauthorized uses and disclosures.”9
Along with the federal laws identified above, lawyers must also comply with rapidly evolving state law. For example, Massachusetts requires “[e]ncryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.”10
What to do
Maintaining the confidentiality and security of client information is the bedrock of the legal profession. The ABA Cybersecurity Task Force warns that “[i]t is critical for law offices to have appropriate data security because of the huge volume of data lawyers collect about companies and individuals” and sets forth the following “top considerations” for law firm cyber security:
§ Develop a Comprehensive Security Information Plan including technical, operational and management controls, which is specifically designed to prevent data breaches.
§ Conduct a Risk Assessment to identify, prioritize, and address law firm cybersecurity
§ Use Appropriate Encryption Technologies to protect data in transit (email) and at rest (on servers or in the cloud).
6 ABA Model Rule 1.6(c) (Emphasis added).
7 “CF Disclosure Guidance: Topic No. 2: Cybersecurity,” U.S. Securities and Exchange Commission, Oct. 13, 2011, at 3 (Emphasis added).
8 Ibid. at 2.
9 42 U.S.C.A § 1320-2(d) (Emphasis added).
10 201 CMR 17.04(3) (Emphasis added).
§ Utilize appropriate Mobile Device Management to protect confidential data sent to mobile devices including laptops, smart phones, and tablets.
§ Use Multifactor Authentication to limit network access to authorized users.
§ Develop a Data Retention and Destruction Plan to ensure that data is maintained for an appropriate amount of time and then properly disposed of when necessary.
§ Conduct Table Top Exercises simulating potential data breach scenarios involving management and relevant decision makers.
§ Designate and Train Internal First Responders who will take the lead during a potential or actual breach occurrence.11
Cyber security is of critical importance to lawyers and their firms. The ABA Cybersecurity Task Force has identified cyber security “cornerstone goals,” which include the following:
§ Data confidentiality — This concerns the privacy of highly sensitive privileged information and in practice means preventing unauthorized disclosure of information.
§ Data integrity — The legal profession must be able to trust that the information it receives is consistent, accurate, and trustworthy. Law firms have always needed to ensure that unauthorized personnel are not able to alter data. Historically this may have come in the form of escorted messengers; in the modern age, this could mean using version control measures or file permissions to prevent erroneous changes.
§ Data availability — The legal services industry is extremely time-sensitive, and a loss of reliable access to information carries financial consequences. This means having redundancies in place and planning for hardware failures to ensure that backups are available if incidents of sudden data loss or interruptions occur.
Delta Risk can help
If your law firm is challenged with establishing a cyber security risk management program, Delta Risk may be able to help. We have expertise in developing enterprise information security programs and supporting the implementation of processes for risk management and the day-to-day management of cyber security operations. We can help you think through the ideas presented in this Viewpoint as they apply to your enterprise, understand and prioritize your cyber security challenges, and work with you to devise and implement tailored approaches to address them.
11 Jill D. Rhodes and Vincent I. Polley, The ABA Cybersecurity Handbook: a Resource for Attorneys, Law Firms, and Business Professionals (Chicago: American Bar
To discuss these ideas please contact us at
Delta Risk offices:
San Antonio, Texas: 106 St. Mary's Street, Suite 428, San Antonio, TX 78205, 210-293-0707
Washington, DC: 4600 N Fairfax Dr., Suite 906, Arlington, VA 22203, 571-483-0504