Here’s a hypothetical but very possible scenario for a law firm: A hacker emails a law firm leader, saying he has obtained confidential and sensitive client information from the firm and will make it public unless the hacker is paid millions, in an apparent ransomware attack.
What should a firm do?
A panel of experts weighed in Thursday at a cybersecurity discussion during the American Bar Association’s annual meeting in New York.
The event, moderated by Craig Newman at Patterson Belknap Webb & Tyler, was held at the New York City Bar Association. The meeting came less than six weeks after DLA Piper fell victim to a ransomware attack that crippled the global firm’s communications.
Joseph Lawlor, a managing director in the cyber defense practice at K2 Intelligence, said his company did a phishing exercise with one organization last week using an email titled “2017 bonuses.” It produced an 85 percent click rate, he said.
Law firms facing cyberattacks should immediately contact their general counsel and members of an incident response plan, which should be prepared in advance, Lawlor said. Other team members may include firm executives, public relations professionals and insurers.
They should start communicating off the network, treating it as a “zero trust environment,” Lawlor said at Thursday’s discussion. “It could be as simple as starting a group text.”
Edward Kim, chief of the complex fraud and cybercrime unit at the U.S. Attorney’s Office in the Southern District of New York, encouraged companies and firms to contact the FBI and their U.S. Attorney’s Office immediately after an incident. “I can assure people that we have dealt with many such incidents and we continue to deal with them and we know how to treat business concerns,” he said.
Kim said law enforcement can potentially offer victims information about larger patterns behind the incident and the identity of the hackers. “We may be able to bring to justice whoever is behind it,” he said. “The individual victims may feel they are the only ones in the world that have been targeted … But very often we see victims connected to one another.”
Kim said he is not aware of “any codified policy” across the Justice Department about ransomware payments. He said law enforcement can give pros and cons of such payments and if the firm decides to make a payment, law enforcement might be able to coordinate to try to track a hacker.
In cases where leaked information could include sensitive material about clients and alleged regulatory violations, Kim said the office would view a victim’s documents as essentially privileged.
Companies shouldn’t worry that information shared with law enforcement will be shared with regulators, Kim said. “We treat [targets] of cyber-incidents as victims,” he said, and sharing information with regulators could have a chilling effect.
Lawlor said firms can get started on securing their networks by conducting a technical scan of their internal and external systems to determine vulnerabilities, and by assessing the potential for human error—like employees’ likelihood of opening that bonus email—to get “baseline metrics” about their susceptibility. Firms can use that experience to train lawyers and staff, he said.
Still, if a hacker has the time or resources to hack a firm, it will, he said, noting JPMorgan Chase & Co.’s annual budget for cybersecurity was in the hundreds of millions of dollars and it was still breached.
“Disaster recovery must be a part of your plan,” he said.
Oftentimes it’s just simple mistakes that lead to large hacks. Rachel Nguyen, counsel at Attorneys’ Liability Assurance Society Inc., an insurer providing professional liability insurance to more than 200 large law firms in the United States, said some of the most common types of claims that get reported involve stolen or lost laptops, including those left in cars or on airplanes. Others involve spoofing or phishing emails at law firms, she said.
After the panel discussion, Manhattan District Attorney Cyrus Vance Jr. spoke on cybersecurity during a luncheon event, remarking how cyberattacks are becoming more sophisticated and complex. Vance highlighted the risk law firms face if they don’t protect themselves, using as an example the Panama-based law firm Mossack Fonseca, in which 11.5 million documents were taken in a high-profile hacking scandal. The global firm had 45 offices before the hacking and now it has six through downsizing. “For law firms that want to protect their brand, they also have to make sure they protect their data,” Vance said.