Tag Archives: Law firms

How Does Your Lawyer Protect Your Data?

Law firms are a target for hackers. After all, what does a law firm do? They know where the proverbial bodies are buried.

Case in point.

Campbell Conroy & O’Neil, law firm to companies like Apple, Boeing, Exxon Mobil, Ford, Honda, IBM, Toyota and many others, suffered a breach.

They discovered the breach in February. They are not saying when the breach happened or how long the hackers were inside the company.

They are also not saying why it took them five months to report the breach. Depending on what states are affected, that could be a breach of state law.

They eventually figured out that they were hit by a ransomware attack. Possibly it took them several months to figure out what was taken. Maybe?

Among the data potentially stolen was names, dates of birth, driver’s license numbers, payment card info, medical info, health insurance info, biometric data and account credentials. Among other stuff.

Not to worry, however. The firm takes its responsibility to protect the data that they didn’t protect seriously.

And to show you how serious they are about your security, they are reviewing their policies and procedures and working to implement additional safeguards.

Of course, they are not saying what corporate information was taken that belongs to any of their Fortune 100 clients. They are not required to disclose that by law.

That brings me to the point of this post.

Your law firm or firms have a lot of sensitive information of yours. Potentially lawsuits, mergers and acquisitions, employee information, patent information and more.

Most law firms, in their standard boilerplate engagement letters say that security is hard and they are not responsible if anything bad happens.

Is that acceptable to you?

If not, then you need to be proactive.

Ask the firm about their security practices. Who is the firm is accountable for security?

How soon do they have to notify you if they have a breach? Five months is a long time. DoD requires their contractors to tell them within 72 hours.

Do they have cyber insurance? Who takes the lead in case of a breach?

There are lots of questions and, in many cases, law firms are either not prepared to answer your questions or don’t want the liability for their answers.

And, you want the answers in writing. Which they really won’t like.

Your call. How important is your information?

Credit: Campbell Trial Lawyers

Another Law Firm Hacked?

Remember the Panama Papers hack?  11 million documents stolen causing one Prime Minister to resign and another to be fired?  If not, check out an old post here .  That hack caused the law firm of Mossack Fonseca to go out of business.

We it seems that some other firms may be on the wrong end of the hacker’s mouse pointer.

The hacking group The Dark Overlord claims to have hacked law firms handling September 11th litigation and has stolen tens of thousands of documents.  It is believed that there are two law firms involved: Hiscox Syndishares Ltd and Lloyds of London.  The group claims to have hundreds of gigabytes of documents.

They say the data stolen includes emails, retainer agreements, litigation strategies, liability analytics, expert witness testimony and conversations with the FBI, DoJ and DoD, among other stuff.

They claim that at least one law firm paid the initial ransom but then violated the terms of service by bringing in the police.  Now they want more ransom.

The hackers claim to be shopping the data on the dark web.

However, they are very kind.  They say that if you are working with this law firm and you don’t want your stuff released, contact them, pay them a separate ransom and they won’t release your stuff.

You have to admit that it is pretty entrepreneurial.

This is the same group that stole the unaired episodes of Orange is the New Black, threatened to publish the plastic surgery files and photos of the rich and the famous and even threatened to physically harm school children, sending school districts and parents copies of stolen information on the kids.  Not necessarily a nice bunch.

The cops did arrest a Serbian who, they claimed, was associated with the group, but that apparently hasn’t stopped them.

What does this mean for you?

One challenge is that no law firm has admitted to the breach or paying the ransom, but if you believe that Hiscox and Lloyds were the targets and you are a client of theirs, you might want to start thinking about damage control.

It does appear that these folks are pretty mercenary, so if the law firms pay up, maybe they won’t release anything.

If they do release documents, there is the prospect of collateral damage.  Maybe they will very selectively release documents, but more than likely, since they say they will bury the law firms, they will be less than selective.  In which case, collateral damage is likely.

Now would be a good time to look at your agreements with your various  law firms, no matter who they are.

On the other hand, if you are a law firm, now would be a good time to review your security practices.

Is there anything in writing about cybersecurity requirements?

What about  liability for damages if they get hacked?

Do they have to provide annual third party certification of their cybersecurity practices?

Are they even required to notify you if your stuff is compromised?  (Note that in many cases, the law does not require that).

And, of course, you are dealing with lawyers.  If it is not in writing it will be hard to impossible to enforce.

If cybersecurity requirements are missing, now might be a good time to review and amend your agreement.  In many cases you can switch law firms at any time since it is extremely rare to have any kind of exclusivity with law firms.  Even if there is current litigation, you could leave that with the existing firm and move new business to a new firm.

If the firms say that you should trust them, tell them that you do.  And you still want it in writing.  Trust, but verify, so to speak.

One thing that we do not know – how many other firms have been hacked and have not said anything about it?  Think about reviewing and changing your law firm agreements as insurance.

Information for this post came from SC Magazine.


Law Firm Sues Insurance Company Because They Didn’t Buy the Right Coverage

Sorry, but I am not going to be very sympathetic to this law firm.  Here is the story.

A Rhode Island law firm, Moses Afonso Ryan, was hit with a ransomware attack.

Apparently, the company did not have a plan for dealing with a ransomware attack.  In general, if you have good backups and have tested restoring those backups, you are pretty well able to respond to a ransonware attack.  We have a client who was hit by a ransomware attack and it encrypted 3,000,000 files.  They did have effective backups and within a few days they were able to recover their data and move on.  Good backups = good defense.

The firm hired some “experts” who were unable to decrypt the ransomware – which is not totally uncommon.  They don’t say who the experts were or what the ransomware strain was, so I take this at face value.

They said that after they could not decrypt the files, they reached out to the hackers.  They claim that they could not collect the ransom of $25,000 quickly because they could only buy two Bitcoins a day.  Perhaps, based on whoever they picked to buy bitcoin from they could only buy 2 Bitcoin a day, but that is certainly not a systemic issue with Bitcoin.  If the company that they chose to buy Bitcoin from had that restriction, they should have immediately looked elsewhere for a solution.

After they paid the ransom ($25,000) the file decryption tools did not work – which is not altogether unusual either. After paying more ransom the hackers provided some other tools and were able to decrypt the files.

The firm says that the process took them three months.  While I wasn’t there, that number seems ridiculously long.  Perhaps they didn’t want to pay the ransom – and didn’t have backups – and worked on trying to decrypt the files for 2.5 out of those 3 months.  I don’t know.

The law firm said that the lawyers were essentially unproductive for those three months and that in the previous year they billed out $700,000 during those same three months.

So, if I understand this right,  they normally billed around $230,000 a month and they messed around for 3 months trying to fix this – with their 10 lawyers sitting on their thumbs during these three months.  What’s wrong with this picture?

Have they not heard of a disaster recovery plan?  What about a business continuity plan?  Did they even have an information security program?

Many companies think (or perhaps hope) that they will not be the target of hackers, but that is, at best, just hope. Hope is not a very effective management strategy.

The insurance company says that they paid the policy limit of $20,000 for computer viruses and is not liable for anything above that.  Again, I am not there, but this is pretty common.  The company buys a bargain rate insurance policy and they get a – yes – bargain rate insurance policy.  It is extremely unlikely that the policy really had a million dollar limit but the insurance company decided to only pay out $20,000.  More than likely, the company figured that they weren’t going to get attacked and bought a policy with really low limits because it also had really low premiums.  Again, I was not there, so I can’t be sure, but this seems pretty likely.

In Colorado the minimum auto insurance you can buy is $25,000.  Someone buys that and figures they are covered.  Then they get into an accident, maybe a couple of cars are totaled and a couple of people are hurt.  The insurance company writes a check for $25,000 and walks away from the deal.  They don’t even bother to defend the driver.  In this case, all the other drivers are left holding the bag and have to try and sue a turnip (the driver that only bought the minimum insurance policy).  At least in this case, who gets to deal with the consequence of making a poor business decision (buying a cut rate insurance policy) is the people who were impacted by that decision.

Cyber insurance is complex.  If you buy it from a broker who normally sells fire insurance or life insurance, or even general business insurance, you are likely to wind up on the wrong side of that deal.  The typical cyber insurance policy has many options and picking the wrong ones is basically equivalent to not having any cyber insurance.

We shall see what happens with this deal, but I would put the vast majority of the blame on the law firm.

For your company, some questions to prepare you for that almost certain cyber incident –

  • Do you have backups?
  • Have you tested the backups?
  • Recently?
  • Do you have a data map and plan so you know whether you are backing up ALL of your data?
  • Do you have a ransomware attack plan?  The FBI said that ransomware reports were up 2500% over the last two years, so you should expect to be attacked.
  • Does your attack plan include anything to mitigate the effects of an attack?
  • Do you have a disaster recovery plan?
  • Do you have a business continuity plan?
  • Do you have a cyber incident response plan?
  • Do you have cyber insurance?  The RIGHT cyber insurance?  Are you sure about that?

Of course the alternative is to pretend that you won’t get attacked.

How is that working for Moses, Afonso, Ryan?  It likely would work just as well for you.

Prepare now or pay later.  Pretty simple.

Information for this post came from the ABA Journal.


Law Firms Face Cyber Security Risks

“This is not time for firms to keep calm and carry on.  The proper response is to freak out.” – Prof. Dan Solove, GWU Law School

While I am not sure that freaking out is, in fact, the only proper response, I think that what Prof. Solove is saying is that ignoring the situation is not going to work very well.  We are beginning to seem law firms being hacked showing up in the news. Firms such as Weil and Cravath have been outed by the FBI.  Bloomberg says that 80 out of the top 100 law firms have been hacked.  The Russian hacker Oleras has announced he is trying to hack 48 specific law firms.  It seems like the handwriting is on the wall.

Professor Solove calls hacking law firms a “gourmet data feast“.  Once they get in, many law firms have little to no monitoring, so the odds of getting caught are nearly zero.  In addition, many firms have no internal access controls, so while associates are not supposed to access files for clients that they are not working on, there is nothing to stop a hacker, who is using an associate’s credentials, from hacking every client’s data and sending it to their server in Outer Slobovia.

The gourmet data feast comes from the fact that most law firms have hundreds of clients and the data that they have may include HIPAA protected information, non public personal information, financial information, criminal trial information, civil trial information, merger and acquisition information, insider trading protected information and other sensitive files.  Hackers mouths just water at the thought of it.

Prof. solove suggests that state laws governing breach of confidentiality, public disclosure of private facts and negligence may be used against attorneys that do not take appropriate steps to protect their client’s information.  Even if the case is not ultimately successful, the reputational damage can be significant.

In the case of HIPAA protected information, the fines can be very steep.  HHS can fine a law firm that has a client’s protected health information up to $1.5 million per violation.  In addition, the client can be fined because the law firm is now considered a business associate under HIPAA and HiTech regulations and if the client does not have a written and signed business associate agreement, they can be held liable for violating HIPAA as well.

In addition to dealing with the breach – paying for forensics investigations, dealing with lawsuits and depositions, reputational damage and regulatory fines, victim clients could file ethics complaints for failing to adequately protect confidential information.

A client’s trade secrets could be disclosed and I am not sure how you can possibly put that genie back in the bottle.

In addition, the client could be liable too, via vicarious liability.

Since the client did not adequately vet the law firm for cyber security risk prior to hiring them, they get to share in the responsibility.  Assuming this happens the client could both get sued by the victims and sue the firm.

To really make things messy, the FTC recently sued a company for violating section 5 of the FTC Act – unfair or deceptive practices – for failing to vet their vendor prior to giving them sensitive information.  This means that the FTC could commence an action against your client for your data breach.  Under typical FTC consent orders, the FTC will be closely watching your client for a mere 20 years and requiring an external audit every year or two.  Who do you think the client is going to turn to in order to recover those costs?

To make matters a little more uncomfortable, the insurance broker Marsh did a study recently and found that only half of the law firms surveyed had cyber risk insurance and 60% said that they had not calculated the effective revenue that could be lost following a breach.  For the firms that do have insurance, whether the insurance would adequately cover the effects of a breach is unknown.

One last thought.  Professor Solove has almost 900,000 followers to his LinkedIn blog in addition to being a law professor at GWU Law School.  In the blogging world, that is a ridiculously large following.  He is also the organizer of the annual Privacy + Security forum in Washington, DC.  I would suggest that he would likely qualify as an expert.

Information for this post came from Prof. Solove’s company, Teach Privacy.

Law Firms Under Attack!

It is unlikely that, by now, you have not heard about the Panama Papers.  On Sunday, over a hundred news outlets, working together, released stories based on the internal documents of a Panama and Las Vegas based law firm.

Working from 2.73 terabytes of data stolen from that law firm representing almost 5 million emails, 2 million PDFs, 5 million database files and other documents, these reporters traced billions of dollars in hidden assets, much of that linked to world leaders such as Putin.

Whether you think these people are heroes or terrorists, the point is that they decided to out this law firm and I suspect, given who their clients are reputed to be, it will be a life altering event for the firm.

On a sheer scale, this is 2,000 TIMES the size of the WikiLeaks State Department cable disclosure.

Not only will this have ramifications for the law firm of Mossack Fonseca, but now a number of governments are saying that they are going to start investigating some of these claims.  That means, for the people named, no matter how this ends up, their lives will never be the same either.

For that law firm and the hundreds of people who work for it, their lives will likely be changed as well,  It is reasonable to assume that some customers – maybe a significant number – will leave the firm, meaning employees may lose their jobs.

Now onto the second law firm breach story in the past week.

Last week the Wall Street Journal reported that hackers broke into a number of the nation’s top law firms, likely for the purpose of stealing confidential information to use for insider trading,  Two firms were named as having been breached – Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP.  The hackers claimed to have hacked into more, unnamed, firms and are threatening to attack more firms.

Cravath said the incident happened last summer and they are not aware of the information being used illegally  – which, of course, does not mean that it was not used illegally, but rather that the hackers did not tell them how they planned to use the information.  Weil declined to comment.

These two cases point to two different motives – the first being to embarrass the law firms and their clients (and possibly to get both of them charged with crimes and convicted), the second is to make a lot of money.  The J.P. Morgan Chase hackers from 2013 supposedly made over a hundred million dollars before they got caught – if they had been a little less greedy they might not have been caught.

What all professional service firms – lawyers, accountants, financial advisors, brokers, etc. need to understand is that the information that they collect can be extremely valuable to people with a motive.  On the other hand, there are tens of thousands of targets of opportunity.  For the most part – and it is possible that Fonseca was an exception, but maybe not – these attackers use the spray and pray methodology favored by many terrorists.   Try to attack a thousand firms and see where you get in.  Move on from there.

My, admittedly biased, recommendation is that if you run one of these professional service firms and you business depends on your reputation, you need to get ahead of this freight train and hunker down.  Otherwise your’s may be the next name on the front page of the Journal.



Information for this post came from Wired and the Wall Street Journal.