
Law Firms as Targets For Hackers - Risks and the Way Forward

Feb 28, 2021   •   Source: Proshare

Sunday, February 28, 2021 / 02:00PM / By Raphael Irenen (Aelex) / Header Image Credit: Aelex

  

Introduction

The growth in technology has led to a sudden shift in the storage of information from physical storage systems to online storage platforms. Individuals and organisations are now beginning to save their information online and the reasons for this development are not far-fetched.

 

Amongst several advantages, online storage of information appears safer compared to traditional methods, as information stored online cannot be wrecked by environmental hazards such as fire or natural disasters including storms and earthquakes. Furthermore, it makes such information easily accessible to those that are entitled to access it.

 

The outbreak of COVID-19 has also encouraged and facilitated an increase in the online storage of information by individuals and organisations. This is mainly because the various lockdown orders halted the movement of goods and persons and, as a result, several organisations and businesses have had to work and operate remotely. To be able to access relevant data and work effectively while working remotely, these organisations have had to adopt several digital means of storing their relevant data.

 

However, the storage of information through online and digital means does not occur without some challenges. Indeed, with the increase in online and digital storage of information, cyber-attacks and data breaches by cybercriminals are now a very common phenomenon in the world today. These cyber-attacks mainly occur without the knowledge of their victims. Additionally, the cybercriminals either utilise the access and information they get for their personal use or sell them to other persons who may be in need of them. For example, threat intel firm Group-IB reports that the sales of access to compromised corporate networks grew fourfold in 2020.[1] It therefore appears that the sale of access gained by cybercriminals to the data of some corporate organisations and entities has become a lucrative venture.

 

The Peculiarities of the Legal Sector

In Nigeria, the legal sector is not left out of the odious ventures of these cybercriminals, as law firms are a vital part of society. First, they have in their possession and control commercially sensitive and privileged information, as almost all sectors in the country involve the services of lawyers in their operations and transactions. These transactions have given Nigerian lawyers and law firms access to salient and privileged information of the business entities that they work for.

 

The information held by law firms that is attractive to hackers includes intellectual property information (such as trade secrets, patents, industrial designs and copyrights), corporate financial reports of clients, financial details (including account access information), confidential and privileged business information of both the law firms and their clients, relevant information relating to their clients' criminal activities, personally identifiable information (PII) of both law firms and clients, proprietary software codes, the personal health information of individual clients, emails and other forms of correspondence.

 

Ironically, despite the potential cyber threats being posed by cybercriminals and the tendency for law firms to be targets, there appears to be the narrow-minded belief that law firms are hardly targeted or that, if such threats exist, they are problems of the magic circle or top-tier law firms. However, in reality, small law firms and sole practitioners have become vulnerable targets of cybercriminals. As a matter of fact, the issue of cyber breaches and attacks on law firms was raised in a 2020 ABA Legal Technology Survey Report that revealed the percentage of law firms experiencing a known security breach stood at 29% in 2020.

 

Furthermore, DLA Piper, a multinational law firm with solid expertise in cyber-security, was also hit by the popular NotPetya ransomware attack. This should serve as sufficient warning for both law firms and lawyers on the issue of cyber-attacks and data breaches. Consequently, the need to establish protocols, procedures, policies and precautions that guarantee cyber hygiene for both lawyers (involved in sole practitionership) and law firms cannot be overemphasised.

 

 

Types of Cyber Threats/Breaches

It is salient for these law firms to have an idea of the possible cybersecurity risks that they are highly susceptible to. Though cyber breaches can occur in various forms, the ones that commonly affect law firms include:

 

1. Ransomware

It is a type of malware from cryptovirology. It threatens to release and publish its victim's data or block access to it in perpetuity unless a certain sum is paid. It is quite common and infected DLA Piper's system in June 2017.[2]

 

2. Virus

A virus uses written code that it replicates. It also attempts to spread from one device to another by attaching itself to a host program.

 

3. Worm

It is a standalone malicious program that replicates itself in order to spread to other programs.

 

4. Malware

Software that is intentionally designed or formulated to damage, disrupt or gain unauthorized access to a device. It is often utilised by hackers to compromise information systems.

 

5. Spyware

It is software that enables its user to spy on other computers. It enables its user to obtain covert information about the activities and actions of other computers. It does this by simply transmitting data in a covert manner from their hard drive.

 

6. Trojan Horse

A type of malware that often misleads computer users about its true intention. It usually appears useful or even harmless. However, it contains hidden code designed to exploit or damage any device on which it runs.

 

7. Phishing Attacks

This is a type of social engineering in which the attacker poses as a trustworthy entity in an electronic communication (mainly by mail) in order to steal user data, including login credentials and credit card numbers. It operates in such a way that it dupes its victims into opening an email, instant message or text message, just to get relevant data from the user.

 

Other factors that can also contribute to cyber breaches include:

  • External and internal threats (such as recklessness of certain members of staff)
  • Website vulnerabilities
  • Security issues with cloud systems
  • Security issues with other third-party providers
  • Weak password management
  • Utilization of outdated technology
  • The activities of hacktivists

 

 

The Importance of Cyber Hygiene to Law Firms and Lawyers

According to a recent report, email malware creation increases by 26% year over year, with about a million malware threats created every day.[3] Additionally, between 2014 and 2015, the number of new malware samples that emerged grew from 317 million to 431 million. By 2016, a breach of more than 11 million confidential and privileged documents, which included emails, databases, files, PDFs and thousands of text documents, occurred as a result of an attack on the Mossack Fonseca law firm. Based on the reports released by security researchers, there were multiple reasons for the success of the attack. These reasons included external-facing servers running outdated software while missing critical security updates. This suggests that the Mossack Fonseca law firm did not have adequate cyber hygiene protocols and procedures, as there was a clear lack of visibility across the firm, as well as missing patches and vulnerabilities including poor network segmentation. This clearly indicates that the worst cyber breach is often a result of poor cybersecurity.[4]

 

To this end, law firms and lawyers need to pay more attention to their cybersecurity. With the growing rate of cyber breaches, law firms cannot afford to be careless with the information of their clients within their possession. Procedures and protocols must be established by these law firms to ensure cyber hygiene.

 

For the purpose of clarity, cyber hygiene underscores a successful incident and threat management program that keeps computer systems up to date, promotes full visibility and guarantees data protection. It includes a range of procedures and protocols that help to maintain best practices in keeping sensitive data safe from external attacks. It also helps to ensure compliance with the latest security standards.[5] If a proper cyber hygiene procedure is not put in place, then the valuable and sensitive information in the possession of these law firms may be tampered with by cybercriminals. This will affect the integrity of the firm and may also result in some legal actions being taken against the law firm.

 

Additionally, ethical issues may also arise, particularly with regard to the provisions of the Rules of Professional Conduct ("RPC"), which vest in legal practitioners in Nigeria an ethical and professional obligation to make sure that valuable and sensitive information of clients is protected from unauthorised access and kept confidential.[6] The provisions of Rule 19 (1) - (3) of the RPC are clearly to the effect that a lawyer has a duty to ensure that whatever information is disclosed to him by his client is not divulged to another person, except:

  • with the consent of the client (upon full disclosure to them);
  • where such lawyer is required to disclose any relevant information on grounds of law or by an order of the court;
  • where the intention of the client is to commit a crime and a disclosure of such information is necessary to prevent the commission of such crime;
  • where such disclosure is necessary for the lawyer to establish or collect his fee; or
  • where such disclosure is necessary to defend himself or his employees and associates against an accusation of wrongful conduct.

 

Clearly, the above exceptions provided for under the RPC do not cover cyberattacks/breaches. The inference drawn from this is that a lawyer may be liable under the RPC for any cyber or data breach that affects his clients' information.

 

 

Possible steps that can be taken by law firms to ensure cyber hygiene

The following steps can be taken by lawyers and law firms to ensure cyber hygiene and prevent any further cyber or data breach.

1. Law firms should routinely identify items such as unmanaged laptops, servers and desktops.

2. Engage in regular awareness and training of its employees on cyber security and cyber hygiene in general.

3. Carefully address any system updates and operating-system-specific updates.[7]

4. Initiate a regular change of password policy and multi-factor authentication.

5. Adequately identify unencrypted valuable and sensitive data and adhere to the required industry security compliance program.

6. Develop a security system that adequately addresses insider threats.

7. Scrutinise hardware and firmware updates for the purpose of identifying security risks and priorities.

8. Obtain cyber insurance policies for future cyber liabilities.

9. Establish and frequently update cybersecurity policies.

10. Carry out regular penetration and vulnerability tests on the various software and hardware being utilized by the firm, to determine their cyber strengths over time.

 

 

Conclusion

As earlier noted, cyber hygiene in Nigerian law firms is now, more than ever, imperative. Law firms must begin to take steps to secure information that is stored online and offline. An understanding of the responsibilities vested in a lawyer to protect and keep confidential the information of clients is sufficient for a lawyer to be proactive and take the necessary steps to avoid any cyber breach. Lawyers must also understand that they are not in any way immune from the activities of cybercriminals. In fact, they appear to be one of the most vulnerable targets of these cybercriminals.

 

Hence, law firms must begin to establish and maintain policies that guarantee and promote cyber hygiene. These firms must consider educating and enlightening their employees on cybersecurity. Apart from the steps recommended in this article, Nigerian law firms must also look to other ways in which their data will be secured. Similarly, the services of experts and consultants should also be acquired by these law firms where necessary.

 

Though some of these measures may be expensive, it is better to expend resources ensuring the safety of the information of their clients than to spend on any resultant legal action or liability that may be incurred as a result of a cyber breach.

 

 

Footnotes

1. Network hacking and ransomware fueling global cybercrime surge by John Leyden (accessible via https://portswigger.net/daily-swig/network-hacking-and-ransomware-fueling-global-cybercrime-surge).

2. DLA Piper set to sue insurer over NotPetya Claim: Report (published on infosecurity-magazine.com).

3. 5 Facts on Email Security Threats in 2021 (published on Mailbird Blog).

4. Law firms as prime targets for hackers: 7 Steps to reducing cyber risks by Aniket Bhardwaj, Charles River Associates (published on Lexology).

5. Ibid.

6. Rule 14 and Rule 19 of the Rules of Professional Conduct.

7. Ibid.

 

Proshare Nigeria Pvt. Ltd.


