The Colonial Pipeline ransomware attack may have sparked gas shortages throughout the Southeast, but it could have a silver lining.
It should remind Florida lawyers that their data is a tempting target.
“Lawyers are low-hanging fruit,” says Jacksonville attorney Steven W. Teppler, chair of Mandelbaum Salsburg’s cybersecurity practice group. “It’s really tough to get people to look at this in a proactive, preventative manner.”
Lawyers should be reviewing their data security, training methods, and incident response plans, Teppler says, adding that it isn’t as daunting as it sounds. He compares it to owning a car.
“You don’t have to know how to do a valve job or rebuild an engine, but you should be performing preventative maintenance, changing the oil regularly, and know how to identify problems,” he says.
Ransomware attackers plant malware in a victim’s network that denies access to files, and then demand payment for a key. Lawyers face a double threat, Teppler says.
“One is to lock your data up, and the other is to exfiltrate it, and hold it over you for a second ransom to not disclose it,” he said.
Most malware attackers use “social engineering” to enter the target network – posing as an authority figure or associate to lure a victim into divulging a password, inserting a thumb drive, or opening an email and clicking on a contaminated link.
Lawyers may consider themselves too savvy to fall prey, but nearly every firm is susceptible, Teppler says.
“Most lawyers are not solo practitioners and have assistants of some type, there’s always a weakest link,” he said. “It’s not just anti-virus, it’s not just getting a cool-looking box that blinks in your server room, it’s having a policy that also trains your employees and staff members to always be mindful.”
Larger firms are using software that simulates social engineering to ferret out vulnerable employees, Teppler says.
But no prevention is foolproof, and lawyers should always assume that sooner or later, an attack will succeed, Teppler says.
“Do you have an incident response plan, do you have a disaster recovery plan, do you have a business continuity plan?” he said. “Each of these has a slightly different focus.”
Know who to call when the computers freeze, and who else to call if that person is unavailable, Teppler says. If the data has been properly backed up, know how to retrieve it, he says.
Backing everything up in a single cloud server could be a mistake, he says. Cloud servers have also been breached. Also consider drawing up a “business continuity plan,” Teppler says.
“A business continuity plan is, okay, we’ve been attacked, what do we do to come back to life?” he said. “Do we need our phones, do we need our internet, do we need to have a second site?”
Many lawyers are working from home during the COVID-19 pandemic, and remote lawyering increases the risk of a data breach, or the accidental disclosure of confidential client communications, experts warn.
Many law firms save money by allowing lawyers to use their personal computers. “BYOD,” or Bring Your Own Device, could be a costly mistake because personal computers are less secure, Teppler says.
“To me, BYOD stands for Bring Your Own Disaster,” he said.
LegalFuel, home of the Bar’s Practice Resource Center, recently posted “Thin Walls, Smart Homes, Zoom Towns & Data Breaches: 21 Things a Lawyer Should Know About the Ethics of Lawyering Remotely in 2021” on April 26.
The free, one-hour video is credited for 1 hour of General CLE and 1 hour of Ethics CLE. It can be found here.
In the seminar, national experts identify the risks of remote lawyering. They include other household members being able to overhear client conferences, or view client files on a shared computer.
George L. Washington, Jr., chief litigation counsel at Orange Business Services in Oak Hill, Virginia, warns lawyers in home offices should unplug voice-activated digital helpers, such as “Alexa.”
Alexa’s user agreement gives the service provider the right to record conversations, ostensibly so engineers can improve its performance, Washington warns.
Unless it’s switched off, the device is always listening for an activation word, Washington warns. Sometimes the device will interpret a TV show, or street noise, as the activation signal, he said.
“This is serious enough that at least one law firm in the UK has ordered all staff to conduct client conversations outside of the device,” he said. “The main point here is to remain privacy conscious at all times.”
A lawyer’s ethical responsibility to guard against data breaches includes accepting regular software updates, no matter how annoying or inconvenient, Washington said.
If it’s not possible to turn off a device immediately, schedule them for the middle of the night or weekends, Washington said.
“I’m as guilty as anyone,” he said.
The Zoom “chat” feature invites accidental disclosure of confidential information, Washington warns. He suggests texting a client separately during a videoconference proceeding.
David J. Kaplan, general counsel of Nevada-based, “deep-tech pioneer” AXEL, also advises law firms to have an incident response plan in case of a ransomware attack, and to make sure it’s current.
“Everyone, basically, should expect to be breached,” he said. “The ABA recognized this in issuing Formal Opinion 483 in October of 2018. To minimize the likelihood of somebody getting in, you need to use training and tools.”
Kaplan recommends arranging for the services of a law firm that specializes in responding to data breaches. Some firms have data hostage negotiators who bargain with the cybercriminals.
Law firms that get breached have probably not seen the last of their attackers, Kaplan said.
“If you do get breached, it’s much more likely to happen again,” he said. “Now there’s people out there with information about your system.”