Just another day at the firm. The case was settled, with a $500,000 payment to be made to the approved settlement administrator. The law firm received an email from the administrator with wire transfer directions, and the settlement funds were sent per the instructions. Just one problem – the email didn’t come from the administrator, the receiving bank was not the right bank, and the half million dollars evaporated. Poof – gone in an instant.
Sure, it would’ve been prudent for the law firm to have picked up the phone and independently verified the email sender and instructions. But how did the bad guys know precisely to whom and when to send the phony email, and exactly what to say? Was it from publicly available information in the court file? Was there a rogue insider at the firm, or at one of the other litigant’s firms, or at the court, or with the settlement administrator? Or was someone’s email account illicitly monitored after being compromised by malware or through phished access credentials?
Business email compromise (BEC) is a growing threat for businesses generally. Reports of BEC incidents to the federal Financial Crimes Enforcement Network (FinCEN) have doubled from 2016 to 2018, with the dollar amounts rising nearly threefold, from $110 million monthly in 2016 to over $300 million monthly in 2018.
But BEC is only one of many potent threats to law firm data security. Here are some high-profile examples from the news:
- Human Error: Simple mistakes are made, such as inadvertently disclosing confidential data through erroneously addressed emails or failing to scrub edits and other metadata in attachments.
- Social Engineering: Phishing and other deceptions can result in malware injections, stolen system access credentials, and also monetary theft, such as the California case mentioned above, or another law firm conned into wiring $2.5 million in property sale funds to the wrong account. Fraudulent emails impersonating law firm senior executives can deceive payroll staff into sending copies of employee W-2 forms to identity thieves. And law firm information can be used in spearphishing scams targeting the firms’ clients.
- Insider Abuse: Law firm insiders may maliciously access information for profit, extortion, or revenge. A large-firm associate was convicted for accessing a partner’s email account and attempting to extort ransom for the stolen information. And a terminated law firm employee and her husband were convicted for hacking into the firm’s servers (with a hacker friend), installing password-capturing malware, and exfiltrating personal financial information of the firm’s personnel.
- Ransomware: Malware-loaded email can encrypt law firm computer drives, with the perpetrators demanding ransom in exchange for unlocking the data.
- Cyber Warfare Collateral Damage: NotPetya, the “ransomware” whose global sweep paralyzed DLA Piper’s computer systems two years ago, is now understood to have been a Russian cyberweapon targeting Ukraine, but which then spread indiscriminately worldwide. And WannaCry, the “ransomware” with global impact earlier in 2017, is now attributed to North Korea.
- Hacking and Stealing Confidential Client Data: Hackers penetrate law firm computer systems and exfiltrate confidential data for a variety of reasons. Some do so for sale, or for profit, such as the hackers who used confidential client information stolen from several major U.S. M&A firms to garner millions of dollars through insider trading. Others do so for public exposure, such as the hacktivist group Anonymous stealing and publishing the client files of law firm Puckett & Faraj, or the hackers who stole and turned over for publication the “Panama Papers,” over 11 million client documents of the Mossack Fonseca law firm. And other hackers break in, exfiltrate confidential files, and then demand a ransom, threatening to publish or sell the confidential information if it is not paid.
These examples from the headlines may seem extreme, like unusual misfortune that is “somebody else’s problem.” But law firm data security breaches are actually, and unfortunately, commonplace. The 2018 ABA Legal Technology Survey asked lawyers across the country whether their firm has had a security breach, such as a lost or stolen laptop, a system hack, or a website exploit. The responses (by firm size) are sobering:
- Solo: 14% Yes, 4% Don’t Know
- 2-9 Lawyers: 24% Yes, 10% Don’t Know
- 10-49 Lawyers: 25% Yes, 19% Don’t Know
- 50-99 Lawyers: 42% Yes, 35% Don’t Know
- 100-499 Lawyers: 31% Yes, 58% Don’t Know
- 500+ Lawyers: 30% Yes, 61% Don’t Know
And when asked if their firm’s technology has been infected with a virus, spyware, or malware, the responses were similar:
- Solo: 31% Yes, 8% Don’t Know
- 2-9 Lawyers: 48% Yes, 17% Don’t Know
- 10-49 Lawyers: 57% Yes, 22% Don’t Know
- 50-99 Lawyers: 40% Yes, 43% Don’t Know
- 100-499 Lawyers: 34% Yes, 57% Don’t Know
- 500+ Lawyers: 20% Yes, 71% Don’t Know
This is not merely somebody else’s problem. The data security threat environment for law firms is troubling, particularly combined with law firms’ unique security vulnerabilities.