Law firms are under enormous pressure to step up their data protection efforts. With 27 states adopting technology competency requirements at the time of this writing, attorneys who fail to make reasonable efforts to secure client information are risking their books of business, their reputations and, as a wide range of ethical guidance now hitches technology acumen to fitness to practice, their careers.
No law firm wants to be the next Mossack Fonseca, which now hosts a separate damage control website to counter "inaccurate views" stemming from last year’s Panama Papers leak.
While law firms will likely need to bring in qualified cybersecurity professionals to audit their practices and IT systems, they must also pay close attention themselves to the attacks and vulnerabilities that keep emerging. The four described below are only a sampling of the growing number of threats law firms should monitor.
Last summer's data breaches at Cravath, Swaine & Moore and Weil, Gotshal & Manges showed that even elite, deep-pocketed firms are not immune to cybercrime. Three hackers infiltrated the firms' servers and stole confidential client information, which they used to make roughly $4 million through insider trading; they have since been indicted.
One of the tactics firms now have to plan for is the distributed denial of service (DDoS) attack, although it is worth being precise about what it does: a DDoS does not, by itself, steal anything. It can take a website offline, but it cannot read a file off a server; stealing client data requires a separate intrusion into the firm's systems. In a DDoS attack, the attacker first compromises large numbers of third-party servers and computers (a botnet) and then directs traffic from all of them at the target, for example a law firm's website. Because the combined volume far exceeds what the site's servers and network connection can handle, legitimate visitors are locked out and the site becomes inoperable.
The real danger of a DDoS attack extends beyond taking down the firm's website. Such attacks often serve as diversions that keep lawyers and IT staff scrambling while the criminals carry out the actual intrusion, for example breaking into firm servers to steal client data. A DDoS is difficult to prevent, because the traffic arrives from thousands of legitimate-looking sources, but firms can blunt it by working with their hosting provider on rate limiting and traffic filtering and, more effectively, by putting the website behind a content delivery network (CDN) with DDoS protection such as Cloudflare or Incapsula, which absorbs the flood before it reaches the firm's servers. Just as important, treat a DDoS as a possible smokescreen: during and after the attack, watch logins and server access logs, not only whether the website is up.
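To make the difference between a flood and an ordinary busy period concrete, here is an added example that is not from the original article. It parses constructed access-log lines in the common Apache/nginx format, buckets requests per source address per ten-second window, and raises an alert either when a single source is hammering the site or when total volume spikes across many sources, which is the DDoS pattern that per-IP rate limiting alone would miss. The log lines, IP addresses and thresholds are all made up for the illustration.

```python
"""Spot request floods in web-server access logs.

Added example, not from the original article. Parses constructed access-log
lines in the common Apache/nginx format, buckets requests per source address
per ten-second window, and alerts on either a single noisy source or a
volume spike spread across many sources (the DDoS pattern).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Common log format: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Constructed baseline traffic: a quiet ten seconds on a firm website.
BASELINE = [
    '198.51.100.7 - - [10/Feb/2017:09:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Feb/2017:09:00:02 +0000] "GET /attorneys HTTP/1.1" 200 8231',
    '192.0.2.44 - - [10/Feb/2017:09:00:04 +0000] "GET / HTTP/1.1" 200 5120',
    '192.0.2.44 - - [10/Feb/2017:09:00:05 +0000] "GET /practice-areas HTTP/1.1" 200 6410',
    '198.51.100.7 - - [10/Feb/2017:09:00:08 +0000] "GET /contact HTTP/1.1" 200 3002',
    "this line is corrupt and must not crash the monitor",
]

# Constructed flood: in the next ten seconds, 60 distinct addresses each send
# one request. No single source is abusive, so per-IP limits stay silent.
FLOOD = [
    f'203.0.113.{i} - - [10/Feb/2017:09:00:{10 + i % 10:02d} +0000] '
    f'"GET / HTTP/1.1" 200 5120'
    for i in range(1, 61)
]


def parse_line(line):
    """Return (source_ip, aware datetime) or None for lines that do not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    when = datetime.strptime(match.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return match.group("ip"), when


def bucket_requests(lines, window_seconds=10):
    """Map each aligned time window (epoch seconds) to a Counter of requests per source."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines instead of aborting the run
        ip, when = parsed
        window = int(when.timestamp()) // window_seconds * window_seconds
        buckets[window][ip] += 1
    return buckets


def flag_floods(buckets, total_threshold=50, per_ip_threshold=20):
    """Return one alert per window that crosses a threshold.

    kind is "single-source" when one address alone reaches per_ip_threshold,
    otherwise "distributed": many addresses whose combined volume reaches
    total_threshold while each stays under the per-IP limit.
    """
    alerts = []
    for window in sorted(buckets):
        counts = buckets[window]
        total = sum(counts.values())
        top_ip, top_count = counts.most_common(1)[0]
        if top_count >= per_ip_threshold:
            kind = "single-source"
        elif total >= total_threshold:
            kind = "distributed"
        else:
            continue
        alerts.append({
            "window": datetime.fromtimestamp(window, tz=timezone.utc).isoformat(),
            "total": total,
            "sources": len(counts),
            "top_ip": top_ip,
            "top_count": top_count,
            "kind": kind,
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_floods(bucket_requests(BASELINE + FLOOD)):
        print(alert)
```

The thresholds are deliberately simple; in practice you would derive them from the site's own baseline. The point to take away is that the flood window shows 60 requests from 60 addresses, so any rule that only asks "is one client too loud?" sees nothing wrong, while a rule that watches total volume and source diversity flags it immediately.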
With over half a billion users, Dropbox has quickly become one of the most popular cloud-based document and data storage services in the world. It has also become a go-to tool for solo practitioners and small law firms: according to the most recent ABA TechReport, over half of solo and small-firm lawyers use Dropbox to store, share and edit work-related documents. Those lawyers should pay close attention to Dropbox's recent Smart Sync release, which shows every cloud-stored file in the computer's ordinary file system and lets the user open it on demand, without keeping a local copy of everything and without having to download, edit and re-upload new versions by hand.
To do this, Smart Sync installs a kernel extension, a component that runs inside the core of the operating system rather than as an ordinary application. Code at that level has the same privileges as the operating system itself, so a flaw in it, or an attacker who gains control of it, affects the whole machine and not just the Dropbox folder. Dropbox can also serve as a beachhead in the other direction: whoever controls the account controls what gets synced to every linked device. No Smart Sync breaches have been reported since Dropbox released the feature in late January, but lawyers would still be wise to turn on Dropbox's two-factor authentication (which protects the account login; it is not encryption), to use a hardware token such as a YubiKey as that second factor where possible, and to look at storage products that encrypt files on the device before upload so that the provider never holds a readable copy.
Lawyers, like everyone else, are likely to use personal devices to perform work outside the office, often outside the scope of their firm's BYOD policy. In fact, according to the ABA, about 1 out of every 4 lawyers use their smartphones to access the internet to conduct legal work, while 1 out of every 5 lawyers use tablets for the same purpose.
While mobile operating systems are regularly updated to patch security gaps, attackers have been quick to exploit one widely publicized weakness, known as Stagefright, in the media-processing library of Android. A Stagefright attack is triggered by a specially crafted media file, delivered for example by MMS, as an email attachment or behind a link. In the original MMS scenario the message did not even have to be opened, because Android automatically fetched and processed the media to build a preview; processing the file could crash the operating system or, worse, let the attacker run code on the phone. Stagefright itself was Android-specific, but the lesson applies to iPhone and Android users alike: install operating-system updates promptly, and retire devices the manufacturer no longer patches, because an unpatched phone full of client email is a liability the firm cannot fix.
Web-facing systems that sit in front of client data, from a firm's website and intake forms to a client portal or webmail, can be a law firm's downfall if they are exploited, and a breach there compromises client trust directly. One classic route in is SQL injection. The term does not mean overloading a database; it means that a web page builds its database query by pasting user-supplied text (a search term, a login name, a value in the URL) directly into the SQL statement. An attacker who types a quotation mark and some SQL of their own into that field changes the query itself, and can read, alter or delete records the page was never meant to expose.
One way to see whether your firm's website or servers are exposed to SQL injection is Google Dorking, which a Udemy tutorial walks through. Google Dorking uses advanced search operators (for example restricting results to your own domain and to URLs that carry query parameters) to find pages and scripts, often PHP, that you may not have known were publicly reachable. You then visit each URL and append a single apostrophe to a parameter value. If the page responds with a database error message, the apostrophe reached the database unescaped and that page is very likely injectable. Two caveats: a page that shows no error is not thereby safe, since many applications hide errors while remaining exploitable, and this kind of probing should only ever be done on systems you own or have written permission to test. PHP is not inherently vulnerable; the problem is code that assembles queries from user input by string concatenation, which is common in older PHP applications and in WordPress plugins, so owners of WordPress-based sites should be especially watchful. If any part of your website turns out to be vulnerable, have a qualified developer fix it by rewriting the affected code to use parameterized queries, not by merely hiding the error message.
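The mechanics described above, as an added example that is not part of the original article. Python with an in-memory SQLite database stands in for the website's database layer; the table, client names and attorney logins are constructed for the illustration. It shows the vulnerable query, the apostrophe probe, a variant that swallows errors and so passes the probe while still leaking every row, and the parameterized version that closes the hole.

```python
"""SQL injection: vulnerable query, apostrophe probe, and the parameterized fix.

Added example, not from the original article. An in-memory SQLite table of
constructed client matters stands in for a law firm portal's database.
"""
import sqlite3

# Constructed data; the names are placeholders.
MATTERS = [
    ("Acme Corp", "jdoe", "Merger due diligence"),
    ("Beta LLC", "jdoe", "Patent licensing"),
    ("Gamma Inc", "asmith", "Employment dispute"),
]

# Classic payload: closes the quoted string and adds a condition that is always true.
DUMP_ALL = "' OR '1'='1"


def make_db():
    """Build the sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE matters (id INTEGER PRIMARY KEY, client TEXT, "
        "attorney TEXT, summary TEXT)"
    )
    conn.executemany(
        "INSERT INTO matters (client, attorney, summary) VALUES (?, ?, ?)", MATTERS
    )
    return conn


def search_vulnerable(conn, attorney):
    """The bug: user input is spliced into the SQL text, so the input can
    close the quoted string and append conditions of its own."""
    query = f"SELECT client, summary FROM matters WHERE attorney = '{attorney}'"
    return conn.execute(query).fetchall()


def search_vulnerable_quiet(conn, attorney):
    """Same bug, but errors are swallowed. The apostrophe probe sees nothing,
    yet the injection still works: hiding errors is not a fix."""
    try:
        return search_vulnerable(conn, attorney)
    except sqlite3.Error:
        return []


def search_safe(conn, attorney):
    """The fix: a parameterized query. The driver sends the value separately
    from the statement, so quotes inside it are just characters in a string."""
    return conn.execute(
        "SELECT client, summary FROM matters WHERE attorney = ?", (attorney,)
    ).fetchall()


def apostrophe_probe(search, conn):
    """The manual check from the text: append a lone apostrophe to the input
    and report whether the database raised a syntax error."""
    try:
        search(conn, "jdoe'")
        return "no error"
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"


if __name__ == "__main__":
    db = make_db()
    for name, fn in [
        ("vulnerable", search_vulnerable),
        ("vulnerable, errors hidden", search_vulnerable_quiet),
        ("parameterized", search_safe),
    ]:
        print(f"{name}: probe -> {apostrophe_probe(fn, db)}; "
              f"payload returns {len(fn(db, DUMP_ALL))} of {len(MATTERS)} rows")
```

Run as a script, the vulnerable version fails the probe and hands over all three matters to the `' OR '1'='1` payload; the error-hiding version passes the probe and still hands over all three; only the parameterized version returns nothing for the payload, because the whole string is compared against the attorney column as data.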
As told to Eric Pesale, a soon-to-be attorney and founder of Write For Law. Eric is a regular contributor to the Logikcull blog, focusing on the legal impact of emerging technologies. He can be reached at firstname.lastname@example.org or on Twitter at @writeforlaw.