Law firms have long been easy targets for hackers. They are full of sensitive information, yet the resources expended on data security often don’t measure up against efforts taken in other industries, such as finance and healthcare. Lawyers, too, have not won many awards for their tech savvy. (In 2015, Verizon reported that corporate legal professionals were the easiest professionals to hack.)
The result is a steady stream of law firm hacks, to some of the biggest law firms in the country. In 2016, for example, the Wall Street Journal reported that Cravath and Weil Gotshal had been successfully targeted hackers. A few months later, the DOJ indicted three men, accusing them of making millions in insider trading after hacking into the emails of Big Law M&A teams. Last summer, cybersecurity experts reported that Russian hackers personally targeted U.S. attorneys based on their perceived susceptibility to phishing attacks.
And it’s not just Big Law. Even smaller practitioners have had their pockets picked by sophisticated cyber criminals, whether ransomware wielders or email con artists. One solo attorney in the Washington, D.C., area was robbed of a sizable settlement after hackers took control of his email and sent instructions for the money to be transferred to an offshore account, for example. Another firm in California fell for a similar ploy, paying out half a million dollars to cyberscammers before realizing their mistake. Last year, a 10-attorney Rhode Island firm was hit by a cyber attack that shut them down for three months, resulting in a loss of over $700,000 in revenue.
Of course, these are just the victims we know of. Most cybersecurity events in the legal industry are never even detected. Others are handled quietly, outside the public eye.
Despite these constant and recurring threats, for years it seemed like much of the legal industry’s approach to cybersecurity was limited to “there but for the grace of God go I.”
The DLA Piper Hack & Law Firm Cyber Insecurity
Then, DLA Piper got hacked. Last June, the 4000-plus-attorney firm got hit by the Petya (or Not-Petya, depending on who you ask) attacks that disrupted businesses throughout the world. The hack was a so-called ransomware attack, where malicious software encrypts a computer and then demands payment, often in the form of Bitcoin, to unlock it. For this attack, victims were greeted by the message “Ooops, your important files are encrypted.” Ooops indeed.
The ransomware attack apparently first hit DLA Piper’s offices in Ukraine, but quickly spread throughout the firm’s global network. The Petya malware was able to replicate itself so quickly and widely by exploiting a vulnerability in Microsoft Windows.
Soon, nearly every DLA Piper office was shuttered. Signs in their DC location warned staff, “All network services are down, DO NOT turn on your computers!” It took days for the firm’s email to come back online and weeks for operations to return to normal. The shutdown likely cost millions of dollars in lost revenue.
The DLA Piper attack made it much harder for law firms to ignore cybersecurity risks. And now, it seems, more firms are taking those risks to heart, moving to build up their cybersecurity defenses and ensure that they're protected when something goes wrong. At least in Washington, D.C., that is. According to the National Law Journal’s Ryan Lovelace:
Alarmed by the rising threat of hackers bent on extorting, exposing or undermining their work, Washington, D.C., law firms have been quietly changing their behavior since DLA Piper fell victim to a major security breach last June.
According to Lovelace, as a result of the the DLA Piper attacks, D.C. firms have “quickened their behind-the-scenes efforts to thwart and respond to such attacks.” They have begun purchasing cyberinsurance, if they did not have it already, and increasing their coverage, if they did. One brokerage saw its client base grow by 10 percent after the Petya attack, while the medium limit of insurance for large firms doubled, rising to $20 million. Many firms are increasing their investment in cyberdefenses as well, making sure they are not just insured against a possible attack, but equipped to defeat it.
DLA Piper itself has worked to improve its infrastructure following the attack. It’s also built up some analogue failsafes should another attack cripple its systems:
Jeff Lehrer, managing partner of DLA Piper’s D.C. and northern Virginia offices, said that in the months since, his firm has returned to developing hard-copy printouts of phone numbers and other information needed for the firm to continue functioning in case of a cyber crisis.
Keeping Data Secure With a Closed-Loop System
Law firms looking to protect their data need to do more than just up their cyberinsurance policies and print out contact information, though. As FCC Cyber Security Planning Guide notes, data is most at risk when it is on the move. And in many law firms, data moves frequently, whether it’s through documents emailed between lawyers and clients, hard drives full of data mailed across the country, or between individual computers, each with their own repository of sensitive files—each a potential entry point for a hacker.
The traditional discovery process, for example, is full of data movement. Data is gathered from the client and sent to the law firm, from the firm it may be shipped to third-party vendors, processed and returned, before finally being passed along to the requesting party. This movement-intensive approach to discovery is ripe with opportunities for a data breach.
In a closed-loop system, those risk points are greatly reduced. Data can be uploaded to one secure platform, where it’s protected by bank-level encryption when in motion and at rest. Once uploaded, access to the information can be secured and controlled, allowing you to make sure that sensitive data is only available to those who need it. Such systems can even allow you to produce information to other parties through a secure download link, rather than, say, a CD-ROM sent in the mail.
For firms looking to shore up their cybersecurity, making sure that you secure your discovery process is essential. The reality is that hackers are already targeting discovery repositories, according to Lael Andara, litigation partner at Ropers Majeski. “We just haven't necessarily identified the hacks.”