
Cyber Hygiene for Lawyers


In this digital age, invisible threats lurk in every dark alleyway of the internet. Knowledge, awareness, and daily cyber hygiene are necessary to prevent cybercrime and fraud, preserve confidential information, and ethically serve clients. Through two hypothetical scenarios, we’ll explore the biggest cybersecurity vulnerability of all—ourselves. People with poor cyber hygiene are a prime target for cyber adversaries, who use tactics and methods like phishing, social engineering, and malware to exploit their weaknesses. We’ll explore the ethical dimensions of cybersecurity, the types of cybersecurity threats and vulnerabilities, some daily preventive habits that can reduce threat exposure, some techniques for recognizing phishing scams, and the anatomy of a ransomware attack. Viewers will also receive a cyber hygiene checklist.



Jason Potter: Welcome to Cyber Hygiene for Lawyers by Quimbee. My name is Jason Potter and I'm a staff presenter at Quimbee. We have some written materials for you today, including a cyber hygiene checklist, along with cases, statutes, rules, and links for download. You could follow along with them or just sit back and enjoy this practical introduction to cybersecurity in law practice.

   The pilgrims stunk. No, no, no, really. When the pilgrims arrived 400 years ago, a stench trailed the Mayflower into Plymouth Harbor. On shore, the crusty pilgrims were introduced to lobsters and baths, and both repulsed them. With hygiene issues fit for a late-season episode of Survivor, the pilgrims were encouraged to bathe by Squanto, but it was no ducking use. Back in the 1600s, bathing was uncommon and uncouth in Europe. Heck, Louis XIV apparently only bathed three times during his reign. Hey, and germ theory wasn't even on the radar, so the pilgrims refused to get naked and the showers didn't turn on.

   But we've come a long way since personal hygiene sullied the pilgrims' landing. We know lots of things about germs. A clean mouth has between 1,000 and 100,000 bacteria on each tooth, so we brush. The number of germs on your fingertips doubles after we use the toilet, so we wash. COVID-19 is spread mainly by inhaling droplets released from an infected person's coughs or sneezes. The virus needs us to activate and spread, so we wipe the groceries with bleach, jog in a mask and meet friends for happy hour on Zoom. When there is a threat in the world beyond our view, good hygiene practices help protect against it.

   Unseen threats in cyberspace abound. These threats want something from us: our information. The technology we use automatically exposes us to these threats, and because technology connects us, meshing us together through the internet, social media, mobile technology, email, and more, these threats have numerous ways to spread, infect and extract. And extract they do. In one headline-grabbing story from 2020, the computer systems of one New York-based entertainment and media law firm representing clients like Lady Gaga, Madonna and Elton John were attacked by ransomware that stole 756 gigabytes' worth of confidential information, then demanded a $21 million ransom payment for its return.

   Confidential client information is gold to hackers, and these criminals are to find. They tend to ransomware. Whether an attack is successful mostly depends on the victim's vulnerability, not the sophistication of the hacker. Many of these vulnerabilities can be prevented with good cyber hygiene habits. For some lawyers, it may seem like a tall order to bring discipline to all interactions with technology, but the stakes for lawyers are great. Law firms of all sizes are now major targets for cyber criminals. One late-night, bleary-eyed click on a fraudulent PDF attachment can become the biggest dumpster fire of a lawyer's career. In this presentation, we'll present some best practices for cyber hygiene that lawyers can incorporate right now into their practices, along with some important context on cyber security, ethical implications, and the occasional cyber pun, maybe.

   Cyber hygiene, and cyber security more generally, is not just a good business practice. It's a professional obligation, so we can't dive into the hygiene of it all without some professional context. We all know that lawyers owe their clients a duty of confidentiality. In light of advances in technology, lawyers do a lot of their work online, storing sensitive client information in the cloud or on devices that may be vulnerable to attacks. The lawyer's duty to maintain the confidentiality of information comes from ABA Model Rule of Professional Conduct Rule 1.6. Under Rule 1.6, the general rule is that a lawyer can't disclose representation-related information. The rule applies to intentional and unintentional disclosures, but it also requires the lawyer to take steps to prevent others from accessing it. Under Rule 1.6(c), the lawyer needs to take reasonable efforts to prevent, "Oops! We leaked it." inadvertent or unauthorized disclosure of representation-related information by the lawyer or someone else under the lawyer's supervision. And the lawyer needs to take reasonable efforts to prevent, "Oops! They took it." unauthorized access to representation-related information by a third party.

   If the lawyer takes reasonable efforts to prevent these oopsies, then the lawyer hasn't violated Rule 1.6(c). To determine what reasonable efforts means, Comment 18 directs attorneys to consider factors like the information's sensitivity, the likelihood of disclosure without more safeguards, the cost of more safeguards, and whether the safeguards adversely impact the representation. When communicating representation-related information, Comment 19 states that the lawyer doesn't need to take on any special security protocols if the communication gives a reasonable expectation of privacy, but special security protocols may be needed depending on the sensitivity of the information and whether the communication's privacy is protected, such as by law or by a confidentiality agreement.

   One case pending in 2020 demonstrates the implications of this. In Wengui v. Clark Hill, a DC law firm allegedly made promises to a Chinese political dissident that the firm had adequate security to withstand hacking, allegedly knowing from the outset that agents of the Chinese government had previously conducted persistent cyber attacks on the dissident. Nonetheless, the firm allegedly used their server to store the client information and their regular email to transmit information to third parties. The firm was hacked, and the client information was stolen and posted publicly. The client sued the firm for malpractice, alleging among other things that the firm had violated its duty of confidentiality, misrepresented its security protocols and had mishandled the client's information. This claim survived a motion to dismiss. The District of DC found that the client had sufficiently pleaded that the firm mishandled the client's confidential information. The district court's decision and the complaint are in your course materials.

   This case appears to show a clear violation of Rule 1.6. What would have been considered reasonable efforts was allegedly far more than the firm's ordinary security protocol, in light of the sensitivity of the information and the likelihood of disclosure without more safeguards. We'll be touching on a few other ethical duties during the presentation, so this isn't the last you'll hear of ethics. Attorneys may also have a legal obligation to maintain good cybersecurity hygiene. For example, New York's amendment to its data breach notification law, the Stop Hacks and Improve Electronic Data Security Act, or the SHIELD Act, became effective in 2020. This law is setting the bar for privacy laws across the country. The SHIELD Act applies to any person or business that owns or licenses computerized data that includes private information of a resident of New York. The SHIELD Act requires a stricter level of data security over personal information, as well as notification of any breaches. This statute also requires implementing a cyber security program and protective measures like risk assessment, training and a response report.

   So an understanding of cyber and professional responsibility go hand in hand. Prioritizing cybersecurity is prioritizing clients as well as your reputation and your future.

   Lawyers are prime targets for cyber attacks for three reasons: value, efficiency and softness. First, value. Lawyers get, store and use highly sensitive information about their clients while at times using safeguards that may be inferior to the safeguards used by the clients themselves. There are also numerous uses for the data. Just to name a few, data in connection with mergers can be used to conduct insider trading before the merger even becomes public knowledge. Also, hackers or hacktivists may steal data in order to derail a transaction. So it's valuable. It's also efficient to attack lawyers. The information lawyers gather is valuable and more valuable than the voluminous information they had to sift through in the first place. Lawyers are also only involved in their clients' most important and pressing matters, so this data tends to be more sensitive than other client related data. So picking on the lawyers is efficient for hackers.

   Also, softness. Lawyers are still known as easy, soft targets for hackers. Although cyber security is a high priority at many law firms, the high-value information stored is just generally still more accessible than it is on client systems, at least insofar as corporate clients are concerned, because businesses tend to be better at cybersecurity than lawyers. So when businesses work with lawyers, the lawyers are the vulnerable ones, and so law firms are basically a one-stop shop for hackers. And those are the FBI's words, not mine. And hack, they do! By the numbers, law firms of all sizes are major targets for cyber threats. In the ABA's 2018 Legal Technology Survey, or LTS Report, 23% of respondents indicated that their firm's network or systems have been breached in the past. As of 2018, the percentage of firms that have ever reported a breach generally increased with the size of the firm: 14% of solo practitioners, 24% of firms with two to nine lawyers and 10 to 49 lawyers, 42% of firms with 50 to 99 lawyers and 31% of firms with 100 or more attorneys.

   While 60% reported that their firms hadn't been breached, breaches may not have been detected, and the firms may not have reported. Shockingly, only 9% of firms that had experienced a data breach notified clients, and only 14% notified authorities. It's understood that many law firms just don't report. It's too damaging for their reputations. The damage these threats cause is significant. In the LTS Report, 40% of firm networks were infected with viruses, malware and spyware, and firms with two to 49 attorneys were infected at a greater rate than larger firms. Of those firms breached, 41% of firms reported billable hour losses, 40% needed to pay remediation consultants, 11% reported destruction or loss of files and 27% replaced hardware and/or software.

   Generally, the precautions firms take are not enough. In the LTS Report, 34% of firms breached reported using full drive encryption, 29% of firms breached reported using encrypted email for client communications, 34% of firms breached reported having cyber insurance coverage and only 25% of firms breached reported having an incident response plan in order, a major component of law firms' cybersecurity today. Notwithstanding the seriousness of cyber threats, as much as 80% of attacks can be prevented with good cyber hygiene. So what's cyber hygiene? Cyber hygiene is a reference to security practices that people using the internet should follow to protect their devices and shore up their information online. Like hand washing or wearing a mask, many cyber hygiene practices are seemingly simple and straightforward, like not clicking email links from unfamiliar senders or not checking social media and personal email at work. Cyber hygiene is the basic line of defense against attacks. It's part of good business practice.

   But before we talk about prevention, it's important to understand exactly what we are trying to prevent with cyber hygiene, so here's a little primer on malware. Malware is malicious computer code intended to damage a computer. It's become an umbrella term for different types of malicious software, including but not limited to viruses, the most common form of malware and possibly the most destructive. Viruses are capable of any number of tasks, like hijacking your computer, erasing the data, sending spam from your computer or hosting and distributing illegal content. Another type of malware is spyware: software that collects your personal information and sends it to third parties without your knowledge and without your permission. Spyware can install viruses like worms or Trojan viruses. Another form of malware is adware: software that displays popup advertisements when you are connected to the internet or have your browser open. Also, rogue security software. Rogue security software masquerades as legitimate security software and, once installed, opens your computer up for further infection and data breaches.

   And finally, ransomware. It's a kind of malware that infiltrates networks and systems and encrypts the data until the victim, a person, an entity, or both, pays a ransom, often demanded in Bitcoin, which is untraceable. Ransomware is usually spread when a user clicks on a malicious hyperlink or attachment in an email. So there are a number of techniques for malware attacks. Malware can come in through junk email or spam; sometimes this is known as the spray-and-pray approach. It can come in through phishing: scam emails that often look legitimate, but the link or attachment is fraudulent. They also come in through known vulnerabilities, discovered through internet-wide searches with bots. So the question becomes, how do these nasty threats come in? Through these three doors. Malware can attack with impunity, bit by bit. In the film Bonnie and Clyde, Warren Beatty as Clyde Barrow introduces them by saying, "This here is Miss Bonnie Parker. I'm Clyde Barrow. We rob banks."

   This is the sort of impunity that hackers have. Hackers often prey on organizations and people with poor cyber hygiene using basic tactics and methods like phishing, social engineering, and malware to exploit existing vulnerabilities. We're going to explore some of these vulnerabilities now in the context of a few hypotheticals. This is Catherine. Catherine works for a small firm that has a flexible schedule. She has the option of working from home or the office. Catherine has two court appearances and decides to work from a nearby coffee shop between appearances. The coffee shop is crowded, but Catherine locates a table, she sets up her laptop to begin working. Catherine logs into her MacBook Pro laptop with her password, meangirls1. A notice of a software update pops up on Catherine's screen. She dismisses it so she can get started. Catherine connects to the coffee shop's WiFi, which is free with purchase and doesn't require a password. She then logs into her firm's case management software using her password, meangirls1.

   Catherine works in MS Word on a brief for an upcoming appearance, then she saves her work locally, uploads it to the firm's system, closes her computer and leaves the coffee shop. What are Catherine's vulnerabilities here and what could she have done to mitigate them? Catherine's method of accessing the internet is a vulnerability. Catherine connected to an open wireless hotspot without a password. Now open WiFi networks are dangerous for security and confidentiality reasons as hackers can sniff data packets from public WiFi networks. Is there anything she could do to access that network? What if it was the only available connection? Well, if Catherine uses a virtual private network or VPN after connecting to the WiFi and for the duration of her connection to it, her vulnerability would be reduced, but not eliminated. A VPN creates a private network on top of a public network and allows the user to transmit on the public network as if it's on the private one. But even a VPN is considered vulnerable today.

   As a matter of cyber hygiene, Catherine should just avoid public WiFi connections altogether, tethering to her smartphone or using a cellular mobile hotspot or modem or other secure alternatives to access the internet. Next, Catherine's lack of situational awareness is also a vulnerability. Catherine was working on her computer on a client matter in a crowded coffee shop, but she seemed to lack awareness of her surroundings. She needed to make sure that no one could view the work on her computer, or worse, if she stepped away.

   For better cyber hygiene, Catherine should add these tools into her routine. First, Catherine should consider using a privacy filter for her computer. It's an analog tool placed over the screen that obscures it from viewpoints other than the viewpoint of the person directly in front of the computer. Second, Catherine should consider requiring screensaver passwords and enabling her computer to lock, so others can't view her data when she's away. Also, Catherine should consider covering her webcam in case of webcam hacking, a precaution that's recommended by the FBI. Next, Catherine's failure to update her software also puts her at risk. Catherine did what many of us do when we need to get to work. We just put off those software updates. But if a manufacturer is suggesting you update your software, chances are they know something that you don't know, and it's often about security, some known vulnerability, say, that they've patched. So it would be good cyber hygiene for Catherine to stay on top of installing the newest software updates for all devices and software and applications on those devices. This includes staying up to date on and using antivirus, anti-malware and firewall software.

   In addition, Catherine's use of the same weak password for multiple logins is a vulnerability. For passwords, inconvenience equals security. In Catherine's case, she uses the same password, meangirls1, for her laptop's login and to log into her firm's case management software. There's convenience in that. It's easier to remember one password. It's more convenient. However, the more convenient the password, the less secure it is. For passwords, there's a tension between security and convenience. So here are some cyber hygiene tips about passwords. First, passwords should be totally private. Even though it might be convenient, Catherine shouldn't give it out to anyone else, like her assistant. Strange things can happen. For example, one firm let a legal secretary go and ended her access to the firm's network. Her replacement didn't show up on her first day. The firm realized that the sacked secretary, knowing the partner's password, had sent her replacement an email from the partner's account saying the firm had rescinded their offer.

   Second, passwords should be unique. If Catherine commits to using unique passwords, this would provide her with more security. It might be inconvenient, but there are ways to add convenience. Unique means using a different password for each application's login: one password for email, a different password for the cloud, et cetera. And to add convenience, Catherine should use a password manager, for example, LastPass, which is a secure central repository for passwords. These services are more underused than they should be in the legal profession. Catherine should also not write down those unique passwords, even though she may be tempted to do so for convenience.

   Third, passwords should be strong. Don't choose a bad password. So here's a parade of horribles. According to one data analytics firm, these were some of the top worst passwords in 2018: password, 123456789, 11111111, sunshine, qwerty, iloveyou, princess and admin. These worst passwords were the result of a study of frequency in passwords leaked by hackers. Choose a word, phrase or character combination of at least 12 characters that includes capital letters, special characters and numbers. Here's one way to make it memorable. I call it the syllable secret. Choose a favorite lyric from a song or a favorite line from a play, like Shakespeare, or your favorite film. I don't know about you, but I think Love Hurts by Lizzo is pretty amazing. The song starts, "Why men great till they gotta be great?" Start by writing down the first letter of each syllable, using capital letters for stressed syllables and keeping any punctuation, like the question mark at the end of Lizzo's lyric. Add some numbers, like the year the song came out. Voila! Wmgttgtbg?17 Then test it.

   According to the password testing site, howsecureismypassword.net, it would take a computer about 63,000 years to crack this password. Secure and memorable. Thanks, Lizzo.

   When creating a password, don't use personally meaningful or common words or phrases like Bible verses or movies. Let's consider Catherine's password. Catherine's password, meangirls1, is lacking because it's the title of a popular teen comedy, has too few characters, has no special characters and contains no uppercase. In fact, apparently that password would take a computer only one day to hack, but add a little more Mean Girls and we are in business. Translation: on Wednesdays we wear pink. That was so fetch. According to howsecureismypassword.net, it would take five decillion years to hack this. I don't even know how long that is. That's so fetch!

   Fourth, logins should have two-factor authentication when possible. This form of authentication, widely available on most internet services like Google or Facebook or Yahoo, will require a code or a biometric of some kind in addition to a password. This is the most secure you can get. It prevents about 98% of cybersecurity issues. Sometimes it's called F2A. Catherine logged into her MacBook Pro using her password, but if it's a new model, she should consider enabling biometrics. Catherine should have a unique, strong password for each program, software or device that contains or has access to client information. She'll need to include special characters, some sign language, a limerick, a secret handshake, an eye of newt. I'm just kidding. She should include some combo of caps, numerals, and a special character or a punctuation mark. If she uses a thumb drive, Catherine should require a password to access information stored on it. And at the end of her sessions, Catherine should manually log off websites, networks, platforms, and devices. And yes, this includes turning off her computer completely.

   Using unique, strong passwords is good cyber hygiene. It might be inconvenient, but so is flossing teeth, and we all know how that turns out if we neglect it. Based on Catherine's situation, here are some basic tips for cyber hygiene regarding passwords and privacy: avoid public WiFi networks, even with a VPN; keep applications, software, and operating systems patched and up to date; use strong passwords or passphrases; and have a unique password for each login. Also, enable multifactor authentication when available. See the checklist in the course materials for more cyber hygiene tips on passwords and privacy.

   Let's take a look at the second hypothetical. This is Dante. Dante is an associate attorney for a medium-sized law firm in Portland, Maine, and he's been working from home on his personal laptop during the COVID-19 pandemic. Dante's firm recently started using a secure cloud-based client portal called Legal Owl. Dante's laptop's hard drive is not encrypted. The firm requires that attorneys and staff send and receive emails, save all documents and transmit all documents through Legal Owl. To prepare for a conference call in connection with a confidential upcoming M&A deal, Dante downloads the client file, including all the closing documents, from Legal Owl to his personal laptop for faster access and editing during the call. While waiting for the call to start, Dante checks his email through Legal Owl. Dante notices a new email about COVID-19 in his inbox. Dante reflexively clicks and reads the email.

   It says, to Dante Simpson from CDC-INFO: Emergency coronavirus infections peak in your city. There's an attachment, Newguidelines.pdf, distributed via CDC Health Alert Network, CDC HAN. Hello, the US Centers for Disease Control and Prevention, CDC, is monitoring a sharp increase in COVID-19 infections in your location. An updated list of new cases around your city and new guidelines regarding personal protection equipment are located here, a link. The new guidelines are incorporated in the attached tips for protecting yourself. The CDC strongly advises anyone in your city to go through the new protocols to avoid hazards. Sincerely, CDC-INFO, National Contact Center, National Center for Health Marketing, Center for Disease Control and Prevention.

   Dante's community has been particularly hard hit by the virus, but the city hasn't released official infection rates lately, so Dante is anxious for local updates about the pandemic. Dante hovers his finger over the link to read about the new local cases and protocols. Based on this, what are Dante's security vulnerabilities at this point? Let's start with Dante's email habits. Dante's indiscriminate clicking in email makes him vulnerable to a phishing attack. Phishing is the easiest way into law firms. These scams are effective. In fact, studies consistently show that about 20% of phishing emails get opened. Some phishing attacks are targeted and appear legitimate. This is called spear phishing. Spear phishing is the worst type of security threat for law firms. So much information about lawyers is known publicly or accessible and can be used to trick lawyers into believing the email is meant for them. The COVID-19 pandemic makes for especially effective socially engineered phishing attacks.

   Social engineering is a type of coding that leverages human vulnerabilities instead of technological weaknesses. One human vulnerability is our tendency to act quickly in cases of emergency or urgency. So social engineers often try to get the recipient to do something urgently. The sense of urgency clouds the recipient's ability to recognize that something is amiss. COVID-19 has us particularly vulnerable to these types of attacks because, while we're all eager for new local information about the pandemic, we've all been distracted and we are out of our comfort zones. And many of us have been working from home in more relaxed environments, which can be disorienting. This all has social engineers as eager to pounce as Boris and Natasha are to kill moose and squirrel.

   Was the COVID-19 email that Dante received a phishing email? Well, here are five questions we can ask to help determine this. Is the sender unknown, or is the email unexpected? The biggest warning sign for phishing emails is strange or unknown senders. Certainly, if the email address of the recipient doesn't match the purported organization, or if the email address is a bunch of letters or numbers, it's a red flag. In Dante's case, if he hadn't signed up for CDC updates, then receiving this one would be out of left field. That would be a red flag. However, keep in mind that phishing emails can also appear to come from familiar senders, but when you look a little bit closer, it can be a little bit off. In Dante's case, the email comes from CDC-INFO, [email protected], but upon closer inspection of the email address, it's clear that the email doesn't originate from cdc.gov; it originates from cdc-gov.org. That's a huge red flag.

   Sometimes, especially with COVID phishing scams, the email appears to come from the lawyer's own IT department and directs the user to a fraudulent login page. Imagine getting an email that said, dear all, important company policies regarding the COVID-19 virus have been uploaded. You can read them here. Many did receive that email. Some COVID-19 related emails appear to come from IT teams and may direct the user to a fraudulent login, so be on the lookout. And certainly if you're not expecting such an email, that email should be automatically suspect, even though the email may try to overcome that lack of expectation.

   Next question: are there impersonal, out of the ordinary or irrelevant references? Emails from strangers that are important to open often address us by name. Although some spear phishing scams place the recipient's surname in the email, many times there's nothing specifically tying the recipient to the email. Here, there's nothing specifically tying Dante to the message. The salutation merely states, hello, which is unusual. Other out of the ordinary salutations commonly seen in phishing emails are sir, madam, hi or no salutation at all. Also, when an email contains references to things that just don't apply to you, take it as a big warning sign.

   Next question: are there misspellings, typographical errors or improper domains? If there are any misspellings in the sender's email address or in the body of the email, this can be a warning sign. In Dante's case, in the email signature, the actual name for the agency should be US Centers for Disease Control and Prevention, not what appears, Center for Disease Control and Prevention. This is a subtle clue that we have ourselves a phishing email. Also, another question: is there an urgent plea for you to do something? Usually phishing emails ask you to do something: enter an email, call, text, send money, visit a website, download a link, and there's usually an urgency to this plea. In Dante's case, the plea for assistance was to visit a website and download an attachment. As an initial precaution, Dante could have taken a moment just to do a simple web search for cdc-gov.org, to confirm that it was a legitimate website and associated with the CDC.

   Next question: are there suspicious attachments or links? Be cautious about hyperlinks and attachments that you open from emails. They can direct you to fraudulent websites where they solicit sensitive information. Attachments should already be suspect, certainly if it's an unfamiliar file type or a file type that doesn't match up with what's stated in the email. In Dante's case, the attachment appears to be a PDF file, which should always be highly suspect. Links to websites, too, are highly suspect. Hover over the link to inspect the address, and watch out for insecure imitation domains like google.support, as well as web links that don't match the email address. To determine whether a website is legitimate, begin by checking for a secure website that starts with HTTPS; those often have a padlock symbol in the browser's address bar. When in doubt, check the company's main webpage and navigate to the login or input webpage that you need, rather than relying on a direct link from an email. You may also choose to call to confirm the site's authenticity, but look up the phone number instead of relying on any number listed in the email.

   So in light of these factors, it appears that Dante is about to click on a phishing email. In reality, I fashioned Dante's email from a real COVID phishing scam that continues to circulate. A phishing attack can be prevented through education, by slowing down and by undoing reflexive habits. For more resources on phishing, there's a link to a really excellent phishing quiz by Google in the course materials. Now, based on Dante's situation, there are some basic tips for cyber hygiene regarding email communication: slow down when checking email; be wary of emails from unknown senders, as well as unexpected emails; heed the warning signs of a phishing email; look for impersonal, out of the ordinary or irrelevant references, misspellings, typographical errors, and incorrect domain names, urgent pleas to act and suspicious attachments or links. Treat those attachments or links as evil until proven good, and delete all suspected phishing emails completely from your email server.

   So, well, what if Dante falls for it? Let's imagine that his eagerness to learn the new COVID-19 guidelines just gets the better of him and he downloads the attachment, newguidelines.pdf. Well, within moments, any and all files on Dante's computer, including all of the deal related documents he downloaded locally become encrypted and inaccessible. His data has also been exfiltrated. A message appeared on Dante's computer reading, if you see this page, you are lucky because we are giving you a chance to recover your data. We have listed your entity on our website among with others trying to hide our attacks from their constituents. To recover your files you must pay $3,000 in Bitcoin. To have files destroyed and prevent public release you must pay an additional $3,000 in Bitcoin.

   Dante panics. What happened? What should he do? Dante's firm has not yet adopted an incident response plan and Dante doesn't even know whether his firm's liability insurance covers this kind of incident, but let's assess the basic cause. Dante succumbed to a phishing email that installed ransomware on his computer. Ransomware attacks are an epidemic and a big threat to law firms and legal employers of all sizes. By some predictions, by 2021, ransomware will successfully attack a business every 11 seconds and the damages are predicted to be 57 times greater than they were in 2015. Ransomware doesn't just attack computers. We often think of ransomware attacking computers, but Dante's ransomware attack could have occurred on his iPhone. Ransomware also impacts mobile devices now, including iPhones. So Dante's lucky that he didn't click that email link on his phone. He hasn't been encrypting all those selfies.

   According to the Federal Trade Commission, ransomware typically gains access through phishing emails, which account for the majority of ransomware attacks (this is how Dante fell victim); through infected websites, which automatically download malware; through servers with vulnerabilities that hackers can exploit; and through online ads that contain malicious links. So let's assess the incident here. Dante didn't lose the data completely; it's compromised. It appears that Dante's firm has instituted a means of saving and backing up data in a secure platform, Legal Owl, that's not connected to the same network or operating off the hard drives of its lawyers' computers. Of course, Dante has been working from a computer that lacks encryption, but at least the firm appears to adhere to the basic prevention protocol: multiple secure and physically separate copies of all servers, applications and data. But Dante's act of downloading the client files to his hard drive violates a general cybersecurity rule: store less, delete more.

   To prevent theft of data, one should remove unnecessary data, including temporary internet files and cookies and remove all the confidential data itself. Give it to a third party. If Dante's data lives on Legal Owl, it should remain on Legal Owl and not his computer. So what looks like Dante's client related documents are securely stored on the Legal Owl cloud and loss of the locally saved copies doesn't mean they're entirely gone, but this doesn't mean Dante is out of the weeds. In thinking about the security of information, consider the who, what, when and where of that information. Who is storing and accessing the data? What is currently protecting it? When do data backups occur and where is the data stored? All lawyers should be able to answer these questions. And if Dante had considered these, well, he might have realized that the local files were vulnerable and deleted them.

   Are there ethical duties that Dante and his firm have here? Absolutely. Dante has a duty to notify his firm, and he and his firm will have a duty to reasonably respond to breaches, such as by following an incident response plan. Under Rule 1.1, lawyers have an obligation to monitor for data breaches as well as to stop breaches and restore their systems to serve their clients. In ABA Formal Opinion 483, pertaining to data breaches and released in October of 2018, the ABA specifies what a reasonable response to a security incident would be. They write, as a matter of preparation and best practices, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach. Further, the opinion states that the decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach. The ABA notes that their recommendations should be tailored to the attorney's particular needs and circumstances.

   So the purpose of an incident response plan is to institutionalize a process that will allow the lawyer or firm to respond in a coordinated way to a security incident, including cyber threats. In Dante's case, Dante's firm lacks an incident response plan, which is likely unreasonable given today's cyber landscape. Dante's firm should develop a plan that evaluates potential network threats or intrusions, assesses their nature and scope, determines if the data or information may have been accessed or compromised, quarantines the threat or malware, prevents any exfiltration of information from the firm, erases the malware and restores the integrity of the firm's network. To act competently, Dante should immediately notify his firm, and Dante and the firm should make all reasonable efforts to restore his computer's operation to continue to serve clients in a safe and secure way. Dante and his firm also have a legal and ethical duty to notify all potentially impacted clients.

   Under Model Rule 1.4(a)(3), an attorney must keep the client reasonably informed about the status of a matter. And 1.4(b) states, a lawyer shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation. According to Opinion 483, this rule creates a duty for a lawyer to communicate with current clients about a data breach. Also, Ethics Opinion 95-398 declares that when the unauthorized release of confidential information could reasonably be viewed as a significant factor in a representation, for example, where it is likely to affect the position of the client or the outcome of the client's legal matter, disclosure of the breach would be required under Rule 1.4(b). In Dante's case, Dante and his firm are representing a party in connection with a confidential upcoming M&A deal. The exfiltrated data includes the client's entire deal file, all closing documents. Per the ABA guidance, disclosure is required if material client information was actually or reasonably suspected to have been accessed. The exfiltration of Dante's client's confidential information is a scenario that has the reasonable possibility of negatively impacting the client, even killing the deal or much worse.

   So Dante and his firm would have an ethical duty to notify their client of the breach as part of their duty to keep the client informed. It would be unethical of them to hide the breach from their client, as so many firms apparently do. Also, since Dante's client file likely would've contained confidential personal information, Dante and his firm would need to consider duties under federal and state laws. A number of federal and state agencies have confidentiality and breach notification requirements, and all 50 states, the District of Columbia and territories have statutes involving breach notification. These statutes require entities to notify people of any breaches that result in loss or disclosure of private personally identifiable information. In the course materials we've included the text of Maine's statute as an example of statutory notification duties.

   What about Dante's response to the ransom demand? As a general matter, as one expert noted, the response to a ransomware incident is to have a robust and tested backup system, so you can shut off the infected system and get the company back up and running on the backup as if it was never infected. In Dante's case, in a traditional ransomware attack, Dante might be tempted to tell the hackers to eat my dust and refuse to pay the ransom, because Dante had at least one backup of the client's information on the Legal Owl cloud based server. In traditional ransomware attacks, malware does not exfiltrate data. It merely encrypts it, and a ransom is demanded in Bitcoin to receive a decryption key, but this seems slightly different. It appears we can rule out the so-called Miley Virus; computers infected with that virus stop twerking altogether. Okay.

   No, here, the ransomware's message was, if you see this page, you're lucky because we are giving you a chance to recover your data. We have listed your entity on the website and to recover your files you must pay 3,000 in Bitcoin. To have your files destroyed to prevent public release you must pay $3,000 in Bitcoin. Dante seems to have been attacked by malware that is trying to prevent him from blowing it off. In fact, Dante appears to have been attacked by a specific new generation ransomware called Maze or one similar to Maze. With Maze, a user's data isn't merely encrypted; it's exfiltrated, it's stolen first. Traditional cyber ransoms are often discreetly paid without public knowledge, but Maze is much more brazen. With Maze, victims are listed publicly on the hackers' website to let the world know that they've been attacked. Hackers then demand two ransoms: one ransom to get the data back and another to have it destroyed before it's possibly released publicly.

   The Maze ransomware has become a major problem for law firms recently. At least five law firms have been attacked and at least one of those firms has paid the ransom to be deleted from Maze's website wall of shame. The hackers behind Maze appear to be leveraging the devastation that can result from public release of confidential client data. Now there's no clear guidance about whether to pay ransoms. Whether to pay a ransom is a complex legal and ethical question and Dante and his firm should seek legal advice before making a decision. There don't appear to be any US laws directly outlawing the paying of a fee to decrypt data, but as part of its efforts to combat global terrorism, the US seeks to prevent terrorists from accessing or using our financial system. Hackers and other fraudulent actors could be considered terrorists, so payments via ransomware may be considered violations of banking laws and policies, as well as related laws and policies. Federal regulators have issued conflicting opinions on whether to pay a ransom. So there's no definitive guidance from the federal government.

   The FTC states that law enforcement doesn't recommend paying a ransom, noting that it's up to you to determine whether the risks and costs of paying are worth the possibility of getting your files back. The FBI advises against paying ransoms and recommends filing an FBI complaint first. In a 2019 podcast, two FBI agents stated: instead of paying the ransom, contact your local FBI field office and report it to ic3.gov as soon as possible. When we get a ransomware complaint, we'll respond to that. We will contact the victim company and work with them to determine what the best course of action is going to be. But there are also reports that the FBI typically advises those people, just pay the ransom. Also, paying a ransom in Bitcoin has practical implications. It requires creating a Bitcoin wallet and purchasing on a Bitcoin exchange, which are notorious for hacking. Bitcoin is also considered property, not currency, so its use to pay a ransom is a taxable event.

   So whether to pay a ransom should be a decision made in conjunction with competent legal counsel, the professional liability insurer if there's coverage for this type of attack, possibly a security consultant versed in ransomware, government regulators and law enforcement, and the client whose data is the object of the ransom. So, sorry, Dante. There's no clear cut answer on whether to pay the ransom, but there are some clear cut things that he and his firm can do to prevent this sort of thing from occurring again. Based on Dante's situation, here are some basic tips for him and his firm about cyber hygiene: develop a response plan to be followed in the event of a security incident, maintain cybersecurity insurance that covers social engineering, consider disclosing cybersecurity protocols and concerns in a client retainer letter, conduct diligence on third party vendors to confirm their security practices, keep backups encrypted and offline, and be an informed, conscientious device user. Dante should continuously educate himself about cybersecurity awareness.

   We've created a great cyber hygiene checklist for you in the course materials that summarizes all of today's cyber hygiene tips. Social engineers are increasingly savvy, and Dante really needs to be mindful about what he downloads and clicks. In this digital age, invisible threats lurk in every dark alleyway of the internet. Threats come in by email, through apps, via lost or stolen devices, smartphones, or tablets, poor passwords, public WiFi, poor data disposal habits, cloud storage with poor security and just simple human error. The buck really stops with the individual technology user. It's ultimately the responsibility of each person and each entity, and more specifically each person in that entity, to take reasonable steps to protect themselves and to take daily cyber security precautions.

   The biggest security vulnerability of all is people with poor cyber hygiene. These people are the target of cyber adversaries who use tactics and methods like phishing, social engineering, and malware to exploit bad, uninformed habits. Knowledge, awareness, and daily cyber hygiene practices are necessary to prevent cyber crime and fraud, to preserve confidential information and to ethically serve clients.

   Thank you for joining us for this introduction to cybersecurity by Quimbee. To learn more about the content of today's presentation, please check out the accompanying course materials, which include today's slides, presenter notes, and that cyber hygiene checklist. We thank you for joining Quimbee for your CLE needs, and we hope you'll join us again soon. Thanks.

On demand
1h 0m 06s