Pop-ups from hell: the compromise of client confidentiality in the age of cyber attacks

As an intense malware virus has continued to wreak havoc on computer systems internationally, concerns have been raised as to the protection of client files within various organizations.

One week after the cyber attack that infected over 45,000 computer systems around the world, cyber security experts are still working to contain the damage. Those affected by the unprecedented and widespread attack include the United Kingdom’s hospital network, Germany’s railway system, Spain’s telecommunications operator Telefonica, Russia’s Interior Ministry, and the U.S.’s own FedEx Corp. In addition, scores of businesses and large corporations have also been compromised at the literal hands of hackers clicking away in their anonymous locations.

The malware responsible for the attacks, known as “WannaCry,” is a type of ransomware designed to infiltrate computer systems and hold data files hostage in exchange for payment. As with all ransomware viruses, users are locked out of their networking system until they cooperate with some specific demand, typically the payment of money. Victims of WannaCry receive a pop-up window notifying them that their data files are now encrypted and that $300 in bitcoins is demanded for access. The message also informs victims that they have three days to make the payment before the price is doubled, and the window includes a countdown clock threatening to permanently delete the files after seven days without payment. According to a BBC analysis published last week, just under $70,000 has been paid to release locked data files so far.

Despite the diverse and indiscriminate victims of WannaCry, law firms have been fortunate not to be a target of the ransomware. Nonetheless, this attack and other significant attacks occurring last year should have firms on edge. The risks at stake for law firms are enormous due to the type of electronic material they store. For example, it is not unusual for a typical law firm to hold confidential documents about a corporate client’s finances and business deals, valuable information relating to intellectual property and trade secrets, as well as thousands of emails revealing the private details of clients’ personal and professional lives. Such information is an attractive target for hackers looking to gain an edge in the stock market or to use it as collateral for a substantial ransom.

The particularized risks that cyber attacks pose to law firms are perhaps best demonstrated by the highly publicized data breach that occurred in April 2016. Due to an outdated system and lack of security, Panama-based law firm Mossack Fonseca fell victim to a massive cyber attack that resulted in the leak of millions of internal documents onto the internet, now known as the Panama Papers. The breach exposed secretive information regarding the financial dealings of several world leaders, including that of Russian President Vladimir Putin, who was discovered depositing money into offshore accounts.

Another incident occurring last year represents the impact of cyber attacks on insider trading. While a law firm specializing in mergers once had to worry about one of its own employees stealing valuable information to sell, now there is a realized fear of hackers doing the same. In December 2016, federal prosecutors in Manhattan charged three Chinese citizens with successfully hacking into two New York firms and targeting at least five more in an attempt to obtain information about future corporate dealings. By stealing the emails of partners working on mergers, the three men were able to purchase shares in target companies and then sell them after the mergers were announced, gaining a profit of more than $4 million.

Using stolen employee credentials, the three men installed malware on the law firms’ web servers, which gave them access to the various networks on at least 100,000 occasions. According to an article by the New York Times, the hackers were able to benefit from several prominent deals including the sale of an American drug maker, Intermune, to Switzerland’s healthcare company, Roche, and the acquisition of Altera by Intel. Fortunately for these New York firms, which remain unidentified, this was one of the rare instances where the culprits were actually identified. For the majority of cyber attack victims, however, their hackers remain at large and always lurking.

“Big-Law” firms are not the only ones that should be wary of potential data breaches; small law firms are just as prone to cyber attacks as their larger counterparts. In May 2016, the 10-attorney firm Moses Afonso Ryan Ltd. of Providence, Rhode Island, was held captive by a ransomware virus for three months, causing nearly $700,000 in lost billing. Although the hacked information was never lost, it remained encrypted until the $25,000 ransom was paid. After being denied recovery for the $700,000 due to a $20,000 cap in its insurance policy for computer-virus-related damages, Moses Afonso Ryan filed suit against its insurer, Sentinel Insurance Co. Ltd., for breach of contract and bad faith. The case, filed April 21, 2017, remains pending.

As cyber attacks continue to proliferate, law firm executives are beginning to place cyber security risks at the forefront of business matters. Save the few small firms seemingly unable to step outside the realms of antiquity, digitalization has more or less come to dominate all aspects of a law firm’s operations. Without access to their databases and networks, firms like that of Moses Afonso Ryan are forced to remain unproductive while costs to clients and employees steadily climb. In addition, many law firms mistakenly believe that cyber security liability is already covered by legal professional liability or indemnity insurance. As the Providence law firm case illustrates, however, certain gray areas within these general policies can likely leave a victim of digital espionage less than fully recovered.

In the wake of the 2016 cyber attacks, more law firm executives are counting on insurance companies to provide better coverage in the event of a cyber take-over. One response to the call came earlier this year when the American Bar Association announced that it would be expanding its insurance program to include cybersecurity coverage, which consists of an array of digitally-centered protections for firms with a minimum revenue base of $250,000. For example, one clause relating to extortion expenses explicitly includes Bitcoin, and its coverage is applicable anywhere in the world. Thus, if a law firm with this insurance policy has been hacked by WannaCry, it would be able to recover the money spent decrypting hacked files as demanded by the insidious pop-up window.

In order to exist and be successful, law firms must establish a foundation of trust with their clients because the essence of the attorney-client relationship revolves around the notion of confidentiality. Moreover, a lawyer’s duty to protect his or her client’s confidential information is imposed by the Professional Rules of Conduct and federal and state law. In the current volatile climate of data breaches and cyber attacks, the need for law firms to be proactive and take the appropriate steps to prevent and mitigate such possibilities, or rather, probabilities, becomes requisite. By not doing so, a firm runs the risk of an attack and the consequent loss of confidence from its current and potential clients.

The most recent ransomware virus, WannaCry, proves not only that pop-ups are still among the most hated technological creations, but also that there is a great need to amp up cyber security measures across the board. While they may have managed to escape the damage this time, the past year attests to the fact that law firms are prime targets for hackers. As data breaches continue to occur, law firms will have to address their security concerns and mitigation techniques, whether it be through acquiring better insurance or keeping their networks under tougher guard.

Katie King
Katie King is a third year law student and serves as Managing Editor for the Campbell Law Observer. Originally from Calabash, NC, Katie went to NC State University where she received a Bachelor of Arts in History. During her second year, Katie worked in real estate at Brady Law Firm located in Raleigh, as well as in the Chambers of The Honorable Judge John M. Tyson at the NC Court of Appeals. Her legal interests include corporate law, real property, and estate planning.