So your firm is secure you say.
Law firms have been identified by hackers as a great source of information that might be more difficult to access elsewhere. Lawyers keep sensitive client information that can be of value to not just criminals but to other nations as well. Earlier this year, underground Russian website DarkMoney.cc offered to sell phishing services identifying law firms as potential targets. Then the FBI’s cyber division warned that law firms have become specific targets for financially motivated hackers seeking sensitive information as a form of insider trading.
Using the weapons of the 21st century, these unseen criminals might be searching for clients’ plans to expand into new markets, potential overseas acquisitions, sensitive customer intellectual property and information related to their work on human rights campaigns. “It’s all about the data. Law firms have sensitive information about their customers and their clients and there are people out there after that data,” says Scott Algeier, executive director of the U.S. Information Technology – Information Sharing and Analysis Center.
Penetration of the Mossack Fonseca law firm earlier this year, resulting in the worldwide release of what has become known as the Panama Papers, has had an unprecedented impact upon its vast client list. The revelation, which involved records on 11.5 million offshore holdings and led to the resignation of the prime minister of Iceland, put scrutiny on several world leaders and more recently resulted in Denmark announcing it will buy some of the leaked data in hopes of getting information on 600 people who might have evaded tax in Denmark. And now the future of the firm itself is in doubt as it is subject to police raids, and many of the firm’s offices worldwide have been shuttered.
During the 2011 takeover bid of Potash Corp. of Saskatchewan, hackers using computers in China launched an attack on Canadian government computers and reportedly also cracked the systems of several Bay Street law firms to gain information on the $38-billion takeover, which ultimately failed.
Daniel Tobok, whose firm was hired by some of those law firms, describes it as a sophisticated attack using a type of malware not seen before.
“This is a global phenomenon, not a Canadian phenomenon. When you breach a corporation, you breach X amount of information. When you breach a law firm . . . you have access to thousands and thousands of other corporations,” says Tobok, CEO of Cytelligence, formerly of Digital Wyzdom. “That’s why it’s extremely attractive to attack law firms and accounting firms. Because they harbour lots of information about other companies.”
Of the 20 investigations his firm conducts monthly, Tobok figures about 10 per cent of them are law firms.
But often, say those who work in the field, the firms have no knowledge that they’ve been accessed.
Recent revelations that Yahoo’s email system had been hacked took two years for the company to realize it had occurred. The hack had been reported by those surfing the darknet where the information retrieved through the hack had been posted for sale.
Foreign countries, unlimited resources
Foreign companies, often equipped with unlimited resources, are behind many of the attacks on systems, observes Algeier. The traditional craft of government spying has evolved into digital spying. “There’s a clear trend where governments are interested in private corporate networks.”
For firms that are hacked, there is a further problem, particularly if they’re trying to protect their reputation by keeping it secret, adds Tobok, the cyber sleuth. The first issue is that many are not prepared if something happens, and once hacked, there’s potential for further harm. “The problem is you’re now put on a dummy [sucker] list,” he says. “We have seen some very high activity, up to 46 per cent, on the dark web . . . where activity of lists of people . . . are being sold to different organizations.
“We see Canadian law firms on the dark web in the investigations that we do . . . Nobody’s immune to this.”
Among the differences between law firms and other professions is how they are regulated. Lawyers and not firms are regulated. So while there is an obligation to report any breaches to clients, there is no central location to which law firms must report and no real clear indication of the breadth of the problem.
New privacy legislation is in the works, which compels businesses to report when there is a real risk of significant harm, although it applies to information pertaining to individuals and not corporations.
“The lack of reporting on it I think relates to the fact that if there’s a breach in Canada and 100 clients are notified, clients won’t tell, nor will firms,” says David Fraser, an Internet and privacy lawyer with McInnes Cooper in Halifax. He does expect to see lawsuits in the near future for firms not taking adequate care, but again, there will be a great incentive for them to settle to keep any breaches under wraps and steer clear of risk to reputational harm.
Canada’s banking sector is seen as being more on top of breaches. The Financial Services Information Sharing and Analysis Center has launched a section specifically for law firms. The premise is that if breaches are reported to this central clearing house, experts can analyze the breaches and strengthen their security and defensive approaches. The International Legal Technology Association is a Texas-based non-profit that shares information on the broader approach to technology as it relates to law firms.
Mark Sangster is the legal industry cybersecurity strategist for Cambridge, Ont.-based eSentire Inc., which manages detection and response in the mid-market. Law firms, he says, are seen as the back door of the industry. But there are other motivations than just information, he says.
He has seen ransomware paralyze information for a specific firm preventing them from conducting business. The motivation was not money but likely tied to a specific file. “It’s a nasty version of painting graffiti on the wall of an organization you don’t like. People do this all the time.
“The technology that’s available now, you have very complex cyber-weaponry.” It’s readily available on the darknet, with instructions or one can pay someone in another jurisdiction.
Personal emails of CIA officials have also been hacked, leading to the suggestion that less mighty organizations are perhaps more vulnerable, says Vancouver-based Boughton Law’s information technology manager Rob Walls. “I would say that at least half the law firms get poked by things every once in a while, possibly more. Some of them may not be aware that they are being hit by things.” But, he adds: “You can do a lot to make sure you’re not as juicy a target.
“It’s challenging because if IT gets too intrusive in the way people want to do things, they stop relying on IT and start doing their own thing. It’s a balancing act.”
The general belief is the bigger the firm, the more protections they have in place, meaning smaller firms are more vulnerable.
Walls, who also serves as the British Columbia Legal Management Association technology subsection co-chairman and the International Legal Technology Association’s member liaison for the Vancouver area, suggests firms approach their security plan from the perspective that, eventually, they are going to be compromised. Should the firm be held by ransomware and can’t access their systems, a robust recovery system can help get them back up and running in a few hours.
A layered defence system is seen as the best approach, so the firm has a variety of protection procedures and tools in place. Security organizations point out if different areas are protected by different tools, compromise of one won’t necessarily mean another section will be penetrated by hackers. The key, though, is testing the security measures that are in place to ensure they are robust. Many firms prefer to hire outside agencies to run regular tests.
McCarthy Tétrault, for instance, requires multi-factor authorization for any remote access, points out George Takach, whose legal practice focuses exclusively on technology-related law. In addition to having a plan to deal with any breaches, he suggests putting a team in place that is equipped to respond immediately, push out the hackers, understand the scope of the breach and deal with notifications.
“I think it’s just going to be, unfortunately, a cost of doing business,” he says. “I see the same trend in physical security … It’s a sign of the times that we live in.”
Those who work in the industry also say firms need to draw the distinction between those who work on the firm’s information technology systems and security because they are separate disciplines. IT staff might manage the firm’s security, but they don’t necessarily have the expertise to put it into place.
• Stay current on available tools;
• Have a recovery system in place in
case of penetration;
• Have data loss protection points
focusing on the end points;
• Keep separate controls on every
individual using the system;
• Use encryption;
• Train staff on secure use of systems
and be wary of the latest phishing email schemes;
• Keep testing.