Trust is the pivotal building block of the attorney-client relationship. This critical relationship requires the exchange and divulgence of confidential or privileged information— from trade secrets and IP to strategy and high-value financial and personal documents. Unless this confidentiality is truly protected by effective security measures, clients cannot trust their lawyers, and lawyers cannot credibly represent clients’ interests.
Cyber attacks, often performed deliberately and quietly within a closed and seemingly protected network, present the latest and most disruptive threat to the integrity of sensitive client information. In its Annual Security Report, Cisco Systems ranks legal enterprises as the seventh-highest sector vulnerable to attacks by cyber criminals.
Law firms are a prime target because the Information they control and retain is commercially sensitive and most communication is primarily conducted via email. That includes sending and receiving privileged documents and communications from our clients. Email systems are notoriously difficult, if not impossible to protect, often leaving information unencrypted and vulnerable to various types of attacks.
Threat Prominence
At least 80% of the 100 highest revenue-earning law firms have suffered a data breach since 2011, with the number of attacks only increasing. Attorneys who handle large government contracts, support global tech corporations, or assist with mergers and acquisitions are amongst the most popular targets. The reason — the amount of high-level value data stored and transferred, and the tendency among law firms to place less focus on IT security.
That isn’t to say that smaller law firms aren’t appealing targets for criminal hackers. All practices store and transmit sensitive client data, including financial information and health histories — the latter constituting the most valuable data on the black market. Cyber criminals are also attracted by data containing corporate trade secrets that may be produced in e-discovery, yet otherwise obscured from public view by protective orders. The current BYOD workplace culture only further amplifies a massive threat to the already porous security of law firms’ communication. When the loss or theft of an employee’s device threatens high stake communications, the credibility of a law form may be at stake as a result of failing to protect client information.
Top Risks
As experts note, ransomware has become an increasingly prominent attack leveled at legal practices. It is a method of digital extortion, by which malware encrypts a target’s systems to render them unreadable. Cyber criminals then demand a ransom in exchange for the decryption key. According to Mikko Hypponen, a prominent security expert, a single version of ransomware — CryptoWall — has extorted payoffs of over $300 million.
A staggering 91% of targeted attacks across industries involve another threat vector — spear phishing, with about 20% of recipients succumbing to the traps included in the deceptive emails. Victims typically don’t discover that their network security has been compromised until about 205 days after a breach has occurred. And just like one hole can sink a very large ship — a single user’s mistake can enable powerful and persistent attacks on an entire firm’s network and database.
Managing Risks
The dangers to client data confidentiality are evolving. Cyber criminals seek to exploit the attorney-client relationship and the valuable information it protects. Where clients’ cyber security measures are strong, but their attorneys lack appropriate security architecture, cyber-criminals strike. In a perverse twist, criminal attacks may render the attorney not the guardian of client trust, but the key to breaking it.
While the underlying duty of attorneys to protect client confidentiality remains unchanged, what it takes to meet this duty is evolving at a staggering pace. As a profession, we must adapt by evaluating our data security strategies and gradually implementing and improving cyber safeguards for clients’ sensitive data and communications.
The ABA and many state bar associations require competency in technology, and the focus of late has been on shoring up the very cornerstone of how most clients seek legal advice — protecting written communications. The easiest path to doing so per ABA recommendations is through a tool developed a while back — encryption. Strong modern encryption that offers granular control over who has access to high-target information and how long it must be retained is the first line of defense for law firms. Thankfully, today’s encryption protocols are no longer cumbersome as they used to be or prohibitively expensive.
To learn more about Wickr’s encrypted business communications platform that provides confidence that attorney-client conversations remain private and secure, reach out to our risk management experts at business@wickr.com