Hackers are increasingly targeting lawyers’ computers
By Gary Blankenship
Law firms of all sizes are magnets for computer hackers simply because of the nature of what lawyers do.
“Law firms are attractive because they have personal and sensitive and valuable information from personal and corporate clients,” said Adriana Linares, the Bar’s technology consultant. “The best thing you can do to prevent spyware and hackers is go through training with employees and teach them how to identify these potential risks.”
Linares was addressing the Bar Board of Governors at its March meeting at the behest of board member John Stewart, who chairs the board’s Technology Committee.
“We’ve identified this as probably the biggest issue facing our constituents, our Florida lawyers, and that is data privacy, client confidentiality, and maintaining the same,” Stewart said. “There are a lot of reports out there that there are targets, and the targets are our constituents. They’re small firms; they are not just large firms that are the targets of cybersecurity threats.”
Linares said an ABA study found that 15 percent of all law firms have experienced a security breach of their computer systems, a number she said is likely low because firms are reluctant to admit when there has been a breach. Almost half have had problems with viruses, spyware, or malware affecting their computer operations.
Tech people have a saying, Linares added, that there are two types of firms: Those who have been hacked and those who don’t know they’ve been breached.
There is actually an online market where hackers can sell illegally obtained information. Even small-town attorneys who think they have nothing of value in their client information will be surprised to learn there is a market for data that can be gleaned from their files.
Also, the Florida Information Protection Act, passed in 2014, requires reporting security breaches, both to the Florida attorney general and to clients if more than 500 Florida residents are affected, and there are penalties for failing to report.
“When you send this notice to the AG’s office, you have to include what happened, how many individuals were affected. Oh, by the way, if you also have information about residents in one of the other 46 states with breach notification laws, you have to tell them, too,” Linares said. “If you are a multistate firm, or you have clients in other states, you also have to comply with their breach notification laws.
“You also have to tell the [Florida] AG’s office what you are going to do to make this situation better. Are you offering everyone credit protection, fraud protection? You have to do that, and that’s one of the reasons this can become so expensive….You also have to fix the situation, you have to tell…the steps you are taking to rectify the breach.”
Linares recommended that firms establish a breach response program.
The information protection act reporting provision does not apply if the stolen data was encrypted or otherwise made secure and anonymous.
“Encryption still works, they [hackers] can’t crack it,” Linares said. “Everything should be encrypted, including thumb drives.”
Where are other threats? It’s almost impossible to count. Linares provided a list to board members, noting threats can come in emails; from social programs; lost or stolen laptops, cell phones, or other devices; weak passwords; poor disposal of data; discarded photocopiers that retain information; lost flash drives; from third-party providers such as cloud storage companies with poor security; hacked cloud-based software used by law firms; inadvertently revealed information as part of e-discovery; and simple human error. The head of one law firm backed up information from the firm’s computer system every day and took it home with him on a hard drive — only to have his home burgled and the unencrypted hard drive stolen.
A growing problem is malicious software that comes disguised as a link in an email. When an unwary user clicks the link, the software takes over the computer and blocks access to all documents, Linares said. A ransom is demanded — frequently to be paid in bitcoins — from the hacker to unlock the files. However, increasingly, the hackers take the money and leave the files locked up. The only solution is to have backups for the data.
Some protections are basic and low-tech, Linares said.
For instance, can visitors to your law office see confidential information on the receptionist’s computer screen or on screens if they walk through the law office? If you use a smartphone, tablet, or laptop for legal work, is it password protected in case it is lost or stolen? Is the information on those devices encrypted? Is the password itself sufficiently secured or could it be guessed easily? Are passwords frequently changed and different for various programs and functions? Linares said there are programs to help manage and change necessary multiple passwords.
Lawyers should also get rid of any information they don’t need — Linares said having to provide post-hack protection to someone who had not been a client for 10 years, yet whose information was still retained, would be both expensive and unnecessary.
She again emphasized that all information on computers should be encrypted, including when the information is backed up and transported, either electronically or physically. Employees should be trained to recognize questionable email that might contain malicious spyware or ransomware, she said.
Firm digital devices should have antivirus software, security against spyware, a popup blocker, regular backups to protect data, and a utility program to remove unwanted data, including temporary internet files and cookies from various websites, Linares said. Make sure there are policies protecting information when employees are terminated.
She told of one firm that let a legal secretary go and closed her personal access to the firm’s computers. But when her replacement failed to show up for work, the firm discovered the terminated secretary, knowing her boss’ password, had sent the new employee an email in the boss’ name saying the firm had decided not to hire her.
She also said computer users should be careful about using free Wi-Fi services offered at many businesses and restaurants. It’s easy for someone to attach a device to those systems that captures all data coming through that Wi-Fi system.
Stewart said the Technology Committee wants to help Bar members avoid the pitfalls of the rapidly changing technology world and protect their clients.
“The first goal is awareness,” he said. “Lawyers know it is their obligation to keep client confidences and often do not realize that the way they use technology to communicate with clients and others, as well as the way they maintain confidential information, often puts client confidences at risk.
“Once we raise the awareness of lawyers…concerning data privacy and confidentiality, the second goal will be to provide simple, easy-to-follow instructions on how best to keep client confidences and maintain data privacy in this digital age. The final step will be to provide more in-depth CLE programming for Florida lawyers on these issues.”
Additional information and resources on cybersecurity and securing client data is available via the Practice Resource Institute www.pri.floridabar.org.