Your Money or Your Data

Shaun Jamison[1]

Trends in other industries make it clear that lawyers must prepare for ransomware attacks. Here’s how to get started.

Earlier this year, ransomware cyber attacks at Hollywood Presbyterian Medical Center in Los Angeles, California and MedStar Health, based in Columbia, Maryland, made headlines and alarmed health providers and patients. The ransomware attacks, which involve a virus that is designed to hold data hostage until the victim pays for a “key” to regain access to their data, should also serve as a warning to lawyers.

Indeed, in a recent ransomware case involving the Brown Law Firm in Jacksonville, Florida, the firm was not able to access its client data.[2] Instead, the firm received a message stating that their data was not accessible and it would be destroyed unless the firm paid the equivalent of $2,500 in Bitcoins to the hackers behind the attack. Although the firm hired an information technology (IT) professional, it ultimately decided to pay the ransom on the advice of that IT contractor; the risk of losing the data by attempting to circumvent the ransomware was too great. Such attacks are often successful because the hackers behind the assault ask for a relatively small amount, knowing they can spread fees over many victims. This attack strategy also makes it an easier choice for the lawyer to pay.

What is Ransomware?

Ransomware is a malicious computer program (also known as malware) that is introduced into a computer system like a virus and allows the attacker to block access to the victim’s computer data and demand payment for restoring the data. Typically, there is a time element to the ransom demand: The owners of the data are threatened with its destruction if the ransom is not paid within a predefined number of hours. If you do not represent likely targets of ransomware, does this affect you as an attorney? Yes, because your law firm or corporate legal department is a target.

What is the Risk?

Lawyers, just like health and finance professionals, maintain confidential and sensitive information which they are obligated to protect and need to access to serve their clients. Lawyers can be locked out of data, and the data may be sold or made public.

Should I Pay?

This is the big question, and one without a great answer. If you pay, you are likely to get your data back. However, you will be a more likely target in the future and you will unwillingly be funding attacks on other lawyers. Further, there is no guarantee the hackers will honor the agreement.[3] Prevention is ideal, but if you are the victim of an attack, you will have to evaluate whether you can both restore data and protect against its release without paying the hacker. Ironically, sometimes even the police are left with no better option than paying the ransom.[4] The FBI has sent mixed signals on whether to pay or not, most recently advising against it.[5] Consulting with an IT professional and law enforcement will help you with the decision-making process.

Preventing Ransomware Attacks

While there is no means of attainng perfect assurance against a ransomware attack, the following precautions can help to mitigate risk and to diminish the impact of a breach on your practice.

Good backup: If you have a backup, you can restore the data to the point of last back up. But you still have a confidentiality issue[6] and the requirement to safeguard client property.[7] You will be obligated to report client data was compromised.

Good firewall: A firewall is the watch guard of the firm’s network. Think of the firewall as a security bubble. If you turn it on high, you can shut down virtually all communications, but users will complain that system is unusable. If you turn it down too much, you will be open to attack. So you have to find the right balance.

Training: Make sure you and your staff are trained to avoid infecting your network with ransomware. End users can enable breaches by downloading a suspicious attachment or clicking on an unknown link. Hackers use “human engineering” to trick you into clicking on attachments. If you receive a communication that normally would not come by email, do not open the attachment. Call the sender to confirm. Working from home on an unsecured computer can also compromise the network. Network security is only as good as the weakest link. Any device connected to the network needs to be inspected. Educate your staff on how to avoid risks. Use strong passwords and keep them secure. Keep your antivirus software current, but don’t assume it is protecting you.

Encrypt your data: This may not prevent an attack, but it will mean an attacker cannot release your clients’ confidential data without great effort.

Install an ad blocker: Some ransomware can be delivered via pop-up advertisements.

Hire an expert: Lawyers know what happens when their clients go DIY (do-it-yourself) on complex legal work. Likewise, you should considering hiring an IT professional to evaluate your network’s security rather than relying on your own knowledge of cyber security.

Use work computers only for work: Have a computer not connected to your law office network for surfing the Internet, or consult your IT professional for other ideas to isolate and protect sensitive areas of your network.[8]

Screen and monitor employees: As noted above, an employee might accidentally open a suspicious attachment or click or an inappropriate link, but in addition some employees might sell your password. According to a recent survey, 56 percent of employees would sell passwords for $1,000 or less.[9]

Review your insurance coverage: Do not assume you have coverage for cyber attacks. Check with your carrier.[10]

Dealing With Ransomware Attacks

If, despite your best efforts, you become the victim of a ransomware attack, there are several things you will need to do.

IT: Call for IT help, whether internal or an external consultant. Do not undertake any measures on your own unless you are a cyber security expert.

Insurance: Call your insurance carrier. They may be able to help you unwind the problem. And in any case, you may have a notification requirement to secure coverage for an event.

Law enforcement: Call law enforcement.

Work your plan: If you are part of an organization, contact those individuals internally who are identified in your plan, such as partners.

Assess the situation: Can you fix it with a backup? Was data actually accessed? Is paying a ransom advisable?

Determine notification requirements: Once the attack has been resolved and you are up and running, determine notification requirements. You will want to review the ethics rules as well as any state law requiring notification of a breach. Further, if you have any health data, you may have notification requirements under HIPAA.[11] Failing to disclose, even if you are not required to, may have negative consequences from a trust and public relations standpoint. Weigh your options carefully.

Reassess: Once you are up and running and the system is all clear, take some time to figure out what went wrong and how you can avoid problems in the future.

Ransomware attacks on lawyers are likely to increase. When the Hollywood and Medstar medical data attacks happened, it seemed like the beginning of a trend. Turns out a recent survey shows that half of the hospitals participating in the research had been subjected to ransomware attacks.[12] So the two publicized episodes were public confirmation of a trend, not the possible beginning of one. It may well be the same in the legal industry. Once hackers see success with victims motivated to recover and protect their clients’ data, they will continue the attacks as long as it remains profitable. This summer, we learned hackers are targeting lawyers using phony ethics complaints to trick them into downloading an attachment infected with ransomware.[13]

Staying up to date is part of your defense. The ABA’s Cyber Security Legal Taskforce is a good source of information.[14] The Better Business Bureau and the FTC have scam alerts. ABA members can also sign up to receive FBI Cybersecurity Alerts.[15] You should document your cyber security policy and use it to train your employees and have as a reference in case of attack. Your will want to have it in paper form in case you cannot access your computers. Your policy should outline the procedures for your response. You don’t want to be trying to figure out what to do when your office is paralyzed by an attack.

Lawyers are obligated to keep up with technology to protect their clients’ interests or to hire someone with the expertise to do it for them.[16] By keeping up with the risks and educating and monitoring your staff, you can avoid having to pay a ransom for your data and the possibility of seeing your clients’ data compromised.

This article originally appeared in the September 2016 issue of Bench & Bar of Minnesota, the official magazine of the Minnesota State Bar Association, and is reprinted with permission.

Endnotes

1 Shaun Jamison is a professor of law with Concord Law School of Kaplan University and is the former chair of the Minnesota State Bar Association Practice Management and Marketing Section. Jamison teaches CyberLaw, Legal Research, and the Future of Law Practice. He may be contacted at sgjamison@gmail.com.

2 “Florida Law Firm Hit by Ransomware Scheme” (2/16/2016) http://www.batblue.com/florida-law-firm-hit-by-ransomware-scheme/ (now https://opaq.com/)

3 Katie Dvorak, “Hackers return for more money in ransomware attack at Kansas hospital,” FierceHealthCare (5/23/2016) http://www.fiercehealthcare.com/it/hackers-return-for-more-money-ransomware-attack-at-kansas-heart-hospital.

4 “When hackers cripple data, police departments pay ransom,” Boston Globe (4/6/2016) https://www.bostonglobe.com/business/2015/04/06/tewksbury-police-pay-bitcoin-ransom-hackers/PkcE1GBTOfU52p31F9FM5L/story.html.

5 Paul, “FBI’s Advice on Ransomware? Just Pay The Ransom,” Security Ledger (10/22/2015) https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/, but see a more recent declaration from FBI Cyber Division Assistant Director James Trainor saying companies should not pay ransom: Katie Dvorak, “Hackers return for more money in ransomware attack at Kansas hospital,” FierceHealthCare (5/23/2016) https://www.fiercehealthcare.com/it/hackers-return-for-more-money-ransomware-attack-at-kansas-heart-hospital.

6 ABA Model Rule 1.6(c) – A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

7 ABA Model Rule 1.15 – … property shall be identified as such and appropriately safeguarded. Complete records of such account funds and other property shall be kept by the lawyer and shall be preserved for a period of [five years] after termination of the representation.

8 Scott Perry, “Law Firms Kill Web Access In the Name of Cybersecurty,” (5/26/2016) Above the Law http://abovethelaw.com/?sponsored_content=it-security-vs-users&rf=1.

9 Tara Seals, “Employees Would Sell Passwords for $1000 or Less,” retrieved 4/15/2016: http://www.securion.io/#!Employees-Would-Sell-Passwords-for-1000-or-Less/c14jh/56f137afOcf266a29260bfe.

10 Peter S. Vogel, “Bad news for P.F. Chang – Court rules that all claims for 2014 data breach are not covered under its cyberinsurance!” Lexology (6/2/2016) https://www.lexology.com/library/detail.aspx?g=4dc04202-1357-4b3c-8c96-43aeac63e00f.

11 Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996).

12 Katie Dvorak, “Poll: Most hospitals have been targets of ransomware attacks,” FierceHealthIT, retrieved 4/12/2016: https://www.fiercehealthcare.com/it/poll-most-hospitals-have-been-targets-ransomware-attacks.

13 Mike Mosedale, “Ransomware scam targets lawyers with phony ethics complaints,” Minnesota Lawyer (6/7/2016) http://minnlawyer.com/2016/06/07/yikes-ransomware-scam-targets-lawyers-with-phony-ethics-complaints/.

14 ABA Cyber Security Legal Taskforce, https://www.americanbar.org/groups/cybersecurity/

15 Log in to sign up to receive alerts at this link: https://shop.americanbar.org/eBus/MyABA/MyLists.aspx.

16 ABA Model Rule 1.1 – A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.