Protecting Your Law Office Against Data Breaches and Other Cyber Threats
1. 60 Wyoming Lawyer February 2015 www.wyomingbar.org
TECH TIPS
Data Breaches and Other Cyber Threats
by Blake A. Klinkner
blakeaklinkner@yahoo.com

2014 was not a good year for cyber security. Last year, a number of prominent businesses, and their customers, suffered major data breaches including eBay, JP Morgan, Target, Home Depot, and most famously, Sony Pictures Entertainment. Hacked information in these cases included personnel records, bank account numbers, credit card numbers, Social Security numbers, account usernames and passwords, confidential email communications, unreleased movie scripts and full-length films, and other highly sensitive information. At least one of these retailers offered to purchase identity theft protection for all customers who shopped within its stores, and all of them had to warn customers that their personal information might be in the hands of cybercriminals. At the time of this writing, at least seven class action lawsuits have been filed against Sony for claims relating to its data breach, which has been widely attributed to North Korean operatives.

The last major cyber attack of 2014, striking at a steel mill in Germany, failed to make headline news but has rattled the cyber security community for good reason. This attack, which disabled blast furnace controls and prevented shutdown, resulted in massive damage and marks the second confirmed case in history where a cyber attack caused the physical destruction of machinery. The cyber attackers, who remain unknown, gained access to control systems after mill employees opened emails, disguised to appear as if they were sent from trusted sources, which caused malicious software to download onto the system and then allowed hackers to take control of the furnace operations.

2014 also showed that law offices, both private and public, are increasingly a target of cyber attacks. Last year, the American Bar Association conducted a technology survey in which 14% of respondents admitted that their law offices were the victims of data theft, cyber attack, or some other form of security breach. However, the actual rate of law office breaches is considered to be much higher, especially since many firms may never notice that cyber attacks have occurred. In fact, one security consulting firm recently issued a report estimating that 80% of the largest law firms in America have experienced some sort of a data breach. Law offices are becoming targeted by cyber criminals interested in stealing data for their own uses or for sale to others, which can include trade secrets, litigation strategy, or the terms of corporate transactions. In addition, online activists (“hacktivists”) routinely attempt to obtain private information on businesses, public figures, and other targets for use in blackmail or public ridicule campaigns – law offices representing these targets are themselves becoming the object of cyber intrusions. Lastly, there is a growing suspicion in the security industry that many cyber attacks are supported by foreign governments interested in conducting espionage through hacking into networks at public and private sector law offices.

A good New Year’s resolution for law offices would be to take steps to reduce the potential for becoming a victim of data breaches or other cyber attacks. Some suggestions include the following:

- Have trusted antivirus and firewall software installed on office computers. Ensure that the antivirus software is updated and run frequently (at least once a week is ideal). Firewall software should always be activated and running.

- Use strong passwords for email accounts, computer and network logons, data backup and storage, wireless networks, and mobile devices. Strong passwords generally have eight or more characters and are a mix of letters, numbers, and symbols.

- Never open attachments, or click links, contained in emails from unknown senders. The same applies to emails from “trusted” sources which contain unusual language or subject matter – this is a sign that the sender’s account has been “spoofed” or hacked (“spoofing” involves complicated efforts whereby an entity successfully disguises itself as a trusted source, and hacked email accounts are those which have been commandeered). In such instances, call the “trusted” source and verify that they did in fact send you that email.

- Double-check the spelling of websites before you go to them. Cyber criminals frequently create bogus websites whose addresses are in fact misspellings of legitimate Internet addresses, hoping to prey on users who mistype a website name and then proceed to enter in their username/password or download materials without realizing that they are on a copycat website.

- Avoid using portable drives (frequently known as “pen,” “thumb,” “flash,” “USB,” or “jump” drives) for two main reasons. First, these drives are easily misplaced, lost, or stolen, thus allowing their data to be accessed by unknown parties. Second, a common trick of hackers is to load malicious programs onto portable drives and then place them on the ground or somewhere else near an office – their hope is that someone in that office will insert the drive into their computer to see who the drive belongs to, which will then cause the malicious software to infect the office’s computer system. If your office must use portable drives, make sure they are password protected.
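
The misspelled-address check from the list above can be partly automated. The following is an added example, not part of the original article: it compares a link's hostname with a short list of sites the office actually uses and flags near-misses. The trusted list, the sample links, and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: sites this office really uses (constructed allowlist).
TRUSTED = ("wyomingbar.org", "firmbank.example")
# Constructed sample links, as they might appear in an email or browser history.
SAMPLE_LINKS = ["https://www.wyomingbar.org/members", "http://wyomnigbar.org/login",
                "f1rmbank.example", "https://news.example.org/story"]

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap,
    i.e. the usual ways a domain name gets mistyped."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def host_of(link):
    """Lowercase hostname of a URL or bare host, without a leading 'www.'."""
    text = link.strip().lower()
    host = urlsplit(text if "//" in text else "//" + text).hostname or ""
    return host[4:] if host.startswith("www.") else host

def check(link, max_distance=2):
    """Return ('trusted', domain), ('lookalike', nearest trusted domain)
    or ('unknown', None)."""
    host = host_of(link)
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return "trusted", good
    nearest = min(TRUSTED, key=lambda good: osa_distance(host, good))
    if osa_distance(host, nearest) <= max_distance:
        return "lookalike", nearest
    return "unknown", None

def flag_lookalikes(links):
    """List (link, trusted domain it imitates) for every lookalike found."""
    return [(link, near) for link in links
            for kind, near in [check(link)] if kind == "lookalike"]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, check(link))
```

Only the full hostname is compared, so a misspelling placed behind extra subdomains comes back as "unknown" rather than "lookalike"; unknown hosts still deserve a second look before anyone types a password.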

Law offices should be proactive in identifying cyber vulnerabilities and taking steps to reduce the likelihood of being hacked, infected with malware, or otherwise victimized. Additionally, law offices should plan how to mitigate the damage that would happen if a cyber breach were to occur, which should always include a plan for quickly informing clients that their data might have been breached. Law offices owe a duty to protect their clients against data breaches, and may be liable for any harm to clients resulting from inadequate cyber security measures. Furthermore, clients are increasingly demanding that law firms prove their commitment to cyber security as a condition of being retained. Lastly, law offices should realize that cyber security is an ever-changing landscape that requires constant vigilance and updating to guard against new threats.

ENDNOTES
1. Betsy Atkins, Why It’s Time For a Board-Level Cybersecurity Committee, Forbes (Dec. 27, 2014, 9:27 AM), http://www.forbes.com/sites/frontline/2014/12/27/why-its-time-for-a-board-level-cybersecurity-committee/print/.
2. Ted Johnson, Sony Hit With Another Lawsuit Over Cyber-Attack, Variety (Jan. 6, 2015, 6:09 PM), http://variety.com/2015/biz/news/sony-hit-with-another-class-action-lawsuit-over-cyber-attack-1201394240/.
3. Kim Zetter, A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever, Wired (Jan. 8, 2015, 5:30 AM), http://www.wired.com/2015/01/german-steel-mill-hack-destruction/.
4. Jennifer Smith & Emily Glazer, Banks Demand That Law Firms Harden Cyberattack Defenses, Wall St. J. (Oct. 26, 2014, 4:18 PM), http://www.wsj.com/articles/banks-demand-that-law-firms-harden-cyberattack-defenses-1414354709.
5. Matthew Goldstein, Law Firms Are Pressed on Security for Data, N.Y. Times (Mar. 26, 2014, 7:00 PM), http://dealbook.nytimes.com/2014/03/26/law-firms-scrutinized-as-hacking-increases/?_r=1.
6. Michael A. Riley & Sophia Pearson, China-Based Hackers Target Law Firms to Get Secret Deal Data, Bloomberg (Jan. 31, 2012, 2:37 PM), http://www.bloomberg.com/news/2012-01-31/china-based-hackers-target-law-firms.html.
7. Smith & Glazer, supra note 4; Goldstein, supra note 5.