According to a study by Cybersecurity firm Mandient, 80 of the largest 100 law firms in the United States have been hacked over the last several years.
For many lawyers, this is old news; it’s assumed that IT staff has already done everything it can to address any possible security vulnerabilities. However, increased hacker sophistication has brought the emergence of new risks. Hackers are now targeting individuals, exploiting potential weaknesses such as plain-text email messages (lacking encryption) containing sensitive or valuable information.
Who is at risk depends often on (a) the hacker’s perceived value of a potential target lawyer’s information, and sometimes on (b) the potential target’s perceived value of their own information (i.e. the price they are willing to pay to keep their own information private.)
One trend, for example, is for hackers to use stolen information to drive enormously profitable financial manipulation schemes.
U.S. Attorney General Loretta Lynch confirmed that hackers stole business and investor secrets to drive complex pump-and-dump schemes to their benefit and the detriment of investors. In this case, they stole private information and used it to set up more than 75 shell companies to trade on the information and realize substantial profits. A ploy like this can cause extensive damage to affected clients, which in turn can cripple a law practice’s ability to acquire or retain clientele.
Other hackers are developing online/electronic behavior profiles of target individuals, intercepting invoices, changing payment destination details, and sending them onward. Payer funds are inadvertently paid to a “Wells Fargo” or other seemingly familiar account, and upon receipt in that bank account, transferred offshore – gone forever. This can directly impact lawyers managing closings on real estate transactions, corporate acquisitions, or even e-payment of lawyer invoices.
Some hackers are stealing users’ sensitive personal or business information, and then holding that information and/or users’ computers for ransom, demanding a ransom payment to unlock a computer or keep sensitive information private. The preferred method of infection is through emails that look legitimate, usually with content related to alleged invoices, successful orders or wire transfers. Consider for a moment the consequences if your attorney-client privileged email – your most sensitive client litigation or estate planning dialogue — was intercepted and you received a ransom note demanding payment, threatening to post this information online for the world to scrutinize.
With the abundance of potentially lucrative information lawyers are sending to and receiving from their clients and other parties, some experts say the question to ask is not whether you or your law practice will be hacked, it’s “when?”