Crisis Communications: Protecting law firm data and reputation: A guide to cybercrime mitigation

By Gina F. Rubel

This column is the first in a series on the basics that law firm leaders must know about cybercrime.

Whether it is identifying ransomware, phishing schemes, and data breach threats, or rolling out robust cybersecurity measures, comprehensive risk management strategies, tabletop exercises, and heightened internal awareness campaigns, the goal is to arm you to protect your reputation and data, and most importantly, your clients.

The growing cybercrime landscape

Law firms and their clients are facing an unprecedented rise in cybercrime, with 2024 being the biggest year yet for cybersecurity incidents. The American Lawyer and Bloomberg Law report that at least 21 law firms filed data breach reports to state attorneys general offices in the first five months of 2024, preceded by 28 law firm breach reports in 2023, and 32 in 2022.

To the uninitiated, the cybersecurity threat trajectory may appear to be downward. However, every year the severity of attacks is worse, reflecting the growing sophistication of the perpetrators.

According to one survey, more than half of law firm respondents who experienced a security breach lost confidential client data — among the worst things that can happen to a law firm.

To a cybercriminal, law firms are a treasure-trove of sensitive and confidential information, including IP, internal personnel and financial records, and business, financial, and personal client information. Cyberattacks have exposed vulnerabilities within law firms, leading to significant financial losses, reputational damage, and legal repercussions. Law firms have been subject to class-action lawsuits and have unknowingly contributed to insider trading that has cost companies millions of dollars—all because of cyberattacks.

In a recent review of ransomware attacks:

• 12 percent of attacks on law firmsresulted in a lawsuit. Of those, when you include the 25 percent of matters that were settled out of court, the law firm lost every time.
• Only 26 percent of law firms believe their firm is “very prepared” to respond to cyber incidents.
• In one survey, 39 percent of law firm respondents reported awareness of a security breach in the last year, and56 percent lost confidential client data. Sixty percent identified the sophistication level of the attacks as the biggest challenge in reducing risk.
• Law firms face an average ransom demand of $2.5 million, globally.

Types of cyberattacks affecting law firms

Ransomware phishing, smishing, vishing, social engineering and spoofing, denial-of-service (DoS) attacks, and insider threats are among the sophisticated cyberattacks being directed at law firms.

Ransomware

Ransomware is malicious software or “malware” that targets individuals, businesses, and institutions, and any type of device with computing capabilities. Ransomware encrypts files, or locks out users, rendering their data or system inaccessible. Criminals then demand a ransom payment, typically in cryptocurrency, in exchange for the decryption key or restoring access.

Typically, ransomware spreads via unsolicited emails and employees who mistakenly click on genuine-looking links. Paying the ransom does not guarantee data recovery and it may encourage further criminal activity. A growing number of ransomware gangs use double-extortion tactics by stealing data and encrypting systems.

Phishing, spear-phishing, smishing and vishing

These attacks commonly lure victims into sharing personal or financial information, clicking on malicious links, or downloading harmful software or applications. All typically create a call to action with urgency, curiosity, or fear, and confuse victims with deceptive messages that appear from trusted sources.

1. Phishing: An umbrella term that often focuses on fraudulent emails and websites meant to steal data. Example:An email from a third-party vendor, such as a court reporter, asking users to reset their passwords due to a security breach, leading to a fake login page.
2. Spear-phishing (business email compromise): A spear-phishing email is a scam that attempts to steal money or sensitive data from a business.Spear-phishing narrowly targets individuals, groups, or organizations and evades multi-factor authentication (MFA) and other safeguards. These personalized scams trick victims into divulging sensitive data, downloading malware, or sending money to an attacker. Only proper cybersecurity training can challenge business email compromise.
3. Smishing (SMS phishing):A form of phishing that invites users to reveal data through fraudulent text messages. Example: A text message alerting the recipient of a suspicious client funds transaction and urging them to click a link to verify their IOLTA account.
4. Vishing: Exploits voice communication, typically over fraudulent phone calls that induce victims to reveal personal information. Example:The receptionist receives a call from someone claiming to be from the state bar association, stating that a partner failed to pay their bar dues and will face disbarment unless they make an immediate payment.

Few of the 3.5 billion smartphone users worldwide understand the dangers of clicking on a link in text messages or responding to unsolicited voicemail messages, making smishing and vishing two of the most lucrative forms of cyberattack.

Social engineering

These tactics rely heavily on using multi-step psychological manipulation to trick victims into giving away sensitive information.

Spoofing

These tactics are supercharged with spoofing, where cybercriminals disguise themselves as a known or trusted source. According to CrowdStrike:

• Domain spoofingis a form of phishing where an attacker impersonates a known business or person with a fake website or email domain to fool people into trusting them.
• Email spoofingtargets businesses through emails with forged sender addresses.
• Address resolution protocol (ARP) spoofing or ARP poisoning is an attempt by hackers to intercept data by tricking one device into sending messages to the hacker instead of the intended recipient.
• Denial-of-service (DoS) attacks

A Denial-of-Service (DoS) attack is a malicious, targeted attack that floods a network with false requests to disrupt business operations. In a DoS attack, users are unable to perform routine tasks such as accessing email, websites, online accounts, or other compromised computer or network resources. DoS attacks originate from just one system and DDoS attacks launch from multiple systems.

Generally, these attacks resolve without losing data or paying ransom. For law firms, these attacks cost time and money. Worst-case scenarios can involve so much downtime, a cascade of negative results can ensue, missing filing deadlines, deals blown up, and a host of issues that implicate professional conduct violations.

Insider threats

Insider threats are internal maligned actors such as current or former employees who have direct access to the company network, sensitive data, and IP as well as knowledge of business processes, company policies, or other information. The risk of insider threats mandates that all law firms remove or restrict access to law firm data and IT systems when any employee moves to a new job or when terminated.

Differentiating between a cyber incident and a data breach

While all cyberattacks are concerning, once you have reason to believe your law firm has been targeted, it’s important to differentiate between a cyber incident and a cyber breach. The consequences and necessary responses can vary significantly.

Cyber incident (no data captured): A cyber incident refers to an event where a law firm’s security systems are compromised, but no sensitive data is captured or accessed by unauthorized parties. Examples include a successful denial-of-service (DoS) attack that temporarily disrupts operations or an attempted phishing attack that is caught by the firm’s security measures.

While these incidents may not result in the direct loss of data. they still expose vulnerabilities that need to be addressed to prevent future breaches.

Cyber breach (data compromised): A cyber breach, on the other hand, involves unauthorized access to sensitive or confidential information. This is the scenario that law firm IT departments fear the most. A breach can expose critical client data, such as Social Security numbers, financial records, HIPAA-protected personal information, or intellectual property.

The legal, financial, and reputational fallout from a breach can be catastrophic, often requiring significant resources to manage the aftermath and restore trust with clients and stakeholders.

This is Part 1 of a series. Future pieces will detail the proactive measures law firms can take to prevent cyber incidents and how to manage your firm’s reputation if a cyberattack occurs.

Gina Rubel is the CEO and general counsel of Furia Rubel Communications. She educates professionals on devising and implementing strategic communications plans to manage their reputation, develop and attract top talent, and drive business success. She is the host of On Record PR. Gina can be reached on LinkedIn at https://www.linkedin.com/in/ginafuriarubel/.