Ransomware Attacks and Your Practice
Barbara Engstrom, Executive Director, King County Law Library
Ransomware attacks on Colonial Pipeline, JBS (the world’s largest meat processing plant), and various hospitals and schools became major news stories over the last year. Law firms were no strangers to cybersecurity risk either. The first well-publicized law firm attack was on DLA Piper in 2017. In early 2020 five law firms were attacked in short order, with three firms hit in a 24-hour period in February.¹ There were high profile attacks at the New York firm of Grubman, Shire, Meiselas & Sack in May of 2020, the Chicago firm Seyfarth Shaw in October of 2020 and as recently as this July, Campbell Conroy & O’Neil was attacked.² Of course, these are the attacks that received media attention; presumably many more were never reported or went under the media radar.
My assumption has always been that large law firms are the main targets for ransomware attacks. The findings from the Q1 2021 Coveware Quarterly Ransomware Report had some very troubling statistics conveying that is not the case. The Coveware report delivered a grim cybersecurity assessment for the current small and medium law firm model.
The most notable change in industries impacted by ransomware attacks in Q1 was the Professional Services industry, specifically law firms. Small and medium sized law firms continue to succumb to encryption ransomware and data exfiltration extortion attacks. (Emphasis added.) Unfortunately, the economics of many small professional service firms do not encourage or enable adequate cyber security.³
According to the report, in the first quarter of 2021 the average ransom payment was $220,298 (an increase of 43% from Q4 2020), and the median ransom payment was $78,398 (an increase of 59% from Q4 2020). The threat by hackers to release stolen data increased to 77%, a 10% change from Q4 2020. The average downtime was 23 days, also a 10% increase from Q4 2020.
For small and medium law firms, vulnerabilities associated with Remote Desktop Protocol (RDP) and phishing emails were by far the largest attack vectors. While the switch to remote work opened law firms up to new paths of exposure, 86% of ransomware attacks still begin with a person clicking on a virus-laden email.⁴ Other attack vectors included insufficiently strong passwords, software that was not kept up to date, and insufficient cybersecurity training and audits.
In addition to the business operations and reputational harm that ransomware attacks cause for any business, lawyers are subject to the additional burden of potential ethics violations. In their 2019 report on cybersecurity, the ABA delineated several RPCs implicated in a cybersecurity breach. The report notes that Comment 8 to the competency requirements of Model Rule 1 clearly requires competency in cybersecurity. “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” The report also notes that with much client communication done through email, Model Rule 1.4’s requirement to keep clients reasonably informed would require that the channels of communication are secure. The report also points out the cybersecurity implications of Model Rule 1.6’s requirement to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”⁵
The report also discusses two relevant ethics Opinions. ABA Formal Opinion 477, which discusses special security precautions to protect against the inadvertent or unauthorized disclosure of client information, lists seven factors to consider when determining the appropriate level of cybersecurity: (1) the nature of the threat; (2) how confidential client information is stored and sent; (3) the use of reasonable electronic security measures; (4) how electronic communications should be protected; (5) the need to label client information as privileged and confidential; (6) the need to train lawyers and nonlawyer assistants; and (7) the need to conduct due diligence on vendors who provide technology services.⁶
ABA Standing Committee on Ethics and Professional Responsibility Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack,” (October 17, 2018) states “the potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.” The opinion further states that “As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.”⁷
Advisability/Legality of Ransomware Payments
After being forced to shut down its operations, Colonial Pipeline paid a $4.4 million ransom (though they later were able to recover $2.3 million of the Bitcoin payment). JBS paid an $11 million ransom as the domino effects of the attack rattled the meat processing and restaurant industries.
While there may be situations where paying a ransom is the least bad option, many cybersecurity experts take a very dim view of that choice. The Coveware Q1 2021 report had an interesting take:
Over hundreds of cases, we have yet to encounter an example where paying a cyber criminal to suppress stolen data helped the victim mitigate liability or avoid business / brand damage. On the contrary, paying creates a false sense of security, unintended consequences and future liabilities. Coveware’s position remains unchanged and we advise victims of data exfiltration extortion to assume the following:
- The data will not be credibly destroyed. Victims should assume it will be traded to other threat actors, sold, misplaced, or held for a second/future extortion attempt.
- Exfiltrated data custody was held by multiple parties and not secured. Even if the threat actor deletes a volume of data following a payment, other parties that had access to it may have made copies so that they can extort the victim in the future.
- The data may be deliberately or mistakenly published before a victim can even respond to an extortion attempt.
- Complete records of what was taken may not be delivered by the threat actor, even if they explicitly promise to provide such artifacts after payment.⁸
While laws such as the Computer Fraud and Abuse Act and the Foreign Corrupt Practices Act touch on some of the issues involved in ransomware payments, there is no overarching statute that bans payment of ransom for a cyberattack. There is movement on both the federal and state levels to create legislation to ban ransomware payments. New York (Senate Bill 6806A), North Carolina (House Bill 813), Pennsylvania (Senate Bill 726) and Texas (House Bill 3892) all considered legislation that would prohibit the payment of ransom.⁹ Those who oppose legislation maintain that banning payments may cause unforeseen problems and do more harm than good to the victims. Legislative bans may also incentivize not reporting cyberattacks to law enforcement, potentially leading to further extortion.¹⁰
Cyber Liability Insurance
According to the ABA 2020 Cybersecurity Report survey, the number of firms investing in cyber liability insurance is steadily increasing. 36% of survey respondents reported carrying cyber liability insurance in 2020, which is up 10% from 2017. Interestingly, firms in the 10-49 attorney range reported a higher percentage of coverage (40%) than firms with 100+ attorneys (38%). 36% of firms with 2-9 attorneys and 33% of solo attorneys reported coverage.¹¹
As with all insurance, the devil is in the policy details, but ransomware attacks have layers of complexity and may have repercussions that are not immediately discovered or covered. “Cyber liability policies generally require prompt notice. Most also require consent before engaging incident response and security firms as well as other professionals and vendors needed to respond to the attack and restore the company’s network. And many (but not all) cyber liability policies require prior consent to make a ransom payment.”¹²
Best Practices for Law Firm Cybersecurity
So, what can you do to protect your firm from ransomware attacks? A recent roundtable discussion of the impacts of the Microsoft hack on law firms suggested the following:
Create a security-first mindset – “While top-down mandates from management are an important component, the entire environment should be one that recognizes the preeminent importance of stressing to the entire organization that security of the clients’ data is a key component of a professional, confidential relationship.”
Establish safety protocols for transferring files – “Each transfer is a potential point of vulnerability that requires a secure method to prevent unauthorized access.”
Create and maintain an ongoing security process – “Fundamentally, law firms need to assess the state of their cybersecurity program, create a remediation plan to close any gaps, execute that plan and then repeat this process on at least an annual basis. Cybersecurity is process-oriented, and requires management to make it a priority to keep the firm—and the firm’s clients—as reasonably safe as possible.”
Cover the Model Rule 1.6 basics – “Such reasonable steps include using current virus and malware scanners and firewalls, regularly installing patches and updates, using cryptographically strong passwords, routinely replacing default passwords on networks, avoiding risky software downloads from the Internet, eschewing the use of public cloud providers or file-sharing services for sharing documents, avoiding the use of web-based email services and public Wi-Fi, and training employees to recognize deception (“phishing”) attacks.”¹³
The Law Library is Here to Help
If you’d like to learn more about the legal implications of ransomware attacks on law firms, the law library has databases and resources to help. Feel free to reach out with questions on this or any other topic at firstname.lastname@example.org
1 See AJ Shankar, Ransomware Attackers Take Aim at Law Firms, Forbes (Mar 12, 2012) available at https://www.forbes.com/sites/forbestechcouncil/2021/03/12/ransomware-attackers-take-aim-at-law-firms/?sh=49af643aa13e
2 See AJ Shankar, Ransomware Attackers Take Aim at Law Firms, Forbes (Mar 12, 2012) available at https://www.forbes.com/sites/forbestechcouncil/2021/03/12/ransomware-attackers-take-aim-at-law-firms/?sh=49af643aa13e. See also Brian Fung, Ransomware Hits Law Firm with Dozens of Major Corporate Clients, CNN Business (July 19, 2021) available at https://www.cnn.com/2021/07/19/tech/ransomware-law-firm/index.html
3 Coveware Quarterly Ransom Report, Q1 2021, Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound. (April 26, 2021) available at https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound#companies
4 See Jim Ash, Prepare Now to Thwart Ransomware Attacks, Florida Bar Journal (Jun 28, 2021) available at https://www.floridabar.org/the-florida-bar-news/prepare-now-to-thwart-ransomware-attacks/
5 See John G. Loughnane, Techreport 2019: 2019 Cybersecurity (Oct 16, 2019) available at https://www.americanbar.org/groups/law_practice/publications/techreport/abatechreport2019/cybersecurity2019/
8 Id. at 3.
9 See Cynthia Brumfield, Four States Propose Laws to Ban Ransomware Payments, CSO Spotlight (Jun 28, 2021) available at https://www.csoonline.com/article/3622888/four-states-propose-laws-to-ban-ransomware-payments.html
10 See Alvar Maranon & Benjamin Wites, Ransomware Payments and the Law, LawFare (Aug 11, 2021) available at https://www.lawfareblog.com/ransomware-payments-and-law
11 See John G. Loughnane, Techreport 2020: 2020 Cybersecurity (Oct 19, 2020) available at https://www.americanbar.org/groups/law_practice/publications/techreport/2020/cybersecurity/
12 See Ashley Jordan and J. Andrew Moss, Don’t Make the Cure Worse Than the Disease: Tips for Securing Prompt Insurance Recovery of Ransomware Losses, Reuters Legal News Beta (Sep 1, 2021) available at https://www.reuters.com/legal/legalindustry/dont-make-cure-worse-than-disease-tips-securing-prompt-insurance-recovery-2021-09-01/
13 See Nicholas Gaffney, How Microsoft’s Data Breach Impacts Law Firms (and Their Clients), Law Practice Today (Jun 15, 2021) available at https://www.lawpracticetoday.org/article/how-microsofts-data-breach-impacts-law-firms-and-their-clients/