Feb 03 2015

Law Firms Must Prepare for Modern Data Breaches

With the risk of data breaches on the rise, legal services organizations must prepare for the worst.

If you work at a law firm and think you’re on the low end of the totem pole when it comes to hacking and cyberwarfare, think again.

A recent story from Crain’s Chicago points out that phishers are actively using the names of several Chicago-based law firms to bamboozle users into downloading and distributing malware.

Scammers have co-opted the names of several major law firms to send phishing emails, including Chicago's Sidley Austin and Baker & McKenzie, as well as Reed Smith and Hogan Lovells.

The emails, apparently released en masse yesterday, are a new, legal twist on an old ploy: Send an email from a seemingly reputable company urging immediate action that persuades the recipient to click on a link, which then delivers malware to the victim's computer.

The subject lines for the emails read, “Your complaint received” or “Notice to appear,” according to a report in trade newsletter Pinhawk Law Technology Daily Digest. Ed Greenberg, an account director at Security Management Partners in Waltham, Mass., says that if a user clicks on the link, malware is downloaded onto his or her computer that logs keystrokes.

While it might seem odd at first, the truth is that law firms make the perfect partner for this sort of phishing, scamming and hacking. Because they often work with clients across various industries, law firms can be a smorgasbord of corporate data.

And law firms are not only figuring out how to better protect themselves from hacks, they’re also starting to offer cybersecurity as a service. DLA Piper, a large, international law firm, has decided to offer clients its cybersecurity services, The Washington Post reports.

[T]he idea for the service was first considered several years ago, but at the time, cybersecurity laws weren’t developed enough.

“There weren’t enough laws and regulations originally to make a business of it,” said Larry Clinton, president and chief executive of the Internet Security Alliance. “But we have long since passed that threshold, we have lots of laws and regulations now, many are conflicting and create new problems.”

This ambiguity about cybersecurity laws and policies was the focus of a recent episode of the Legal Talk Network’s Digital Detectives podcast. David Bodenheimer, a privacy and cybersecurity attorney for Crowell & Moring, was the guest on that episode, and he highlighted how the murky definitions around cybersecurity have led to this chaos on the cyberwarfare landscape.

“Right now, we’re truly on the frontier of international law and trying to determine what governs cyberwar in the international arena,” Bodenheimer said.