Law Firms Need to Get Serious About Cybersecurity

22 May 2020

What do Robert DeNiro, Lady Gaga and Rod Stewart have in common?

Other than global stardom and luxurious property, the three A-listers were amongst those whose personal data was breached in a recent cyberattack targeting celebrity law firm Grubman Shire Meiselas & Sacks.

The headline-grabbing hack saw the New York City-based firm’s system breached by cybercriminals using a strain of ransomware known as REvil/Sodinokibi, who threatened to expose a 746GB data cache. Sensitive emails, contracts and non-disclosure agreements are amongst the files that could soon find their way into the public domain.

But high-flyers of the entertainment industry are not the only victims of this high-profile attack. According to the Los Angeles Times, a $42-million ransom demand has been made by hackers who claim to have files that incriminate President Trump.*

(Sound familiar? We’ve been here before. At the height of the 2016 election campaign, WikiLeaks published a new wave of hacked emails from the account of John Podesta – the chairman of the Clinton campaign. Four years and approximately 1,580 mentions by Donald Trump of “Hillary’s Emails” later, the President of the United States’ reputation lies in the hands of cyber-criminals during an election campaign. I believe the term is ‘poetic justice’?)

Let’s return our focus to the law firm in question: Grubman Shire Meiselas & Sacks.

Headed up by long-time entertainment lawyer Allen Grubman, the firm has said it is co-operating with enforcement officials including the FBI to resolve the data breach and has no intention of paying the sum demanded.

“We have been informed by the experts and the FBI that negotiating with or paying ransom to terrorists is a violation of federal criminal law,” a representative for the firm said in a statement.

“Even when enormous ransoms have been paid, the criminals often leak the documents anyway.”

They aren’t wrong. When your network has been compromised and your confidential data has fallen into the hands of nefarious cybercriminals, you’re hardly in a position to be making demands.

While this particular cyberattack has naturally drawn in the media circus due to the celebrity status of the victims and the size of the ransom demanded, Grubman Shire Meiselas & Sacks isn’t the only law firm grappling with the threat of cyberattack.

According to figures from CYFOR, 73 of the UK’s top 100 law firms are regularly targeted by cyber criminals. When this insight is combined with figures from Ponemon’s Cost of Data Breach Study: Global Analysis, which states that the average consolidated total cost of a data breach in the UK is £2.37 million, the urgency of this type of threat becomes crystal clear.

By nature, law firms handle large volumes of sensitive information about their clients, their employees and the business within their systems. It’s not hard to see why they are such an attractive target for opportunistic cyber-criminals – be they magic circle or high street practice, a law firm’s personal data must be kept on strict lockdown (no pun intended).

What’s more, recent research has shown that hackers have grown increasingly successful in their attempts to hack law firms in the last few years. That isn’t surprising when you consider how rapidly technology has advanced in the last decade and how dependent on digital processes we have become as a society. In 2019, the Solicitors Regulation Authority found that, among the 52% of law firms that had experienced some sort of cybersecurity breach that year, 80% of the breaches were phishing attacks.

If they are to avoid reading their names in the morning papers, it’s time law firms started taking cybersecurity seriously. At a time like this, it’s easy to deprioritise data protection – particularly if you’re a law firm dealing with an influx of new cases on the back of the Coronavirus crisis.

As a general rule, it’s best to behave as if your law firm’s data will be hacked tomorrow. If cybercriminals didn’t hesitate to infiltrate EasyJet’s network and steal 9 million personal data records and 2000 customers’ card details, they certainly won’t miss out on the chance to steal and potentially even leak your law firm’s data.

We are a virtual firm acting for and advising a portfolio of clients in the field of data protection and technology, so it may not come as news to you that IT security is amongst our top priorities. When it comes to sharing sensitive information, our desktop and mobile apps and document management system were built with security baked in. Our state-of-the-art cloud-based infrastructure and best-practice data protection processes ensure our clients’ data is not at risk of being compromised.

*a former high-flyer of the entertainment industry

Copyright © 2020 360 Business & Private Client Law Limited. All rights reserved.