Ransomware — a technology threat that bad actors use to breach a firm’s security systems and deny or hinder system access in exchange for a monetary payment — is seen as a genuine threat to law firms today
“All data breaches threaten reputation because they imply the firm does not have its act together and does not care about clients’ data security,” says crisis expert Thom Weidlich, Managing Director of PRCG Haggerty, a strategic communications firm specializing in high-level reputation management as well as crisis and litigation communications. “Ransomware adds to that in the sheer embarrassment of being held hostage and having your operations interrupted.”
Ransomware’s first documented attack was relatively rudimentary and delivered via floppy disk containing a malware program in 1989 that told its victims to pay $189 in ransom to a PO Box in Panama. Today ransomware criminals are significantly more sophisticated, thanks to advances in cyber-methods and cryptocurrencies.
The US Secret Service reported a marked growth in crimes involving cryptocurrencies and digital extortion schemes, including ransomware, in 2021. Other reports show that ransomware is fast becoming a tool of choice for far flung cyber-criminals. Verizon, which has been analyzing data security trends since 2008, finds in their 2022 Data Breach Investigations Report that ransomware has increased almost 13% since last year — a rise as big as the last five years combined, and ransomware was present in almost 70% of malware breaches last year.
The people problem
Security experts agree that the human element is a crucial driver of this type of digital threat. Verizon’s report puts a number to it, citing that 82% of data security breaches involve human error — most often employees who inadvertently expose systems to data threats.
“Most ransomware attacks are made possible through the vulnerabilities caused by humans (i.e., the employees of the firm). This is why hyper-vigilance about phishing emails is crucial,” explains Jennie Wang VonCannon, a Certified Information Privacy Professional and Partner with Ellis George Cipollone O’Brien Annaguey. “Many times, it is an employee who clicks on an email which contains malware, inadvertently deploying it onto their computer which then infects the entire network. Or someone enters their login information after receiving an email request to do so, thinking it’s legitimate, and just like that, the malicious actors can enter the firm’s network and encrypt the firm’s data and hold the decryption key for ransom.
Management should educate their personnel about how to spot a scam email and the importance of not clicking on any links or even opening the email, if possible, adds VonCannon. “Depending on the organization’s culture, it may want to conduct regular tests by sending out suspicious-looking emails to keep employees primed to spot a phishing attack.”
Weidlich agrees that many data breaches occur due to employee error, either clicking on a phishing link or through malfeasance, such as stealing data. “It’s crucial to let employees know how important the issue is to the firm,” he says. “Talk to employees, train employees, and view employees as a defense against breaches.”
Depth of your data
A fundamental step in mitigating the harm of a ransomware attack is understanding what data your firm collects and maintains — and the access rights that certain parties have to it.
Trina L. Glass, a shareholder and member of Stark & Stark’s Investment Management & Securities Group, suggests that firms inventory their data to know who has what kind of access. “Prior to implementing controls and procedures to help prevent or mitigate a firm’s risk of a ransomware attack, the firm should first know what data it collects, where the data resides, and who has access to the data,” says Glass, adding that firms also should take steps to reduce copies of sensitive firm and client data.
Indeed, supply chain weaknesses, partners, and vendors pose a unique data risk; and these third-party risks are increasing, according to Verizon’s data risk analysis. Glass says that firms should take appropriate precautions. “Educate and train your employees and third-party vendors on your firm’s information security control procedures,” she explains. “Most ransomware attacks are orchestrated through phishing scams, third-party software vulnerability, and credential stuffing.”
There are several basic IT security measures that firms must take to prevent malware disruptions, including:
- establishing security practices and policies;
- ensuring software patches and virus protections are current, proactive system protection such as firewalls;
- encrypting information; and
- installing two-factor authentication.
What to do when an incident occurs
Should a ransomware incident occur, most law firms already will have a crisis playbook in place that would likely trigger the firm’s lock-down protocols. Communication during this period is critical, Glass says, noting that at this point, firms should activate their incident response plan. “Since you’ve taken the time to implement a comprehensive plan, you will know to whom, internally, to immediately escalate the incident and what details to include in your notification,” she says. “The who should also include law enforcement, your insurance carrier, IT vendor, and outside counsel.”
A forensic analysis of how the risk came about will likely occur soon after discovering the incident. This intervention involves understanding what data and systems were compromised and how and when that happened, VonCannon adds. “If the entire network is encrypted and the firm’s computers [are compromised], firms need to think about getting back online as soon as possible using the up-to-date data backups that they have been diligently keeping so that they can continue operating in the event of a ransomware attack. They should also immediately consult with an expert in this field, such as an attorney with cybersecurity and data privacy experience, who can coordinate the firm’s response.”
Weidlich agrees, and advises that there are three defensive measures firms must immediately take should they find themselves on the receiving end of a ransomware or data security incident. Those include: i) hiring a data-incident firm; ii) hiring a crisis-communications firm; and iii) informing legal authorities since every state has unique laws that must be followed.
The big questions: Transparency & the ransom payment
Two decisions that every law firm must make in the aftermath of a ransomware attack have the potential to divide firm management and will need careful consideration on a case-by-case basis.
The first question on which to achieve consensus is whether to disclose the attack publicly or not. Law firms will naturally be conservative around making public statements and want to minimize liability risk; yet Weidlich counsels that it is possible to communicate a breach in a way that respects those views. “Firms should publicly communicate beyond the legal requirements and standard practice,” he says. “The focus should be on rectifying the situation.” He cautions that any communication must be empathic, and firms can achieve this by acknowledging to clients the inconvenience arising from operational disruption and stating if and how the breach will affect clients and other outside stakeholders.
Second, the firm will also need to determine whether to pay the ransom or not.
Glass cautions that, generally, firms should not be quick to pay ransomware requests. “The FBI… does not support paying ransom in response to a ransomware attack,” she says. “Paying a ransom does not always guarantee that you will receive your data back or prevent future attacks.”
Weidlich observes that ransomware attacks present great difficulty concerning how firms respond to them. “Firms must realize that whatever action they take — whether they pay the ransom or not — they will be criticized,” he explains. “If you pay the ransom, you’ll be criticized for encouraging criminals; but if you don’t pay, you’ll be criticized for not caring enough about clients’ data.” To ensure that all sides receive due consideration, the firm must be clear on why it’s taking the action and be just as clear in communicating that, he adds.
Of course, the best defense against potential ransomware threats is a strong offense. Firms can accomplish this through updated policies and protocols that provide clear guidelines to employees and third parties with system access, regular training and testing to shore up your systems against attacks, and an active crisis-management plan that can validated against known and emerging digital threats.