
Management Assistance Program

What Is Your Cybersecurity Defense Plan for 2025?

By Jim Calloway

The Oklahoma Rules of Professional Conduct offer guidance and rules for lawyers confronting ethical challenges. Technological advances often progress more quickly than legislative or regulatory responses to these developments. So where technology is involved, some of our ethical obligations tend to change and evolve before any new rules can be written.

For almost every lawyer reading this, the possibility of a major digital attack is a potential threat to your law firm’s operations. Imagine showing up to work and finding that every computer in the office has had its data encrypted – and even though the provider said it wouldn’t, it also took out the office VoIP phone system.

We, as a profession, must now always consider cybersecurity to protect our clients’ confidential data as well as our business operations, which benefit both the law firm and the clients. As one calendar year ends and another begins, take this opportunity to examine and increase your safeguards against cybercrime. 

THE IMPORTANT INITIAL DECISION ABOUT YOUR CYBERDEFENSE STRATEGY

In the Nov. 13 issue of Courts & More, I posted “Does Game Freak’s Lack of Response to Malware Attack Hold Lessons for Lawyers?” I encourage you to read it.

Game Freak was hacked and apparently did not pay the ransom. Kavi Sivasothy, a Canadian lawyer, analyzed why a large company whose assets are mostly digital might have behaved that way and concluded that it had decided in advance not to pay any future ransom.

Mr. Sivasothy wrote: “Now, not every organization can just say ‘no’ to a ransom demand. A hospital has to consider very different factors than a dry-cleaner. But regardless of what business they are in, there are core steps every organization should be proactive in taking to maximize their opportunity to say ‘no’ when being extorted by a hacker.”

That is your most important business decision going forward. If your law firm is hit with a cyberattack that shuts down your systems, are you going to pay the ransom? Our concerns are closer to the hospital than the dry cleaner, but every business wants to return to operations after an interruption as soon as possible.

Today, ransomware demands are rarely in the four-figure range – they are more likely five or six figures. In the early days of this type of crime, the people running the operations were – to use an inappropriate term – more professional, and there was a decent chance your data would be restored after payment. That is less true today. Suppose the ransom is accepted and you receive decryption keys. Does anyone in your firm have the expertise, plus the nerve, to run the decryptor across every affected machine and confirm the files came back intact? If not, the ransom is only the first cost: the firm will also be paying for outside help to finish the recovery.

If you believe the ransom amount may influence your decision to pay and your firm possesses the necessary assets or credit lines to cover a ransomware attack, it would be prudent to consider obtaining a cyber insurance policy that includes coverage for damage remediation. I have little information about the insurance market. I know this coverage is expensive, and the application process may require upgrading parts of your systems, which is most likely a good thing. But we all appreciate that an insurance policy that provides both funds and expertise to repair your network is the best way to avoid paying the ransom, and it is also more likely to restore law firm operations more quickly.

As with many risks in life, insurance is the best answer if you can afford it. Realistically, these premiums are not affordable for all law firms. For some, the decision is that the firm can’t afford cyber insurance, or paying for it would significantly impair the firm’s operations. But if so, it is also probable that your firm would not pay a ransom. 

WE CAN’T OR WON’T PAY THE RANSOM

I would predict most of the lawyers reading this would be in the “will not pay” category, whether it is uncertainty, lack of funds, lack of technical expertise in decryption or resistance to funding criminal activities. My goal in this column is to convince those law firms to accept that fact so they can move on to preparing for recovery in the event of an attack.

Please read Mr. Sivasothy’s article[i] for an excellent brief overview of your next steps, then review your own systems to prioritize what you should do first. It may be that some outside IT consulting help is required.

Let’s take a worst-case scenario: a firm at high risk for an attack. Consider a small law firm with little in-house technology expertise beyond Word and the billing system. One computer is still running Windows 10, even though they know support for it ends in October 2025. The subscriptions to the online backup service and the security service were both accidentally canceled when the law firm’s credit card was compromised, and the person who set them up no longer works for the firm. So what does this law firm do in a high-risk situation? It must first prioritize protecting client data. Before we protect the castle, we must ensure the crown jewels are safe.

For emergency triage, there are two broad paths:

  • You subscribe to a secure cloud storage service and move your data there. (Secure, in most cases, means you are paying for it.)
  • You send someone to the local big-box store or go online to buy several portable hard drives – hopefully, one for each computer in the law firm. Then, copy the data onto the portable hard drives. There are instructions, and some drives even include simple backup software. Check that the copied files actually open before you trust the copy. Unplug the drive when finished; a drive left connected will be encrypted right along with the computer if ransomware hits. Do not store the drive in the office. Now, you have backups as of that day, and you can decide how often you want to update your backup.
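
As an added illustration of the second path (this is not from the original column), here is a small script that copies a folder tree onto a portable drive, writes a SHA-256 manifest alongside the copy, and then re-reads the drive to prove the copy is intact before anyone unplugs it. The folder names, the three sample files and the "portable drive" are all constructed for the demonstration; in real use you would point it at the client-files folder and the drive letter.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large scanned PDFs do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_tree(source: Path, drive: Path) -> dict:
    """Copy every file under `source` to `drive`, preserving the folder layout,
    and record the SHA-256 of each *source* file in a manifest stored on the drive."""
    manifest = {}
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        relative = src_file.relative_to(source).as_posix()
        dst_file = drive / relative
        dst_file.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src_file, dst_file)  # copy2 keeps timestamps, useful for later comparisons
        manifest[relative] = sha256_of(src_file)
    lines = [f"{digest}  {relative}" for relative, digest in manifest.items()]
    (drive / MANIFEST_NAME).write_text("\n".join(lines) + "\n")
    return manifest


def verify_backup(drive: Path) -> list:
    """Re-hash every file the manifest lists. An empty result means the copy on the drive
    matches what was read from the office computer; anything else is a reason not to unplug yet."""
    problems = []
    for line in (drive / MANIFEST_NAME).read_text().splitlines():
        expected, _, relative = line.partition("  ")
        target = drive / relative
        if not target.is_file():
            problems.append(f"missing: {relative}")
        elif sha256_of(target) != expected:
            problems.append(f"corrupt: {relative}")
    return problems


def demo() -> tuple:
    """Constructed run: three sample files, a verified copy, then one file on the drive
    altered behind the script's back (a failing drive or a tampered copy looks the same)."""
    with tempfile.TemporaryDirectory() as tmp:
        office = Path(tmp) / "office"
        drive = Path(tmp) / "portable_drive"
        samples = {
            "clients/smith/engagement.txt": "engagement letter",
            "clients/jones/notes.txt": "meeting notes",
            "billing/2024-11.csv": "matter,hours\nsmith,3.5\n",
        }
        for name, text in samples.items():
            target = office / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)

        backup_tree(office, drive)
        clean_result = verify_backup(drive)
        (drive / "billing/2024-11.csv").write_text("matter,hours\nsmith,0.0\n")
        tampered_result = verify_backup(drive)
        return clean_result, tampered_result


if __name__ == "__main__":
    clean, tampered = demo()
    print("after copy:", clean or "all files verified")
    print("after tampering:", tampered)
```

The second verification result is the one worth studying: the file is still there and still opens, yet the manifest shows it is no longer what left the office computer. Run `verify_backup` every time before ejecting the drive, and keep the manifest with it so the same check can be repeated wherever the drive is stored.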

Those are triage plans, which are not intended to be permanent solutions. So let’s discuss building your cybersecurity defenses/recovery systems. 

GREAT DEFENSE WINS CHAMPIONSHIPS

Let’s note that preparing for a future recovery from an attack does not mean abandoning your defenses. You will still need to maintain a firewall, an antivirus solution, email spam filtering (because this will often block email threats, not just advertisements) and a mandatory password manager so that everyone uses long, unique passwords rather than reusing one password across sites.

Multi-factor authentication (MFA) is essential for security today, even if we are tired of looking at our phones (or whatever method is employed) when we want to log in to a website. Today, it is critical to use MFA to protect online bank or investment accounts, as well as any shopping site where your credit card information is stored. Any system holding client information, your email account included, should also be guarded by MFA. 

SAFELY STORE YOUR CLIENT’S DATA

Cloud-Based Practice Management Systems

We believe that for most lawyers in medium- to small-sized law firms, the best recovery solution is also your best system to improve day-to-day operations – a subscription to a cloud-based management tool. A practice management system (PMS) doesn’t just provide a backup of the data, but it is also a tool to avoid business interruptions. What if everyone arrives at the office, but there is no power, and the utilities indicate restoration will take hours? All lawyers should have a laptop that allows them to log in to the PMS from home, enabling them to work remotely. Some staff may also do the same. It is advisable to determine in advance who will stay at the office instead of deciding during an emergency situation.

Established PMS providers spend heavily on security and employ dedicated security engineers who monitor new threats. Their systems were designed from the outset to hold client data for lawyers and have a good track record. Still, before committing, ask the provider how its backups and retention work and how you would export your data if you ever needed to leave. 

Microsoft OneDrive

OneDrive is a secure digital storage platform that is part of Microsoft 365 and usually comes with one terabyte of storage, so it is a good solution in many situations. One caveat: OneDrive syncs files to the local disk, so ransomware on a PC can encrypt the synced copies as well. What protects you is that OneDrive keeps prior versions of files and can roll the entire drive back to an earlier point in time; learn how to do that before you need it. 

Other Secure Storage Providers

There are many providers of digital storage. This is a service you will generally need to pay for, although Dropbox offers a free tier. Some people are skeptical of Dropbox, but as long as you set it up properly with MFA and a very long password, it is likely as secure as any. ShareFile is also a secure solution.

While lawyers might have been initially hesitant about embracing cloud storage of important documents, we have now come to understand that usually, an appropriately vetted and secured cloud storage provider offers better security and backup than many law firms can accomplish on their own. Regular backups, hopefully to a secure cloud-based site, are still critical both to protect client information and to provide business continuity for the firm in the event of a breach. 

LAW FIRM CYBERSECURITY AWARENESS TRAINING

Today, many, if not most, serious threats arrive in your inbox. Generative AI lets attackers produce polished, personalized phishing messages without the spelling and grammar mistakes that used to give them away. Since everyone in your firm uses email, they all (including the lawyers) should have regular cybersecurity awareness training at least annually, if not semi-annually.
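As an added example (not part of the original column, and not taken from any training guide), here is a small checker that asks of an incoming message the same questions a trained employee should ask: did the sender's domain actually authenticate (the SPF, DKIM and DMARC results your own mail server records in the Authentication-Results header), does the Reply-To point somewhere other than the From domain, and does the message lean on urgency and money? Both messages below are constructed, the domains are invented, and `mx.lawfirm.example` is assumed to be the name your mail server stamps on the results it adds.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed identifier of the firm's own mail server. Only Authentication-Results headers
# carrying this name are trusted; a sender can write any header they like into a message.
OUR_AUTHSERV_ID = "mx.lawfirm.example"

# Constructed messages. The header names are real; the domains and people are invented.
SUSPECT_MESSAGE = """\
Authentication-Results: mx.lawfirm.example; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=firstbank.example
From: "First Bank Payments" <notices@firstbank.example>
Reply-To: payments-desk@firstbank-secure.example
To: lawyer@lawfirm.example
Subject: URGENT: wire instructions updated

Please send today's wire to the updated account below.
"""

CLEAN_MESSAGE = """\
Authentication-Results: mx.lawfirm.example; spf=pass smtp.mailfrom=client.example; dkim=pass header.d=client.example; dmarc=pass header.from=client.example
From: "A. Client" <a.client@client.example>
To: lawyer@lawfirm.example
Subject: Signed engagement letter

Attached is the signed engagement letter. Thank you.
"""

PRESSURE_WORDS = ("urgent", "wire", "today", "immediately")


def domain_of(header_value) -> str:
    """'"Name" <user@host>' -> 'host' (lower-cased); empty string if there is no address."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def auth_results(msg, authserv_id: str = OUR_AUTHSERV_ID) -> dict:
    """Parse 'spf=fail ...; dkim=none; dmarc=fail ...' into {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'},
    using only headers whose leading authserv-id is our own server."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        clauses = [c.strip() for c in str(header).split(";")]
        if (clauses[0].split() or [""])[0].lower() != authserv_id:
            continue  # a header the sender could have forged, not one our server added
        for clause in clauses[1:]:
            method, _, rest = clause.partition("=")
            if rest:
                results[method.strip().lower()] = rest.split()[0].lower()
    return results


def phishing_indicators(raw_message: str) -> list:
    """Return a list of findings; an empty list means none of the checks fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Authentication: anything other than 'pass' on mail claiming to be from a bank is a red flag.
    for method, result in auth_results(msg).items():
        if result != "pass":
            findings.append(f"{method}={result}")

    # 2. Reply-To pointing away from the From domain, including lookalike domains.
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        lookalike = from_domain.split(".")[0] in reply_domain
        findings.append(f"reply-to domain {reply_domain} is not the From domain {from_domain}"
                        + (" (lookalike)" if lookalike else ""))

    # 3. Pressure and payment language in the subject or body.
    subject = str(msg.get("Subject", "")).lower()
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    for word in PRESSURE_WORDS:
        if word in subject or word in body:
            findings.append(f"pressure word: {word}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, "->", phishing_indicators(raw) or "no indicators")
```

None of these checks is a spam filter; they are the points a person should learn to look at, written down so they can be run over a message a staff member has already flagged. The authserv-id check matters: only the results your own server adds mean anything, because everything else in the message was written by the sender.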

“Training for Employees Has Never Been More Critical,” is a detailed outline for in-office cybersecurity training written by Michael Maschke, Sharon Nelson and John Simek. As many of you are aware, Sharon was my podcast teammate for many years, and recently, she and John announced their retirement from Sensei Enterprises Inc. But this guide should help you get started with in-house training.

WHO GETS ACCESS TO WHAT?

Permissions to access certain data have rarely been implemented in smaller law firms, which is understandable with a staff who may work for any of the lawyers. But artificial intelligence tools like Microsoft Copilot have exposed the flaw in not attaching permissions to sensitive documents: Copilot surfaces anything the user’s account can already read, and associates using it have stumbled onto payroll and bonus information they were never intended to see.

Sometimes, when the firm represents someone with a high profile or the matter is making headlines frequently, it may be wise to restrict information within the firm to those working on the matter. This should not be taken as a sign of any mistrust related to your team, but removing temptations can be the best practice.

CHECK FRAUD AND WIRE FRAUD

These schemes are fairly easy to recognize because they involve the same elements. A large cashier’s check appears in the office after minimal to no legal work has been done, and it is deposited in the trust account. After a rather convincing exchange of emails and sometimes phone calls, a miracle happens. The matter resolves quickly – suspiciously quickly, in fact – and the client wants the money and offers you a stunning attorney fee you can keep if you get that money wired out today.

When you look at these facts, it is almost certainly a scam. But the client will become indignant and start mentioning the bar association if you don’t wire it out today.

Today, the best practice is to do your investigation before accepting the matter. The scammers will send you information referring to real companies, but they don’t have the resources to do anything more than send you emails and call you. So, often, a few telephone calls to the people or businesses named in the solicitation email, using numbers you look up yourself rather than the ones in the email, will expose the fraud. Cited cases often do not match the numbering system for the court. And if a check does arrive, confirm it with the issuing bank and wait for the funds to actually clear; “available” is not the same as collected, and the bank will reverse a counterfeit cashier’s check weeks later.

CRAFTING AN INCIDENT RESPONSE PLAN

The incident response plan will serve your firm well in times of emergency. There are forms online for these plans, which may suggest items for you to cover. But this should not be just completing a form. You need to include your priorities in your plan, with contact information for your insurance company, outside technical assistance, all staff and maybe even that nearby lawyer who owes you a favor and usually has an empty office or two in their suite. Be sure to store several copies off-site, including a printed one: a plan that lives only on the server is useless when the server is the thing that has been encrypted.

OBA RESOURCES

December is the season for an uptick in fraudulent activity as the holidays approach. The OBA provides an online resource to help you stay vigilant. Visit www.okbar.org/scams to track current and evolving scams. 

Mr. Calloway is the OBA Management Assistance Program director. Need a quick answer to a tech problem or help solving a management dilemma? Contact him at 405-416-7008, 800-522-8060 or jimc@okbar.org. It’s a free member benefit.

Originally published in the Oklahoma Bar Journal — December, 2024 — Vol. 95, No. 10

[i] Id.
