Cybersecurity Awareness Month- Week #4

Media coverage about attacks such as the Colonial Pipeline attack, the WannaCry cryptoworm and the attacks on the Costa Rican financial and healthcare systems has raised awareness of the devastation that ransomware attacks can cause. Attacks on government agencies and companies involved in critical infrastructure have the greatest potential to cause widespread damage, but attacks on law firms can also ripple out further than initially anticipated. In this final week of Cybersecurity Awareness Month, we provide an example of one such attack and its aftermath.

The Attack

In 2017, a small litigation firm in a suburb of Kansas City discovered that its server had been breached by an international cybercrime organization. At the time of the attack, the firm was handling coverage and subrogation matters for a commercial insurance company. The insurer had been a client of the firm for about 15 years.

The firm employed outside technical and legal consultants and notified the FBI of the attack. The investigation that followed revealed that the hackers accessed data relating to 1,500 of the insurance company’s policyholders. The hackers threatened to publicize the data accessed if the firm did not pay a ransom. The firm paid the ransom and negotiated with the hackers to have the data destroyed. The firm also agreed not to disclose anything about the attack.

A year later the hackers re-established contact with the firm and accused the firm of cooperating with the FBI. The hackers again threatened to publicize some of the data accessed, revealing that the data had not been completely destroyed. When the law firm did not immediately acquiesce, the hackers contacted the firm’s client—the insurance company—and revealed that the hackers had policyholder information that came from the law firm’s server. This was the first that the insurance company had heard that any data had been compromised.  

The insurance company called in its own legal and technical consultants to plan a response. The law firm also hired a company to conduct a forensic analysis of the breach to aid in the insurance company’s efforts. The insurance company then contacted each affected policyholder to provide notice of the breach. The total cost to the insurer for technical, legal, and public relations consultants and policyholder notification exceeded $2M.

The insurance company sued the small law firm alleging breach of contract, breach of fiduciary duty, and legal malpractice. After two years of litigation in federal court, the legal malpractice claim was tried to a jury and resulted in verdict in favor of the law firm.

Lessons Learned

The experience of this firm drives home some hard truths about ransomware attacks:

• Any firm is a potential victim. Lawyers cannot rationalize lax cybersecurity by thinking that their firm is too small to be the target of cybercriminals. The firm involved in this case had four lawyers when the attack occurred.
• Cyber-attacks are costly. Although the law firm involved in this attack escaped liability, there were still significant costs, such as:
  • loss of productivity while responding to the attack
  • the cost of technical and legal consultants
  • the ransom payments
  • the cost of technology upgrades or system repairs
  • loss of a long-time client
  • loss of productivity while engaged in federal litigation
• A breach may have unanticipated consequences for the clients whose data has been accessed. In this case the insurance company had to review the insurance laws and regulations of multiple states to determine its notification responsibilities for each affected policyholder.

How to Apply the Lessons Learned

As with most cyberattacks, the starting point for protecting against a ransomware attack is education. Everyone in a law firm who uses a computer should be trained to understand how ransomware attacks happen and how to avoid them. OBLIC policyholders can use OBLIC’s Cyber Toolbox for that educational material. Here are some other tips:

• Lawyers should make cybersecurity a priority by:
  • Periodically auditing existing systems for security vulnerabilities and opportunities to improve cybersecurity
  • Using strong passwords and two-factor authentication
  • Keeping anti-virus software updated and using it appropriately
  • Regularly backing up data somewhere disconnected from the law firm’s network
  • Developing an incident response plan in case of a breach
• Lawyers should carry cyber insurance coverage with appropriate limits
• If a breach occurs, lawyers must act quickly to identify the clients affected, and provide sufficient notice for clients to make an informed decision about how to proceed. Notify OBLIC immediately after contacting your IT professional. The cyber coverage included in the OBLIC policy may provide assistance.

For more information, we recommend the following:

• Ransomware- Critical Information You Need, OBLIC Alert, August 10, 2021
• Is Your Backup Secure?, OBLIC Alert, February 14, 2020
• Addressing Ransomware Threats, OBLIC Alert, January 20, 2019
• Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, ABA Formal Opinion 483
• Securing Communication of Protected Client Information, ABA Formal Opinion 477R
• Hiscox Insurance Company, Inc. et al. v. Warden Grier, LLP, Case No. 4:20-cv-00237-NKL, Western District of Missouri

As always, if you have any questions, please contact us. We are here to help!