New Cyber Threats Pose a Challenge to Law Firms
By: Matthew Magner, J.D., CPCU, RPLU
Cyber threats seem to be the number one concern for law firms these days, and with
good reason. While all law firms are at risk of a data breach, former ABA President,
Laurel Bellows, declared that small law firms, in particular, have become cyber
criminals’ latest victims. In 2011, Mandiant, an information security company, estimated
that 80 U.S. law firms were hacked; looking at more recent studies, it’s not difficult to
imagine that the number of law firm data breaches has since increased significantly. In
2014, data breaches worldwide totaled 1,540, up 46% from 2013, representing almost 1
billion data records that were either lost or stolen according to a report by digital security
firm Gemalto.
As companies find ways to prevent data breaches, the criminals continue to come up
with new techniques to steal valuable data. Following are several evolving trends that
pose significant security threats to law firms that can be difficult to prevent. However, by
educating law firm staff about these trends as well as best practices to protect valuable
data, law firms can make it more difficult, if not impossible, for criminals to steal data.
The WiFi Pineapple is not as sweet as it sounds. With a simple Google search, anyone
can purchase this inexpensive device that looks like, and mimics, a wireless router. The
Pineapple can pretend to be a legitimate Wi-Fi source, enabling a cybercriminal to
intercept transmissions, record keystrokes or redirect victims to malicious websites. For
instance, law firm staff accessing free Wi-Fi while staying at a hotel during a business
trip or catching up on e-mails at a favorite coffee shop could find that their laptop or
smart phone is being intercepted by a Pineapple device that is capturing user names
and passwords.
Side channel emissions are tiny signals emitted by an electronic device, such as a
laptop or smart phone, even when it’s not connected to the Internet, that can offer
hackers a big win. Hackers, located several feet away from the device or even in
another room, can listen to these signals and hijack what is being typed. For instance,
an attorney preparing a sensitive trial strategy report on an airplane may not realize that
the laptop will emit acoustic signals that can be picked up by an antenna, microphone or
radio placed nearby, possibly hidden in a briefcase, and provide the hacker with
valuable attorney-client information, without the attorney ever accessing the internet.
Another threat to law firms is office copiers, fax machines and printers, which often
contain hard drives not unlike those in desktop computers. These hard drives are
capable of storing massive amounts of information; this may include tax returns,
medical records, financial information and more. In some cases, vendors or employees
may access these hard drives without authorization, or criminals may “rescue”
discarded copiers/fax machines/printers and their hard drives that still contain valuable
data.
Law firms can help mitigate their exposure to these new threats as well as other data
breach risks by following best practices.
• Look Alert. Employees should be aware of their surroundings when they access
the Internet outside of the office, especially if someone has placed an unusual
object nearby; it could be a device that is capturing keystrokes. Tell employees
to try to avoid logging on to password protected sites while using public Wi-Fi.
• Wipe It Clean. Confirm that encryption technology is used for hard drives in
printers, fax machines and copiers, and that the data is wiped or destroyed prior
to disposal of the device. Never use a public copier for sensitive information.
• Take Precautions. Turn off the Wi-Fi on electronic devices when you don’t need
an Internet connection, and only use a network that is WPA-encrypted and
requires a password. Consider purchasing VPN (virtual private network)
software or an App for your mobile device that will encrypt your connection.
Law firms should also consider consulting with a legal professional regarding their
practices and purchasing a cybersecurity (network security and privacy) policy. Most
lawyers’ professional liability policies require that the definition of “professional services”
be triggered for liability claims and do not extend coverage to the myriad of first-party
exposures such as forensic and compliance assessment expenses, notification costs,
business interruption expenses, fines and penalties, and extortion demands. But
perhaps the most important line of defense is education. Educating law firm staff about
these trends and best practices can help keep hackers out of your firm’s network.
Matt Magner is a senior underwriting officer for the Chubb Group of Insurance
Companies and can be contacted at mmagner@chubb.com.