Protecting Data: Cybersecurity Tips

For those of you pressed for time, the tips are in this post from the ABA Journal.  For the rest of you, I will now return to our regularly scheduled programming.

The phishing scam I warned about yesterday turned out to be a false alarm; a case of the school that conducted a fire drill without notifying the fire department.

Still, I’ll channel my inner Dwight Schrute:

FACT: lawyers and law firms are frequent targets of phishing scams & malware/ransomware attacks.

Some readers asked what the perpetrators of a phishing scam hope to gain by targeting lawyers and law firms.

Access to information.  Either yours or your clients’.

For example, be wary of an unsolicited e-mail that asks you to click on a link and confirm an account number or password.  This is obvious, correct?  If you respond, what have you done?  That’s right – you’ve given out an account number and its password.

Lately, there’s been a rash of well-publicized phishing scams designed to release malware or ransomware. In some instances, the malware provides the scammer with access to data – account numbers, passwords, secure client information.  In other instances, ransomware encrypts an office’s data.   And by “encrypts” I mean “prevents the office from accessing the data unless or until a ransom is paid.”  Think I’m exaggerating?

The Providence Journal has this story about a firm that was locked out of its data for three months earlier this year.  The firm paid a ransom, then paid another, lost $700,000 in billings, and is in litigation with its cybersecurity carrier.  Oh yeah, and how about being in the news for  having had confidential information breached?  Probably not the marketing campaign most of us would choose.

Or, from the FindLaw blog: last year, a prosecutor’s office in Pennsylvania paid a ransom to release files that had been locked after an employee clicked on a link in an e-mail that the employee believed to be from another government agency.  Sound familiar?  It should – that was yesterday’s pseudo-scam: an invitation for lawyers to click on links in an e-mail that appeared to be from the “ethics board.”

It’s not just small firms and state agencies that are at risk.

DLA Piper is one of the largest firms in the U.S. and has offices all over the world.  Last June, DLA Piper issued this cybersecurity advice in response to a global ransomware attack.  Unfortunately, and as reported by Above The Law, DLA Piper fell victim to a similar attack shortly after issuing the warning.

Today, I came across a post in the ABA Journal: Practical cybersecurity for law firms: How to batten down the hatches.  Give it a read.  It’ll be worth your time.

Remember: the Rules of Professional Conduct impose a duty to act competently to safeguard client information.  I understand that some of you worry that your unfamiliarity with technology will make you look silly if you ask for help.  Stop worrying. Doing nothing other than hoping that it doesn’t happen to you is not a reasonable alternative.

Safeguarding data