By Lyndon T. Nkomo
Introduction
Cyber attacks are a reality, and most law firms are unaware, when a breach occurs, that they have been compromised. A single attack can have a global reach in its impact, and that signifies the gravity of cyber terrorism. The Internet’s strength is actually its weakest link. The interconnection of networked computers that creates the information superhighway makes it possible for a single release of viral software to spread rapidly around the digital world through billions of unsecured computer-related devices. A recent report on the BBC website indicates how a single cyber-attack infected billions of computers worldwide. It also raised the need to ensure that cybersecurity breaches are regarded as national security threats. The BBC reported that:
“A cyber-attack that has hit 150 countries since Friday should be treated by governments around the world as a "wake-up call", Microsoft says. It blamed governments for storing data on software vulnerabilities which could then be accessed by hackers.”[1] These attacks amount to global terrorism and can no longer be ignored. The WordPress attack which affected the UK earlier in the year targeted a huge number of law firms as well.
Issues
Whilst the majority of law firms in Zimbabwe may not be using sophisticated cyber defence systems, it is important to note that law firms elsewhere are not spared from cyber attacks. Cyber criminals are targeting law firms for the sensitive data which they hold on behalf of their clients. It is reported that:
…at least 80 of the 100 biggest law firms in the country, by revenue, have been hacked since 2011 and the 2015 Legal Technology Survey Report from the American Bar Association found that 15% of firms have been the victims of a breach.[2]
In the same article published by Law Technology Today, it is reported that:
There are over 4,000 cyber attacks every day. That’s 170 attacks every hour, or nearly three attacks every minute. That alone is a scary thought for anyone running a business, but for law firms whose currency is built on the inherent trust they receive from clients, it is especially troubling. Yet, most firms do not even know they have been compromised when an attack occurs. By the time firms have realized a breach has happened, significant damage has already been done and most are not sure where to turn to for help.[3]
The figures are alarming, and they are a clarion call for law firms to be more vigilant as the digital era advances. With more technological innovations taking place, the risk of attacks increases as more avenues for cyberattack open up with the emergence of the Internet of Things (IoT). Cyber defence mechanisms can no longer be left in the hands of IT specialists alone, as such matters are now issues of strategic importance. Knowledge of how cyber attacks occur and their potential impact on the business has become a serious matter on the risk matrix of a law firm. A law firm can potentially be shut down by a data security breach and the potential liability arising from it. The data security breach at Mossack Fonseca in the Panama Papers scandal is a warning of what might possibly happen to a law firm whose data security has been breached. The judgment of the Eastern Cape Local Division High Court in John Andre Lochner vs Schaeffer Incorporated and Monae Schaefer and Tania Schaefer Case no. 3518/16 is a case in point, in which a law firm was sued for negligence arising from a cyber-fraud. The key success factors in any law firm’s business are client confidence and trust. As a result, any loss of sensitive information to cybercriminals is likely to violate these cardinal values.
There are three key areas in cybersecurity: (i) the legal concepts of cybersecurity, (ii) the technical concepts of cybersecurity and (iii) the business impact of cybersecurity. Whilst most lawyers are interested in the legal concepts of cybersecurity, it is also notable that they are largely unconcerned with the technical concepts of cybersecurity because they think that it is an area for Information Technology technicians. Other lawyers are not worried about the potential impact of cybersecurity breaches on their businesses, as some effects of cyber attacks do not appear immediately but only after some time. It is important for law firms to begin to be wary of such cases, just like many other businesses which deal with sensitive and valuable information. They must realise that they are also potential targets for cyber attacks. A report from the Legal Technology Survey shows that in 2015 about 15% of law firms in the US were victims of cybersecurity breaches. David G. Ries notes that:
According to the 2015 Survey, about 15% of respondents overall reported that their firms had experienced a security breach at some point. The question is not limited to the past year, it’s “ever.” A breach includes incidents like a lost/stolen computer or smartphone, hacker, break-in, or website exploit. This compares with 14% in 2014, 15% in 2013, and 10% in 2012.[4]
These numbers indicate that there is a need for lawyers to be more vigilant in this area, and it must be emphasised that this is not a remote risk for law firms in Zimbabwe. The limited knowledge about the Zimbabwean market arises from a lack of empirical evidence: no surveys have been done to establish the risk levels faced by Zimbabwean law firms in relation to cybersecurity, and no major breaches have been reported as yet in this regard. However, this does not mean that they have not yet occurred. It only means that when such breaches occurred, some lawyers may not have appreciated the gravity of their potential impact. One article suggests that in some cases the full effects are felt a year or two after the incident. This means that the Law Society of Zimbabwe must begin to consider ways and means of establishing and implementing ethical rules that would ensure that law firms using cyber technologies have adequate security to protect their clients’ information. For instance, the American Bar Association has ethical rules that oblige lawyers to take competent and reasonable measures to secure their clients’ information. David G. Ries notes that:
The ethics rules require attorneys to take competent and reasonable measures to safeguard information relating to clients (ABA Model Rules 1.1 and 1.6). Attorneys also have common law duties to protect client information and often have contractual and regulatory obligations to protect information relating to clients and other personally identifiable information, like health and financial information. These duties present a challenge to attorneys using technology because they are not technologists and often lack training and experience in security. Compliance requires attorneys to understand limitations in their knowledge and to either obtain sufficient information to protect client information, or to get qualified assistance if necessary…[5]
The need for information security in the digital era can never be overemphasised. To help law firms consider this issue, David Myers, a cybersecurity expert, suggests that lawyers must ask themselves the following three key questions in relation to cybersecurity:
- How safe are your firm’s operations?
- How do I identify cybersecurity issues?
- Can we use cloud computing in the practice of law?[6]
It would be interesting to know whether there are any law firms in Zimbabwe that are sure about the security of the data they hold on behalf of their clients. It must be pointed out that for as long as a law firm has access to the internet, there is always a door for a possible cyber attack. Thus, it is always important to ensure that the law firm’s operations run on competent and reasonably secure cybersecurity systems which do not give cyber intruders easy access to the firm’s database.
In order to achieve this degree of security, it would be prudent for the law firm to be able to identify potential cybersecurity risk issues within its network. This exercise would entail the law firm developing a cybersecurity risk matrix which would help it to identify potential breaches, the likelihood of each breach happening, the potential impact on both the business and the firm’s operations should it happen, and the mitigating measures which the firm must take in order to reduce both the likelihood of the breach and its impact on the business and operations of the firm. The risk matrix should always be on the agenda of the meetings of the executive partners of the law firm.
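The risk matrix described above can be kept as a small scored register. The following Python script is an added illustration, not part of the original article or of any tool it cites: it scores each risk on ordinal likelihood and impact scales, applies the firm’s chosen mitigations to obtain a residual score, and lists the items that still warrant the executive partners’ attention. The risk entries, the scales, the mitigations and the thresholds are all constructed assumptions for the example, not survey data.

```python
"""Cyber risk register for a law firm: likelihood x impact with mitigations.

Added example. Every risk, mitigation and score below is a constructed
illustration of the risk-matrix exercise, not data from any source.
"""
from dataclasses import dataclass, field
from typing import List

# Five-band ordinal scales, as used in simple qualitative risk matrices.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Mitigation:
    """A control the firm commits to; each one removes whole bands of score."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    mitigations: List[Mitigation] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Score before any mitigation: likelihood band times impact band."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Score after mitigations; a band never drops below 1 (risk is never zero)."""
        like = LIKELIHOOD[self.likelihood] - sum(m.likelihood_reduction for m in self.mitigations)
        imp = IMPACT[self.impact] - sum(m.impact_reduction for m in self.mitigations)
        return max(1, like) * max(1, imp)


def rating(score: int) -> str:
    """Map a 1..25 score onto the traffic-light bands of the matrix (assumed cut-offs)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_sample_register() -> List[Risk]:
    """Constructed register for a small conveyancing practice (illustrative only)."""
    return [
        Risk("Forged client email diverting conveyancing funds", "likely", "major",
             [Mitigation("Telephone call-back on every change of bank details", likelihood_reduction=2)]),
        Risk("Ransomware encrypting matter files", "possible", "severe",
             [Mitigation("Offline, regularly tested backups", impact_reduction=2),
              Mitigation("Prompt operating-system and antivirus updates", likelihood_reduction=1)]),
        Risk("Lost or stolen laptop holding client files", "possible", "moderate",
             [Mitigation("Full-disk encryption on all laptops", impact_reduction=2)]),
        Risk("Defacement of the firm's website", "possible", "minor"),
    ]


def partners_agenda(register: List[Risk], threshold: str = "medium") -> List[Risk]:
    """Risks whose residual rating is at or above the threshold, worst first."""
    order = {"low": 0, "medium": 1, "high": 2}
    items = [r for r in register if order[rating(r.residual_score())] >= order[threshold]]
    return sorted(items, key=lambda r: r.residual_score(), reverse=True)


if __name__ == "__main__":
    register = build_sample_register()
    print(f"{'Risk':<55} {'Inherent':>8} {'Residual':>8}  Rating")
    for r in register:
        print(f"{r.name:<55} {r.inherent_score():>8} {r.residual_score():>8}  {rating(r.residual_score())}")
    print("\nFor the executive partners' agenda:")
    for r in partners_agenda(register):
        print(f" - {r.name} ({rating(r.residual_score())}, residual {r.residual_score()})")
```

The point of the residual column is that a mitigation is only worth recording if it actually moves a risk down the matrix; anything still rated medium or high after the committed controls is what belongs on the partners’ agenda.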
It is important to emphasise that privacy and confidentiality of data are fundamental ethical values of the practice of law, without which the practice of law will lose public trust and confidence. At the RSA Conference 2016, the Hubbard Decision Research[7] presentation made a very important remark in response to the question “What is your single biggest risk in cybersecurity?”; the answer they gave was “How you measure cybersecurity risk.”[8] This is a very critical observation, as it determines what measures, if any, should be put in place to respond to cyber risks. However, for some law firms, particularly those in Zimbabwe, that question may sound premature, in the sense that one must first ask how many law firms are using the internet in the practice of law and whether those lawyers appreciate the possible cybersecurity breaches and how they occur. In fact, the assumption made in the Hubbard Decision Research presentation is that one already knows the potential cybersecurity risks and how to identify them. That question is more applicable to law firms in the developed world. Nevertheless, it should not be assumed that there are no potential cybersecurity issues that can arise in an environment like Zimbabwe. The recent ransomware attack which affected over 4000 computers in 152 countries around the world did not spare Zimbabwe. Therefore, there is a need for lawyers to make conscious decisions about how to deal with the risk of potential cybersecurity breaches.
General Misconceptions by Lawyers
According to David Myers, there are some general misconceptions held by lawyers which end up making them easy targets of cybercrime.[9] The first misconception is that they say “I am not the target; it’s the big law firm.” The size of the law firm does not matter, but the value of the transaction does.[10] This point is best illustrated by what was reported in the Financial Times of 30 December 2016, wherein Brooke Masters wrote that:
“Willie Sutton, the notorious US outlaw, famously said he robbed banks “because that’s where the money was.” Now hackers are going after law firms for exactly the same reasons…US prosecutors charged Chinese traders with securities fraud, saying they made more than US$4m trading on information stolen from two of US’s best-known law firms”[11]
In the digital world, the motivation to commit cybercrimes is found in many cases in the nature of the data held by the potential victim and its potential monetary value both to the data subject and the would-be perpetrator.
The South African case of John Andre Lochner vs Schaeffer Incorporated and Monae Schaefer and Tania Schaefer Case no. 3518/16 (Eastern Cape Local Division) illustrates this point. The cyber criminals in this case forged an email address of the client in order to get its lawyers to remit funds, associated with conveyancing work they were doing on behalf of the client, into a wrong account. An amount of R512 720.13 was stolen, and this created a potential liability on the part of the lawyers concerned and later became the cause of action for the dispute. This matter shows that it is not the size of the firm that matters, but the value of the business or data which the law firm is handling on behalf of some data subjects, that attracts illicit cyber intrusions.
David Myers also notes that it is not only the value of the data, but also the value of the client’s business partners, or of the people doing business with the lawyers’ clients, that may attract potential cybersecurity breaches. In an article which appeared in the Financial Times, it was noted that:
The US Securities and Exchange Commission said the hackers targeted seven firms known for their mergers and acquisitions work, hitting them with more than 100,000 attacks over a three-month period. They then struck gold with two organisations. After installing malware on each law firm’s computer network, they gained access to their IT departments and from there broke into the files and emails of senior M&A lawyers. They ended up stealing nearly 60 gigabytes of data related to at least 10 potential deals.[12]
What is clear in these cases is that the attacks were not targeting the law firms for their size but for the nature of the business they transacted and the parties involved in those transactions. Whilst the breaches may have happened in the US, it does not mean that Zimbabwean law firms cannot be targeted in the same way. As long as some of them are holding valuable data, the possibility of cyber attacks will always exist.
Some lawyers erroneously think that if they have antivirus software, they have adequate protection against cyberattack. Hackers are not deterred from attacking a target because of antivirus software. If antivirus software were able to deter attacks, then few data sources would be subjects of potential cyber attacks. Neill Feather argues that:
Enterprise solutions do not work for smaller firms and existing solutions are expensive, complicated and require high technical skill. These options may be ideal for large firms, but small firms need solutions that fit within their means. In this void, consumer antivirus is pervasive. Often, firms assume server protections for data centres and endpoint security provide sufficient protection. While they do protect parts of the IT infrastructure, their scope is limited.[13]
This quote indicates that antivirus software does not provide 100% protection, but that the scope of protection is limited. As rightly submitted by David Myers,[14] there is not a single technology that provides a 100% defence against cyber attacks. The explanation by Thomas J. Holt et al.[15] of the limitations of antivirus software reveals why it is important not to rely fully on antivirus software alone as a source of protection. They submit that:
The benefit of antivirus software is that it can help to reduce the risk of malware being able to actively infect a protected system… The definitions that the software has on file run the risk of being outdated every day, as new variants of malicious codes are being produced all the time.[16]
Thus, for as long as the targeted variants of malicious code keep changing, there will always be limitations on the scope of protection which antivirus software offers, and that places an obligation on potential victims to keep up to date with the software updates that the manufacturers of the antivirus software regularly offer. It will also be important for the law firm to have a backup storage system for its data that is itself regularly updated, to ensure that the law firm will be able to fall back on its backed-up data if its live data sources are corrupted by viral software attacks. A layered approach to cyber protection is important, as there is no single solution that will be able to thwart all potential cyber attacks on the firm’s network.
Another misconception emanates from the trust that we accord without question to IT technicians who are given access to maintain internal networks. It is possible for some delinquent and unethical computer technicians to plant malicious bugs in computers, causing them to be inefficient or to act as launch pads for attacks on other people’s computers by secretly repurposing a firm’s computers for criminal activities. This is not a farfetched possibility, and having worked for a mobile telecommunications company in Zimbabwe whose prepaid platform was maintained and serviced by a service provider based in Dubai, I have first-hand experience of this possibility. The service provider had the ability to access the prepaid platform remotely by dialling into the network and could correct some technical issues on many occasions through this method. However, we came to experience that whenever they had not received their maintenance and support fees on time, they would find a way of slowing down the efficiency of the system through the same method, and as soon as they were paid the prepaid platform would begin to run efficiently again. This is a matter that raises ethical issues about how computer maintenance technicians who have access to sensitive corporate information or networks should behave during and after attending to an incident or fault, or as they carry out their regular maintenance routines.
Some computer technicians who are engaged to undertake maintenance work do not belong to any professional association which regulates their conduct. Regrettably, it also appears that there are no regulatory bodies that deal with ethical and disciplinary issues involving computer technicians in Zimbabwe, and yet they pose risks which may be dangerous to business. Furthermore, it may also be difficult to trace attacks back to them.
Some law firms also have the misconception that, because they are a small firm, no one will have the desire to hack into their system. That is wrong. Hackers do not always hack for data; they also look for easy targets which they can use to attack other data subjects, so as to avoid being quickly traced. This is more like guerrilla warfare against potential data subjects.
The case of Cates Machine and Welding provides an example of hackers who used their victim’s old computer to hack into a:
…Silicon Valley food delivery start-up, a major Manhattan law firm, one of the world’s biggest airlines, a prominent Southern University and a smattering of targets across Thailand and Malaysia.[17]
The hackers are able to use a law firm’s computer to launch cyber attacks on other victims, making it difficult for them to be detected. This is a tactic similar to that of a thief who hijacks a motor vehicle, uses it as a tool to commit a criminal offence and thereafter dumps it by the roadside. Cates Machine and Welding’s computer was repurposed by hackers and used to attack the victims identified above. Another interesting example is that of Internet of Things gadgets, in this case webcams connected to the internet. CBS News reported in 2014 that a Russian website was able to hack into webcams that were connected to the internet; most of these cameras belonged to people who had not changed their default passwords, and it was indicated that over 4000 webcams in 152 countries fell victim to this type of hacking.[18]
It is important for law firms in Zimbabwe to get rid of the false sense of security that they may not be targeted because they run small law practices. It could also be that they have not noticed, or are not aware, that their computers are being used as launch pads for virtual attacks on unsuspecting victims. Anyone anywhere can be a victim, and the recent attack by the WannaCry ransomware virus in over 104 countries did not spare Zimbabwe.[19] Information security issues in the digital age have elevated cyber risk to a permanent agenda item in boardrooms across the world. Therefore, it is important for organisations to formulate key strategic performance indices on the minimisation or exclusion of cyber risks, because of the serious ramifications which cybersecurity breaches may have on the business. It will be useful to examine the validity of this assertion by looking closely at the business impact of cybersecurity breaches, as noted below.
Business Impact of Information Breaches
First it was the interconnection between humans and machines, and now it is machine-to-machine interconnection via the internet, establishing what is known as the Internet of Things (IoT). A policy options paper prepared by Joshua Meltzer notes that:
The internet is transforming how goods and services are used and delivered, as businesses offer online services (such as monitoring of equipment or data analysis of product use) in combination with goods, such that the services component is an increasingly significant share of the overall product value. Businesses are using the Internet to reach consumers globally, which is also driving international trade.[20]
He further noted that the e-commerce global market had a value of US$16.5 trillion in 2016, when the paper was released, and that “the World Bank has found that a 10% increase in broadband penetration results in a 1.38% rise in economic growth in developing countries and 1.21% in developed countries.”[21] These are big numbers, and what would be interesting to establish is the potential loss of business in the event of cybersecurity breaches. In December 2016 Yahoo reported that almost 500 million email addresses had been hacked and stolen from it, and this was in addition to another hacking incident that occurred in September 2016.[22] Wired magazine further reported that Verizon, which was in the process of acquiring Yahoo, asked for a billion-dollar discount on the US$4.8 billion deal and that the transaction was likely to be affected by the recent disclosure. For law firms, any data security breach is likely to affect the firm’s reputation. Tim Lince, in his piece, outlines how some law firms in the UK fell victim to cyber attacks following the WordPress hacking which targeted a number of law firms. The impact of the hackings in these cases was construed as follows:
David Gibson, VP of strategy and market development at security firm Varonis, tells us, the appearance of being insecure could be enough to scare off clients. “Having your website defaced isn’t going to make clients feel any better about your data security practices,” he explains. “We don’t need to look past the Panama Papers to remember what happens to client trust when their data is stolen. So everyone needs to be worried about security these days, including the small businesses running WordPress sites. Law firm clients will likely go elsewhere if their firm suffers a data breach or they feel their information is vulnerable, and a website defacement isn’t going to help anyone’s confidence.”[23]
The reputational damage suffered by the Mossack Fonseca law firm in Panama, and the subsequent arrest of its founding partners, will make it hard for the firm to regain the trust and confidence of its clients, as it is going to remain in the spotlight for a very long time for the wrong reasons. The Panama Papers scandal literally killed their thriving business, and this scandal, among many other issues, underscores the importance of ensuring that data security is not tampered with. The values of trust, privacy and confidence are critical to the success of any law firm.
Conclusion
It is therefore important for law firms to begin to take issues pertaining to data security seriously and to take all such steps as may be necessary to implement measures that will enhance cybersecurity within their practices. As the Internet of Things continues to grow, the risk of cybersecurity breaches will also continue to rise. The Law Society of Zimbabwe may need to review the adequacy of its ethical rules pertaining to data security, privacy and confidentiality by accordingly increasing the weight of the obligations of law firms in this regard.
[1] “Microsoft warns ransomware cyber-attack is a wake-up call”, 15 May 2017, Available at http://www.bbc.com/news/technology-39915440# accessed on 15 May 2017.
[2] Neill Feather, “Don’t Let Your Law Firm Get Served with Cyber Attacks”, July 18, 2016, available at http://www.lawtechnologytoday.org/2016/07/dont-let-law-firm-get-served-cyber-attacks/ accessed on 9 May 2017.
[3] Ibid
[4] David G. Ries, “Security”, ABA TechReport 2015, Available at http://www.americanbar.org/publications/techreport/2015/Security.html Accessed on 12 May 2017.
[5] Ibid
[6] David Myers, Cybersecurity for law practices, available at https://www.youtube.com/watch?v=DEwzzNnuzBU Accessed 12 May 2017.
[7] Richard Tiersen and Douglas Hubbard, ‘How to measure anything in cybersecurity risk’ Available at https://www.rsaconference.com/writable/presentations/file_upload/grc-w05-how_to_measure_anything_in_cybersecurity_risk.pdf Accessed on 12 May 2017.
[8] Ibid, Slide 4.
[9] David Myers, Cybersecurity for law practices, available at https://www.youtube.com/watch?v=DEwzzNnuzBU Accessed 12 May 2017.
[10] Brooke Masters, “Lawyers and accountants are prime targets for cyber-attacks”, December 30, 2016, Available at https://www.ft.com/content/f52f6fee-ccf4-11e6-864f-20dcb35cede2 Accessed on 9 May 2017.
[11] Ibid
[12] Note 10 above.
[13] Note 2 above.
[14] Note 6 above.
[15] Thomas J Holt, Adam M Bossler, Kathryn C Seigfried-Spellar, Cybercrime and Digital Forensics: An Introduction, Routledge, 11 Feb 2015.
[16] Ibid, page 107.
[17] Nicole Perlroth, “The Chinese Hackers in the back Office”, June 11, 2016, Available at https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html?_r=0 Accessed on 15 May 2017.
[18] Charlie D'Agata, “Is someone spying on you through your webcam?” November 20, 2014, Available at http://www.cbsnews.com/news/russia-webcam-hacking/ Accessed on 16 May 2017.
[19] L.S.M Kabweza, “WannaCry Ransomware: Zimbabwe among countries hit by latest massive cyber-attack” Available at http://www.techzim.co.zw/2017/05/wannacry-ransomware-zimbabwe-amoung-countries-targeted/ Accessed on 16 May 2017.
[20] Joshua P. Meltzer, “Maximizing the Opportunities of the Internet for International Trade”, E15 Expert Group on the Digital Economy – Policy Options Paper, E15Initiative, Geneva: International Centre for Trade and Sustainable Development (ICTSD) and World Economic Forum, Available at http://www3.weforum.org/docs/E15/WEF_Digital_Trade_report_2015_1401.pdf Accessed on 16 May 2017, page 6.
[21] Ibid.
[22] Lily Hay Newman, “Hack brief: Hackers Breach a Billion Yahoo Accounts. A Billion.” 14 December 2016 Available at https://www.wired.com/2016/12/yahoo-hack-billion-users/ Accessed on 16 May 2016
[23] Tim Lince, “Law firm websites hacked due to WordPress exploit; expert warns of reputational risk of cyber security incidents”, 15 February 2017, Available at http://www.worldtrademarkreview.com/blog/detail.aspx?g=e1a097c7-1a26-4534-9ad0-516cce0dc2ce Accessed on 15 May 2017.