This week’s CaseByte is different from previous issues. In this issue we want to highlight a real cyber threat relevant to all law firms – hacking groups targeting law firms.
In a July 2020 security report by the respected and well-known cyber security firm Kaspersky, researchers uncovered a new hack-for-hire mercenary group that targets law firms. The group's main modus operandi is to use spear-phishing campaigns to steal sensitive business and financial data belonging to clients of law firms.
The article goes on to say that the hacking group currently focuses its cyber campaigns on law firms in Europe. Would it be easy for the hacking group to direct its attention to firms located in the United States? Yes! The nature of the Internet makes it possible to target any organization worldwide quickly and with little effort.
"...the size of the law firm does not matter." says the American Bar Association.
US law firms have been and continue to be subject to cyber-attacks. The American Bar Association (ABA) touched on this topic in an article back in 2013. Recognizing the immense risk, the ABA made revisions to the Model Rules of Professional Conduct (ABA Rule 1.1, ABA Rule 1.6) which, according to the ABA, “…require attorneys to take notice, understand technology risks, and protect their client information from inadvertent or unauthorized disclosure or access…”
Separately, the ABA Cybersecurity Legal Task Force stresses that cyber threats against law firms are real, no matter the firm's size.
Typically, the objective of a hacking campaign is to gain access to sensitive data and attempt to exfiltrate such data, or to gain a foothold for surveillance, all while remaining undetected. Taking the ABA’s observations into account, perspectives such as “our firm is too small, and the larger firms need to be concerned about this…” or “we don’t have any data that hackers would want…” are misguided. With client data being the main driver for hackers, it is necessary to consider that your client’s business may be the actual target of the attack.
Changing the narrative to clients being the objective raises the question: what type of information are law firms entrusted with by their clients? Routinely, law firms receive or develop highly sensitive attorney-client privileged data, merger & acquisition (M&A) information, intellectual property or patent information, contract negotiation strategies, eDiscovery data, case strategies, employee records, patient data, government documents, and more. When such sensitive data resides inside a client’s network, the client has control and the responsibility to protect it. However, when legal matters arise and data is exchanged with law firms, the law firm now shares the responsibility for protecting the sensitive information.
Cyber security and data protection are complex topics that cannot be solved in a single conversation. By raising awareness of this real and targeted cyber threat against law firms, we hope to encourage dialogues and actions to make it more difficult for hackers to gain access to sensitive information.
Hackers hit A-list law firm (https://www.bbc.com/news/technology-52632729)