Despite having attended ABA TECHSHOW for many years, I still find it easy to answer the question, “What session do you remember the most?”
The answer is not a session filled with tech tips, or a keynote focusing on trends driving the legal technology world. Ironically, the most memorable session was one I didn’t plan on attending but stopped in because I had time to kill. In retrospect, the session is as relevant today as it was when I heard it at TECHSHOW 2008. In some ways, the lesson is the same, and applies to virtually every situation. But in other ways, it sent a message that now applies to the world of cybersecurity hackers.
The 2008 program focused on how a few law firms based in New Orleans had prepared for and were able to operate during Hurricane Katrina. Even though I believed I would never be the victim of a hurricane, I decided to stop in and listen. The program turned out to be enlightening, and its lessons remain with me well over a decade later: Advanced planning is necessary, and it works. But sometimes we all need to hear this message again.
In 2008, I was naïve and believed that being unable to go to my office only happened “there” and to “them.” As this column will discuss, the need for advanced planning applies to all of “us,” and law firms still need to do more to prepare for what may seem to be the unthinkable, including cyberattacks, that make it impossible to access any of your firm’s technology and data.
I have thought about that session many times over the years. At times I see its relevance when performing mundane activities in the office such as inserting to-dos in my case management system, knowing that I would forget to do the scheduled item without a reminder.
I see the relevance when I purchase a new cell phone, remembering how the firms impacted by Hurricane Katrina purchased cell phones for their entire staff, using phone numbers from throughout the country, to assure that everyone could keep in touch and that inoperative cell towers would not hamper firm communications.
I saw the relevance during the pandemic when many firms were unprepared to work remotely. Instead of recognizing the many circumstances (not just a pandemic) when remote access might be necessary for staff, they failed to have in place any methods or protocols to address those situations. Instead of recognizing situations when staff may need to access the firm’s client data remotely, they chose not to digitize documents, making remote work impossible. And instead of recognizing that non-digitized documents are of no value when staff is accessing the firm remotely, they continued to employ the paper-centric systems that were in place before computers existed.
I saw the relevance during the pandemic when solo attorneys became ill and were unable to operate their practices. In many states, there are no requirements in the Rules of Professional Conduct or in attorney licensing provisions mandating that solo attorneys designate successor or emergency counsel to oversee their offices in the event of sudden illness or death. This lack of advanced planning left clients without an attorney, made it impossible for clients to access their IOLTA funds and prevented families who stored original estate planning documents with the attorney from obtaining them after a loved one had passed.
I saw the relevance during the pandemic when firms failed to have appropriate backup and fail-safe systems in place that would kick in should their servers or cloud storage go down. Because many offices were closed, and access was forbidden, attorneys found themselves with no way of working with client and other data.
As Benjamin Franklin said, “By failing to prepare, you are preparing to fail.”
That adage, a paraphrase of the 2008 TECHSHOW session, struck home over the past few days and months as I was preparing to write this column.
There were disasters everywhere. There was Hurricane Ida, which caused different devastation from Katrina, but nonetheless was crippling in its own way. In the Philadelphia area where I live and work, we not only experienced torrential rains and flooding, but also tornados that wiped away homes and buildings with ease. The flooding itself was biblical. For example, I-676, the main artery through the city, was flooded so high that it reached just below the overpasses above the roadway. One person performed an Olympic-worthy dive into the water, while others floated on rafts or went swimming while rescuers were pumping out the water.
The hurricane and accompanying tornados also impacted law firms. Many lawyers could not get to their offices because of closed roads and flooded buildings. Courts were closed. Some office buildings had such extensive structural damage that was estimated that it would probably be weeks or months until it was safe to access them.
There was similar devastation in other cities. New York City’s subway system, the main method many lawyers and staff use to commute to their offices, looked like the inside of a waterpark ride. Highlighting the impact of the weather, The Washington Post reported that “Nearly 1 in 3 Americans live[d] in a county hit by a weather disaster” since July 2021, a conclusion based on the Post’s analysis of federal disaster declarations.
The problem caused by weather, wildfires and other events, which prevented law firms from opening or many staff from getting to work, is not a one-time situation. While the COVID- 19 pandemic was yet another wake-up call, many firms remained unprepared for the unexpected.
Weather is only one aspect of the problem that arises when firms do not prepare. There are other more predictable events that have closed offices, and they have nothing to do with the weather.
What caught my eye was an alert, Ransomware Awareness for Holidays and Weekends, issued jointly by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA.) The alert placed an exclamation point on the need to prepare for the worst. In the release accompanying the report, the FBI and CISA “encourage[d] all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.”
The accompanying report explained that the two agencies “have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021.”
Law firms have reason to be concerned because they remain major targets for cyberattacks because of the confidential and sensitive information they have. For example, in Sector 17 – The State of Cybersecurity in the Legal Sector, a 2020 report by cybersecurity consulting firm BlueVoyant, the investigators concluded that their “survey of internet traffic showed evidence of possible compromise originating from law firms around the world.” The report also noted that “an in-depth analysis of 20 representative law firms showed that 3 out of 20 showed strong evidence of compromise—a total of 15%—while a further 9 firms had evidence of suspicious traffic.”
This conclusion is consistent with the FBI/CISA report, which highlighted recent attacks, including 1. a May 2021 attack leading into Mother’s Day weekend against the U.S. energy sector, resulting in a weeklong suspension of operations; 2. a May 2021 Memorial Day weekend ransomware attack against “a critical infrastructure entity in the Food and Agricultural Sector . . . resulting in a complete production stoppage;” and 3. a July 2021 ransomware attack against “a U.S.-based critical infrastructure entity in the IT Sector.”
The BlueVoyant report noted “millions of threats targeting the legal sector [that] were not only high-volume and constant, amounting to hundreds of thousands of attempted attacks against law firms daily; they were also highly targeted, as evidenced by numerous engagements with threat actors on the deep and dark web. Threat actors steal and abuse credentials; probe for network vulnerabilities; use anonymizing tools and proxies; and make use of persistent, advanced tactics in order to ‘crack’ law firms around the world.”
News stories confirm that even the largest firms were not prepared to fend off cyberattacks. Thus, on July 16, 2021, the law firm Campbell Conroy & O’Neil issued a news release advising that on February 27, 2021, the firm “became aware of unusual activity on its network. Campbell conducted an investigation and determined that the network was impacted by ransomware, which prevented access to certain files on the system.”
Although the firm could not confirm whether specific information relating to individuals was accessed, it stated “that the information present in the system included certain individuals’ names, dates of birth, driver’s license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/ or online account credentials (i.e. usernames and passwords).”
Campbell is not a small firm. To the contrary, its list of current and past clients is a who’s who of major corporations, including Ford, Toyota, Honda, Chrysler, Hyundai, General Motors, Subaru, British Airways, Dow Chemical, Fisher-Price, Marriott, ACE USA, Johnson & Johnson and many more.
The sophistication of these cyberattacks highlights the importance of the FBI/CISA report, which includes data from the FBI’s Internet Crime Complaint Center (IC3), which “received 791,790 complaints for all types of internet crime—a record number—from the American public in 2020, with reported losses exceeding $4.1 billion.” The report noted that “[t]he number of ransomware incidents also continues to rise, with 2,474 incidents reported in 2020, representing a 20 percent increase in the number of incidents, and a 225 percent increase in ransom demands.” Consequently, the report recommends that businesses “examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.” Where does this leave law firms?
It takes them back to TECHSHOW 2008 and the warning to plan, not just for hurricanes, but for cyberthreats. Fortunately, the FBI/CISA report offers practical guidance that law firms can implement immediately, not just for holidays and weekends, but all the time.
Preliminarily, firms should have in place appropriate systems for monitoring all types of threats and intrusions, including ransomware and other malware. In addition, firms should employ network best practices and have IT staff or a qualified professional available “on-call” in the event of an attack.
The challenge that firms frequently lament is where to go for information they can trust. The answer, it turns out, is the FBI, CISA and, in particular, the National Security Agency (NSA), whose website is filled with practical guidance in non-technical language about preparing for and dealing with the dangers. Yes, the agencies that have been poster children for government surveillance into our private lives are also the ones that provide the best guidance for how to prevent attacks by cyberterrorists.
The NSA, often in conjunction with CISA, publishes guides on a wide range of topics, including 1. Top Ten Cybersecurity Mitigation Strategies, 2. Steps to Secure Web Browsing, 3. Limiting Location Data Exposure, 4. Keeping Safe on Social Media, 5. Best Practices for Keeping Your Home Network Secure, 6. Mobile Device Best Practices, and 7. Selecting and Safely Using Collaboration Services for Telework, a fact sheet that also provides a listing of numerous videoconferencing websites, such as Zoom and Webex, and outlines the security features of each provider’s platform. These guides, which are regularly updated, encourage best practices, and provide a road map for how to secure your office’s and your staff’s technology.
While being underwater following a hurricane may seem an unlikely occurrence for most law firms, being the victim of a cyberattack is not. That’s why advanced planning is so essential, and why it’s worth attending some ABA TECHSHOW programs whose relevance may not seem as obvious as they should.
Plan for the worst, hope for the best. It is a lesson that was reinforced at TECHSHOW in 2008 and continues to be true today.