Law Practice Magazine

The Finance Issue

What is CrowdStrike and Why Should Lawyers Care About It?

Daniel J Siegel

Summary

  • CrowdStrike's update error caused global disruptions, affecting various sectors including law firms.
  • The incident highlights the importance of robust cybersecurity measures for law firms.
  • Law firms should implement regular audits, incident response plans, and employee training to mitigate risks.

Confess. Like many, you were likely unaware of CrowdStrike's existence until a software update mishap catapulted the obscure cybersecurity firm into the limelight. Naturally, when such an error causes a global disruption of computers and businesses, it garners widespread attention.

Law firms, like many other businesses, were not immune from the impact. According to Law.com, “The impacts on law firms have been varied, with one Am Law 200 CEO on the West Coast indicating that the firm’s servers were back online, albeit with some isolated outages remaining, and another Am Law 100 executive describing issues with delays in emails and document management systems.”

Even if law firms were able to conduct business, many of the industries they work with or rely on were impacted or even shut down temporarily, including:

  • Airlines. Major airlines, including Delta, United and American, experienced significant disruptions. More than 2,000 flights were canceled, and countless more were delayed because of the outage.
  • Banks. Financial institutions were among those hard-hit by the update error, leading to delays and security concerns.
  • Hospitals and emergency services. Hospitals and medical services faced significant operational challenges. The outage led to cancellations of elective surgeries and delayed medical appointments.
  • Businesses. Numerous businesses that rely on Microsoft services, ranging from retail to manufacturing, experienced outages that caused operational disruptions.
  • Government agencies. Government agencies that use Microsoft services for their operations were impacted, disrupting e-filing, public services and administrative functions.
  • General IT infrastructure. The error affected approximately 8.5 million devices running Microsoft Windows, according to the software giant.

We have all done software updates, ranging from the frequent Microsoft Windows updates to the apps we install on our smartphones. It seems that, whenever we do updates, there is always some trepidation. Will it work, or will it turn your computer into a brick? Essentially, the CrowdStrike error caused the “blue screen of death” (BSOD) on computers and servers, and it happened to major businesses all over the world, literally at once.

What Is CrowdStrike, and What Happened?

Founded in 2011, CrowdStrike operates in over 170 countries, has about 29,000 customers and reported more than $900 million in revenue for the quarter that ended in April, according to Reuters. CrowdStrike not only provides security software to industries, but it also investigates hacks and tracks hackers. In short, the company is huge; it focuses on cybersecurity, and its software is installed on major computers everywhere.

CrowdStrike’s primary software product is called Falcon. It is a comprehensive cybersecurity platform designed to provide advanced threat detection, prevention and response capabilities.

Falcon features threat detection, threat prevention and antivirus protection, all designed to prevent known and unknown threats in real time. It also protects against malware, ransomware and other advanced threats. Its threat intelligence protection is designed to identify threats and provide customers with tools to protect against emerging threats. In short, if you are not using CrowdStrike, you can be sure that the companies you deal with are.

Why Did the CrowdStrike Outage Happen?

A statement from CrowdStrike said the outage was caused by a defect in a content update to its Falcon cybersecurity defense software for Windows hosts. Computers with Mac and Linux operating systems were not impacted, and CrowdStrike said a cyberattack did not cause the incident.

In short, what really happened was relatively simple. CrowdStrike deployed an update to its customers. The customers installed the updates. The updates apparently had one line in the code that was wrong. The result was simultaneous BSOD all over the world and a crashing halt to a slew of businesses everywhere.

What Are Some of the Implications of the CrowdStrike Incident for Lawyers?

The CrowdStrike update error serves as a stark reminder of the vulnerabilities in our digital world. For law firms and lawyers, understanding these impacts is crucial for advising clients on risk management and mitigating similar disruptions in the future and for understanding our interconnected world. With law firms increasingly relying on sophisticated cybersecurity solutions to protect sensitive client information and maintain operational integrity, the impact of the incident is profound.

There are many implications of the CrowdStrike update error for law firms and lawyers. CrowdStrike has many law firm clients, and it is safe to say that, with its reach, lawyers all deal with firms that have its software. On its website, it touts its services for “Law Firms and Insurance,” which enables the company to “[r]espond to a breach with speed and precision and reduce the cost of cyber claims with CrowdStrike Incident Response and Advisory Services.”

Government cybersecurity agencies around the world are alerting businesses and individuals about new phishing schemes that involve malicious actors posing as CrowdStrike employees or other tech specialists offering to assist those recovering from the outage.

Law firms must protect client information and maintain the integrity of their operations. The CrowdStrike update error raises concerns about professional negligence and ethical obligations. If a law firm’s operations are significantly impaired, resulting in missed deadlines or compromised client data, the firm could face claims of professional negligence from clients.

Thus, at its core, the CrowdStrike outage is a stark reminder that lawyers are in a relatively small and interconnected world, and there are risks when we all rely on the same companies. Of course, the fact that the companies have such a large share of the market makes it inevitable.

What Should Law Firms Do as a Result of the CrowdStrike Incident?

Lawyers must consider a variety of issues, whether they are from a solo firm, a small firm or a larger firm:

  • Duty of care. All law firms must ensure that they have implemented reasonable measures to protect client data and maintain operational continuity. For example, if your internet went down, would all operations cease? Do you have alternative ways of connecting to the internet, or will all your employees have nothing to do? Is your client data accessible at all times, or is it only available if you have internet access? Firms with internet-based solutions should ponder whether those solutions are adequate or whether they should have appropriate backups.
  • Client communication. Does the firm have alternate ways of contacting clients? If you lose internet and have a VoIP system, is communication compromised? Finally, firms have a duty to promptly inform clients about the incident, potential impacts and steps being taken to mitigate risks.
  • Ethical obligations. Despite the absence of any reference to technology in the ABA Model Rules of Professional Conduct, it is beyond peradventure that lawyers have an affirmative duty to maintain ethical competence in any technologies that impact their practices. Thus, not only do attorneys have to be competent in research, practice management and other software, but they also have an obligation to ensure the same level of competency in the software that affects their firms. Many lawyers will grudgingly admit, however, that they had not really contemplated such software as CrowdStrike. Now that they have been warned, they need to know.

The incident highlights the necessity for having and continuously maintaining robust cybersecurity practices within law firms. To do so, lawyers must work closely with IT professionals to ensure that their cybersecurity measures are up-to-date and effective. Best practices include:

  • Regular audits. Every firm must conduct regular cybersecurity audits to identify and address vulnerabilities. These audits help firms understand their current cybersecurity posture, detect potential weaknesses and implement measures to strengthen their defenses against cyber threats.
  • Incident response plans. Firms must develop and test comprehensive incident response plans to ensure a swift and effective reaction to cybersecurity incidents. An incident response plan is a set of written instructions that outline an organization’s response to data breaches, data leaks, cyberattacks and security incidents. It contains specific directions for various cyberattack scenarios and aims to avoid further damages, reduce recovery time and mitigate cybersecurity risk.
  • Employee training. Every firm must mandate ongoing training to staff on cybersecurity best practices. Training should emphasize the importance of vigilance in protecting sensitive information. Training should cover various aspects of cybersecurity, including how to recognize phishing attempts, the proper handling of sensitive data, the use of secure passwords and the importance of regular software updates. It should also inform employees about the firm’s specific cybersecurity policies and procedures, as well as the potential consequences of a security breach.

The common thread among these cybersecurity must-haves is that smaller firms will need outside consultants to carry them out; at larger firms, staff can do the testing and training if qualified. Otherwise, this is one area where outside assistance is a must.

The relationship between a law firm and its clients is built on trust. Cybersecurity incidents, like the CrowdStrike update error, can erode this trust if not handled properly. Maintaining client confidence requires transparency, effective communication and proactive measures to address the incident.

What Additional Client Protections Should Lawyers Have?

Lawyers should:

  • Communicate transparently. Lawyers should clearly and promptly inform clients about incidents, potential impacts and steps being taken to mitigate risks. It also means addressing cybersecurity incidents, not ignoring them or minimizing them. Finally, it means making reasonable efforts to ensure that communications with clients are secure and not subject to inadvertent or unauthorized breaches.
  • Offer reassurance. They must provide credible assurances that the firm is taking all necessary measures to protect client information and prevent future incidents.
  • Demonstrate competence. Lawyers should showcase the firm’s commitment to cybersecurity protections by detailing the steps being taken to enhance security measures and prevent similar incidents in the future.

The Incident is Another Reminder Why Law Firms Need Cyber Insurance

In addition, cyber insurance is an essential component of every law firm’s risk management strategy. In the context of the CrowdStrike update error, evaluating the scope of cyber insurance coverage is critical. The essentials of a cyber insurance policy typically include:

  • First-party coverage. This covers the costs associated with investigating and responding to a cyber event and the financial impact on an organization’s business operations. It may include forensic investigations, breach legal counsel and notifications to affected individuals.
  • Third-party liability insurance. This provides financial indemnity because of claims for damages due to a cyber event.
  • Regulatory defense and penalties coverage. This covers the costs of fines by state or federal agencies for breaching consumer privacy.
  • Notification costs. This covers the costs of notifying affected individuals after a data breach.
  • Cyber extortion coverage. This protects against demands for money to prevent a threatened attack or to end an ongoing one.

The legal industry must recognize the evolving nature of cybersecurity threats and the increasing sophistication of cyberattacks. Hackers are continuously developing new methods to exploit vulnerabilities, and they are employing advanced technology to enhance their attacks.

To address these challenges, law firms should 1. invest in advanced cybersecurity technologies, 2. foster a culture of cybersecurity awareness, 3. collaborate with cybersecurity experts, 4. regularly update and test security protocols and 5. develop comprehensive incident response strategies.

By taking these steps, law firms can better protect themselves and their clients from the ever-changing landscape of cybersecurity threats. It’s not just about having defensive measures in place; it’s about being proactive and staying one step ahead of potential attackers.

The CrowdStrike update error is a stark reminder that even trusted cybersecurity providers can experience disruptions, necessitating a proactive and dynamic approach to cybersecurity. As a result of the incident, the Cybersecurity & Infrastructure Security Agency reports that “cyber threat actors continue to leverage the outage to conduct malicious activity, including phishing attempts.”

In addition, the CrowdStrike blog reports that “threat actors have been distributing a malicious ZIP archive file,” and there are reports of others taking advantage of the perceived opportunity. While this activity appears to be targeting Latin America–based CrowdStrike customers, no one can feel comfortable with the knowledge that these actors are out there.

The CrowdStrike update error has far-reaching implications for law firms and lawyers, and highlights the critical importance of robust cybersecurity protection, effective risk management strategies and proactive client communication. By understanding the legal liabilities, data protection challenges and best practices for mitigating future risks, law firms can enhance their cybersecurity protections and maintain client trust. 