August 06, 2018

Courting disaster: Being unprepared for cyberattacks can prove costly

Cyberattacks of our election process have dominated the headlines the past two years. But cyberattacks that affect our nation’s court system also can cause devastating harm to our democracy.

During the American Bar Association’s 2018 Annual Meeting in Chicago, the program,“Cyberattacks and the Courts — What Attorneys Should Know to Protect Sensitive Client Information,” looked at just how widespread the problems already are.

The computer networks of state and federal court systems are under daily attack by cybercriminals. Michael Neuren, I.T. programs manager for the administrative office of the courts of Georgia, led off the panel with the story of how the city of Atlanta was taken hostage.

Hackers infiltrated the city’s computer network and held it for ransom, asking for $51,000 in bitcoin. The city contacted the FBI, Homeland Security and their vendors and did everything they were supposed to do. Authorities recommended that they not pay. For several weeks, Atlantans could not pay water bills online, get driver’s licenses reinstated or get access to the court system.

It took until June, at a cost of more than $12 million, to get everything up and working again.

So, should Atlanta have paid the $51,000 instead? Shoba Pillay, assistant U.S. attorney for the Northern District of Illinois, said it is usually better to pay, especially if you do not have a working backup. She said Hollywood Presbyterian Medical Center in California was hit by a ransomware attack in 2016; they paid $17,000 to get back online rather than risk the lives of their patients.

Pillay pointed out the hard truth that most of these hackers are either in foreign countries, outside the reach of U.S. law enforcement, or children, who cannot be prosecuted to the full extent as adults. She said court breaches are more common than most people think and that most occur through spear phishing. Phishing messages usually appear to come from a large and well-known company or website, such as PayPal. In the case of spear phishing, however, the apparent source of the email is likely to be an individual within the recipient’s own company – generally, someone in a position of authority – or from someone the target knows personally.

Daniel A. Cotter of Latimer LeVay Fyock LLC in Chicago warned against using thumb drives, which too many people pick up as giveaways at events. These can be infected with a virus that is loaded into your computer and system when you plug it in. “Using thumb drives is like using gas station restrooms,” Cotter quipped. “You don’t know who used it before you and what they may have left behind.”

Most breaches are the result of human error. In fact, 81 percent of hacks result from weak or stolen passwords. The panel recommended training people on password security, and suggested limiting use of administrative passwords that might make the job easier, but also allows hackers access to your entire system if the acquire it.

Groups that use ransomware are generally business people looking for a payday and set their ransoms at a relatively reasonable rate, which makes groups more willing to pay. Other hackers infiltrate systems purely for the challenge and thrill, “to achieve the unachievable,” as Pillay described it. Other groups, known as hacktivists, may breach a system to prove a point or cause disruption.

Courts, while not particularly wealthy, do have valuable information such as personal data on citizens (driver’s license numbers, Social Security numbers, etc.). Court filings also can contain trade secrets or information on criminal proceedings that are worth stealing.

Since courts and attorneys store this information, there is an ethical responsibility to protect it, said Kenneth T. Lumb of Corboy & Demetrio in Chicago. Each state has its own rules and statutes, a “fragmented framework,” Lumb called it, but all 50 states have some sort of notification rule that includes a “reasonable timeframe.”

As more states have adopted e-file and, in wake of last year’s massive Equifax breach, a greater awareness has been given to notification responsibilities. California has the strictest, with a 72-hour notification requirement.

The Model Rules of Professional Conduct require a lawyer to keep abreast of “the benefits and risks associated with relevant technology.” Lawyers need to understand how things work and take measures to protect client information. The panel recounted several instances where lawyers filed documents that were incorrectly redacted, making it simple for the press and others to view what they believed was redacted.

Malpractice insurance may not cover lawyers if data is stolen, and cyber insurance should be carefully reviewed to make sure it covers all types of information theft. But the entire panel agreed that paying money up front for security, backups and insurance saves a whole lot of money down the road.

Of course, budget constraints are always a concern, but as Marcia M. Meis, the director of the Administrative Office of the Illinois Courts pointed out, “cyber security has to be a priority. You just have to use your resources in the best way possible.”

Yearly check-ups of your systems and security measures were recommended, but balance was also stressed, both in how you use your resources, but also between locking a system up too tight so that people cannot work effectively. Cyberattacks are a reality and will remain with us. For lawyers, being prepared and cautious is critical.

The session ended with each of the panelists offering up a quick bit of advice on how to avoid cyberattacks::

  • Securing passwords and adequately training employees.
  • Do not to click on unknown links or attachments.
  • Training, awareness and communication. If you see something, say something to your IT staff.
  • Follow through on security updates and patches.
  • Do not assume your people know even the basics. Some people need to be reminded that they are not related to a Nigerian prince who will send them money.
  • Always have a Plan B and a continuity plan if the worst occurs. Don’t get caught by surprise.