Computer systems at law firms, governments, companies, courts, and high-profile organizations have been targets of increasing numbers of cyber attacks as perpetrators become more sophisticated in their ability to steal information. As recently as July, the North Atlantic Treaty Organization and the United States’ Central Intelligence Agency were targeted. The CIA’s web site was shut down for several days as a result, while the hackers who attacked NATO claimed they had infiltrated the organizations’ computers and obtained classified documents; the United Nations, law firms in Canada and the United States, and Ontario’s courts have been hacked over the last several months.
Such attacks can result in the theft or destruction of information, along with the release of spyware that will give the perpetrator access to monitor any and all information on the target’s computers. And unfortunately, there are no signs the vulnerability to hacking attacks will subside any time soon as the villains who want to access data are highly creative and dedicate tremendous time towards achieving their goal.
Chris Bennett, a partner at Davis LLP in Vancouver whose practice is focused on information technology and intellectual property law, had a client whose web site was hacked in July. The site’s content was replaced with bogus materials that made the corporate client look bad. The client brought in a number of technology security professionals to see if they could find the source of the attack and whether the company had any particular weaknesses in its computer security or firewall. “It’s usually very hard to discover the identity of the hackers,” says Bennett.
The web site serving all of Ontario courts was hacked on the afternoon of April 25. A ministry spokesman said the offending page was removed later that evening and the site was down only for a short period. An investigation into what happened followed shortly and showed that the hackers hadn’t got far. “I can advise you that as a result of the hacking incident on the Ontario courts’ web site, the hosting service and courts’ technical staff conducted an investigation. Only the ‘splash page’ showing the crests of all three courts was altered,” Susan Kyle, executive legal officer for the Ontario Court of Justice, told Canadian Lawyer. “Access was likely gained through an unrelated web site hosted by the same service provider. The courts took immediate steps to improve security and monitoring controls for the web site.” There was no mention of who was responsible for the hack, so the investigation might not have revealed it.
A company or law firm can be particularly vulnerable to computer hacking when there is a merger or acquisition or other business-related deal that has not been finalized. “I think with any pending transaction that hasn’t closed and is being negotiated, there is an increased risk of having information that is confidential and of value to other parties or competitors obtained” through a hacking attack, says Bennett. There are additional vulnerabilities for law firms and their clients regarding international transactions, he notes. “That’s just the international nature of transactions that involve other countries and it could certainly increase the risk for law firms of being hacked.”
Organizations must ensure they have very strict protocols for employees about opening attachments, a frequent method for hackers to unleash spyware into a computer system, he says. Most importantly, any law firm or company can retain a so-called “ethical hacker” to test its computer system to see if it can be breached. “These can be very good as you just set them loose on your computers to test just how far someone can go to access your information.”
While the target of the spring hack on a Toronto law firm remains a mystery to all but the firm and the Internet security team that worked on the problem, in many of the instances in which law firms have been cyber-attacked, firms have been facilitating an international merger and acquisition for a client. The perpetrators will hack the law firm’s computer system in order to get information that could benefit a competitor or to purchase shares on a stock exchange to make a significant amount of money.
John Dozier, founder of Dozier Internet Law PC in Glen Allen, Va., says his firm’s web site was hacked into recently, targeted by hackers from Europe based on a freedom of speech issue based on the firm’s track record of representing clients in hacking issues, defamation, and infringement of trademarks and copyright. “We fell under attack regarding the First Amendment free speech rights and the hackers, from Europe, gained access to our web site and put up some child pornography,” he says. The motivation was based on a court challenge wherein the U.S. Supreme Court asserted that the federal Communications Decency Act is an unconstitutional restriction for web sites, which has been a controversial issue for many years in the U.S.
Dozier surmises that the hackers who hit his law firm’s site were vindictive that the U.S. has affirmed the right of free speech. “I’m sure they were trying to make a point because they don’t have the full extent of our freedoms.”
He acknowledges that law firms, in particular, must take extraordinary measures to stave off hackers as it could have significant legal ramifications for both the firm and its clients. “There are some incredibly sophisticated hackers out there so the law firm must determine what information they want to post on their web site and how it could relate to any international cases that they have handled,” he says. He also says that all lawyers and their staff must ensure they don’t open attachments from unknown senders as they can contain spyware that could let third parties obtain confidential client information. In some instances, hackers have “spoofed” the e-mail address of a lawyer within the firm to send an attachment that contains spyware or malware, which poses a significant problem as it could go undetected for months. “Because the hackers are so sophisticated, it can pose a big problem for law firms because it is hard to know what attachment to open if it is from a lawyer,” he says. “There are so many ways for professional hackers to hide their identity and they are basically untouchable.”
He adds that U.S President Barack Obama has proposed that the penalties under the Computer Fraud and Abuse Act be increased significantly in response to the recent increase in cyber attacks on both government organizations and the private sector.
If, in fact, a law firm discovers it has been hacked, it should first and foremost notify its clients. But most law firms tend to try to handle hacking incidents on their own through their in-house technical staff who may not be up to speed on cutting-edge techniques hackers are using, says Marc Zwillinger, founding partner of ZwillGen PLLC in Washington D.C., a firm that specializes in Internet-related laws and litigation. “Law firms store a lot of confidential information so law firms can be more of a target especially when they enter markets in other countries,” he says. “At the same time, lawyers are always looking for more business and may receive an e-mail from a prospective client with a link that purports to be to the company’s web site, but it contains spyware and compromises the law firm’s information.”
He says many law firms in the U.S. realize they need to outsource their technical security to a company that deals specifically with cyber-attack protection. “It could take months or years to resolve a hacking incident, especially if people sue,” he says. “Any company or law firm could be sued if they did an inadequate job of implementing programs and security to protect information, which can be assessed by a private computer technology company.”
He says his firm often gets hired by companies that have been hacked to help with their response and notification to clients. “Once you figure out what’s been compromised, you could have contracts, people’s personal information, and other information that you have to notify customers about.” He has had a number of corporate clients that were compromised and the result had widespread ramifications and affected a large number of customers. It led to an inquiry by state and federal governments to ascertain the magnitude of the information was obtained by the hackers. “These can be very time-consuming and protracted as well,” he says.
He says the number of hacking incidents in the last 18 months has grown and they are getting the kind of publicity that has resulted in law firms taking much more proactive measures and advising their clients to do so as well. “Law firms are taking computer security more seriously and I’m pleased with that because the hacking incidents that have happened recently have been a huge wake-up call for them,” he says.
Most hackers that target law firms want information that will give them an advantage in their competitive market. So any law firm dealing with a client trying to register intellectual property or conduct an acquisition or merger should ensure they take all precautions to protect their client from potential breaches, says Mark Hayes, founding partner of Hayes eLaw LLP based in Toronto. “Hackers are often looking for information that would be of commercial value to them and they usually target the law firm’s server to be able to search for what they want,” he says.
To target the server through spyware or malware, hackers often have to troubleshoot passwords in order to access the documents they want, which is why passwords should be changed often. “Password vulnerability is the primary means for hackers to get into a server, so it’s very important that they are changed,” he says.
Another way law firms and their clients often leave themselves susceptible to hacking is when an employee is terminated. In that circumstance, it is imperative that the firm advise its client that any and all passwords be radically changed as many employees who want to join a competitor will hack their former employers’ systems.
Hayes also says any law firm or corporate client that outsources its technology services must thoroughly investigate the provider’s background and credibility. “Many law firms and companies outsource some or all of their computer technology, so the vulnerability could be within the service provider. But when you ask a company or law firm what they have done to vet their technology service provider, often their answer is not a heck of a lot,” he says. “But any company or law firm has to make sure that the company they have hired for their technology services is credible and can provide secure services under any and all circumstances, and is up to date on all the violations that hackers can use to compromise valuable information.”
There are many law organizations that have information to help ensure the security of a law firm’s computer system, such as the Lawyers’ Professional Indemnity Company (LawPRO) and other provincial counterparts that can assist law firms with means to minimize any allegations of wrongdoing that would result in a lawsuit.
Steve Rogers, a computer security expert with a company called Digital Evidence International Inc. in London, Ont., assists law firms with computer security and electronic discovery. The firm also does forensic analysis for law firms in the event they are hacked. He agrees that law firms are especially vulnerable to computer hacking due to the work that they do. “Even though law firms are very diligent at trying to make sure the security of their network is sufficient to protect the privacy of their clients, there are some very smart people out there who have the skill and ability to breach firewalls and hack into their systems and steal information that could be problematic,” he says.
Ultimately, law firms must be exceedingly diligent as a hacking incident could have far-reaching and long-term ramifications for both the firms and their clients. “There are so many things that can go wrong for law firms if their system is breached,” he says. “They need to have the best security and firewalls possible so this doesn’t happen to them.”
With files from Robert Todd.