Law Firms Under Cyber-Siege: Hackers target law firms to access confidential information

Posted by: Mike Naughton 4 years, 3 months ago


Michael C. Naughton, North Coast Technology Consulting, LLC

Copyright March 2018

Law firms are increasingly the targets of hackers, and the news is replete with examples of firms’ confidential material exposed by hackers. In a recent hack in Panama City, over 11.5 million documents were exposed from Mossack Fonseca, a law firm in Panama.1 To put that in perspective, the 2013 N.S.A. leak by Edward Snowden involved at least 1.5 million documents. The “Panama Papers” breach is one of the largest leaks in history and its impact was felt around the globe, uncovering the offshore accounts of 140 politicians and public officials.2

In 2016, hackers were arrested and indicted for hacking into several prominent U.S.-based international law firms with offices in New York. According to the Department of Justice, the hackers allegedly targeted at least seven law firms and other entities in an effort to unlawfully obtain valuable confidential and proprietary information.3  

There is no 100% fool-proof mechanism to protect organizations from intrusions. However, lawyers must be more cognizant of the security measures in place within their practices in order to better protect their clients and their own information.

The CIA-triad (confidentiality, integrity and availability) serves as a conceptual framework for computer and information security, commonly referred to as InfoSec.4 The genesis of the triad can be traced to 1975.5 At that time, security specialists recognized three categories of threats to information: unauthorized information release (confidentiality), unauthorized information modification (integrity), and unauthorized denial of use (availability).6 The term CIA-triad first appeared in 1989 in the Johnson Space Center-NASA Information Security Plan.7 In the ensuing years, adoption of the CIA-triad theoretical model grew among information security practitioners.

Organizations are confronted by threats to their information security daily. These threats come from within and outside of the organization. Outside risks include those from malicious parties looking to steal data, intellectual property and user credentials. Malicious parties may also compromise software or data quality and introduce deleterious code into systems, causing them to fail.8 Additionally, careless behavior by employees, customers and partners may introduce vulnerabilities into systems. According to research conducted in prominent information security journals, “InfoSec incidents can damage an organization’s reputation and financial health.”9

There is hope for organizations seeking to protect information and data. InfoSec practitioners seek to prevent, prepare for, detect and respond to InfoSec incidents. Ensuring 100% prevention of information security events is impossible.10 However, those organizations that contemplate and construct InfoSec strategies and internal policies are better equipped to prevent InfoSec events and to respond when they occur.

Legal practices, as organizations that maintain sensitive data, must be mindful of security threats. The ABA Model Rules of Professional Conduct set forth the duties and responsibilities expected of lawyers. These include providing competent representation, which requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation. The Model Rules also highlight the duty of a lawyer not to reveal information relating to the representation of a client without client consent, and the duty to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. Lastly, the Model Rules state that a lawyer shall hold clients’ property, in connection with a representation, separate from the lawyer’s own property.

ABA Formal Opinion 477R, published in 2017, confronted the transmission of information relating to the representation of a client over the internet.11 In the Opinion, the committee recognized the sophistication of InfoSec threats and noted that some forms of electronic communication may be vulnerable. Pointing to Model Rule 1.6(c), the committee cited the “reasonable efforts” determination factors set out in the comment to that Rule.

Consistent with this analysis, the committee found that “particularly strong protective measures, like encryption, are warranted in some circumstances.”13 Considering InfoSec and the protection of client information, the Opinion offered seven considerations for lawyers:
  1. Understand the nature of the threat.

  2. Understand how client confidential information is transmitted and where it is stored.

  3. Understand and use reasonable electronic security measures.

  4. Determine how electronic communications about clients matters should be protected.

  5. Label client confidential information.

  6. Train lawyers and nonlawyer assistants in technology and information security.

  7. Conduct due diligence on vendors providing communication technology.14

Accordingly, legal practices ranging from solo-practitioners to multi-national firms are mandated to maintain the confidentiality, integrity and availability of information related to the representation of clients. Lawyers must take appropriate steps to identify and defend against InfoSec events. The CIA-triad and the ABA Model Rules of Professional Conduct provide models that can assist legal practitioners to consider the implications of InfoSec events and tactics to use within their businesses to mitigate problems.


To maintain client confidentiality, a lawyer should understand and apply security measures to protect client information and communications. There are myriad tools, including Virtual Private Networks (VPN) for use on untrusted networks, a password manager that generates and stores a unique, complex password for every account, multi-factor authentication on email and document-storage accounts, firewalls and antivirus software on devices holding client information, and keeping operating systems and applications patched. One caveat on passwords: current guidance (NIST Special Publication 800-63B, 2017) recommends long, unique passwords that are changed when compromise is suspected, rather than on a fixed schedule, because forced periodic rotation tends to produce weaker, predictable passwords.

Attorneys should learn about and apply encryption on devices. When an item (such as a device, folder or file) is encrypted, it is transformed into unreadable ciphertext that can only be turned back into readable form by someone who holds the key, typically unlocked with a passphrase, PIN or hardware token. Lawyers should encrypt devices that contain confidential information, such as smartphones, tablets, laptops and desktop computers; modern operating systems include full-disk encryption (for example BitLocker on Windows and FileVault on macOS) that only needs to be turned on. Encryption should also be used for the transmission of materials via email. Note that the transport encryption between mail servers protects a message only while it is in transit; protecting it end to end, including on the recipient’s server, requires message-level encryption such as S/MIME or PGP, or a secure client portal.

Lawyers should take stock of the data in their possession and mark confidential client communications as “privileged and confidential.” Such disclaimers can be affixed to emails, letterheads and other communication methods to alert third parties that the information in the communication is intended to be confidential. A label is a notice, not a technical control: it supports a claim of privilege but does nothing by itself to prevent disclosure, so it complements rather than replaces encryption and access controls.


The integrity of data refers to protecting information from unauthorized modification, whether by cyber criminals or by accidental interference, while it is stored or in transit, and to detecting any tampering that does occur, for example by means of checksums, cryptographic hashes or message authentication codes, so that data cannot be altered without the system catching it.15

In order to maintain the integrity of client data, lawyers should fully understand how client confidential information is transmitted and where data is stored. Lawyers should determine whether files are stored on a local computer, a shared network or a cloud platform and evaluate the security measures in place, including authentication (ideally multi-factor), unique and complex passwords, and encryption both of stored files and of data in transit.
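The following is an added example, not code from the article or its author, illustrating what “encrypted” and “integrity” mean in practice for a stored client file. It uses only the Go standard library: AES-256-GCM (an authenticated cipher) encrypts the file so the ciphertext reveals nothing about the contents, and the same operation produces an authentication tag so that any altered byte of the file, or of the clear-text “privileged and confidential” label bound to it, is detected when the file is opened. The memo text, the label and the matter number are constructed sample data; key storage (OS keychain, hardware token, or a passphrase run through a proper key-derivation function) is assumed to be handled elsewhere.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Sealed is the stored form of one encrypted client file.
// Label (e.g. "privileged and confidential / matter 2018-042", a constructed
// example) stays readable so files can be classified without decrypting them,
// but it is covered by the authentication tag and cannot be altered unnoticed.
type Sealed struct {
	Label string
	Nonce []byte // 12 random bytes, unique per file
	Data  []byte // ciphertext followed by the 16-byte GCM tag
}

// NewKey returns a fresh 256-bit AES key. Protecting the key itself
// (keychain, hardware token, passphrase + KDF) is assumed to happen elsewhere.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key and binds label to it as associated data.
func Seal(key []byte, label string, plaintext []byte) (*Sealed, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	data := gcm.Seal(nil, nonce, plaintext, []byte(label))
	return &Sealed{Label: label, Nonce: nonce, Data: data}, nil
}

// Open checks the tag over nonce, ciphertext and label, then returns the
// plaintext. Any modification of the file or its label, or use of the wrong
// key, fails the check and no plaintext is released.
func Open(key []byte, s *Sealed) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Data, []byte(s.Label))
	if err != nil {
		return nil, errors.New("integrity check failed: file or label altered, or wrong key")
	}
	return pt, nil
}

// Leaks reports whether the plaintext appears verbatim inside the ciphertext;
// for a correct cipher this is false (confidentiality).
func Leaks(s *Sealed, plaintext []byte) bool {
	return bytes.Contains(s.Data, plaintext)
}

func main() {
	key, _ := NewKey()
	// Constructed sample memo; not a real client communication.
	memo := []byte("Constructed sample: settlement authority is $250,000.")
	s, _ := Seal(key, "privileged and confidential / matter 2018-042", memo)
	fmt.Printf("ciphertext leaks plaintext: %v\n", Leaks(s, memo))

	s.Data[len(s.Data)/2] ^= 0x01 // simulate one flipped byte in storage or transit
	_, err := Open(key, s)
	fmt.Println("after tampering:", err)
}
```

The point for a practitioner is the combination: file encryption without authentication (for example a bare AES-CBC without a MAC) hides the contents but lets an attacker or a corrupted disk alter them silently, whereas an authenticated mode such as GCM refuses to produce any output once a single byte has changed, which is exactly the “system catching the threat” behavior the integrity definition above describes.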

Lawyers should be careful about how they communicate with clients. To maintain the integrity of communications and information transmitted between the parties, lawyers should warn the client about the inherent risks of sending and receiving communications on devices or accounts that may be accessible to a third party, such as an employer-owned computer or a shared family email account.


Lawyers will want to ensure that client confidential materials are available, but only to those people or entities authorized to have access. Availability is the ability to ensure timely and reliable access to and use of information.16 In practice this also means keeping regularly tested backups, so that a failed disk, a lost laptop or a compromised account does not leave a client file unrecoverable.

Lawyers will want to ensure their storage mechanisms have robust security in place while still permitting access for the lawyer, and for any third party, with authorization. Access to such data should be limited to those who need it for the matter and monitored, for example through the access logs that most cloud platforms provide, to ensure data is not inappropriately accessed.

Many organizations and law firms employ cloud-based solutions for storage of client materials. Lawyers will want to conduct due diligence on the use of third-party vendors providing cloud solutions. When considering vendors, it is important to consider reference checks and review vendor credentials and security policies, consider the vendor’s hiring practices, implement confidentiality agreements, consider the vendor’s conflicts check system to filter for adversity, and what legal forum or legal relief is available for violations of the agreement.17


Now, more than ever, lawyers and the confidential materials held by them are at risk and attorneys must be vigilant. Hackers are increasingly attacking law firms seeking to obtain confidential and proprietary information. However, despite best efforts, no defensive mechanism is completely fool-proof to prevent the leak of confidential materials but measures can be taken to decrease the risk. Regardless of the size of the legal practice, lawyers must be knowledgeable about strategies available to better safeguard confidential client materials. The CIA-triad framework, together with the Model Rules of Professional Conduct, provide conceptual frameworks for lawyers to prevent, prepare, detect and respond to attacks on confidential materials. Failure to do so not only puts clients in peril, but also may be a violation of a lawyer’s ethical duties.

About the author: Michael C. Naughton is a co-owner of North Coast Legal, PLC and North Coast Technology Consulting, LLC. North Coast Legal, PLC and North Coast Technology Consulting, LLC are based in Traverse City, Michigan and represent clients across the country.

1 M. Schmidt and S. Myers, “Panama Law Firm’s Leaked Files Detail Offshore Accounts Tied to World Leaders”, New York Times, April 3, 2016.

2 Id.

3 See December 27, 2016 Department of Justice Press Release at

4 M. Whitman and H. Mattord, “Principles of Information Security”, 4th ed., Cengage Learning, 2012.

5 Y. Cherdantseva and J. Hilton, “A Reference Model of Information Assurance & Security”, SecOnt workshop (2-6 September, 2013, Regensburg, Germany).

6 J. Saltzer and M. Schroeder, “The Protection of Information in Computer Systems”, Proceedings of the IEEE 63(9), pp. 1278-1308, 1975.

7 D. Parker, “Our Excessively Simplistic Information Security Model and How to Fix It”, ISSA Journal, pp.12-21, July, 2010.

8 M. McLaughlin and J. Gogan, “InfoSec Research in Prominent IS Journals: Findings and Implications for the CIO and Board of Directors”, Proceedings of the 50th Hawaii International Conference on System Sciences, 2017.

9 Id.

10 Id.

11 See

12 Id. at page 5.

13 Id.

14 Id., pages 6 – 10.

15 M.U. Farooq, M. Waseem, A. Khairi, and S. Mazhar, “A Critical Analysis of the Security Concerns of Internet of Things (IoT)”, International Journal of Computer Applications, Volume 111 – No. 7, February 2015.

16 See NISTIR 7298, Glossary of Key Information Security Terms, at page 17.

17 See pages 9-10.
