Wake-Up Call: Law Firms in the Cybersecurity Crosshairs
Last week marked the first time a U.S. law firm was publicly named in a class action data security lawsuit. Originally filed in April 2016, the class action complaint in Shore v. Johnson & Bell, Ltd., 16-cv-4363 (N.D. Ill.), was unsealed last week after months of back-and-forth over whether the alleged security flaws had been patched. The complaint accuses Johnson & Bell, a mid-sized Chicago firm, of “systematically exposing confidential client information and storing client data without adequate security.” The lawsuit makes no claim that any client information has been stolen or misused. Even so, the filing of this complaint amplifies the risks already facing law firms – including reputational – at a time when data security is a top concern for law firms and their clients.
The plaintiffs – two former Johnson & Bell clients seeking to represent a yet-to-be-certified class of the firm’s clients – allege three specific vulnerabilities in the firm’s data security practices. First, the complaint alleges that Johnson & Bell’s ten-year-old online time-tracking software, JBoss, was “out-of-date” and “known to be insecure.” Second, the firm’s virtual private network (VPN) was allegedly configured improperly so as to allow “man-in-the-middle” attacks – that is, attacks where the intruder appears to the VPN server to be an authenticated VPN user. And third, the firm’s email server was allegedly vulnerable to specific known attacks called “DROWN” and “FREAK” attacks (acronyms that stand for “decrypting RSA with obsolete and weakened encryption” and “factoring RSA export keys,” respectively).
A DROWN attack can rapidly decrypt sensitive communications. DROWN attacks, first publicly reported in March 2016, specifically target servers that, while running up-to-date transport layer security (TLS) protocols for encryption, nevertheless also support an older encryption protocol called SSLv2. In some cases, the 1990s-era precursor to TLS renders the communications stored on such servers relatively easy to decrypt. Ars Technica reported in March 2016 that more than 5.9 million Web servers, comprising 17% of all HTTPS-protected machines, supported SSLv2, as did at least 936,000 TLS-protected email servers.
According to a recent report, more than 60% of over 1,200 law firms reviewed are exposed to DROWN attacks. This is one of the major conclusions reached by the cybersecurity firm BitSight, in a report on data security in the legal industry issued on December 8, 2016. There is speculation that the attacker who obtained the “Panama Papers” from Panamanian firm Mossack Fonseca may have used a DROWN exploit.
The Johnson & Bell complaint alleges that the firm’s vulnerabilities put confidential client information at risk, and that the firm was “on notice” of the data security risks. The plaintiffs premise their damages claim, in part, on the firm’s alleged breach of its retainer agreements, which allegedly contained an implicit promise to use reasonable care in safeguarding clients’ confidential information.
On the day the complaint was unsealed, Johnson & Bell posted a statement on its web site calling the suit “specious” and stating that the firm’s “data systems are secure” and that the firm’s “clients’ information is protected.” Court papers show that the security vulnerabilities alleged in the complaint have been fixed.
Despite the concerns raised by this lawsuit, the BitSight report observes that law firms are actually near the top end in cybersecurity preparedness, among the six industries BitSight reviewed. Only the financial industry received higher ratings, with retail nearly as well-prepared as the legal industry, and healthcare, energy/utilities, and government lagging considerably behind. Despite the legal industry’s high overall security ratings, the BitSight report noted, law firms remain a “key target for cyber criminals,” in light of the high concentration of confidential data on their servers, including IP, corporate strategic plans, and financial data. BitSight rates the cyber-preparedness of firms it reviews as “Basic,” “Intermediate,” or “Advanced.” Over the last twelve months, the report found, about 40% of reviewed law firms were rated “Advanced,” about 50% “Intermediate,” and less than 10% “Basic.” By contrast, while the finance industry had roughly the same proportion of firms in the “Basic” category, more than half of finance firms BitSight reviewed were in the “Advanced” category. In government, on the other hand, more than 20% of the entities BitSight reviewed had only “Basic” cyber-preparedness. The report looked at more than 20,000 organizations across the six industries reviewed.
While the relatively high cybersecurity marks the legal industry received from BitSight are encouraging, there is certainly no cause for complacency. On December 7, 2016, Fortune reported that it had seen evidence that individuals with ties to the Chinese government were behind high-profile hacks of several prestigious law firms, including Cravath Swaine & Moore and Weil Gotshal & Manges. These hacks were originally reported by the Wall Street Journal in March 2016. According to Fortune, one firm was attacked over a 94-day period starting in March 2015, and around seven gigabytes of data were stolen – the equivalent of tens or hundreds of thousands of emails. Fortune says it “obtained reliable information that indicates the breach took place as part of a larger initiative by the Chinese government.” Fortune also reported that, in addition to the law firms named in March 2016 by the Wall Street Journal, the China-affiliated hackers attempted to target other prominent firms. An investigation into the attacks by the US Attorney’s Office for the Southern District of New York is ongoing.
Jay Edelson – principal of Edelson PC, which brought the suit against Johnson & Bell – also stated in March 2016 that he had identified fifteen additional law firms with security vulnerabilities, and planned to sue them all. He recently implied that other suits have been filed, but are not yet public.
We will continue to monitor data security developments affecting the legal industry, including the Johnson & Bell putative class action.