If the Law Matters, If Justice Matters, Then Cyber-Security Matters.

Law firms are almost perfect targets for hackers. Lawyers gather, store, and handle extremely confidential client information: medical records, tax returns, bank statements. Such confidential data is an integral part of almost every aspect of every lawyer’s day-to-day existence.

Continued and timely access to any required documents, emails, and notes is also clearly critical. Not to mention there is a very obvious need to ensure that such data hasn’t been altered in any way. Chain of evidence in the modern world isn’t just about physical documents; digital documents have to be able to stand up to scrutiny and verification too.

Imagine needing to appear in court ‘tomorrow morning,’ only to find access to everything, from written client instructions to the actual evidence which needs to be presented in court, blocked by Ransomware. Everything encrypted and inaccessible. Every server, desktop computer, laptop, data file, backup file, and even cloud backup file owned by a law firm, rendered utterly useless.

This isn’t just a hypothetical problem. Many law firms around the world have been forced to face exactly such a nightmare in real life. Just as an arsonist can burn down your office, a hacker can delete your entire digital existence.

Hackers leverage panic. Hackers leverage value. Hackers leverage the fact that the last thing any law firm wants, or can afford, is to suffer the massive reputational loss, of being successfully breached by a hacker. And once a hacker has had control of a law firm’s computer systems, it becomes almost impossible to trust any of the data stored on those systems, even if control has supposedly been restored to the law firm concerned.

There is almost no way to know if something is missing. Law firms deal with millions (and millions) of pages of information; it would be a Herculean task to check and verify all of these pages, even if the time and budget existed to do so. More than almost any profession, the legal profession is founded on information, so much of which, is both critical and confidential.

The concept of ‘attorney-client privilege,’ or to use the phrase more specific to Hong Kong law, ‘legal advice privilege,’ becomes largely moot if the lawyer offering the advice hasn’t secured their computers, networks, and mobile devices. Yet in Hong Kong, so few lawyers seem to take cyber-security seriously.

This is despite it being required by the Law Society, despite it being required on an extremely practical level, and despite it being not only protection against hackers, but also, one would imagine, protection against being sued by extremely angry clients.

Hackers have changed. Some thirty years ago, their goal was to (perhaps) delete your data, and (somehow) make themselves ‘famous.’ They typically did this by acting like childish vandals, breaking into your office, destroying your property, and spray-painting your walls with graffiti.

But over time, hackers realized they could use their technical skills to make a lot of money. Ransomware alone is now estimated to be a USD 10 billion-a-year industry.

Over time, even Ransomware itself has evolved.

Traditionally, Ransomware encrypted your data, displayed a countdown clock on your computer screens, and threatened to delete all of your files if you hadn’t paid the hackers by the time the countdown clock hit zero.

However, companies soon realized that having a good data backup was effective protection from such an attack. Formatting all infected devices, and restoring them from a recent, high-quality data backup, would render the Ransomware attack ineffective.

This has led to modern Ransomware variants, which infect networks, take their time to spread to every device connected to these infected networks, target any backup systems possible, including backup systems in the Cloud, and then go on to steal as much confidential data as possible.

This confidential data is sent back to the hackers, usually overseas, in a country over which the Hong Kong Police has no jurisdiction. Only then does the Ransomware encrypt the victim’s confidential data and make access to it impossible.

This kind of double-edged attack gives the hacker two different bargaining chips. The first is the stranglehold on the victim’s operational continuity, and access to its critical confidential data. The second, and probably even more critical for a law firm, is the threat of publishing the stolen confidential data on the Internet, giving the whole world access to their privileged documents.

The legal profession, more than almost any other profession on earth, is founded on such confidential information. Imagine if opposing counsel were to suddenly have access to privileged client documents; imagine, in the case of a criminal trial, the potential jury pool having access to privileged information they were not supposed to even know exists.

Cyber-attacks can come in the form of direct disruptions to a law firm’s on-premises physical file servers; but they can equally be attacks on servers located at a third-party data centre, or indeed, virtual servers located in the cloud. In the end, there are computer servers located somewhere, running some form of operating system, storing some form of digital data file. Hackers can go after these, wherever they happen to be.

It is also really important to note that Ransomware is only one form of cyber-attack, just as being shot with a gun is only one form of physical attack. If someone is trying to kill you, there are so many ways they can do so. They could burn you. They could stab you. They could drown you. They could poison you. They could push you down the stairs. The list is almost endless.

In the digital world, hackers have an even wider spectrum of tools they can use to attack you and to steal your confidential data. For lawyers in particular, the number of potential cyber-threats targeting them is legion.

Some recent high-profile, successful cyber-attacks have actually stemmed from third-party data breaches, which had no direct relationship with the victim firm.

The Colonial Pipeline in the United States, which was shut down by hackers using Ransomware, found that hackers had gained access using a password that other hackers had stolen from a member of its staff and posted onto the Dark Web. This was a member of the Colonial Pipeline’s staff who had registered an account on a website belonging to a completely different organization, but who had used exactly the same password as they used at work.

Monitoring the Dark Web would almost certainly have prevented that shutdown.

In the end, a ransom of US$ 4.4 million was paid to a Russia-linked cybercrime organization called Darkside, before the critical network systems could be released, and the oil pipeline reopened. (Interestingly, the FBI managed to recover US$ 2.3 million in Bitcoin from the hackers. Ironically, this was apparently also due to some poor password management, this time on the part of the hackers themselves.)

Yet how many law firms in Hong Kong are monitoring the Dark Web for credential leaks?

Hackers don’t discriminate. Every law firm needs to protect itself. Small law firms are not exempt from cyberattacks; hackers are not going to ignore your law practice just because it isn’t famous, or because it doesn’t employ hundreds of lawyers.

In actuality, many cyberattacks, such as Ransomware attacks, are random in nature. A small law firm is just as likely to become a victim as a large law firm. The biggest difference may be that a large law firm will probably be better able than a small law firm to absorb the overall disaster, including the hit to its reputation.

In the USA, where reporting data breaches is required in certain cases, various law firms have admitted to getting hacked, and to hackers having published everything from plaintiffs’ ‘pain diaries’ in personal injury cases, to client-attorney fee agreements, to details of all manner of confidential contracts and agreements.

Such data breach disclosure requirements could be imposed in Hong Kong too, at some point soon.

Yet, despite the very clear, extremely obvious, absolutely critical need for effective cyber-security to be in place at every Hong Kong law firm, it simply isn’t. Not even close.

When it comes to cyber-security that includes real-time push updates to keep ahead of cyber-threats; cyber-security that is certified and audited to internationally recognised standards; cyber-security that is backed up by actual experts who monitor and manage the required systems around the clock; most of Hong Kong’s law firms and chambers are simply not protecting themselves.

Perhaps the ludicrousness of all this can be summed up in this short, real, sad, conversation I had with a leading Hong Kong Barrister.

The Barrister had asked me to visit his Chambers, to explain the need for cyber-security to him, which I did. At the end of the meeting, he walked with me to the lifts, and said, “I didn’t realise how incredibly precarious our data security is.”

“So, you will actually have proper cyber-security installed, to protect yourself?” I said.

“No need. We trust in the law. If a hacker dares to attack us, we shall simply sue them for damages,” he said.

At first, I thought he was joking. Then, depressingly, I realised he wasn’t.

It doesn’t make sense. Even from a purely financial perspective, for a small law firm to be professionally protected by a fully managed, certified cyber-security service provider would cost no more than a few thousand Hong Kong Dollars a month. That’s about the price of an hour’s billings for one lawyer, in exchange for the protection of an entire law practice.

Every firm’s Managing Partner should work out how much the utter disaster of being compromised would cost; then work out how much being properly protected would cost. The two figures cannot even be remotely compared. Not just in terms of money either; a hard-won reputation gained over many decades can be lost in a single moment. Get protected. Now. Frankly, not being protected should be illegal. Maybe one day it will be.
