Ransomware and its Implications on the Legal Field

June 1, 2015

A recent trend in law firm server hacking is something called ransomware. Ransomware “is a type of malware that prevents or limits users from accessing their system.” Once a machine is infected, the malware locks the user out of their data, or hides the data, until the user pays a ransom to get access back. Some of the more recent ransomware has the capability to “encrypt files over network shares even if they are not mapped to a drive letter.” This happened in February to a California law firm. After notifying the FBI, the firm notified clients that it had been hacked, but that it was refusing to pay the hackers to get access to its data back.

This week a sleeper ransomware called “Locker” came alive on computers across the nation. It is just the most recent ransomware to wreak havoc on computers. One screenshot from a user whose computer was hacked showed a ransom letter stating: “Warning any attempt to remove damage or even investigate the Locker software will lead to immediate destruction of your private key on our server!” The letter then stated that in order to uninstall the ransomware from the computer, the user must transfer 0.1 Bitcoin (around $23) into an account by a certain date. The ransom in this case is fairly small compared to the usual amount asked for, which is around $500.

My aunt, a partner at a large law firm in the Southeast, recently told me that people try to hack her firm’s servers every single day. If you think about the number of firms out there and the amount of data that each of those firms’ servers holds, the payday for those who create ransomware will probably only grow. In the midst of all this potential growth, law firms will need to consider whether or not they would pay the kidnappers of their data. If they choose not to do so, what will be the implications for their firm? These implications include the ethical obligation to keep client information confidential. They also include the impact on the business side of the firm, and having to reconstruct countless man-hours of work just to get the firm back to where it was before the hack.

Law firms will also need to think about ways to improve their data security, and about how they will notify clients, other firms, and the government in the event of a breach.

In a recent report released by Citigroup, law firms as a whole were called out for not doing enough to protect data and for being unwilling to acknowledge breaches. The report said that law firms were “‘high risk for cyberintrusions’ and would ‘continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications.’”

In addition to deciding what to do when hackers attack, law firms are also dealing with the liability issues that stem from these attacks. A recent article in Corporate Counsel tries to answer this question. The article discusses data breach liability by exploring the trend of IT service providers resisting unlimited liability for data and privacy breaches. Instead of accepting unlimited liability, IT companies are arguing that “they offer unlimited liability for breaches of confidentiality, asserting the customer’s risk of a data breach would be covered as a breach of confidentiality, and arguing that unlimited liability for breaches of data protection obligations is simply double dipping.” As a result of this stance, law firms, as well as consumers, will need to start protecting themselves not only against would-be data kidnappers but also against their IT service providers. The article suggests that customers should be “Defining ‘confidential information’ to ensure it encompasses all personal data the customer may disclose to the IT service provider,” placing obligations on the IT service provider that will satisfy the federal and state rules the customer must follow, and seeking to increase the liability cap for data breaches.

For more discussion of this topic, consider attending the NC JOLT 2016 Symposium on Data Privacy. Look for more Symposium details coming this fall.