Chicago-based Seyfarth Shaw, one of the country’s largest law firms, suddenly found itself under attack in October 2020. Hackers had breached the firm’s IT system, then held it for ransom. The firm called the breach “a sophisticated and aggressive malware attack” that encrypted many of the firm’s computer networks.
Given that Seyfarth Shaw was No. 63 on American Lawyer’s 2021 Am Law 200 ranking of the country’s largest firms, the cybercriminals locked up a huge amount of sensitive information.
Then there was the May 2020 hacking of high-profile New York firm Grubman Shire Meiselas & Sacks. The data the cybercrooks stole included client Lady Gaga’s contracts and 169 emails relating to Donald Trump.
Most law firms don’t have such hot stuff in their electronic data vaults. Still, legal practices have data that cybercriminals value. And a law firm is just as good a target as any business for the innumerable ransomware gangs running rampant worldwide.
The proportion of law firms reporting a cybersecurity breach rose from 26 percent in 2019 to 29 percent in 2020, according to a report by the American Bar Association Legal Technology Resource Center. Remote work in the wake of the pandemic hasn’t made data protection any easier. Curiously, many firms still haven’t taken some basic steps to protect their digital systems. Of the lawyers surveyed in the ABA report, only 43 percent said they encrypt their files, and less than 40 percent said they use security strategies such as two-factor authentication to access their networks.
Twin Cities-area law firms are well aware of the risks. They’ve established robust protocols to protect client data. Law firms are increasingly advising their business clients on cybersecurity issues and are speaking from experience based on how they’ve strengthened their own cyber defenses. The best practices can provide guidance not only to other law firms, but also to other species of professional services firms.
Communications with clients are “privileged and confidential,” says Christopher Yetka, a shareholder at Bloomington-based Larkin Hoffman Daly & Lindgren. “Almost all of the data we hold is not for public consumption, with the exception of our website and promotional materials.” Larkin Hoffman, which has 75 attorneys, has a strong intellectual property practice. “We have copyright materials and patent information, as well as all sorts of information from clients that requires a higher level of protection,” Yetka says.
He notes that hackers, while still attacking companies, have extended their efforts to vendors. With businesses putting protections in place, their vendors, including their legal representatives, need to do likewise.
So, like many businesses, Larkin Hoffman’s digital devices function something like virtual shells. Any laptop or computer that a lawyer or staff member uses, whether in the office or remotely, “doesn’t have actual information on it,” Yetka says. Each digital device serves as a portal to a virtual machine safely ensconced in the firm’s server.
“That way, if a cellphone or a computer is lost, there isn’t confidential information on that machine,” Yetka says. Were Larkin Hoffman’s server to be shut down by a ransomware gang, the firm would still have access to its document management system and Outlook. It also requires attorneys and staffers to access the network using two-factor authentication and to change their passwords on a regular basis, Yetka says.
Last fall, to further boost its cybersecurity efforts as well as its other technology capabilities, Larkin Hoffman hired Cory Behrendt as its first chief information officer (CIO). Though the firm has had IT managers, Behrendt “can look at this not only from an expert’s point of view on how to manage information, but also from a fiduciary standpoint on mitigating risk,” Yetka says.
Tami Diehm, CEO and president of Minneapolis-based Winthrop & Weinstine, notes that “law firms, like all businesses, have recognized that cybersecurity is something that is increasingly important to their operation. You can’t help but focus on it when you see news stories about attacks that are happening across all industries. It has caused law firms to pause and look internally to make sure that they are doing everything they need to do to help keep data safe.”
Like Larkin Hoffman and many other firms, Winthrop & Weinstine operates largely on the cloud, with access protected by two-factor authentication. The firm also taps the expertise of outside consultants, since cybersecurity is an area that is changing rapidly and continually, Diehm says. She adds that while the firm has “a fantastic internal team of IT specialists,” those outside eyes can monitor its network 24/7 “and alert us to anything that seems out of the ordinary or suspicious.”
These external guardians provide different layers of alerts, Diehm says. “Global-level alerts” identify any potentially suspicious activity on the firm’s network that hints at a possible hack. “Those have become more frequent than they were a number of years ago,” she says. There are also “high-level alerts,” where it appears there’s serious potential for a problem. High-level alerts are pretty rare, Diehm says.
To provide yet another layer of protection, Winthrop & Weinstine established a cybersecurity committee that works with the firm’s general counsel and its IT department to provide ongoing security education to all employees. These efforts include video presentations and phishing exercises. One of the easiest and most common ways for cyberattackers to get access to a system is by sending employees emails that look real—perhaps even sent by the head of the firm. These emails include a link that, once the employee clicks it, opens the door for hackers to steal data or implant malware or both.
Winthrop & Weinstine’s training is intended to keep cybersecurity “top of mind for everyone—reminding them that they need to question the things they’re receiving and are looking at,” Diehm says, “and to make sure that the procedures they’re following are in line with best practices.”
Read more from this issue
Following best practices is something more clients are demanding from their legal counsel. Minneapolis-based Fredrikson & Byron regularly receives requests from clients seeking details about cybersecurity programs and practices in the firm, which employs 340 attorneys.
These assessments “tend to be very thorough and robust,” says Sten-Erik Hoidal, chair of Fredrikson’s data protection and cybersecurity practice group. Clients, he adds, sometimes ask hundreds of questions and request documentation about the firm’s information security program. The number of these assessments that Fredrikson has been asked to participate in has increased significantly in recent years.
“Like we tell our clients, cyberthreats are an enterprise-wide risk, not just an IT risk,” Hoidal says. “At Fredrikson, we address that risk from all levels of the organization, from our board to our newest employee. To that end, we’ve developed a comprehensive information security program.”
His firm benchmarks that program against national security standards and has it evaluated regularly by a third-party vendor. “Ultimately, it’s overseen by our privacy and security committee, which analyzes our organizational risk and provides input on strategies and objectives for meeting that risk,” says Hoidal, who chairs the committee.
In addition to a CIO, a security officer, and a privacy officer, Fredrikson has dedicated a three-person team to cybersecurity. That’s on top of its other IT staff, though the two teams work together. It also contracts with vendors that provide 24/7 help desk services as well as security incident and event management (SIEM) monitoring, which identifies potential threats before they can penetrate the firm’s cyber defenses.
Fredrikson has had information security safeguards and controls in place for quite a while, Hoidal says. “But as an overarching program, it’s something you’re always looking at, always evaluating, and always looking to improve.”
Beefing up security
Minneapolis-based Halunen Law, a 15-attorney firm that specializes in employment and whistleblower cases, doesn’t have an internal IT team, much less the kinds of security staffing that big firms have.
But that doesn’t mean Halunen takes a casual attitude toward cybersecurity. It contracts with an outside vendor that monitors the firm’s software and servers, connections, and firewalls. Internally, access to the system requires two-factor authentication and complex passwords. The firm also has local and cloud backups in case of a worst-case scenario, says Halunen attorney Nathaniel Smith.
It seems to be working: Smith says his firm has suffered no breaches. And to keep its attorneys and staff cyber-conscious, “we’ve been starting to do more proactive testing, particularly with remote work,” he adds. Halunen’s IT vendor regularly sends out what appear to be legitimate emails to see how employees might be particularly susceptible to phishing. The consultant then follows up with training and digital resources to help boost the vigilance of both attorneys and staffers.
Of course, small firms have data that needs protection just as much as that held on the systems of Am Law 200 firms. That’s certainly true for Minneapolis-based Anthony Ostlund Louwagie Dressen & Boylan, a 22-lawyer “litigation boutique” that specializes in shareholder disputes.
“Not everything results in a lawsuit, but typically [a conflict] is in connection with a potential dispute ruling,” says Anthony Ostlund shareholder Arthur Boylan. “So we take confidentiality and security of our clients’ information pretty seriously—even more so when we’re dealing with closely held businesses, because often that sort of information is not public.”
Boylan says that during his legal career, cybersecurity strategies have evolved from “pretty rudimentary protections” to increasingly sophisticated approaches.
“We’ve remained in step with the latest in the industry in terms of multiple login [factors], updating passwords, making sure we’re accessing information only from certain locations—all those sorts of practices,” he adds. Anthony Ostlund was able to continue those security practices after the pandemic’s arrival and the need to work remotely.
It’s not always easy to persuade busy legal professionals to use best practices to stay safe online. “It does take a little bit of patience as security systems get updated, and it also requires diligence from all the professionals on our team to make sure we’re complying with the protocols and security systems we have in place,” Boylan says. “In that regard, it hasn’t changed very much. You have to be patient with the system, and you have to be mindful about clicking on things you shouldn’t. So far, we’ve been good.”