Cyber Threats and the Legal Industry

POSTED JULY 30, 2019 // BY JOHN CARDANI-TROLLINGER

Between November 2017 and September 2018, state-sponsored Chinese hackers attacked the systems of an unnamed law firm known for its expertise in intellectual property. Representing clients in the pharmaceutical, technology, electronics, biomedical, and automotive sectors, the law firm was one of three victims of a strategic, targeted campaign. The group known as APT10 used stolen user credentials to access third-party software used by the target organizations, then leveraged that access to encroach further on their internal systems.

While this may sound like the plot of a blockbuster movie, it is unfortunately an all-too-real scenario. Law firms are increasingly a target for hackers, not only because they often lack cyber security, but also because they are a means to an end. That is, as in the case of the unnamed law firm, the companies the firm represented were the real target, and the law firm was simply a way to reach their data. According to the American Bar Association’s 2018 Cybersecurity TechReport, one out of every four law firms is a victim of a data breach. As in the example above, the motivation behind the attacks is often client data.

The ABA 2018 Legal Technology Survey Report explored the security threats, incidents, and safeguards that attorneys and law firms use to protect themselves. It uncovered an alarming number of law firms that are not using security measures that security professionals regard as “basic” and that are used far more routinely in other businesses and professions.

ABA Formal Opinion 483

“Data breaches and cyber threats involving or targeting lawyers and law firms are a major professional responsibility and liability facing the legal profession. As custodians of highly sensitive information, law firms are an inviting target for hackers. In one highly publicized incident, hackers infiltrated the computer networks at some of the country’s most well-known law firms, likely looking for confidential information to exploit through insider trading schemes. Indeed, the data security threat is so high that law enforcement officials regularly divide business entities into two categories: those that have been hacked, and those that will be.”

ABA Formal Opinion 483

Recognizing the Cybersecurity Risk to Law Firms & Legal Services

Information security starts with understanding what needs to be protected, and from what or whom. According to Law Technology Today, the risks to law firms can generally be broken down into four key areas:

  • Phishing/Hacked Email Accounts
  • Ransomware
  • Leaking of Sensitive Data
  • The Risk of Legal Malpractice Allegations due to Poor CyberSecurity

Phishing/Hacking the Email Accounts of Law Firms

Phishing is an attack in which one or more targets are contacted, most commonly by email, by someone posing as a legitimate person or institution in order to lure them into providing passwords or other credentials, to launch fraudulent transactions, or to trick them into downloading malware. According to the 2018 Verizon Data Breach Investigations Report (DBIR), phishing represents 90% of social engineering incidents and 93% of breaches, with email continuing to be the most common vector at 96%. Because most law firms use online tools such as Dropbox or DocuSign, which users log into with their email accounts, they are a likely target for email phishing scams. For example, in one recent incident targeting clients of a law firm in Colorado, victims received a phony .pdf file that appeared to come from the law firm. When a client clicked on the document, they were redirected to a phishing website.

Ransomware in Law Firms

Ransomware and its variants are a common threat closely associated with phishing attacks, and together they have become a serious global threat. The two largest and most discussed ransomware attacks in history, WannaCry and NotPetya, were launched in 2017. Together, within just 24 hours, they infected more than 200,000 machines in more than 100 countries. In most instances, phishing has been the preferred and most successful method of attack for threat actors, with spam emails acting as the initial point of infection on the network before more destructive attacks (such as ransomware) are launched. In these cases, highly targeted attacks use social engineering, relying on themes that are relevant, interesting, or appropriate to the targeted individual. When users click the links in the phishing email they are directed to a malicious site, or they open an attachment carrying malware, and in either case they inadvertently allow access into their network. At this point the threat actor can either launch destructive malware or propagate through the network, using the information gleaned from the initial compromise to gain access to critical client data, confidential corporate data, and sometimes military secrets.

Sensitive Data Leakage for Law Firms

If law firms do not have strong information security policies, they could be at a higher-than-average risk of attacks that make confidential information public. In a March 2018 attack, Duncan Lewis, a firm serving England and Wales, was hacked. The firm faced loss of reputation and legal action when a folder of its client and employee data was broadcast on Twitter.

The Risk for Legal Malpractice Due to Poor Cybersecurity

As the alarming data from the 2019 ABA Legal Technology Survey uncovered, a quarter of all law firms in the US experienced a data breach in 2018, and the percentage is climbing compared with previous years. Law firms must protect their networks and servers from malicious attacks and security threats; failing to do so risks the loss of files, data, and reputation.

Solution: Bandura Cyber Threat Intelligence Gateway

First and foremost, user education and awareness are key to preventing phishing attacks. However, even after training, errors can be made. Law firms must also implement security processes and tools that prevent phishing from reaching users in the first place and mitigate the effects of phishing if threat actors succeed in penetrating the network.

The Bandura Cyber Threat Intelligence Gateway (TIG) can block phishing attacks, and the ransomware attacks that follow them, by identifying and blocking the known malicious IP addresses and domains from which they originate, and by blocking outbound connections from malware that was inadvertently opened inside the network.

Bandura Cyber enables law firms of all sizes to use and act on threat intelligence in an easy, automated, and scalable way, improving network protection and the efficiency of security operations. Based on patented technology, the Bandura Cyber Threat Intelligence Gateway (TIG) solution is purpose-built to filter network traffic against a massive volume of threat intelligence (IP and domain indicators). Bandura Cyber TIG aggregates, automates, and operationalizes large amounts of threat intelligence, blocking known threats and unwanted traffic more efficiently than traditional network security controls.

The Bandura Cyber TIG helps Law Firms:

  • Strengthen Edge Defenses: Powerful day-one edge protection with significant “out of the box” threat intelligence from multiple sources. Easily integrate and take action on threat intelligence from any source, providing flexibility and choice. Massively scalable, with the ability to filter traffic against over 100 million unique IP and domain indicators at near-line speeds.
  • Reduce Staff Workload: Helps to reduce alert overload. Eliminates manual threat feed management and reduces the burden of managing highly-dynamic access control lists (ACLs), blacklists, and firewall rules.
  • Maximize the Value of Current Security Investments: Increases the value of existing threat intelligence investments (feeds, SIEMs, TIPs, SOAR) through automated threat detection and blocking, and enhanced threat intelligence-driven context. Improves the ROI and efficiency of existing network security controls like Next Generation Firewalls (NGFWs) and Intrusion Prevention Systems (IPS) by reducing the volume of traffic requiring deep packet inspection and firewall rule processing.
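As an added illustration of the filtering described above (this is not Bandura's code; every feed entry, address and log line is a constructed sample using documentation ranges and reserved test domains), the following Python aggregates IP, CIDR and domain indicators from several feeds, deduplicates them while remembering which feeds supplied each one, and applies them to a small connection log in both directions:

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample feeds (documentation ranges, not real indicators).
# Each entry is a bare IP, a CIDR block, or a domain name.
FEEDS: Dict[str, List[str]] = {
    "feed-a": ["198.51.100.23", "203.0.113.0/24", "phish-example.test"],
    "feed-b": ["198.51.100.23", "docs-login.phish-example.test", "c2.evil.test"],
}


class IndicatorSet:
    """Aggregated, deduplicated IP/CIDR/domain indicators with per-indicator feed sources."""

    def __init__(self) -> None:
        self.networks: List = []            # ip_network objects; a bare IP becomes a /32 or /128
        self.domains: Set[str] = set()
        self.sources: Dict[str, Set[str]] = {}  # indicator -> feeds that listed it

    def add(self, raw: str, source: str) -> None:
        raw = raw.strip().lower().rstrip(".")
        try:
            net = ipaddress.ip_network(raw, strict=False)
            key = str(net)
            if key not in self.sources:     # dedupe across feeds
                self.networks.append(net)
        except ValueError:                  # not an IP or CIDR, so treat as a domain
            key = raw
            self.domains.add(key)
        self.sources.setdefault(key, set()).add(source)

    def match_ip(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        hits = [n for n in self.networks if n.version == addr.version and addr in n]
        # Longest prefix wins, so a /32 listing is reported over the /24 that contains it.
        return str(max(hits, key=lambda n: n.prefixlen)) if hits else None

    def match_domain(self, host: str) -> Optional[str]:
        labels = host.strip().lower().rstrip(".").split(".")
        # Walk from the full name up through its parents (stopping before the bare TLD)
        # so a listed parent domain also covers new subdomains created under it.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


@dataclass(frozen=True)
class Decision:
    action: str                       # "block" or "allow"
    matched: Optional[str] = None     # indicator that fired, if any
    sources: frozenset = frozenset()  # feeds that supplied that indicator


def load_feeds(feeds: Dict[str, List[str]]) -> IndicatorSet:
    ind = IndicatorSet()
    for name, entries in feeds.items():
        for entry in entries:
            ind.add(entry, name)
    return ind


def evaluate(ind: IndicatorSet, direction: str, src_ip: str, dst_ip: str, host: str = "") -> Decision:
    """Gateway policy: inbound traffic is judged by its source address; outbound traffic by
    its destination address and, when known, the hostname, so a workstation reaching a listed
    command-and-control name is stopped even when that name resolves to a new address."""
    if direction == "in":
        hit = ind.match_ip(src_ip)
    else:
        hit = ind.match_ip(dst_ip) or (ind.match_domain(host) if host else None)
    return Decision("allow") if hit is None else Decision("block", hit, frozenset(ind.sources[hit]))


# Constructed connection log: direction, source IP, destination IP, hostname ("-" if none).
SAMPLE_LOG = """\
in  198.51.100.23 10.0.0.10 -
in  192.0.2.44 10.0.0.10 -
out 10.0.0.5 203.0.113.77 -
out 10.0.0.7 192.0.2.9 login.docs-login.phish-example.test
out 10.0.0.8 192.0.2.10 docs.example.org
"""


def filter_log(ind: IndicatorSet, log: str) -> List[Decision]:
    decisions = []
    for line in log.splitlines():
        direction, src, dst, host = line.split()
        decisions.append(evaluate(ind, direction, src, dst, "" if host == "-" else host))
    return decisions


if __name__ == "__main__":
    indicators = load_feeds(FEEDS)
    for line, d in zip(SAMPLE_LOG.splitlines(), filter_log(indicators, SAMPLE_LOG)):
        print(f"{d.action:5} {line:55} {d.matched or ''} {sorted(d.sources)}")
```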

Law firms worldwide use Bandura Cyber TIG to increase the intelligence and efficiency of their edge security. Reach out today for a demo or a risk-free 30-day trial.

End User License Agreement

This is an End User License Agreement (the “Agreement”) between Bandura Cyber, Inc. (“Bandura”), You (or “User” or “your”) and the insurance company affiliate of American International Group, Inc. that issued the insurance policy providing the IP Blocking Solution to you (with its affiliates, “AIG”) (each, a “Party” and collectively, the “Parties”).
Subject to the terms and conditions of this Agreement, Bandura is providing the User, as a qualified policyholder of a cyber insurance policy issued by AIG, one Bandura threat intelligence network security appliance (the “Network Appliance”), including Bandura’s IP Blocking software (together with any third party proprietary software, and any patches, updates, improvements, additions and other modifications or revised versions that may be provided by Bandura or its licensors from time to time, the “Licensed Software”) and open source code software programs (each, an “Open Source Program” and together with the Licensed Software, the “Software”) provided to User as necessary to deliver the blacklist IP blocking service (“IP Blocking Service”). This Agreement is valid and becomes effective upon User’s electronic acceptance of its terms. BY CLICKING THE “I ACCEPT” BUTTON YOU ACKNOWLEDGE THAT YOU HAVE READ THIS AGREEMENT, UNDERSTAND IT, AND AGREE TO BE BOUND BY ITS TERMS AND CONDITIONS.

1. Grant of License.

User acknowledges and agrees that: (i) AIG has contracted with Bandura to make the Licensed Software, IP Blocking Service and associated services available to you at no cost to you; (ii) the Licensed Software, IP Blocking Service and all associated services are being licensed and provided by Bandura, and not by AIG; (iii) neither Bandura nor AIG shall be liable for any damages to User caused by the Licensed Software, IP Blocking Service or any associated services; (iv) Bandura will have access to certain of your information and has developed a policy, which can be viewed at https://banduracyber.com/privacy-policy/ to address your privacy concerns; and (v) AIG will have access to certain of your information and has developed a policy, which can be viewed at www.aig.com, to address your privacy concerns.

Subject to this Agreement, Bandura grants User a non-exclusive, non-assignable, non-transferable, revocable, limited right and license to use the Licensed Software and IP Blocking Service, together with Bandura’s release notes or other similar instructions in hard copy or machine readable form supplied by Bandura to User that describes the functionality of the Network Appliance and/or the Software purchased or licensed hereunder (the “Documentation”). User shall not (i) license, sublicense, lease, sublease, sell, resell, transfer, assign, reverse engineer, decompile, disassemble, sublicense or distribute or otherwise make available to any third party the Licensed Software, IP Blocking Service, or the Documentation, (ii) modify or make derivative works based upon the Licensed Software, IP Blocking Service, or the Documentation; (iii) commercially exploit the Licensed Software, IP Blocking Service or Documentation in any way, or (iv) create Internet “links” to the Licensed Software or “frame” or “mirror” the Licensed Software on any other server, wireless or Internet-based device; (v) impersonate another user of the Licensed Software or IP Blocking Service; (vi) use the Licensed Software or IP Blocking Service to violate the rights of or cause injury to any person or entity; (vii) remove, alter or obscure any proprietary or copyright notice, labels, or marks on the hardware components of the Network Appliance or within the Software; or (viii) disable or circumvent any access control or related security measure, process or procedure established with respect to the Network Appliance or any Software or any other part thereof.

You are solely responsible for maintaining the confidentiality of the access information provided to you for access to the Licensed Software (“Credentials”), and you agree to keep this information confidential. You are solely responsible for all activity that occurs through use of the Credentials. You will not: (1) use another user’s Credentials to obtain copies of or access to the Licensed Software; (2) use your Credentials to download unauthorized copies of or grant others access to the Licensed Software; (3) use the Licensed Software in a way that violates any third party’s rights or any applicable law; (4) upload any files or software that may damage or provide unauthorized access to the data, software or hardware of another; or (5) interfere or allow interference with the proper functioning of the Licensed Software.

If the User is entitled to and elects to receive the IP Blocking Service, Bandura will provide one (1) Network Appliance at no additional charge. Title to and ownership of such Network Appliance provided to the User in connection with the IP Blocking Service will transfer to the User. Bandura will determine the appropriate IP Blocking Service to deliver to each User. Additional Network Appliances can be purchased from Bandura.

The scope of use of any Open Source Programs shall be governed by the applicable open source license agreement included with the Licensed Software. User acknowledges that each Open Source Program is distributed under the Open Source Program license applicable to such Open Source Program, and only such license, and this Agreement in no way supplements or detracts from any term or conditions of such open source license agreement (the “Open Source License”). Notwithstanding anything to the contrary in this Agreement, User agrees and acknowledges that the rights attached to any Open Source Programs provided hereunder are separate from and do not depend on the Open Source Programs being part of, or used in connection with, the Software or the Network Appliance.

2. Proprietary Rights.

User acknowledges that ownership of and title in and to all intellectual property rights, including patent, trademark, service mark, copyright, and trade secret rights, in the Licensed Software and IP Blocking Service are and shall remain in Bandura. User acquires only the right to use the Licensed Software and IP Blocking Service and does not acquire any ownership rights or title in or to the Licensed Software or IP Blocking Service. All modifications, updates, revisions and extensions to the Licensed Software, IP Blocking Service and Documentation shall be considered part of the Licensed Software, IP Blocking Service and Documentation for purposes of this Section 2. All data, information, content, graphics, text and other materials or applications prepared by User through the use of the Licensed Software, added by User or integrated by User with the Licensed Software, shall be the sole property of User. You understand that neither Bandura nor AIG has any obligation to monitor the areas of the Licensed Software through which the User can supply information or material.

3. Warranty and Indemnification.

Bandura represents, warrants and covenants that it owns the Licensed Software, including all intellectual property rights therein, and that Bandura has all rights necessary to license and/or provide, in accordance with the terms of this Agreement, the Licensed Software, IP Blocking Service and appropriate Network Appliance, if any, to User.

3.1 Indemnification of AIG:

Bandura shall indemnify and hold AIG harmless against claims, liabilities, and costs, including reasonable attorneys’ fees, incurred in the defense of any claim brought against AIG by User or any other third party in connection with the Licensed Software and/or IP Blocking Service, including, but not limited to, malfunction of a Network Appliance, User’s inability to use the IP Blocking Service or Network Appliance, and/or any damage to User’s network.

3.2 Indemnification of User:

Bandura shall indemnify User against claims, liabilities, and costs, including reasonable attorneys’ fees, reasonably incurred in the defense of any claim brought against User by third parties alleging that User’s use of the Licensed Software, IP Blocking Service or Network Appliance infringes or misappropriates: (i) any patent; (ii) a copyright; or (iii) trade secret rights, provided that, User promptly notifies Bandura in writing of any such claim and Bandura is permitted to control fully the defense and any settlement of such claim as long as such settlement shall not include a financial obligation on User. User shall cooperate fully in the defense of such claim and may appear, at its own expense, through counsel reasonably acceptable to Bandura.

3.3 Indemnification of Bandura and AIG:

To the extent permissible by law, User shall indemnify Bandura, AIG, and their licensors, against all third party claims, liabilities, and costs, including reasonable legal fees, reasonably incurred in the defense of any claim (other than for the infringement of intellectual property rights specified in Section 3.2 above), arising out of User’s breach of its representations and warranties under this Agreement or User’s unauthorized use of the Licensed Software, IP Blocking Service or Network Appliance, and other proprietary information licensed under this Agreement, provided that, Bandura or AIG promptly notifies User in writing of such claim and that User is permitted to control fully the defense and any settlement of the claim.

4. Term and Termination.

This Agreement will become effective on the date User accepts its terms and conditions or accesses the Licensed Software or IP Blocking Service and will remain in force until User or AIG terminates this Agreement. AIG will be deemed to have terminated this Agreement and the User’s right to use of the Licensed Software and the IP Blocking Service immediately without notice if User: (i) fails to comply with the terms and conditions of this Agreement, or (ii) no longer has an in-force cyber insurance policy with AIG or one of its insurance company affiliates. Notwithstanding, AIG reserves the right to terminate User’s use of the Licensed Software and IP Blocking Service, for any reason whatsoever, with ten (10) days written notice to User. Email notice to User is deemed to be sufficient notice under this Agreement.

Unless otherwise agreed by User and Bandura, User is not required to return any Network Appliance intentionally provided by Bandura as part of the IP Blocking Service.

5. Waiver.

No waiver of any right under this Agreement shall be effective unless in writing, signed by a duly authorized representative of the Party to be bound. No waiver of any past or present right arising from any breach or failure to perform shall be deemed to be a waiver of any future right.

6. Severability.

If any provision in this Agreement is invalid or unenforceable, that provision shall be construed, limited, modified or, if necessary, severed, to the extent necessary, to eliminate its invalidity or unenforceability, and the other provisions of this License shall remain unaffected.

7. Governing Law.

Except as otherwise restricted by law, this License shall be governed by the internal laws of the State of New York (as permitted by Section 5-1401 of the New York General Obligations Law or any similar successor provision), without giving effect to any choice of law rule that would cause the application of the laws of any jurisdiction other than the internal laws of the State of New York to the rights and duties of the Parties. The Parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods Act shall not apply to this Agreement.

8. Export Control Notice.

Regardless of any disclosure made by User to Bandura or AIG of an ultimate destination of the Licensed Software or IP Blocking Service (including any Network Appliance provided in connection therewith), User acknowledges that if the Licensed Software, IP Blocking Service or Network Appliance is being released or transferred to User in the United States that it is subject to the U.S. and European Union export control laws. User acknowledges its exclusive obligation to ensure that its exports from the United States are in compliance with the U.S. export control laws. User shall also be responsible for complying with all applicable governmental regulations of any foreign countries with respect to the use of the Licensed Software, IP Blocking Service or Network Appliance outside of the United States. User agrees that it will not submit the Licensed Software, IP Blocking Service or Network Appliance or any related content to any government agency for licensing consideration or other regulatory approval without the prior written consent of Bandura. Customer shall defend, indemnify, and hold Bandura and AIG harmless from and against any and all claims, judgments, awards, and costs (including reasonable legal fees) arising out of User’s noncompliance with applicable U.S. or foreign law with respect to the use or transfer of the Licensed Software, IP Blocking Service or Network Appliance outside the United States by User and its affiliates.

The Licensed Software, IP Blocking Service and Network Appliance provide services and use software and technology that may be subject to United States export controls administered by the U.S. Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, and other U.S. agencies. The User acknowledges and agrees that the Licensed Software, IP Blocking Service and Network Appliance shall not be used, and none of the underlying information, software, or technology may be transferred or otherwise exported or re-exported to any countries to which the United States maintains an embargo (collectively, “Embargoed Countries”), or to or by a national or resident thereof, or any person or entity on the U.S. Department of Treasury’s List of Specially Designated Nationals or the U.S. Department of Commerce’s Table of Denial Orders (collectively, “Designated Nationals”). The lists of Embargoed Countries and Designated Nationals are subject to change without notice. By using this Licensed Software and IP Blocking Service, User represents and warrants that it is not located in, under the control of, or a national or resident of an Embargoed Country or Designated National. User agrees to comply strictly with all U.S. export laws.

9. Warranty Disclaimer.

EXCEPT AS OTHERWISE RESTRICTED BY LAW, NEITHER BANDURA NOR AIG MAKE ANY REPRESENTATION, WARRANTY, OR GUARANTY AS TO THE RELIABILITY, TIMELINESS, QUALITY, SUITABILITY, TRUTH, AVAILABILITY, ACCURACY OR COMPLETENESS OF THE LICENSED SOFTWARE OR IP BLOCKING SERVICE. BANDURA AND AIG DO NOT REPRESENT OR WARRANT THAT (A) THE USE OF THE LICENSED SOFTWARE OR IP BLOCKING SERVICE WILL BE COMPLETELY SECURE, TIMELY, UNINTERRUPTED OR ERROR-FREE OR OPERATE IN COMBINATION WITH ANY OTHER HARDWARE, SOFTWARE, SYSTEM OR DATA, (B) THE LICENSED SOFTWARE OR IP BLOCKING SERVICE WILL MEET USER’S REQUIREMENTS OR EXPECTATIONS, (C) ANY STORED DATA WILL BE ACCURATE OR RELIABLE, (D) THE QUALITY OF ANY PRODUCTS, SERVICES, INFORMATION, OR OTHER MATERIAL PURCHASED OR OBTAINED BY USER THROUGH THE LICENSED SOFTWARE OR IP BLOCKING SERVICE WILL MEET USER’S REQUIREMENTS OR EXPECTATIONS, (E) ERRORS OR DEFECTS WILL BE CORRECTED, (F) THE LICENSED SOFTWARE OR IP BLOCKING SERVICE OR THE SERVER(S) THAT MAKE THEM AVAILABLE ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS, OR (G) THE SECURITY SERVICES ARE SUITABLE FOR ALL NETWORKS.
THE LICENSED SOFTWARE AND IP BLOCKING SERVICE IS PROVIDED TO USER STRICTLY ON AN “AS IS” BASIS. ALL CONDITIONS, REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS, ARE HEREBY DISCLAIMED TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW BY BANDURA AND AIG.

10. Internet Delays.

User acknowledges that access to the Licensed Software and IP Blocking Service may be subject to limitations, delays, and other problems inherent in the use of the Internet and electronic communications. Bandura and AIG are not responsible for any delays, delivery failures, or other damage resulting from such problems.

11. Limitation of Liability.

EXCEPT AS OTHERWISE RESTRICTED BY LAW OR AS STATED HEREIN, BANDURA AND AIG SHALL NOT BE LIABLE FOR ANY DIRECT OR INDIRECT DAMAGES (IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE), INCLUDING BUT NOT LIMITED TO, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES (INCLUDING, WITHOUT LIMITATION, LOSS OF DATA, REVENUE, PROFITS, USE OR OTHER ECONOMIC ADVANTAGE) ARISING OUT OF, OR IN ANY WAY CONNECTED WITH THE LICENSED SOFTWARE OR IP BLOCKING SERVICE, INCLUDING BUT NOT LIMITED TO THE USE OR INABILITY TO USE THE LICENSED SOFTWARE OR IP BLOCKING SERVICE, ANY INTERRUPTION, INACCURACY, ERROR OR OMISSION, REGARDLESS OF CAUSE AND/OR FITNESS FOR A PARTICULAR PURPOSE, EVEN IF ADVISED OF THE POSSIBILITY OF THOSE DAMAGES.

IN FURTHERANCE, AND NOT IN LIMITATION OF, THE FOREGOING, BANDURA AND AIG ASSUME NO RESPONSIBILITY, AND SHALL NOT BE LIABLE FOR, ANY DAMAGES TO, OR VIRUSES THAT MAY INFECT, YOUR COMPUTER EQUIPMENT OR OTHER PROPERTY AS A RESULT OF YOUR ACCESS TO, USE OF, OR YOUR DOWNLOADING OF ANY MATERIALS, DATA, TEXT, IMAGES, VIDEO, OR AUDIO ARISING OUT OF OR RELATING TO THE LICENSED SOFTWARE OR IP BLOCKING SERVICE.

12. Confidentiality.

As used herein, “Confidential Information” means any non-public technical or business information of Bandura (or its licensors), including without limitation, any information relating to Bandura’s techniques, algorithms, software, know-how, current and future products and services, research, engineering, designs, financial information, procurement requirements, manufacturing, customer lists, business forecasts, marketing plans and information, the terms and conditions of this Agreement, and any other information of Bandura (or its licensors) that is disclosed to User. Customer will take all reasonable measures to maintain the confidentiality of Bandura’s Confidential Information, but in no event less than the measures User uses to protect its own confidential information. User will limit the disclosure of Bandura’s Confidential Information to its employees with a bona fide need to access such Confidential Information in order to exercise its rights and obligations under this Agreement; provided that all such employees are bound by a written non-disclosure agreement that contains restrictions at least as protective as those set forth herein. User agrees that Bandura will suffer irreparable harm in the event that User breaches any obligations under this Section 12 and that monetary damages will be inadequate to compensate Bandura for such breach. In the event of a breach or threatened breach of any of the provisions of this Section 12, Bandura, in addition to and not in limitation of any other rights, remedies or damages available to it at law or in equity, shall be entitled to a temporary restraining order, preliminary injunction and/or permanent injunction in order to prevent or to restrain any such breach.

13. Entire Agreement.

This Agreement sets forth the entire understanding and license between User, Bandura and AIG. This Agreement may be amended by joint notice from AIG and Bandura to User concurrently with User’s renewal of the insurance policy with AIG. No other person is authorized to modify this Agreement or to make any warranty, representation or promise which is different than, or in addition to, the warranties, representations or promises herein.