Cyber Threats and the Legal Industry

POSTED JULY 30, 2019 // BY JOHN CARDANI-TROLLINGER

Between November 2017 and September 2018, state-sponsored Chinese hackers attacked the systems of an unnamed law firm known for its expertise in intellectual property. Representing clients in the pharmaceutical, technology, electronics, biomedical, and automotive sectors, the law firm was one of three victims of a strategic, targeted campaign. The group known as APT10 used stolen user credentials to access third-party software used by the target organizations and leveraged that access to encroach further upon internal systems.

While this may sound like the plot of a blockbuster movie, it is unfortunately an all-too-real scenario. Law firms are increasingly a target for hackers not only because they often lack basic cyber security, but also because they are a means to an end. That is, as in the case of the unnamed law firm, the companies the law firm represented were the real target, and the firm was simply a way to reach their data. According to the American Bar Association’s 2018 Cybersecurity TechReport, one out of every four law firms has been the victim of a data breach. As in the example above, the motivation behind such attacks is often client data.

The ABA 2018 Legal Technology Survey Report explored the security threats, incidents, and safeguards that attorneys and law firms use to protect themselves. The report uncovered an alarming number of law firms that do not use security measures that security professionals consider “basic” and that are used far more frequently in other businesses and professions.

ABA Formal Opinion 483

“Data breaches and cyber threats involving or targeting lawyers and law firms are a major professional responsibility and liability facing the legal profession. As custodians of highly sensitive information, law firms are an inviting target for hackers. In one highly publicized incident, hackers infiltrated the computer networks at some of the country’s most well-known law firms, likely looking for confidential information to exploit through insider trading schemes. Indeed, the data security threat is so high that law enforcement officials regularly divide business entities into two categories: those that have been hacked, and those that will be.”

ABA Formal Opinion 483

Recognizing the Cybersecurity Risk to Law Firms & Legal Services

Information security starts with understanding both what needs to be protected and from what or whom. According to Law Technology Today, the risks to law firms can generally be broken down into four key areas:

  • Phishing/Hacked Email Accounts
  • Ransomware
  • Leaking of Sensitive Data
  • The Risk of Legal Malpractice Allegations due to Poor Cybersecurity

Phishing/Hacking the Email Accounts of Law Firms

Phishing is an attack in which one or more targets are contacted, most commonly through email, by someone posing as a legitimate person or institution, in order to lure them into handing over password credentials, authorizing fraudulent transactions, or downloading malware. According to the 2018 DBIR, phishing represents 90% of social engineering incidents and 93% of breaches, with email continuing to be the most common vector at 96%. Because most law firms use online tools such as Dropbox or DocuSign (which users log into with their email accounts), they are a likely target for email phishing scams. For example, in one recent incident targeting clients of a law firm in Colorado, victims received a phony .pdf file that appeared to come from the law firm. When the client clicked on the document, they were redirected to a phishing website.

Ransomware in Law Firms

Ransomware and its variants are a common threat closely associated with phishing attacks, and together they have become a serious global threat. The two largest and most discussed ransomware attacks in history, WannaCry and NotPetya, were launched in 2017. Together, within just 24 hours, they infected more than 200,000 machines in more than 100 countries. In most instances, phishing has been the preferred and most successful method of attack for threat actors, with spam emails acting as the initial infection point in the network before more destructive attacks (such as ransomware) are launched. These highly targeted attacks use social engineering, relying on themes that are relevant, interesting, or appropriate to the targeted individual. When users click the links in the phishing email, they are directed to a malicious site or open an attachment carrying malware, and inadvertently allow access into their network. At this point the threat actor can either launch destructive malware or propagate throughout the network, using the information gleaned from the initial attack to gain access to critical client data, confidential corporate data, and sometimes military secrets.

Sensitive Data Leakage for Law Firms

If law firms don’t have strong information security policies, they could be at a higher-than-average risk of attacks that make confidential information public. In a March 2018 attack, Duncan Lewis, a firm serving England and Wales, was hacked. The firm faced reputational loss and legal action when a folder containing its client and employee data was broadcast on Twitter.

The Risk for Legal Malpractice Due to Poor Cybersecurity

As the alarming data from the 2019 ABA Legal Technology Survey uncovered, a quarter of all law firms in the US experienced a data breach in 2018, and the percentage is climbing compared with previous years. Law firms must protect their networks and servers from malicious attacks and security threats; failing to do so risks the loss of files, data, and reputation.

Solution: Bandura Cyber Threat Intelligence Gateway

First and foremost, user education and awareness are key to preventing phishing attacks. However, even after training, errors can be made. Law firms must also implement security processes and tools that prevent phishing from reaching users in the first place and mitigate the effects of phishing if threat actors succeed in penetrating the network.

The Bandura Cyber Threat Intelligence Gateway (TIG) can block phishing attacks and their associated ransomware attacks by identifying and blocking the known malicious IP addresses and domains from which they originate, as well as protecting the network from outbound connections made by malware that was inadvertently opened from inside the network.

Bandura Cyber enables law firms of all sizes to use and take action on threat intelligence in an easy, automated, and scalable way, improving network protection and the efficiency of security operations. Based on patented technology, the Bandura Cyber Threat Intelligence Gateway (TIG) is purpose-built to filter network traffic against a massive volume of threat intelligence (IP and domain indicators). Bandura Cyber TIG aggregates, automates, and operationalizes massive amounts of threat intelligence, blocking known threats and unwanted traffic more efficiently than traditional network security controls.

The Bandura Cyber TIG helps law firms:

  • Strengthen Edge Defenses: Powerful day-one edge protection with significant “out of the box” threat intelligence from multiple sources. Easily integrate and take action on threat intelligence from any source, providing flexibility and choice. Massively scalable, with the ability to filter traffic against over 100 million unique IP and domain indicators at near line speed.
  • Reduce Staff Workload: Helps to reduce alert overload. Eliminates manual threat feed management and reduces the burden of managing highly-dynamic access control lists (ACLs), blacklists, and firewall rules.
  • Maximize the Value of Current Security Investments: Increases the value of existing threat intelligence investments (feeds, SIEMs, TIPs, SOAR) through automated threat detection and blocking, and enhanced threat intelligence-driven context. Improves the ROI and efficiency of existing network security controls like Next Generation Firewalls (NGFWs) and Intrusion Prevention Systems (IPS) by reducing the volume of traffic requiring deep packet inspection and firewall rule processing.

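To make concrete what a threat-intelligence gateway does with IP and domain indicators, here is a small added illustration (not Bandura code; the feeds, indicators and connection records are constructed for the example). It aggregates and deduplicates indicators from two feeds, then checks both endpoints of each connection so that inbound phishing infrastructure and outbound beacons from an already-infected host are both caught.

```python
"""Minimal threat-intelligence gateway filter (illustration only)."""
import ipaddress

# Constructed sample feeds in a plain one-indicator-per-line format.
FEED_A = """
# phishing infrastructure feed (constructed)
203.0.113.45
198.51.100.0/24
login-docusign-secure.example
"""
FEED_B = """
# ransomware C2 feed (constructed); overlaps FEED_A on purpose
203.0.113.45
dropbox-share.example
2001:db8::/32
"""

class IndicatorSet:
    """Aggregated, deduplicated indicators with fast lookups."""

    def __init__(self):
        self.ips = set()        # exact IPv4/IPv6 addresses
        self.networks = []      # CIDR ranges
        self.domains = set()    # domains; subdomains match as well

    def load(self, feed_text):
        for line in feed_text.splitlines():
            line = line.strip().lower()
            if not line or line.startswith("#"):
                continue
            try:
                if "/" in line:
                    net = ipaddress.ip_network(line, strict=False)
                    if net not in self.networks:
                        self.networks.append(net)
                else:
                    self.ips.add(ipaddress.ip_address(line))
            except ValueError:          # not an address: treat as domain
                self.domains.add(line.rstrip("."))

    def match_ip(self, ip):
        """Return the matching indicator, or None."""
        addr = ipaddress.ip_address(ip)
        if addr in self.ips:
            return str(addr)
        for net in self.networks:       # version mismatch is never a hit
            if addr in net:
                return str(net)
        return None

    def match_domain(self, name):
        """Match the name or any parent domain against the feed."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

def evaluate(indicators, record):
    """Allow/block decision for one connection record (a dict)."""
    for field in ("src_ip", "dst_ip"):
        hit = indicators.match_ip(record[field])
        if hit:
            return {"action": "block", "reason": f"{field} matches {hit}"}
    if record.get("dns_name"):
        hit = indicators.match_domain(record["dns_name"])
        if hit:
            return {"action": "block", "reason": f"domain matches {hit}"}
    return {"action": "allow", "reason": "no indicator match"}

INDICATORS = IndicatorSet()
for feed in (FEED_A, FEED_B):
    INDICATORS.load(feed)
```

Real deployments would refresh the feeds on a schedule and replace the linear CIDR scan with a radix tree, but the matching rules are the same.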
Law firms worldwide use Bandura Cyber TIG to increase the intelligence and efficiency of their edge security. Reach out today for a demo or a risk-free 30-day trial.

BANDURA CYBER, INC.

TERMS OF SERVICE AGREEMENT

IMPORTANT: UNLESS OTHERWISE AGREED IN WRITING SIGNED BY BOTH PARTIES, THIS TERMS OF SERVICE AGREEMENT (THE “AGREEMENT”) GOVERNS ALL USE BY YOU AND THE BUSINESS ENTITY THAT YOU REPRESENT (COLLECTIVELY, “CUSTOMER”) OF THE BANDURA SOFTWARE AND THE BANDURA EQUIPMENT (THE “EQUIPMENT”) INCLUDING ALL SOFTWARE EMBEDDED IN THE EQUIPMENT AND ALL SOFTWARE (THE “SOFTWARE” AND TOGETHER WITH THE EQUIPMENT, THE “SOLUTION”) PROVIDED BY BANDURA CYBER, INC. (“BANDURA”) FOR USE IN CONNECTION WITH THE EQUIPMENT.

BANDURA IS WILLING TO PROVIDE THE SOLUTION TO CUSTOMER ONLY UPON THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. BY REQUESTING AN EVALUATION OF THE SOLUTION, ACCEPTING A QUOTE FOR THE SOLUTION, SUBMITTING AN ORDER FOR THE SOLUTION, OR BY USING ANY PART OF THE SOLUTION, CUSTOMER IS BINDING ITSELF TO ALL TERMS OF THIS AGREEMENT. IF CUSTOMER DOES NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, THEN BANDURA IS UNWILLING TO LICENSE THE SOFTWARE OR PROVIDE THE EQUIPMENT TO IT AND (A) CUSTOMER MAY NOT USE THE SOFTWARE OR THE EQUIPMENT, AND (B) CUSTOMER MAY RETURN THE EQUIPMENT FOR A FULL REFUND. CUSTOMER’S RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM BANDURA OR AN AUTHORIZED BANDURA RESELLER, AND APPLIES ONLY IF CUSTOMER IS THE ORIGINAL END USER PURCHASER.

The following terms of Agreement govern Customer’s access and use of the Software.

License. Conditioned upon compliance with the terms and conditions of this Agreement, Bandura grants to Customer a nonexclusive and nontransferable license to use the Software and the Documentation for which Customer has paid any and all required license fees, as limited in time or scope by any Solution quotation, evaluation or order documents. “Documentation” means written information contained in user or technical manuals, training materials, and specifications specifically pertaining to the Software and made available by Bandura for use with the Software or the Equipment in any manner (including on CD-ROM, or on-line).

Customer’s license to use the Software shall be limited to, and Customer shall not use the Software except in connection with, the Equipment.

Unless otherwise expressly provided in the Documentation, Customer shall use the Software solely as embedded in the Equipment for Customer’s internal business purposes only.

General Limitations. This is a license, not a transfer of title, to the Software and Documentation. Unless otherwise stated in any other documentation agreed by the parties, title to Equipment shall pass to Customer upon delivery.  Bandura retains ownership of all copies of the Software and Documentation. Customer acknowledges that the Software and Documentation contain trade secrets of Bandura, its suppliers or licensors, including but not limited to the specific internal design and structure of individual programs and associated interface information. Accordingly, except as otherwise expressly provided in this Agreement, Customer shall have no right, and Customer specifically agrees not to

  • transfer, assign or sublicense its license rights to any other person or entity, or use the Software except in connection with the Equipment, and any attempted transfer, assignment, or sublicense shall be void;
  • modify, adapt, alter, or otherwise change the Software or create derivative works based upon the Software, or permit third parties to do the same;
  • reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to human-readable form, except to the extent otherwise expressly permitted under applicable law notwithstanding this restriction;
  • use or permit the Software to be used to perform services for third parties, whether on a service bureau or time sharing basis or otherwise, without the express written authorization of Bandura; or
  • disclose, provide, or otherwise make available the Software or trade secrets contained within the Software and/or Documentation in any form to any third party without the prior written consent of Bandura. Customer shall implement reasonable security measures to protect the Software and such trade

Software, Upgrades and Additional Copies. For purposes of this Agreement, “Software” shall include (and the terms and conditions of this Agreement shall apply to) computer programs, including firmware, as provided to Customer by Bandura, or an authorized Bandura reseller, or embedded or installed in the Equipment, and any upgrades, updates, bug fixes or modified versions thereto (collectively, “Upgrades”) or backup copies of the Software licensed or provided to Customer by Bandura or an authorized Bandura reseller.

NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT: (1) CUSTOMER HAS NO LICENSE OR RIGHT TO USE ANY ADDITIONAL COPIES OR UPGRADES UNLESS CUSTOMER, AT THE TIME OF ACQUIRING SUCH COPY OR UPGRADE, ALREADY HOLDS A VALID LICENSE TO THE ORIGINAL SOFTWARE AND HAS PAID ANY AND ALL APPLICABLE FEE FOR THE UPGRADE OR ADDITIONAL COPIES; (2) USE OF UPGRADES IS LIMITED TO THE EQUIPMENT FOR WHICH CUSTOMER IS THE ORIGINAL END USER PURCHASER OR WHO OTHERWISE HOLDS A VALID LICENSE TO USE THE SOFTWARE WHICH IS BEING UPGRADED; AND (3) THE MAKING AND USE OF ADDITIONAL COPIES IS LIMITED TO NECESSARY BACKUP PURPOSES ONLY.

Proprietary Notices. Customer agrees to maintain and reproduce all copyright and other proprietary notices on all copies, in any form, of the Software in the same form and manner that such copyright and other proprietary notices are included on the Software. Except as expressly authorized in this Agreement, Customer shall not make any copies or duplicates of any Software without the prior written permission of Bandura.

Term and Termination. This Agreement and the license granted herein shall remain effective for such period indicated in the quotation or order documents, provided that any fees therefor are paid by Customer.  Customer’s rights under this Agreement will terminate immediately without notice from Bandura if Customer fails to comply with any provision of this Agreement. Upon termination, Customer shall destroy any and all copies of the Software, Upgrades and Documentation in its possession or control.

All confidentiality and indemnity obligations of Customer, all limitations of liability, all disclaimers and all restrictions of warranty contained in this Agreement shall survive termination of this Agreement.

Export Restrictions. The Equipment, Software and/or Documentation are subject to the export control laws and regulations of the United States, including, but not limited to, the U.S. Export Administration Act of 1979, as amended, and any successor U.S. legislation, and the Export Administration Regulations (“EAR”) administered by the U.S. Bureau of Industry and Security (“BIS”), in particular because the Equipment, Software and/or Documentation incorporate cryptographic functionality. Accordingly, Customer shall not export, reexport, transfer, or otherwise distribute or disseminate the Equipment, Software and/or Documentation without first obtaining any and all necessary licenses or approvals from BIS, including the issuance either to Bandura or Customer of a Commodity Classification and Automated Tracking System (CCATS) determination from BIS in accordance with Section 740.17 or Section 742.15 of the EAR, and any other responsible U.S. Government agency. In particular, except as specifically authorized, Customer shall not export, reexport, transfer, or otherwise distribute or disseminate the Product (i) in or to any country then under U.S. embargo, currently Cuba, Iran, Sudan, Syria, and North Korea; (ii) to any entity or individual on the U.S. Treasury Department’s List of Specially Designated Nationals and Blocked Persons, or on the Entity List, Denied Persons List, or Unverified List, each of which is maintained by BIS; or (iii) for any end use prohibited pursuant to Part 744 of the EAR. Furthermore, Customer agrees not to export, reexport, transfer, or otherwise distribute or disseminate the product to any end user in a country other than the countries listed in Supplement No. 3 to Part 740. Customer will defend, indemnify, and hold BANDURA harmless from and against all fines, penalties, liabilities, damages, costs, and expenses incurred by BANDURA as a result of any violation of the U.S. export control laws and regulations.

U.S. Government End User Purchasers. The Software and the Documentation qualify as “commercial items,” as that term is defined at Federal Acquisition Regulation (“FAR”) (48 C.F.R.) 2.101, consisting of “commercial computer software” and “commercial computer software documentation” as such terms are used in FAR 12.212. Consistent with FAR 12.212 and DoD FAR Supp. 227.7202-1 through 227.7202-4, and notwithstanding any other FAR or other contractual clause to the contrary in any agreement into which this Software License Agreement may be incorporated, Customer may provide to Government end user or, if this Agreement is direct, Government end user will acquire, the Software and Documentation with only those rights set forth in this Software License Agreement. Use of either the Software or Documentation or both constitutes agreement by the Government that the Software and Documentation are “commercial computer software” and “commercial computer software documentation,” and constitutes acceptance of the rights and restrictions herein.

Warranty, Disclaimer and Limitation of Liabilities

BANDURA WARRANTS, DURING THE TERM OF ANY LICENSE OR SUBSCRIPTION FOR THE SOLUTION IN EFFECT PURSUANT TO THIS AGREEMENT, THAT THE SOFTWARE WILL OPERATE IN ACCORDANCE WITH THE DOCUMENTATION IN ALL MATERIAL RESPECTS. BANDURA’S SOLE OBLIGATION AND CUSTOMER’S SOLE REMEDY FOR ANY BREACH OF THE FOREGOING WARRANTY SHALL BE TO REPAIR THE SOFTWARE OR OTHERWISE MODIFY THE SOLUTION SO THAT THE SOFTWARE OPERATES IN ACCORDANCE WITH THE FOREGOING WARRANTY. NO WARRANTY IS GIVEN FOR EQUIPMENT, BUT BANDURA WILL PROVIDE REASONABLE COOPERATION TO OBTAIN THE BENEFIT OF ANY EQUIPMENT WARRANTY FROM THE MANUFACTURER. EXCEPT FOR THE EXPRESS WARRANTIES STATED HEREIN, BANDURA DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, WITH RESPECT TO ANY SOFTWARE OR EQUIPMENT FURNISHED BY BANDURA.

BANDURA SPECIFICALLY DISCLAIMS AND DOES NOT AGREE TO ANY IMPLIED WARRANTY, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, ANY IMPLIED WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, OR ANY IMPLIED WARRANTY THAT THE HARDWARE OR SOFTWARE WILL NOT INFRINGE ANY PATENT, TRADEMARK, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHTS.
EXCEPT FOR ANY REMEDY SET FORTH IN THIS LIMITED WARRANTY, IN NO EVENT WILL BANDURA OR ITS SUPPLIERS BE LIABLE TO YOU FOR ANY LOSS, DAMAGES, CLAIMS OR COSTS WHATSOEVER INCLUDING ANY CONSEQUENTIAL, INDIRECT OR INCIDENTAL DAMAGES, ANY LOST PROFITS OR LOST SAVINGS, ANY DAMAGES RESULTING FROM BUSINESS INTERRUPTION, PERSONAL INJURY OR FAILURE TO MEET ANY DUTY OF CARE, OR CLAIMS BY A THIRD PARTY, EVEN IF A BANDURA REPRESENTATIVE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS, DAMAGES, CLAIMS OR COSTS. REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE OR OTHERWISE, IN NO EVENT WILL BANDURA OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, LOST PROFIT, OR LOST OR DAMAGED DATA, BUSINESS INTERRUPTION, LOSS OF CAPITAL, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY OR WHETHER ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE OR OTHERWISE AND EVEN IF BANDURA OR ITS SUPPLIERS OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
IN NO EVENT SHALL BANDURA’S OR ITS SUPPLIERS’ OR LICENSORS’ LIABILITY TO CUSTOMER, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH OF WARRANTY, OR OTHERWISE, EXCEED THE PRICE PAID BY CUSTOMER DURING THE 12 MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO LIABILITY.
THE FOREGOING LIMITATIONS AND EXCLUSIONS APPLY TO THE EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

Customer agrees that the limitations of liability and disclaimers set forth herein will apply regardless of whether Customer has accepted the Equipment, the Software or any other product or service delivered by Bandura. Customer acknowledges and agrees that Bandura has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the parties.

Miscellaneous. The Agreement shall be governed by and construed in accordance with the laws of the State of Maryland, without reference to or application of choice of law rules or principles.

If any portion hereof is found to be void or unenforceable, the remaining provisions of the Agreement shall remain in full force and effect.

Except as expressly provided herein, this Agreement constitutes the entire agreement between the parties with respect to the license of the Software and the Documentation and supersedes any conflicting or additional terms contained in any purchase order or elsewhere, all of which terms are excluded.

Any controversy or claim arising under or related to this Agreement shall be settled by arbitration in the State of Maryland, United States of America in accordance with the arbitration rules of the American Arbitration Association before a single arbitrator and judgment upon the award rendered by the arbitrator may be entered in any court having jurisdiction thereof. Bandura and Customer shall each select an arbitrator, and those two selected arbitrators will select the single arbitrator to hear the controversy or claim.