As the saying goes, you can’t judge a book by its cover. But can you judge a firm’s cybersecurity practices by its law firm website? Two recent cybersecurity breaches involving small law firms suggests that the answer is a resounding yes.
The first incident involved a ten-lawyer, Rhode Island firm, Moses, Afonso & Ryan. According to a recent ABA Journal story, the firm fell prey to a ransomware attack when one of its lawyers unwittingly opened an email attachment, enabling a virus to infect the firm’s computer network, resulting in loss of all of the firm’s documents. Over the course of the next three months, the law firm twice paid ransom to the hackers in an effort to restore their documents. The firm is now suing its insurance provider for business losses to the tune of $700,000 in lost billings caused by the firm’s inability to access its documents over a three month period.
The second incident involved a Six Figure Swindle in connection with a seemingly routine real estate closing with both the buyer and seller represented by attorneys. The problems began shortly after the closing when the sellers were informed by their bank that it had stopped payment on the $100,000 check they’d received for the sale. Turned out that Johnson & Finnegan, the firm representing the buyers, had received instructions from someone claiming to be the sellers’ attorney to stop payment on the check and wire the $100,000 to an account in Texas. Of course, as it turned out, Johnson & Finnegan had been duped by a scammer who gathered enough information to make the request.
In both of these situations, you have to wonder what these firms were thinking. Though without more information, it’s tough to fault the Moses, Alfonso attorney for opening the email attachment (after all, attorneys open lots of attachments, and most likely, this was from a known contact), why didn’t the firm retain redundant backup in the cloud? Even if the firm had been using something as basic as Dropbox, it could have easily restored its files and been able to avoid paying ransom to the hackers, not to mention $700k in billing losses.
As for Johnson & Finnegan, first of all, most folks even remotely familiar with the Internet recognize that a request to wire funds is a big red flag signaling a scam. And while wire transfers are more common in transactional law practices, nevertheless because they are often used by scammers, a request to wire funds deserves closer scrutiny — particularly when the request represents a change from the initial payment form.
Although both firms’ clients suffered as a result of these security breaches — imagine how mortifying it would be for any attorney who may have referred those clients to one of these firms. Yet how can you avoid referring clients to law firms with sub-standard security practices? Used to be that lawyers who referred cases harbored a fear that the attorney receiving the case might have been the subject of a disciplinary action that hadn’t been disclosed. But now, thanks to the magic of sites like Avvo and online disciplinary databases maintained by both bars, it’s fairly easy to run a quick background check on a potential referral recipient. Likewise, a firm’s won-loss record or quality of work can be corroborated by review of its reported case results and case filings which can be accessed through online court dockets. But is there any quick way to determine whether a firm that you might refer work to employs best security practices?
There is. Take a look at the law firm’s website because it’s a fairly accurate proxy for a firm’s technology and security savvy.
A quick visit to both the Moses, Alfonso and Johnson Finnegan websites makes my point. Though the Moses, Alfonso site has a pleasant, clean design, the site is bare-bones. There are no links to the attorneys’ articles or cases (in fact, there’s no content on the site at all), no links to social media accounts on LinkedIn, Facebook or Twitter and no blog. In fact, the site lacks a responsive design theme, and thus, isn’t mobile friendly. The Johnson Finnegan site is even worse: it’s essentially, a scant online ad without of any content or even the names of the attorneys listed on the website. Neither site has web forms, downloadable content, PDF documents or anything that would make them somewhat interactive with visitors.
When it comes to security practices, these websites are worth 1000 words. Websites like these broadcast that these firms haven’t kept pace with technology and don’t recognize its value. As such, these attorneys aren’t likely to be well-schooled in, or familiar with even basic security practices needed to protect clients in the digital age.
I realize that using a website as a litmus test for security seems shallow — but as these two incidents bear out, a law firm’s commitment to cyber-security is too important to ignore. If a firm’s website presence is the only clue to its likely security practices, well, that’s better than nothing. And certainly better than the embarrassment of referring a client to a law firm that has a client’s $100,000 stolen out from under it.