Taryn Reichow*
I. Introduction
Cybersecurity has become a hot-button issue this past year after the rollout of artificial intelligence (AI).1 “[T]he global annual cost of cybercrime is predicted to reach $9.5 trillion by the end of 2024.”2 Businesses all over the United States have suffered huge cybersecurity breaches in 2024.3 And it’s not just standard businesses; it’s law firms too. In May 2024, at least twenty-one law firms reported cybersecurity breaches.4 This is on pace to be the biggest year in the history of law firm data breach reports.5
This should be a concern to all legal practitioners because law firms are a prime target for cyberattacks as custodians of client information.6 Lawyers are held to the Model Rules of Professional Conduct when it comes to protecting client confidential information.7 And with the Model Rules of Professional Conduct tasking lawyers to be competent in technological advances, it is important to review the threats facing lawyers today and how lawyers can help combat cyberattacks.8
II. Cybersecurity Issues Facing Lawyers Today
With each passing year, cyberattacks evolve and create new cybersecurity risks.9 For 2024, the top cybersecurity concerns facing law firms are evolving malware threats including enhancements in ransomware and AI-enhanced malware, and state-sponsored attacks.10
A. Evolving Malware Threats
Malware is a coded program engineered with malicious intent.11 Malware is “particularly potent [in] its ability to conceal its existence, bypass security measures, and exploit vulnerabilities.”12 After the launch of AI, cyberhackers now can use AI algorithms to optimize malware programs.13 AI algorithms can learn and adapt to cybersecurity roadblocks, which makes them extremely difficult to identify and stop.14 And once cyberhackers gain access to sensitive information, they encrypt it and threaten to release it unless the victim pays a ransom.15 Attackers have gone as far as creating ransomware as a service (RaaS), in which creators of ransomware rent out their malware to other attackers.16 This is a concerning emergence because it lowers the barrier to entry for people to become cyberhackers.17
B. State-Sponsored Attacks
State-sponsored attacks occur when a government carries out a cyberattack against another government or organization.18 These attacks—even when targeting organizations other than law firms—can wreak havoc on the entire IT infrastructure, impacting multiple businesses, organizations, and government entities.19 And sensitive legal information is a main target for these attacks.20
III. What Can Lawyers Do to Combat Cyberattacks
A. Be Familiar with the General Data Protection Regulation (GDPR)
In 2018, the European Union put into effect the GDPR.21 “[I]t imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the European Union (EU).”22 Because law firms and lawyers must retain sensitive client information, they must comply with GDPR regulations.23 To comply with these regulations, lawyers and law firms should closely monitor document retention activities and maintain records of data processing activities.24
B. Have an Incident Response Plan in Place
The Center for Professional Responsibility at the American Bar Association released an article helping lawyers and law firms establish incident response plans for cyberattacks.25 The first step of risk management is taking time before a security incident occurs to consider (1) how information enters and moves through the firm, (2) what information is stored and how it is accessed by lawyers and staff, and (3) what information is highly sensitive or confidential.26 This will help determine what safeguards should be put in place.27 The next step is creating a response team of internal and external members who are assigned specific roles when a security incident occurs.28 Finally, an incident response plan should be flexible and capable of addressing any type of cyberattack.29
C. Training and Awareness
A crucial part of firm cybersecurity is regular training for attorneys and staff.30 Frequent training creates a firm culture where cybersecurity is everyone’s responsibility, and it encourages reporting of suspicious activity.31
IV. Conclusion
In conclusion, cyberattacks are not going anywhere. Even with government initiatives like the National Cybersecurity Strategy32 and the GDPR,33 cybersecurity will always be an uphill battle. So, it is even more important to stay up to date on emerging cybersecurity issues.
* Taryn Reichow, J.D. Candidate, University of St. Thomas School of Law Class of 2025 (Managing Editor).
1. See generally National Cybersecurity Strategy, The White House (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf [https://perma.cc/7FWM-X4N5].
2. The Biggest Data Breaches of the Year (2024), Bluefin (July 10, 2024), https://www.bluefin.com/bluefin-news/biggest-data-breaches-year-2024/ [https://perma.cc/GH9K-G6UX].
3. See id.
4. Dan Roe, Law Firm Data Breach Reports Show No Sign of Slowing in 2024, The Am. Law. (May 23, 2024, 5:00 AM), https://www.law.com/americanlawyer/2024/05/23/law-firm-data-breach-reports-show-no-signs-of-slowing-in-2024/ [https://perma.cc/229T-R5B6].
5. Id.
6. A Guide to Cybersecurity Compliance for Law Firms, The Nat’l Trial Laws., https://thenationaltriallawyers.org/article/cybersecurity-compliance-guide/ [https://perma.cc/CZU6-JTY2] (last visited Sept. 12, 2024).
7. Model Rules of Pro. Conduct r. 1.6 (Am. Bar Ass’n 2024).
8. Model Rules of Pro. Conduct r. 1.1 (Am. Bar Ass’n 2024); see also Model Rules of Pro. Conduct r. 1.1, cmt. 8 (Am. Bar Ass’n 2024) (“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”) (emphasis added).
9. The Top 5 Cybersecurity Concerns Facing Law Firms Going into 2024, TRUTechnology, https://www.trutech.com/the-top-5-cybersecurity-concerns-facing-law-firms-going-into-2024/ [https://perma.cc/Q7DC-R6KC] (last visited Sept. 12, 2024) [hereinafter Top 5].
10. Id.
11. The Evolution of Malware: From Intricacies to Solutions, CanaryTrap (Jan. 19, 2024), https://www.canarytrap.com/blog/malware-evolution/#:~:text=The%20evolution%20of%20malware%20represents,organizations%2C%20and%20even%20entire%20nations [https://perma.cc/KK55-GPD4].
12. Id.
13. Top 5, supra note 9.
14. Top 5, supra note 9.
15. Top 5, supra note 9.
16. Top 5, supra note 9.
17. Top 5, supra note 9.
18. Why State-Sponsored Cyber Attacks are a Global Threat, MRINetwork (Feb. 23, 2024), https://mrinetwork.com/hiring-talent-strategy/why-state-sponsored-cyber-attacks-are-a-global-threat/#:~:text=What%20Is%20a%20State%2DSponsored,computer%20systems%20and%20IT%20infrastructure [https://perma.cc/5XL6-CAXR].
19. Id.
20. Top 5, supra note 9.
21. Ben Wolford, What is GDPR, the EU’s New Data Protection Law?, GDPR.EU, https://gdpr.eu/what-is-gdpr/ [https://perma.cc/7PCV-3ZC9] (last visited Sept. 12, 2024).
22. Id.
23. Ann Nickolas, GDPR Compliance and Why It Matters to Your Law Firm, Legal Management, https://www.alanet.org/legal-management/2018/july-august/departments/gdpr-compliance-and-why-it-matters-your-law-firm#:~:text=GDPR%20regulations%20determine%20how%20long,employees%20determine%20the%20appropriate%20lifespan [https://perma.cc/2D9S-FLYT] (last visited Sept. 12, 2024).
24. Top 5, supra note 9.
25. See generally Steven M. Puiszis, Prevention and Response: A Two-Pronged Approach to Cyber Security and Incident Response Planning, 24 The Pro. Law. 25 (2017).
26. Id. at 27.
27. See id.
28. Id. at 28–29.
29. Id. at 29.
30. A Guide to Cybersecurity Compliance for Law Firms, supra note 6.
31. Guide to Cybersecurity Compliance for Law Firms, supra note 6.
32. National Cybersecurity Strategy, supra note 1.
33. Commission Regulation 2016/679 of Apr. 27, 2016, O.J. (L 119/1).
