What if criminals broke into your attorney’s office and stole all of your client files, and could do whatever they wanted with them? Hackers could mine them for valuable data, sell them on the dark web or threaten to publish them. This nightmare may be an unfortunate reality for hundreds of thousands of individuals and businesses.

Last month TrialWorks, a popular cloud hosting provider for attorneys, was hit with ransomware. Over 40,000 users from 2,500 firms around the country lost access to their client data. Attorneys missed deadlines and fumed as TrialWorks scrambled to restore the data. But the scarier issue is one that hasn’t been widely reported in the news: the criminals may also have taken data.

Ransomware is often the last stage of a cyber intrusion. Before criminals infect an organization with ransomware, they have to have infected the network first. Criminals may first enter an organization’s network when a user clicks a link in a phishing email, or through a compromised remote access tool used by an IT vendor. Once inside, they often lurk for weeks or months, stealing data such as passwords, personally identifiable information, banking details, and sensitive files.

Commercial hacking toolkits are often configured to exfiltrate data automatically, so criminals don’t even have to push a button to steal files. They simply infect victim computers and wait for all of the files to be uploaded to their servers. Then, they sift through the stolen files at their leisure. After the criminals have all the data they want, they install ransomware. In some cases, criminals analyze stolen financial reports in order to determine an appropriate ransom demand.

When organizations get locked up with ransomware, the focus is often on the short-term operational impact. Hospitals, schools, and governments serve the public, and so the impact is very quickly felt—and publicized. In the case of TrialWorks, reporters focused on missed court deadlines. “[W]e are partnering with multiple top cyber security firms to help ensure that the security incident has been remediated,” said TrialWorks in an update. “Once the incident has been resolved and our systems are secure, we will focus on restoring customer access.”

Acknowledging the Elephant in the Room

The big question for attorneys and their clients is: Was client data breached?  The answer depends on what exactly happened, as well as the type of data involved, combined with relevant state and federal laws. Health information, for example, may fall under federal laws that require ransomware to be investigated as a data breach. (TrialWorks advertises that it has a “HIPAA compliant data center,” so presumably it stores some HIPAA-regulated data.)  According to the Department of Health and Human Services, “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information)…”

Should attorneys notify clients that their data may be at risk? This may be the ethical answer, and the correct legal response as well, in many cases.  However, few, if any, affected law firms appear to have notified clients that their data is at risk, and clients are in the dark. TrialWorks itself has provided very little information about the details of the attack, even to affected law firms, and the affected firms themselves may not know enough about cloud data breaches to demand answers.

Cloud data breaches can have far-reaching, often unanticipated consequences, as the case of TrialWorks demonstrates.  Consider:

  • One single cloud provider has been hacked.
  • 2,500 law firms are now at risk of a potential cloud data breach, along with all the reputational damage and financial consequences that go along with that.
  • Hundreds of thousands (if not millions) of clients served by these law firms may have had their confidential viewed or stolen by criminals.
  • An untold number of people’s confidential information may have been included in client files, potentially involving their employees, affiliates, and vendors.

How to Prevent a Cloud Data Breach

Are you prepared for a cloud data breach? Here are some tips that will help you reduce your risk, and respond properly.

  1. Vet your cloud providers carefully. Check out LMG’s tip sheet on Vetting Your Cloud Provider for a handy checklist.
  2. Contractually obligate suppliers to adhere to your cybersecurity standards and provide you with regular reports (typically this is done on an annual basis). Make sure that your suppliers, in turn, are required to carefully vet their suppliers, including cloud software vendors.
  3. Ensure that all of your suppliers are required to notify you in the event of a suspected cloud data breach involving your data. It’s important to set a specific time frame and verify that you and your supplier are on the same page regarding what constitutes a potential data breach.
  4. Require suppliers to share details with you during an investigation, when it’s your data on the line. Be specific about precisely what information suppliers must share with you, so that you have the details you need to take appropriate action.
  5. Prioritize your cybersecurity review of cloud suppliers based on the volume and sensitivity of the data they store and process on your behalf.
  6. Include top-priority suppliers in your cloud data breach response plans. Make sure you have appropriate contact information so that you know who to reach in the event of a time-sensitive issue such as a cloud data breach.
  7. Conduct tabletop exercises to test your response processes, and make sure to involve top-priority suppliers.

If you need assistance creating proactive prevention strategies for a cloud data breach, or resources for responding to an active incident, please contact LMG’s team of cybersecurity experts. We are here to help.