
NR&E

Spring 2023: Comparative and Global Perspectives

The Imputed Cybersecurity Risk: Obligations for Energy and Natural Resource Attorneys

Pamela C Garman

Summary

  • Explores how cyberattacks have increasingly been aimed at companies considered part of the United States’ critical infrastructure.
  • Discusses how taking reasonable precautions in light of cybersecurity risks appears key in order to provide competent representation.
  • Explains that attorneys must make sure that they are stepping up to their obligation to protect and safeguard client data or risk being the cause of a breach.

In 2020, the number of cyberattacks rose sharply across industries around the globe, and the upward trend has continued. According to the 2020 FBI Internet Crime Report, internet crime complaints rose 69.4% from 2019 to 2020, and the use of techniques like phishing increased 110%. FBI Internet Crime Complaint Ctr., Internet Crime Report 2020 (Mar. 2021). While cybercrime has increased across the board, many of the new threat groups that emerged in 2021 increasingly targeted the energy sector, including oil and gas companies and renewable energy. Dragos, Cybersecurity Year in Review 2021. Attackers have increasingly aimed at companies considered part of the United States’ critical infrastructure, like power and utilities, oil and gas, mining, and forestry. Aon Cyber Solutions, Natural Resources: Operational Technology and Resilience in a Changing Cyber Threat World (2022). This new focus is largely based on the significant, large-scale impact a successful attack can have, fueled by geopolitical tension and scarce resources. Id.

In early 2021, a water system in Florida was targeted, resulting in an intrusion into a city’s water treatment system. The attacker attempted to poison the water supply by raising the proportion of lye to toxic levels. See Vickie Sutton, Preparing for (and Defending Against) a Cyberattack on the Energy Sector (Rocky Mt. Min. L. Fdn. 2021). In March of 2021, Honeywell, which produces a range of industrial products used by oil and gas companies in North America, reported a malware intrusion that disrupted a number of its information technology systems. Dragos, supra. In May 2021, the Colonial Pipeline was impacted by a ransomware attack. The Colonial Pipeline supplied approximately 45% of the gasoline consumed on the East Coast. In addition to creating panic, this attack halted operations of the pipeline, resulting in widespread gas shortages. Id. This trend continued for the energy and natural resource industry last year, which saw record highs in cybersecurity incidents in 2022. See S&P Global, Energy Security Sentinel: Cyberattacks Surge in 2022 as Hackers Target Commodities (Oct. 10, 2022).

With this magnitude of the threat to critical infrastructure in the United States, cybersecurity is no longer a risk simply to business but a national security concern. Current geopolitical unrest reminds us that the world is more interconnected than ever. The Secretary of Homeland Security, Alejandro Mayorkas, summarizes the threat landscape well, noting that “[w]ith a keystroke, our adversaries can disrupt power or water to a small city, mine troves of Americans’ personal data, or steal intellectual property. The means by which we address the myriad of cyber-attacks, which are growing in number and gravity, are linked to our role and responsibilities on the global stage.” Press Release, Alejandro Mayorkas, Dep’t of Homeland Sec., Secretary Mayorkas Remarks at the Center for Strategic and International Studies (Dec. 5, 2022).

As an attorney practicing in the energy and natural resource area, it is easy to dismiss this threat to clients as one outside the scope of your representation or obligations. While technically correct, doing so would ignore what has become a very serious reality for the legal industry. A law firm has not only the risks associated with operating as a business in the normal course, but also the imputed threat from every industry and client it serves.

Cyberattacks targeting law firms are not new. Cyber criminals know that law firms house sensitive data for their clients. See Jill Rhodes, Robert Litt & Paul Rosenzweig, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (3d ed. 2022) (ABA Cybersecurity Handbook). Based on the very nature of legal work, firms aggregate massive amounts of sensitive and confidential information related to their representation. This frequently includes information that attackers can use to successfully infiltrate or damage the client entities. It is not surprising, then, that law firms have frequently been described as a “treasure trove” of information attractive to cyber actors, including foreign state actors. See Ellen Rosen, Most Big Firms Have Had Some Hacking: Business of Law, Bloomberg (Mar. 10, 2015). Law firms then become a major target for cyber actors trying to secure sensitive and confidential information on their ultimate targets.

The frequency and severity of attacks against law firms continue to trend upward, and much faster than firms have adapted. One in four law firms reported a data breach in 2021. See David G. Ries, 2021 Cybersecurity, ABA TechReport 2021 (Dec. 22, 2021). But many reports suggest that number, and particularly the number of breaches that end up publicly reported, represents just the tip of the iceberg as far as firm breaches go. See Rosen, supra. Historically, this underreporting has occurred because firms may not know they were hacked until notified by law enforcement. For example, as far back as 2009, a large U.S. law firm received notification from the FBI that the firm’s files had been found on a server outside of the United States. The firm had been unaware that all of its client files had been exfiltrated, and it was left with no ability to get the files back. See Jill D. Rhodes & Vincent I. Polley, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (2013).

Given the cost and risks associated with cybercrime, the legal obligations of clients and firms alike for data security are evolving. Lawyers have always had a heightened obligation to safeguard client data under the ABA Model Rules of Professional Conduct. Under Rule 1.1, lawyers have an obligation to provide competent representation. In order to “maintain the requisite knowledge and skill” necessary to provide competent representation, “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Model Rules of Pro. Conduct r. 1.1, cmt 8. Lawyers also have an obligation to maintain the confidentiality of information. “A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent” or otherwise meets a limited exception under the rule. Id. r. 1.6(a). Additionally, a “lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Id. r. 1.6(c). Understanding and taking reasonable precautions in light of cybersecurity risks appears key in order to provide competent representation in an age where technology is not just helpful but entirely necessary and vital to a modern law practice.

Although there are a number of different threats to law firms, social engineering and particularly phishing remain the most common sources of a breach. See ABA Cybersecurity Handbook, supra. Social engineering exploits human error through manipulating individuals to divulge information or provide access to systems to facilitate the attack. Essentially, someone contacts a target, by email, by phone, or even in person, and pretends to be someone else to gain information, access, or knowledge that will help carry out the scheme. The most common example is a phishing email, such as what appears to be a request from a co-worker to buy gift cards. It may seem like an easy threat to brush off—sure, you get those emails frequently, but they are usually easy to spot and you do not plan to fall for the most common request. Phishing attempts, however, have continued to become more sophisticated and pose an even greater risk than ever to your firm as well as your clients.

Business email compromise (BEC) is a good illustration of the magnitude of risk and potential for harm that can reach clients from something that begins as a phishing email. BEC scams start with a phishing email or a spoofed email account or website. The target initially believes the source is genuine, which leads the recipient to provide confidential information or initiate a payment. For example, the most common BEC scheme targets a business that performs wire transfers. Posing as the entity that would normally receive the payment, either by gaining access to that entity’s real email account or by spoofing an account to look real, the attacker requests that the payment be made to a new bank account. The recipient believes the request is legitimate and makes the transfer, resulting in lost funds. BEC schemes have continued to evolve beyond wire transfer requests to include attempts to transfer or access sensitive information or to corrupt server systems.

If you have a client, vendor, or even co-counsel from another firm whose email becomes compromised, the chances are high that the attacker can learn sensitive information about how the firm works, the relationships between individuals, and the nature of the representation. See ABA Cybersecurity Handbook, supra. Once the attacker has access to an email account, they can go back through the sent emails and reuse similar or identical language from past messages. This may include forwarding a previous email chain that was legitimate but with a “new” attachment. The recipient has little reason to question one more message in a chain that was legitimate. The attachment may be designed to harvest credentials (username and password) for the recipients’ email accounts, or to install malware, like ransomware, on the recipient’s system.
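The BEC patterns described in the two paragraphs above (a spoofed or lookalike sender, a hijacked reply path, and a request to change payment instructions) can be screened for mechanically before a human ever decides whether to trust a message. The following is an added example, not code from the article or from the ABA handbook it cites; it uses only the Python standard library, and the trusted-domain list, the known-contact entry, and the four sample messages are constructed for illustration.

```python
"""Screen raw email for common business email compromise (BEC) indicators.

Added example (not from the original article). Each check targets a trace an
attacker posing as a known counterparty tends to leave in the headers or body:
  reply_to_mismatch          Reply-To points to a different domain than From
  display_name_impersonation display name is a known contact, address is not
  lookalike_domain           sender/reply domain is a homoglyph or one or two
                             edits away from a trusted domain
  payment_change             body asks to use new/updated banking details
Trusted domains, the known contact and all sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for the example: domains of a client and of co-counsel.
TRUSTED_DOMAINS = {"client-energy.example", "cocounsel-law.example"}
# Constructed for the example: a known contact, keyed by their real address.
KNOWN_CONTACTS = {"dortiz@client-energy.example": "dana ortiz"}

PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed|revised)\s+(bank|wire|account|routing|remittance)",
    re.IGNORECASE,
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch domains one or two typos from a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Fold common ASCII homoglyphs so c1ient / cIient / rnicrosoft collapse."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(bad, good)
    return d


def is_lookalike(domain: str) -> bool:
    if domain in TRUSTED_DOMAINS:
        return False
    return any(
        normalize_domain(domain) == normalize_domain(t) or levenshtein(domain, t) <= 2
        for t in TRUSTED_DOMAINS
    )


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_type() == "text/plain"]
    return "\n".join(p.decode("utf-8", "replace") for p in parts)


def bec_indicators(raw_message: str) -> list:
    """Return the indicator names triggered by one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_addr = reply_addr.lower()
    found = []

    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        found.append("reply_to_mismatch")

    name = from_name.lower()
    for real_addr, contact_name in KNOWN_CONTACTS.items():
        if contact_name in name and from_addr != real_addr:
            found.append("display_name_impersonation")
            break

    if any(is_lookalike(_domain(a)) for a in (from_addr, reply_addr) if a):
        found.append("lookalike_domain")

    if PAYMENT_CHANGE.search(_body_text(msg)):
        found.append("payment_change")
    return found


# Constructed sample messages (not real correspondence).
LEGIT = """\
From: "Dana Ortiz" <dortiz@client-energy.example>
To: counsel@firm.example
Subject: Re: Q3 lease review

Attached is the revised exhibit for your review.
"""

REPLY_TO_HIJACK = """\
From: "Dana Ortiz" <dortiz@client-energy.example>
Reply-To: dortiz@client-energy-secure.example
To: counsel@firm.example
Subject: Re: Q3 lease review

Can you resend the executed lease to this thread?
"""

FREEMAIL_IMPERSONATION = """\
From: "Dana Ortiz" <dana.ortiz.ce@freemail.example>
To: counsel@firm.example
Subject: quick favor

Can you send the draft purchase agreement before the call?
"""

LOOKALIKE_WIRE_CHANGE = """\
From: "Dana Ortiz" <dortiz@c1ient-energy.example>
To: counsel@firm.example
Subject: Re: closing funds

Our bank changed; please use the updated wire instructions in the attached PDF.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("reply-to", REPLY_TO_HIJACK),
                       ("freemail", FREEMAIL_IMPERSONATION), ("lookalike", LOOKALIKE_WIRE_CHANGE)):
        print(f"{label:10s} -> {bec_indicators(raw)}")
```

The caveat that matters for the scenario in the paragraph above: when the counterparty's real mailbox has been taken over and the attacker simply replies within a genuine thread, every one of these header checks passes. Header screening raises the cost of spoofing and lookalike domains; it does nothing against a compromised account, which is why a change in payment instructions or an unexpected attachment in an otherwise legitimate chain still has to be verified by phone or another channel the email itself did not supply.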

Once inside an individual’s system, the attacker may spend weeks or months gathering information, exfiltrating data slowly to remain undetected, and learning about the target. An attorney’s files on a client, such as proprietary information, trade secrets, merger and acquisition–related information, and even client data reviewed for potential production in litigation, all provide a wealth of information on the client entity. For example, a firm may hold a large volume of data swept up from a search of the client’s system for search terms related to litigation. The attorney will then review and narrow that set for production, but it could include anything from the client’s system, like organizational charts, internal communications, system instructions, or proprietary information. All of that would be highly valuable to someone trying to infiltrate the client entity. And something as simple as an email from an attorney’s account with an attachment, sent on to a client to phish for account credentials, is very hard to detect as malicious, putting your client at risk. The Colonial Pipeline ransomware attack traced back to a single compromised password, and the 2021 FBI Internet Crime Report estimates losses of $2.4 billion as a result of BEC. See FBI Internet Crime Complaint Ctr., Internet Crime Report 2021 (Mar. 2022).

The threat and magnitude of risk from a cyber incident are high. Attorneys—and especially those representing high-target clients like natural resource and energy companies—must make sure that they are stepping up to their obligation to protect and safeguard client data or risk being the cause of a breach. While you may have information more sensitive in nature, like data you are reviewing related to litigation or information about how the client entity functions, even routine correspondence has the potential to create issues if in the wrong hands. As the threat to your client increases, so too does the imputed threat to your firm.
