Legal Ramifications of a Ransomware Attack

Written by

Ransomware strikes again, and this time the culprit is known as ‘NotPetya’! Coalfire's labs team have already issued some guidance on how to mitigate the ransomware and this should support tactical removal.

Petya/NotPetya has started to cause havoc in some fairly large organizations. One of the most striking was a major international law firm having to announce that they had been affected by the outbreak, and people were tweeting signs from outside of their offices showing a complete 'outage' of services with staff advised not to re-boot their computers or dock them.

As vendors and security professionals build awareness of the upcoming GDPR deadlines, it’s also worth keeping in mind that other professions also have their own enforcement bodies who take a serious view of poor protection of data.

In the UK, the Law Society and The Solicitors Regulatory Authority (SRA) have the ability to heavily penalize law firms who have been subject to a compromise. Being in the fortunate position of having a brother who is a lawyer, we regularly get into the weeds on this sort of topic. In this instance as well as putting case material at risk, which could hamper defenses or prosecutions, there is a fundamental regulatory requirement which underpins the whole of the legal profession around the world. That is, that law firms and lawyers personally have a duty to maintain client confidentiality. Not managing the cybersecurity of their case management, client records or even just the systems used to access client information would be a serious breach of these principles.

The Solicitors Regulation Authority (SRA) has issued guidance on several occasions on the importance of managing cyber-risk highlighting common threats such as phishing, or spoofed emails. The law professionals we all work with are subject to a huge amount of trust and therefore hold significant amounts of information which is of a confidential nature.

They are also the vehicle for many types of transactions from home purchases to mergers and acquisitions, and so a simple attack such as a spoofed email with new bank details could derail a transaction and see significant amounts of client funds being transferred to an incorrect/malicious/criminal bank accounts.

Law firms are all subject to the Legal Service Act 2007 which requires them to proportionately allocate resources to manage risks, under Principle 10 regulated firms have a responsibility to 'protect client money and assets' – cyber-attacks are a significant threat to this requirement, as well as Outcome 4.1 (SRA code of conduct) requires that law firms 'keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents'.

Law firms would be well advised to be aware of threats that both target them and that are indiscriminate but that could lead to very significant consequences.

What’s hot on Infosecurity Magazine?