Everyone in the legal industry, regardless of their position, has access to information which must remain secure. The very nature of attorney-client privilege is built on law firm data security. Privacy, security, and trust is a cornerstone of any democratic nation with a reliable judicial process.
Unfortunately, there are those who do not respect this legal maxim and want to exploit the exchange of information between attorneys and their clients, as well as other attorneys and those they work with. This can come from hackers looking to exploit information, and private investigators hired by opposing counsel.
Law firm data security issues
There are some truly startling statistics regarding the hacking and theft of data from law firms:
- 14% of law firms experienced a digital data breach in 2016.
- 22% of law firms experienced a digital data breach in 2017. Hacks are escalating and will continue to until more law firms step up their cybersecurity practices.
- Only 11% of law firms notified clients about a breach in 2017, which raises a host of other questions.
Looking at the size of firms affected, no one was safe but there is an interesting conclusion to draw from the data:
- 35% of firms with 10-49 attorneys were attacked
- 33% of firms with 50-99 attorneys were attacked
- 27% of firms with 2-9 attorneys were attacked
- 23% of firms with 10-49 attorneys were attacked
- 10% of solo firms were attacked
What could the difference be here for solo and smaller firms being attacked less? They share information, via messages and other forms, less frequently than larger firms. More communication back and forth of data leads to a larger attack surface for hackers as data is so vulnerable during transport. It could also be the smaller firms don’t know they’ve been hacked in the first place, a trend in small business data security, which is worse.
The hack of a Moroccan lawyer
Abdessadak El Bouchtaoui—a human rights lawyer from Morocco—was forced into exile after discovering that his phone was hacked while representing protesters from the Hirak Rif movement. These were non-violent people protesting the very violent death of a fishmonger.
El Bouchtaoui was nothing more than a lawyer representing these clients, who had as much of a right to a fair trial as anyone else, but he wound up being attacked digitally by someone with the NSO Group’s Pegasus malware tool. His awakening to what had happened to his phone progressed like this:
- Before defending Hirak Rif protestors he had no fears of surveillance.
- While defending the protestors he spoke on the phone with another protestor who was not involved with any legal proceedings, but was immediately arrested after the conversation.
- He surmised that someone had put a trace on his phone and they were going to arrest anyone he spoke to, compromising his ability to give legal advice or even speak to new clients.
The issue here is the Pegasus malware tool. Here’s what it can do:
- Read text messages
- Track phone calls
- Collect passwords entered into the device
- Track the phone’s location through GPS
- Access the microphone and video camera of the device (without you knowing)
- Steal information from other apps
To make it clear—if Pegasus is installed on your phone you no longer own your phone, the person who installed and controls Pegasus does. How do people get infected with Pegasus? By clicking one bad link sent to their phone.
Pegasus only works on iPhones, which is over 40% of smartphone users. Android users aren’t off the hook as there are plenty of spyware tools out there for Android as well, and they’re not even hard to find as they’re commercially advertised and have their own indexed websites that you can find with a search using Google.
How this lawyer could’ve protected himself
Here’s how SKY ECC would have protected this lawyer against the attack:
- SKY ECC devices are managed so only SKY ECC itself can be installed on the device. No new apps can be installed. Pegasus can’t get a foothold on a SKY ECC device.
- The Pegasus malware couldn’t impact SKY ECC as the app itself is installed within a protected container on the phone, separating it from any malware.
- The malicious link itself would’ve never reached his SKY ECC app because, for one, he must approve contacts before they can get hold of him.
- Even if the attacker did trick him to adding them as a contact the app was built specifically to stop attacks like this from happening by disabling link clicks to websites outside of the Sky network.
- All messages sent over Sky devices are encrypted with our proprietary 521-bit ECC encryption, preventing anyone without the encryption key from intercepting and reading messages.
- Not only are messages secured by our encryption, but our SIM cards also connect through a secured and private tunnel.
- GPS is turned off, preventing all tracking attempts.
- The microphone and camera on all SKY ECC phones is disabled outside of SKY ECC, specifically to prevent this type of attack.
There are numerous security features built into SKY ECC which were created specifically to stop this type of attack from happening. This is a perfect law firm data security use case for SKY ECC as the targeted device—his phone—is our specialty.
The fallout from a lack of law firm data security
This hack caused the worst case scenario as this lawyer is no longer a lawyer standing up for human rights and is instead now living in fear in exile from his home in Morocco. He is constantly surrounded by police presence for his own safety, living a (rightfully) paranoid existence.
You may feel that this isn’t possible in your country, with a firm democracy and a noble judiciary, but your feelings would be wrong. This can happen in any country to any lawyer, and is happening right now to someone in your country on some level. Protect yourself, your clients, and those you work with today by improving your law firm’s data security with SKY ECC.