Email Archiving & Encryption: The Keys to Legal Orgs’ Digital Security for Legal Firms


Thought Leadership

Email Archiving & Encryption: The Keys to Legal Orgs’ Digital Security for Legal Firms

David Bisson

In the past few years, the security community has documented numerous instances in which threat actors targeted legal organizations. Here are a few of those incidents that made headlines:

  • Moses Afonso Ryan Ltd.: In May 2017, Providence Journal revealed that an unknown attacker had encrypted the files of Providence law firm Moses Afonso Ryan Ltd. and had subsequently demanded $25,000 in ransom. The firm’s records remained encrypted for a period of three months while the organization negotiated an initial ransom payment and then renegotiated the ransom after a decryptor provided by the attackers failed to restore its data. This period of activity cost the company approximately $700,000 in lost billings.
  • DLA Piper: Just two months later, DLA Piper temporarily disabled digital operations in its offices around the world, thereby preventing employees from accessing their email and critical legal documents. Early reports of the incident attributed the incident to Petya ransomware. But as noted by Fortune, security experts determined that the malware was a new threat that had reused some of Petya’s code and had acted as a wiper by writing over an infected computer’s master boot record. They named the malware “NotPetya.”
  • TrialWorks: Fast forward to 2019. On October 13, TrialWorks notified customers of a hosting outage at one of its data centers; it clarified that ransomware was responsible for the outage soon after. While not a legal organization itself, TrialWorks built up a reputation as one of the top-rated providers of legal case management software for law firms and attorneys. Attorneys at various law firms couldn’t access their cases as a result of the outage and therefore requested extensions in court, reported Bleeping Computer.

The Need for Cybersecurity among Legal Organizations

Legal organizations haven’t ignored the threats discussed above, among others. In its cybersecurity survey of the legal industry, American Layers Media found that formal security assessments, data breach plans, forensic expert partnerships and drills of cybersecurity systems had appeared in more legal organization’s’ digital strategies in 2017 than they had a year ago.

That being said, many legal organizations still have a way to go in terms of strengthening their digital security. LOGICFORCE discovered as much in its Q4 2019 Cybersecurity Scorecard of the legal industry. Specifically, it found that just over a third of law firms were vetting the cybersecurity and data management policies of their third-party service providers at the time of the study. Even less than that (24%) had implemented SOC monitoring.

These findings are concerning, as they indicate that some law firms have not taken adequate defensive measures against their worst fear: someone using email to gain unauthorized access to sensitive client data. This threat is especially relevant given the new trend of ransomware actors’ stealing the data of victims who refuse to pay the ransom and posting this information online.

Law firms are not exempt from these attacks. In fact, Emsisoft observed in early February that the Maze ransomware group had successfully infected five law firms and threatened to post their information online unless they complied with their demands. Not only would such a data leak damage these firms’ reputation among potential clients, but it might also place them in violation of PCI DSS, HIPAA and other regulatory standards if the leak contained clients’ payment card details, medical information and other sensitive data. Such violations could cost law firms tens of thousands of dollars in noncompliance fees.

How Legal Firms Can Bolster their Email Security

Legal organizations can defend themselves against the threat of a data breach by bolstering their email security. In particular, they should consider automatically archiving all digital correspondence without.  They don’t want to spend paying for unnecessary unnecessarily on third-party eDiscovery solutions bills, either,. Ultimately, the chosen solution so whatever solution they go with should be able to classify those emails for the purpose of rapid assessment, investigation and management.

Additionally, legal organizations should consider using an email encryption solution driven by policy filters to automatically encrypt messages and attachments that contain sensitive information. That capability should also allow legal organizations to quarantine a sensitive email, at which point employees, mangers and IT personnel can review it for potential policy violations.