We called the ransomware attack on Allen & Overy last week the "latest" law firm cyber attack. Because it's not the first, and it certainly won't be the last.
Think about it. If attackers regard governments, sovereign wealth funds and trillion-dollar corporates as fair game, what is a law firm to them? What fight can A&O put up in a world in which a $6 billion law firm, Kirkland & Ellis, is as exposed as any far less well-protected entity?
"It proves that nobody is immune," Zach Olsen, president of communications firm Infinite Global, said earlier this year.
Let's set law firms aside a moment.
Within the past decade, Saudi Aramco, Colonial Pipeline, Sony PlayStation, the U.K.'s National Health Service, Yahoo and Uber have all fallen victim to shrewd and technologically matchless hackers.
The 2016 attack on Uber—itself a technology company—exposed the confidential data of 57 million customers and drivers. Much like the A&O incident, this was a ransomware campaign, where attackers hacked a server and held the data within for ransom. At the time, Bloomberg reported that Uber paid the hackers $100,000 to delete the stolen data.
And that seems to be where we are now. Cough up and shut up.
Even lawyers have conceded that, sometimes, the best thing you can do is pay up—even at the risk of landing yourself on a "sucker's list" of easy marks. But, for most commercial entities, paying up will be the least of their worries. Most law firms that find themselves in a ransom situation will undoubtedly have in place at least some insurance coverage, as the Association of British Insurers highlights.
Large law firms will understand that what matters far more than a six- or even seven-figure payout is how clients or prospective clients react, particularly when it's their data—whether personal or data that's tangentially connected to them—that's held to ransom.
"There will be some [client] tolerance," a U.S. firm partner told me the day after the A&O attack was reported. "They will know all about cyber threats of all their various kinds. Maybe they've paid a ransom before. It's just how it is, and they know that. But there's a limit."
Yes. A limit. If you have in place all the cyber defences that a law firm can reasonably be expected to implement, then, one hopes, a client may show some understanding and, one hopes, the reputational risk is somewhat contained.
"It's not like [the client is] going into a law firm relationship blind," the partner said. "They're handing over their data to a third party and, no matter how trustworthy it is, they're accepting some risk in doing that."
Leave your laptop on a train and you might find that client sympathy—and indeed the sympathy of your colleagues—is thin. There's only so much a firm can do about human error. But what else can it do? Is a ransomware saga preventable or forever inevitable?
Here's one possibility: Stop holding client data...