In Wake of Cyber Threats, Federal Courts Change Process for Filing Sealed Records | Virginia Lawyers Weekly

The U.S. District Courthouse for the Eastern District of Virginia in Norfolk. (NATE DELESLINE III)

In brief

Within weeks of each other, Virginia’s two federal District Courts announced that sealed documents filed to the court are subject to “hard copy” handling requirements.

The identical orders, issued by the U.S. District Court for the Eastern District of Virginia on July 29 and the Western District on Aug. 11, state that the policy change is “[i]n response to recent cyberattacks directed at public and private sector computer systems.”

“This measure preserves the integrity of the PACER and CM/ECF systems by shielding documents properly designated as non-public from unauthorized electronic access by nefarious actors,” the orders state.

The actions come on the heels of an announcement from the Administrative Office of the U.S. Courts, which announced on Aug. 6 that the federal judiciary is “taking additional steps to strengthen protections for sensitive case documents in response to recent escalated cyberattacks of a sophisticated and persistent nature on its case management system.”

While the court did not elaborate on the nature of the cyberattack, Roanoke attorney Beth Burgin Waller said the attacks have “been linked in the media to Russian state involvement and is said to have possibly compromised confidential informant information.”

The attacks highlight a persistent challenge for legal professionals of all kinds: how to keep information and systems safe from cybercrime in the digital age.

“Cybercrime is absolutely on the rise,” Richmond attorney John Danyluk said. “It goes up every year, and law firms are no different. In fact, they’re one of the most lucrative targets for cybercriminals.”

Virginia Beach attorney Kellam Parks said that in the digital age, it is important for attorneys to be aware of how to protect against cyber threats.

“It’s not something you can ignore,” Parks said. “You don’t have to be a tech expert, but you need to hire somebody who is. You really need the experts to protect yourself, and we have ethical duties to protect client data.”

‘Prime target’

The recent news from the federal courts illustrates a growing problem as more of our personal and professional lives are conducted in cyberspace – the threat of bad actors stealing sensitive data and information.

Danyluk said that in the last year, 40% of law firms were hit by a cyber-attack.

“You’ve got almost a 50-50 chance of your law firm in any given year being hit with a cyber-attack,” Danyluk said. “And the reason for that is pretty simple, it’s because law firms have a gold mine of confidential information.”

“The legal profession- be it private firms, courts, or the public sector is a prime target for cyber crime because of the client or other confidences our IT infrastructure can hold,” Waller said.

The legal profession can be an easy target for a cybercriminal to gain access to sensitive information.
— Beth Burgin Waller, Roanoke

Beyond the nature of the data housed digitally by law firms, cybersecurity attorneys agreed that law firms can also be a softer target for criminals.

“Poor cyber hygiene such as failing to implement multi-factor authentication on a VPN connection can lead to an opening that can be exploited by a cybercriminal,” Waller said.

Specifically, smaller firms could be targets if their computer protections are not up to modern standards.

“For law firms, they are just looking for vulnerabilities, and unfortunately a lot of solo attorneys and small firms do not have the protections in place to allow them to catch this stuff soon enough,” Parks said.

With the recent embrace of artificial intelligence, many law firms are seeing benefits in learning about and navigating the new technology and integrating it into their practice. While Al has helped law firms, Parks said it also creates more opportunity for cyber criminals.

“One of the dangers of Al is it makes it a lot easier to automate for people that maybe aren’t the best hackers in the world to get some of this out there,” Parks said. “In that sense, it’s just a little easier for people to try to attack these firms.”

How does cybercrime look?

In popular culture, a computer hacker is often portrayed as a solo actor typing away furiously at a keyboard while targeting a specific system. In reality, cybercrime is more complex, ranging from smaller actors to criminal organizations and even nation-states casting a wide net aiming to secure sensitive data.

“Many nation-states use cyber crime to support their espionage or intelligence gathering,” Waller said. “The legal profession can be an easy target for a cybercriminal to gain access to sensitive information about other companies or individuals.”

One of the most likely threats a law firm can face digitally is via phishing attacks, where an attacker impersonates a legitimate sounding person or entity via a false email, urging the recipient to reveal sensitive information or to click and download an attachment containing malware.

“For these solo and small attorneys, it’s almost always an email vulnerability,” Parks said. “It either has an attachment that they open and runs a program, or it has a link, and they click that link and it goes to a bad place.”

Parks cited one example where an attacker used a false aol.com email address, with a capital I replacing the lowercase l in AOL.

Another threat Parks said law firms can face is through those bad links, which can ask for a Microsoft 365 password for access. If a person falls for the scam email and does this, those credentials are now shared with the hacker.

“Once they are in your Microsoft 365 account, which is what a lot of law firms are on, they can migrate over to SharePoint and maybe have your client data,” Parks said. “There you have your financial information, and then it is a disaster.”

Danyluk cautioned that once a firm’s computer system is compromised, the hacker now has “a treasure trove of valuable information.”

“I liken it to like if you break into a bank vault, and each vault floor is this different corporation’s most important secrets and private information,” Danyluk said. “It’s going to be a target for criminals.”

Protecting your firm

While the threats that loom in the digital age may seem daunting, Virginia cybersecurity attorneys said there are many ways for firms of all sizes to keep client data secure.

Many of the strategies are simple and extensively covered in any organization’s cybersecurity trainings: establishing multi-factor authentication on important accounts and working with or hiring competent IT staff to provide support.

The odds that your place is going to catch fire is exponentially less than that you’re going to have a cyber incident.
— Kellam Parks, Virginia Beach

Parks specifically highlighted three important tools: establishing multi-factor authentication, having an endpoint detection response system and having a managed secured operations center.

Establishing these protective measures can protect your firm from attacks unrelated to the office, Parks noted.

“I had a client who used the same password for one of their credit card accounts that they use for the law firm,” Parks recalled. “That credit card company got hacked, and the bad guys said ‘oh, this is a lawyer, I wonder if they use the same password and login for Microsoft.’ And the next thing you know, those people are in the law firm’s 365 account.”

Parks cautioned that in this example, the law firm did not get hacked, but the client’s firm was compromised because they did not have MFA.

Danyluk said for law firms, the “obvious answer” to protecting the firm is investing in cybersecurity, with an endpoint detection and response solution and a printed, hard copy incident response plan.

“You can have the best cybersecurity in the world, but one of the most important thigs you can do is having written plans that the key stakeholders are aware of and can access in a moment of crisis,” Danyluk said. “When you walk into your law firm on a Monday morning and networks are locked down and your printers are spitting out ransom notes, that’s a crisis situation.”

Waller said that additionally, maintenance of IT systems is also key in protecting against cybercrime.

“Many of the incidents I see in my cyber practice can be traced back to simply running out of date unpatched servers or failing to implement multi-factor authentication,” Waller said.

For Parks, who has advised law firms on cybersecurity and authored a guide on the topic, proper planning begins with adequate cybersecurity insurance, which a lot of law firms may be tempted to overlook when buying insurance for the business.

“A lot of companies either don’t have enough or they don’t have a separate policy,” Parks noted.

And in the modern age, cybersecurity insurance can come into play more often than a business might realize.

“You’re much more likely to get hacked than you are for your building to burn down,” Parks said. “But people always have fire insurance, right? I don’t know any law firm in the world that doesn’t have general liability insurance that covers a fire, but the odds that your place is going to catch fire is exponentially less than that you’re going to have a cyber incident.”

Danyluk said that law firms and lawyers must take effort to mitigate cyber risk for the overall success of themselves and their firm.

“The better job you do to protect your client’s information, it’ll protect the law firm bottom line, it’ll protect their reputation, and it’s part of the [Rule 1.6 of the] Rules of Professional Conduct to protect confidential client information,” Danyluk said. “It’s definitely something that should be taken seriously.”

“We have an ethical obligation to protect client competences,” Parks noted. “If you don’t take reasonable steps to secure your client data, you could potentially lose your license in addition to having a business loss.”