The most striking thing about the recent cyber scam lawsuit filed against Holland & Knight—which alleges that the firm mistakenly sent $3 million to a fraudulent account in Hong Kong—may lie not in the dollar figure, but the frequency of similar alleged attacks against firms.

"These attacks are super common," said Lewis Brisbois Bisgaard & Smith data security partner Christopher Ballod about wire transfer scams. "The number is big, but I will tell you I have a few cases that are above [$1 million transferred] right now. Above a million is uncommon, but I wouldn't even categorize it as rare."

Law firms are at an even greater risk of cybersecurity liability this year, with scores of law firm employees working from home as well as data-related regulatory laws and subsequent enforcement actions both trending upward.

Ballod, who advises companies and law firms that have suffered data breaches, said he's already seen a massive uptick in breaches, involving wire transfers and other types of cyber fraud.

"We're extremely busy," Ballod said. "There's a simple principle at play: If you broaden the attack surfaces, you'll have more attacks at play," he added, referring to the increased risk from more network entry points.

According to the recent lawsuit against Holland & Knight, the law firm was hired to oversee a $3 million stock sale. But amid the deal, scammers intercepted emails between the firm and plaintiffs. They then assumed the plaintiff's identity and asked that the wire be sent to an account based in Hong Kong instead of the original account.

The plaintiffs, the Sorenson Impact Foundation and the James Lee Sorenson Family Foundation, allege that Holland & Knight did not call to verify the account change, nor did they secure a medallion guarantee—a guarantee from a financial institution—as put forth in the merger agreement between the firm and involved parties. For that, the plaintiffs are alleging breach of contract and negligence and that the firm breached its fiduciary duties.

In a previous statement on the lawsuit, Holland & Knight spokeswoman Olivia Hoch said the firm's "information technology system was not compromised in any way." She added that the plaintiffs were not clients, and "the firm acted on wiring instructions received from the plaintiff's email system by providing the instructions to the paying agent."

The allegations are eerily similar to a case involving Dentons' Canadian arm in 2017. According to a court ruling in that case, Dentons mistakenly sent $2.5 million to a fraudulent Hong Kong-based account after scammers breached emailed communications and assumed the identity of the company receiving the money.

Behind the assumed identity, scammers told the firm that their original account was being audited and directed Dentons to send the money to a new, Hong Kong-based account.

In that case, Dentons called the recipient to confirm the account change but didn't get through and left a voicemail. The scammers then forged documents and authorization letters and sent them to the firm. Although they never got a call back from the real recipients, the firm sent the money anyways.

In a previous statement on the case, Dentons Canada spokeswoman Neetisha Seenundun said that the firm has not been targeted by the phishing scheme at any other point, and that the firm provides "extensive training" to its lawyers and employees on cybersecurity issues.

In wire transfer scam cases, the bad actors leverage what cybersecurity experts call the "human firewall" by manipulating employees and attorneys to hand over their credentials. These sorts of vulnerabilities circumvent technology by targeting employees who, for one reason or another, let their guard down or forgot their training.

Many scams could likely be avoided if an attorney calls to verify over the phone the transfer information, as is best practice, Ballod said. While working from home may increase general cybersecurity liability, attacks like a wire transfer scheme can happen regardless of whether an employee is at home or in the office, cybersecurity experts add.

Total costs

Looking at cybersecurity liability in general, security firm LogicForce found last year that, despite recent strides, the legal industry "remains very vulnerable to cybersecurity attacks." Less than the majority of law firms surveyed implement advanced data protection techniques such as multifactor authentication or full disk encryption on all devices, its 2019 report found. Only about half of the companies surveyed have an executive-level IT specialist.

The litigation costs resulting from a cybersecurity lapse can be substantial. In cases of wire fraud where multiple parties are at some fault—a law firm for not calling for verification and the intended recipient's email security measures being breached—both sides usually come to a compromise before litigation.

In other cases, failure to contain a breach can lead to class action lawsuits, unaffordable legal malpractice premiums or harm to the firm's reputation.

With the rise of data privacy laws in Europe and the U.S., potential liability now increasingly includes regulatory and compliance litigation, said David Shonka, a data privacy partner at Washington, D.C., firm Redgrave. The California Consumer Privacy Act, or CCPA, began enforcement July 1. The law lays out breach reporting requirements, noncompliance fines and allows California consumers a way to bring private actions for data breaches.

Europe has long had its own privacy laws. Brazil and India have also passed similar versions. And Shonka said there are indications that more states will adopt similar laws.

© 2024 ALM Global, LLC, All Rights Reserved.