Tuesday, May 26, 2020
In May, while the world was still trying to adjust to life during quarantine, the Texas Office of Court Administration was hit by a ransomware attack. While the details are still a bit sketchy because of an ongoing investigation, we do know that the State refused to pay the demanded ransom, shut down the infected systems, and has struggled since then to continue its work via alternate channels.
For appellate attorneys, this has been particularly frustrating. The systems that were shut down include some of the case notification mechanisms, so attorneys are finding out via social media whether they won or lost an appeal. In some cases, the court's access to the record appears to have been lost, so advocates are being asked to help provide case information and records back to the court. Throughout it all, Texas courts have somehow managed to not only continue to work but to lead in holding remote oral arguments and hearings and in continuing to push their dockets despite the quarantine and a crippled IT infrastructure.
In a past life, I worked as a systems administrator and technician, and even wore a "white hat" while hacking to test security. So I am familiar with the challenges in preventing ransomware attacks. This post, however, isn't written for the IT crowd. I hope to give some advice to the attorneys and professors who generally ignore such posts, but are often the source of the problem.
First, you need to know that ransomware attacks generally follow a set pattern. The attackers implant software that helps them gain control of a system, usually by encrypting data so it is no longer usable. They then notify the victim of the attack and demand a ransom, usually in bitcoin or another cryptocurrency. If the ransom is paid, they promise to decrypt the data. Sometimes they do, sometimes they do not.
Where do you, the user, fit into this scheme? Usually, you are the point of infection. By taking a few precautions you might prevent the next attack, or help with the restoration that follows.
1. Don't be the Source of the Infection.
Most ransomware is spread by phishing, meaning emails that entice you to click a link that then loads the software onto your computer. Your IT department is serious when it asks you not to click on links from outside sources. The same goes for email attachments, and for links sent via text.
Some attacks start with "social engineering," or gaining access to sensitive information from users that can be used to guess passwords. Avoid the social-media posts that ask you to answer cute personal questions and share them with your friends. Even if your password isn't related to your date of birth, favorite pet, child's name, or other seemingly harmless bit of data, one of your friends' passwords might well be. Or, the attacker might use that information to personalize an email phishing attack that is just too hard to resist.
Finally, avoid using public wifi, or if you do, use the VPN that your employer has most likely set up for you. This is probably less common now that we are trying to stay in place, but is still a common source of attack.
2. Help Preserve your Data.
If there is an attack, the target is the sensitive data that you hold. Most likely, that data will be locked away and inaccessible for a while, if not forever. If your firm or court is going to recover, it needs your help.
Make sure that you keep up with backups. And, if you are working from a court's electronic record available online, do yourself (and the court) a favor and download that information rather than just relying on the online version. After suffering data corruption and other issues, I even email myself drafts of briefs as I progress in writing so that nothing is lost. The idea is to keep multiple copies on multiple storage devices, so that if one fails, there is still a way to recover. Some sensitive data will have to be more restricted, but in general, on appeal at least, we are working with public records that can be stored in multiple places.
3. Remember that Confidentiality is an Ethical Responsibility.
Ransomware attacks are up across the board. There are even some healthcare providers that have been targeted, although some of them have been offered "discounts" on the ransom because they are essential service providers. Don't think that you are not a target. More importantly, don't think that your client's confidential information is not a target.
Indeed, law firms are increasingly the target of security intrusions. To protect clients, Comment 8 to Rule 1.1 of the ABA Model Rules imposes a duty of competence that includes keeping abreast of the "benefits and risks associated with relevant technology." Recently, Formal Opinion 483 clarified that the lawyer's duties include both taking all reasonable efforts to protect clients from data breaches and informing them when one occurs.
In the end, protecting client data is the professional responsibility of the attorney. You can't just blindly rely on your IT department or contractor and avoid that responsibility. Instead, you must be aware of the vulnerable world we live in, and take steps to be safe with not just your personal health, but the health of your data as well.
(Image attribution: "Virus" by kai Stachowiak, CC0 public domain license)