Earlier this month, users of the popular WordPress CMS were advised to upgrade to the latest version of the software to patch “an undisclosed critical vulnerability.” At the sound of that dogwhistle, hackers pounced, targeting the many sites whose owners had not immediately applied the update.
In the weeks since, some 1.5 million websites have been exposed and defaced, including what appear to be the sites of several hundred law firms — their marquees tagged prominently with the aliases of their attackers.
This is not a particularly good look for some large subset of the law firm community, whose less tech-savvy practitioners are the subject of mounting scrutiny for their inability to adapt to the increasingly data-intensive practice of law — even as clients continue to entrust them with their most sensitive information. The sharpest criticism tends to focus on the weaknesses of their IT systems, workflows and processes, which, by and large, are outdated and ill-equipped to handle the complexity of modern litigation — let alone the persistent threat of cybercrime.
While the WordPress hacks may seem harmless, if embarrassing — and, to be sure, pale in comparison to recent high-profile breaches at Mossack Fonseca, Cravath and Weil Gotshal among others — it is not unlikely that, for some compromised firms, attacks on their websites have opened inroads to their internal systems and, potentially, client data.
“There’s a corner case where there could be a risk of client files being compromised: if a firm was self-hosting its website from machines on premises,” explained Ansel Halliburton, an IP litigator at Kronenberger Rosenfield in San Francisco. “In that scenario, a hacked WordPress site would be a beachhead, and attackers could get into the rest of the network from there.”
The refrain that lawyers practice law, not technology, is common. But the reality is that law and technology are now largely inseparable. A growing number of professional and ethical standards, as well as state and federal laws, that bear directly on a lawyer’s responsibility to protect client data attest to this. The emergence of these rules — such as New York State’s new cybersecurity regulations — is holding legal professionals to a higher standard, and putting a spotlight on their fitness to withstand both cybercrime and the far more common instances of accidental data breach.
Unfortunately for law firms, the consequences for failing to meet these standards have also become more clearly defined and, in some instances, more severe. In recent years, aggrieved clients have slapped firms with malpractice suits for everything from badly bungling complex e-discovery to failing to secure internal technology systems. And there are, no doubt, an untold number of disputes arising from law firm security breaches that have been settled quietly out of public forums, likely culminating in disgorgement of fees or other payment.
But it is often the non-monetary fallout of these breaches that does the most damage, as the victims of the WordPress hacks will likely experience. When a website is hacked, unless it is immediately recovered, its ranking in search engines quickly plummets. For small firms dependent on web traffic, such a hit can be ruinous.
“The bigger thing to learn from this episode is to not host your own WordPress instance. Pay WordPress to do it. They employ an excellent security team and write the damn software; you don’t,” Halliburton said.
As attorneys come to grips with the data-centric nature of today’s legal practice, and the professional burdens this imposes on them, they may consider taking that advice — “they write the damn software, you don’t” — to heart. While lawyers must have a sufficient understanding of the risks technology presents, they are certainly not obliged to be experts on these issues — only to know what they don’t know, and responsibly trust the experts with the rest.