The most striking thing about the recent cyber scam lawsuit filed against Holland & Knight—which alleges that the firm mistakenly sent $3 million to a fraudulent account in Hong Kong—may lie not in the dollar figure, but the frequency of similar alleged attacks against firms.

"These attacks are super common," said Lewis Brisbois Bisgaard & Smith data security partner Christopher Ballod about wire transfer scams. "The number is big, but I will tell you I have a few cases that are above [$1 million transferred] right now. Above a million is uncommon, but I wouldn't even categorize it as rare."

Law firms are at an even greater risk of cybersecurity liability this year, with scores of law firm employees working from home as well as data-related regulatory laws and subsequent enforcement actions both trending upward.

Ballod, who advises companies and law firms that have suffered data breaches, said he's already seen a massive uptick in breaches, involving wire transfers and other types of cyber fraud.

"We're extremely busy," Ballod said. "There's a simple principle at play: If you broaden the attack surfaces, you'll have more attacks at play," he added, referring to the increased risk from more network entry points.

According to the recent lawsuit against Holland & Knight, the law firm was hired to oversee a $3 million stock sale. But amid the deal, scammers intercepted emails between the firm and plaintiffs. They then assumed the plaintiff's identity and asked that the wire be sent to an account based in Hong Kong instead of the original account.

The plaintiffs, the Sorenson Impact Foundation and the James Lee Sorenson Family Foundation, allege that Holland & Knight did not call to verify the account change, nor did they secure a medallion guarantee—a guarantee from a financial institution—as put forth in the merger agreement between the firm and involved parties. For that, the plaintiffs are alleging breach of contract and negligence and that the firm breached its fiduciary duties.

In a previous statement on the lawsuit, Holland & Knight spokeswoman Olivia Hoch said the firm's "information technology system was not compromised in any way." She added that the plaintiffs were not clients, and "the firm acted on wiring instructions received from the plaintiff's email system by providing the instructions to the paying agent."

The allegations are eerily similar to a case involving Dentons' Canadian arm in 2017. According to a court ruling in that case, Dentons mistakenly sent $2.5 million to a fraudulent Hong Kong-based account after scammers breached emailed communications and assumed the identity of the company receiving the money.

Behind the assumed identity, scammers told the firm that their original account was being audited and directed Dentons to send the money to a new, Hong Kong-based account.

In that case, Dentons called the recipient to confirm the account change but didn't get through and left a voicemail. The scammers then forged documents and authorisation letters and sent them to the firm. Although it never got a call back from the real recipients, the firm sent the money anyway.

In a previous statement on the case, Dentons Canada spokeswoman Neetisha Seenundun said that the firm has not been targeted by the phishing scheme at any other point, and that the firm provides "extensive training" to its lawyers and employees on cybersecurity issues.

In wire transfer scam cases, the bad actors leverage what cybersecurity experts call the "human firewall" by manipulating employees and lawyers to hand over their credentials. These sorts of vulnerabilities circumvent technology by targeting employees who, for one reason or another, let their guard down or forgot their training.

Many scams could likely be avoided if a lawyer calls to verify the transfer information over the phone, as is best practice, Ballod said. While working from home may increase general cybersecurity liability, attacks like a wire transfer scheme can happen regardless of whether an employee is at home or in the office, cybersecurity experts add.

Total Costs

Looking at cybersecurity liability in general, security firm LogicForce found last year that, despite recent strides, the legal industry "remains very vulnerable to cybersecurity attacks." Fewer than a majority of law firms surveyed implement advanced data protection techniques such as multifactor authentication or full disk encryption on all devices, its 2019 report found. Only about half of the companies surveyed have an executive-level IT specialist.

The litigation costs resulting from a cybersecurity lapse can be substantial. In cases of wire fraud where multiple parties are at some fault—a law firm for not calling for verification, and the intended recipient for having its email security measures breached—both sides usually come to a compromise before litigation.

In other cases, failure to contain a breach can lead to class action lawsuits, unaffordable legal malpractice premiums or harm to the firm's reputation.

With the rise of data privacy laws in Europe and the U.S., potential liability now increasingly includes regulatory and compliance litigation, said David Shonka, a data privacy partner at Washington, D.C., firm Redgrave. The California Consumer Privacy Act, or CCPA, began enforcement July 1. The law lays out breach reporting requirements and noncompliance fines, and gives California consumers a way to bring private actions for data breaches.

Europe has long had its own privacy laws. Brazil and India have also passed similar versions. And Shonka said there are indications that more states will adopt similar laws.
