Cybersecurity lawyers have been warning for years about what could happen if the legal community does not do more when it comes to protecting its data. And in 2019 many of those dire predictions came to pass.

Although law firms and courthouses have long been the target of cybercriminals, the issue was front and center in 2019 like never before. Over the past year, the Pennsylvania legal community saw continued attacks on law firms, as well as a trail of data breaches at government facilities—one of which hobbled the state's largest court system.

But, according to at least one data security-focused lawyer, most attorneys in Pennsylvania are still not fully prepared.

"Lawyers need to wake up. It's a matter of when, not if, because we're easier targets, we have information that's valuable, like birth dates and Social Security numbers, and that's what people are looking for," Havertown-based attorney Daniel J. Siegel said. "It's really a necessity for your business and for your ethical obligations."

Siegel, who hosts presentations about data security needs for attorneys across Pennsylvania, said he does not think lawyers often take the needed proactive steps to ensure safety of their data, but awareness, he said, does seem to be on the rise—especially after the past year.

Court Attacks

In Chester and Lebanon counties, government computers were breached as a result of malware attacks. Although it appears those hacks were stopped before any court-related computers could be affected in those counties, other court systems in Pennsylvania were not as lucky.

According to the Times-Leader, in late May a virus was detected on Luzerne County Courthouse servers, which led the county administration to shut down some computers and servers in an effort to quarantine the problem. The breach affected civil filings, probation matters and property assessment records, the paper said.

Following the breach, Administrative Services Division Head David Parsnik told The Times Leader he suspected that the hackers got into the system through an email attachment that a worker unknowingly opened.

According to the article, Parsnik said it was not a ransomware attack and he did not believe any confidential information had been taken. Instead, he suggested the virus had likely been designed to remain dormant until the computer system could be activated at a time when there would be little change of it being detected, noting that the weekend before Memorial Day—which is around when the virus was detected—would fit that criteria.

The article also noted that the attack came a year after the county added an advanced threat protection program—at $26,000 a year—to help combat what the county IT director characterized as an uptick in cyberattacks and "a steady increase in the level of sophistication employed by cybercriminals."

The servers and computers that were taken offline following the attack were put back online after more than a week.

The Philadelphia court system, however, did not fare as well.

The First Judicial District's digital system was shuttered for six weeks over the summer after the system was hacked. Like the Luzerne County hack, the infiltration in Philadelphia was detected in late May.

According to a city spokesman, the move was done to "safeguard" the systems after the FJD experienced a "virus intrusion on a limited number of computers." The shutdown left the FJD's website, online civil docket search and e-filing system for civil and criminal cases inaccessible.

The shutdown also left attorneys scrambling to revert to "old school" ways of filing motions and staying on top of their case load. Several firms dispatched couriers to the courthouse daily, and many also imposed internal deadlines and administrative procedures to ensure that the couriers—who at the beginning of the shutdown reportedly faced upward of an hour to submit their filings—would be able to make it to court before it closed at 5 p.m.

After hiring a Montgomery County-based IT consulting firm in late June, the court system was back up and running by July.

There were some continued disturbances to the online filing system in the month after the system got back online, but overall attorneys reported to The Legal it was a "big relief."

"Hopefully everything's up and running and we can return to the way it was," Jeffrey Goodman of Saltz Mongeluzzi Barrett & Bendesky said at the time.

Law Firms

For years, firms and attorneys have been the subject of cyberattacks, but the growing threat of so-called "spear-phishing" attacks saw a new focus on Pennsylvania law firms in 2019.

The older, more traditional email scams typically involve a hacker posing as a colleague or loved one pretending to be stranded in a foreign locale in need of fast cash, but spear-phishing schemes offer a more sophisticated and subtle twist. The newer schemes tend to involve very convincing emails that appear to be coming from partners, or clients, which give detailed instructions for writing large sums of money. In the many cases, the cybercriminals are able to pull off these elaborate impersonations because they have accessed confidential information about specific transactions and, in some cases, have been monitoring real emails between attorneys and clients.

In the late summer 2019, attorneys reported to The Legal having been the subject of new schemes in which they received emails from prospective clients who, after some research, proved not to be who they claimed.

Bryn Mawr-based attorney Mark Schwartz, who represents whistleblowers, said he fended off a phony inquiry from a supposed disgruntled Pfizer employee in a scheme that involved a spoofed email address and a forged check.

Jon Ostroff, leader of Ostroff Injury Law, also reported having received multiple inquiries from potential clients claiming to have been bitten by a dog with a wealthy owner.

The elaborate plot involved a lengthy, but fake Facebook account, a very convincing background story, a forged check, and even faked phone calls from the supposed plaintiff. The ruse was enough to fool his bank into giving Ostroff the OK to disburse the settlement funds from his account, but persistent skepticism and some investigation by the firm led Ostroff to walk away from the deal at the last minute. According to Ostroff, it could have meant the firm taking a $120,000 hit.

Ostroff said he was subsequently targeted with several similar scams, but with increased security measures and a healthy skepticism about fast-moving cases that seem to good to be true, the plots were unsuccessful.

While some attorneys are starting to take their security seriously, according to Siegel, too often lawyers are reluctant to take the needed steps to secure their data until they themselves become the victims.

"It's the view of, so many things in life of, it's never going to happen to me," he said.

He had strong doubts that deep-rooted mentality will be changing in the new year.