
What's the plan if a cyberattack hits your firm?

Monday, December 07, 2020 @ 1:17 PM | By Jennifer Brown

Lawyers across the country no doubt collectively gasped and wondered about their firm’s vulnerability when in April, two Manitoba law firms were hit by a prolific ransomware strain called MAZE, bringing their operations to a standstill.

The firms were not named, but a notice on the Law Society of Manitoba website explained that as a result of the incident, the firms had no access to e-mail, Microsoft Word, accounting software or any of their backups, including cloud backup. It was suspected that someone clicked a link that infected the firms’ systems.

The attacks occurred at the very early part of the pandemic just as phishing e-mails were proliferating, playing on fears related to the pandemic.

“Attackers know these messages are going to cause an emotional reaction in people, and they try to exploit people — not the technology. It’s a human being that is being compromised, not necessarily the technology,” said Tyler Hatch, a former lawyer and founder and CEO of DFI Forensics in Langley, B.C., who sees a lot of incidents involving business e-mail compromises (BEC).

Lawyers and their staff are inherently intelligent and suspicious people and will typically be more alert than most professionals when confronted with a phishing scam; however, the attacks are getting more sophisticated, and with many people working away from the office and less likely to have ready access to an IT professional, incidents can still occur.

Someone in accounting might receive an e-mail that says: “You were in an environment last night where there was a COVID outbreak — click on this link.” The scammers play on our fears and sense of urgency to get people to click on a link or open an e-mail that, in hindsight, they could see was a wrong move.

Law firms are high-value targets as they are seen as having valuable information and as being wealthy victims. “The perception is they can and will pay,” said Hatch.

Statistics show the majority of data risk events arise from intentional or unintentional employee activity, but employees can also serve as the first line of defence. According to Ryan Berger, a privacy and employment lawyer at Lawson Lundell LLP in Vancouver who advises organizations on data protection and breach response, education and the development of a cybersafe workplace culture go a long way toward preventing incidents and lowering your risk.

“I see as many rogue employee cases as external hacking cases,” he said.

What are the threats?

The three most common attacks that hit law firms are:
  • a ransomware attack;
  • a business e-mail compromise; and
  • data breach.

The good news is that law firms can take steps to secure themselves if they put some time and attention into creating a plan.

“The law firm partners should have meetings about how they are going to deal with a threat to their business that may or may not come up,” said Hatch. “So many people when they consider the problem of cyberattacks and cybersecurity, they almost exclusively focus on preventing it, and nobody is planning for when one of these things will go through.”

Always contemplate worst-case scenario

You probably have plans for a fire drill, so why not a plan for the possibility of a cyberattack? Develop an incident response plan that everyone is aware of and make sure each person understands what they should do should an incident occur.

“The primary thing lawyers and law firms can do is be aware and ask questions — don’t assume your IT people are taking care of it,” said Hatch. “Never assume you’re too small to be a target and ask questions about how you can be more secure.”

If you have IT professionals on staff, don’t assume they have cybersecurity skills. Moreover, part-time cybersecurity courses can benefit everyone on staff by giving workers the ability to recognize and report vulnerabilities before they become security breaches.

Your plan should include how your IT people and key decision makers will respond. Will you shut the network down to prevent the spread of this malware? Who makes that decision — the IT leader or the partners? Are you going to pay the ransom? The leaders of the organization should discuss this possibility. Do you have an alternate means to pay? How are you going to communicate with your clients and the public as well as your regulatory body?

It may be necessary to engage outside services to determine whether data has been accessed or stolen. You may want to retain counsel to do this for you.

“If it turns out that yes, there has been a data breach, and your practices have not been reasonable you don’t want to have to disclose a report that says that — you probably want to keep it privileged,” he said.

Consider the technology you are using and how you share information internally, and develop a policy for transmitting higher-value data by means other than e-mail attachments.

Berger advises against using Microsoft Outlook as a stand-alone filing system. An organized and secure document management system is integral to safeguarding critical data and personal information. It is a better practice to ensure key records are saved in an organized fashion so the organization can securely and routinely delete old e-mails in accordance with a retention policy. Old e-mails in an e-mail inbox are a big liability and compliance risk. Canadian privacy law is moving towards an expectation that an organization will have an organized document management system.

Using Google Drive or Microsoft OneDrive, you can send another party a password-protected link from which they can download the file. If you are using something like Office 365, which is designed to communicate between multiple devices, you could be a target if it is not secured. Internally, consider using Slack or Microsoft Teams, restricted so that only verified people in the organization can use them.

Cyberinsurance coverage

Review your professional liability insurance to see if you have coverage and what the limitations are.

“I know of an employment lawyer in B.C. who had a business e-mail compromise, and her commercial liability and professional liability didn’t cover the matter, and she was left paying back a large sum of money,” said Hatch.

Lawyers should also look to invest in good cyberinsurance coverage from an insurer that takes training plans and staff education into account when assessing the nature of the coverage and the premiums.

If you haven’t contemplated what your firm’s response would be to a sudden cyberattack, perhaps it’s a good time to review what you have in place for the year ahead.

Jennifer Brown is a legal journalist and the editor of

Photo credit / wildpixel ISTOCKPHOTO.COM

Interested in writing for us? To learn more about how you can add your voice to
The Lawyer’s Daily, contact Analysis Editor Richard Skinulis at or call 437-828-6772.