In this episode of Reimagining Law, we talk to attorneys Aaron W. Brooks and Josef R. Kurlinkus about hacking, ransom, and law firms. Aaron and Josef explain what happens when law firms get hacked, how they should respond (including if they should pay a ransom), and what steps firms can take to protect their data.
- 0:40 – What happens when you get hacked?
- 1:46 – Should you pay a ransom? What factors go into that evaluation?
- 3:22 – If people have proper data backups is that their main source of protection?
- 5:27 – What is the main thing you can do to prevent getting hacked?
Aaron W. Brooks
Aaron W. Brooks is the founder of Brooks Law and Consulting, LLC, and he also serves as the Security Officer and Chief Information Officer of HolmstromKennedyPC.
He focuses his practice on privacy/security compliance and technology transactions. Typical projects include: (i) Providing guidance to clients who manage highly sensitive data; (ii) designing and implementing compliance strategies for HIPAA, CCPA, GDPR, and other privacy and security frameworks; and (iii) representing clients on technology acquisition, implementation and data migration projects.
Aaron is currently the Vice-Chair of ISBA’s Intellectual Property Section Council, CLE Coordinator for ISBA’s Committee on Legal Technology, and Chair of the DCBA Law Practice Management & Technology Section.
Josef R. Kurlinkus
Josef Kurlinkus is an attorney at Kurlinkus Law Office, LLC and Of Counsel to Sosnowski Szeto, LLP. He concentrates his practice in the areas of municipal and local government law, zoning and land use, and administrative law.
Josef also serves as an arbitrator in the Illinois 17th Judicial Circuit. When working with municipal clients, Josef not only provides guidance on issues of general legal compliance but also seeks to provide counsel to elected and appointed officials with the framing and implementation of their policy objectives.
Josef often assists staff and municipal officials in the implementation of employment and labor best practices to ensure compliance with state and federal employment regulations, including drafting employee handbooks and policies tailored to the specific needs and objectives of client employers. He also advocates on behalf of his municipal and corporate clients in civil court proceedings and before state and local administrative agencies.
About Reimagining Law
The Reimagining Law video series explores how legal and judicial professionals are adapting the delivery of services to meet the unique needs of today’s consumers. Reimagining Law is produced by the Illinois Supreme Court Commission on Professionalism.
Note – Transcription has been edited for clarity.
Mark Palmer 0:07
Hi, I’m Mark Palmer. Welcome to Reimagining Law. Today I’m joined by Aaron Brooks of Brooks Law Consulting in Naperville, Illinois, and Joe Kurlinkus from Kurlinkus Law in Roscoe, Illinois. Before we jump in, I want to remind our viewers to like this video and subscribe to our channels for new episodes. So with all the news of companies and government entities getting hacked and attacked by ransomware, I want to go and get some thoughts from these two experts, particularly as it concerns the legal profession.
Mark Palmer 0:40
So Aaron, let’s set the stage a bit. What happens when you get hacked? What’s going on here?
Aaron Brooks 0:45
So if you’re looking at it from the perspective of a hacker, the hacker has somehow gained unauthorized access to your information. So maybe they’ve intercepted unencrypted email, or they have brute-forced, you know, which is kind of a fancy way of saying that they’ve guessed your password to an online account, like your email account. Or maybe you’ve handed it to them. You know, that’s what we call phishing. And you get an email that says, hey, you have a fax, you have a voicemail, click here to log in, and you enter your username and password, and you’ve just handed over your credentials for the account. And that’s another way of being hacked. You could ask the same question from the perspective of the person who’s been hacked: what happens when you get hacked? And the scary answer to that, what may happen, is nothing. You know, you may not notice it. And so this is a reason that we deploy intrusion detection systems, and we, you know, do active monitoring to see if there’s unauthorized access to the system.
Mark Palmer 1:46
Now, many times we see in the news a lot of discussion on these small amounts, but many times large amounts, of ransom sometimes being paid, sometimes being refused to be paid, be it a company or be it a government entity and the like. What have you heard about whether you should pay a ransom? Is that a good idea? What factors go into that evaluation?
Josef Kurlinkus 2:10
I think the problem with that is that it’s going to depend on your data: what data you’ve got, what data you need to have, even if you have backups, how fast those can get back up online. Colonial Pipeline, that was the one that was fairly recent here, that sort of shut down the east coast. They made a decision to pay that ransom of 4.4 million because that was something they needed to have up and running immediately. You know, the smaller firm that, you know, maybe you have backups, or your documents are stored elsewhere, maybe you don’t need to have those immediately available to you, or maybe you do have those immediately available. So it’s all going to depend on what you need. Then also the insurance too. You know, right now, these are very lucrative, you know, $4.4 million for, you know, a little bit of work on the side of the hackers. As long as those keep being paid out, they’re going to continue to go forward with this. And that’s the issue right now we’re seeing across the world, I think at this point. As long as you continue to pay those out, you’re gonna have those problems.
Mark Palmer 3:22
So I just wanted to follow up on that briefly. And, Aaron, I want to hear what you see if people have proper data backups. Is that like the main protection? Or can they just turn to the ransom holder and say, well, that’s great, you have that data, but I have a backup. So have a nice day. Goodbye. Is that enough?
Aaron Brooks 3:42
Yeah. Well, it depends on what you mean by a proper backup. But that definitely is the solution, is to not have it happen. And so you have to really, really carefully think through your backup and disaster recovery plan and kind of brainstorm. You know, you have to understand the nature of ransomware and how it can sort of sit like a time bomb inside of a backup, you know, so just because you have data backed up doesn’t mean you haven’t also backed up the ransomware time bomb. And the flip side of that is you have to constantly test your backups. You know, it’s not enough to say, yeah, we do backups. If you haven’t actually done a disaster recovery drill, and you can actually restore your backup data, then you don’t have a backup, or at least you can’t prove it. The other thing I want to mention: if it does turn out that you have critical data that you absolutely need to restore, and paying the ransom to get the encryption key is the only option that you have, I would note two things. First of all, the insurance, as was mentioned: you have to do that in coordination with your carrier. That’s not something you should be unilaterally doing, because you’re going to have to go through the loss process that your insurance carrier provides. So you can’t just pay the ransom and then come back and expect to collect insurance remuneration. And the other thing I want to point out is that last fall, the FCC did issue an advisory warning against making ransomware payments, because it is a national security issue. And so you’re gonna have to work with the federal government, you’re gonna have to make notifications, not just to your insurance carrier and any appropriate officials in the federal government, but this is also probably going to be a breach notification issue. So you’re gonna have to notify clients and other attorneys, things like that.
Mark Palmer 5:27
So let’s talk about prevention. What’s the main thing you can do? If you’re an attorney watching this video, where do I begin, Aaron?
Aaron Brooks 5:36
Sure. So I do webinars on cybersecurity. I just did a couple for the DCBA. If you want to, if you’re a member, you can look at those, or ISBA, you could look at those. But to very briefly summarize it, what I normally like to tell people is that you have to update your information security program in a framework way, with a framework mentality. So what that means is you can’t, sort of in a scattershot, brainstorming way, think of everything you need to be thinking about. You need to use a security framework, like the NIST Cybersecurity Framework, which is a globally recognized national best practice kind of checklist. And you have to do a security risk assessment. So you take a framework like NIST, you work through it step by step by step, and you ask the hard questions, and you give the answers that are uncomfortable. You know, like I just said, have we done a disaster recovery drill for our backup in the last month? No. What about the last year? No. What about ever? You know, those are difficult questions to ask. But you’ve got to be brutally honest and say, okay, we’ve got some remediation to do here. And then you’ve got to do that work.
Mark Palmer 6:44
Yeah. Joe, what can you add?
Josef Kurlinkus 6:47
Talk to your IT person. Understand what they are saying. That’s the biggest thing I’ve seen with different attorneys I’ve worked with and with different smaller firms. We don’t have a big, huge IT department. Maybe the partners aren’t tech-savvy; they do the law, they don’t do the IT. Make sure you have your advisor, your tech advisor, explain what all of this means to you. What the backup is, where it is, not just, oh yeah, we’re backing it up off-site, you know, NAS, whatever. Make sure that you understand those words that they’re explaining to you, and take them seriously. Listen to them, make them explain it to you. If you don’t understand it, you need somebody else to help explain it to you. You need somebody at another firm and another IT department and their IT consultants.
Mark Palmer 7:29
Yeah, we certainly hear constantly that the human factor is always the biggest risk, and you need to address that first and understand what’s going on on your desktop and with your employees and your staff at the same time. You know, the legal profession obviously deals in a lot of private information consistently. So it’s not just the backups, but it’s securing that information as it gets out in the world and having to control it, because we have that duty to our clients every day, day in, day out. Thank you, Aaron and Joe, for joining me for this session. Thank you to all of you for watching. Please like and share and subscribe to our channel for more information. We’ll have some information down below on how to stay connected and how to connect with Aaron and Joe as well. Thank you for watching.
Recorded on June 23, 2021.