Will Ransomware Attack Make Law Firms 'WannaCry'?

By Roy Strom
June 02, 2017

Employees the world over were locked out of their computers on May 12 and over that following weekend as an insidious and widespread cyberattack nicknamed “WannaCry” rolled through the Internet and into headlines. See, “WannaCry Ransomware: What We Know Monday,” NPR.org (May 15, 2017). The ransomware attack, which for now seems to have been halted, encrypts a computer or network's data and demands $300 in the online currency bitcoin to unlock the data. See, “'Accidental Hero' Halts Ransomware Attack and Warns: 'This Is Not Over,'” The Guardian (May 13, 2017).

While data breach experts said the attack was not particularly complex — it was distributed through an infected email attachment and could have been prevented by staying up-to-date with a Windows patch — the scale of the breaches served as a reminder of the seemingly ubiquitous risk of cyberattacks.

Luckily for U.S. law firms, those same experts said it was unlikely that this particular ransomware attack hit many of them. The targets were disproportionately located overseas and in the health care industry. However, experts fear that the aftershocks could be felt here. See, “Ransomware's Aftershocks Feared as U.S. Warns of Complexity,” New York Times (May 14, 2017).

Ransomware Prevention

That means that law firms need to do more to prevent ransomware attacks, such as a shutdown caused by ransomware in March that recently led a small Rhode Island firm to sue its insurer for $700,000 that the firm alleges it lost as a result of being locked out of its computers for months. See, “'Ransomware' Locks Down Prominent Providence Law Firm,” Providence Journal (May 1, 2017).

In a complaint filed in Rhode Island state court and recently moved to federal court in Providence, 10-lawyer Moses Afonso Ryan said it was hit with a ransomware attack in May 2016 that disabled its computers for about three months. During that time, the firm scrambled to buy bitcoin — one can purchase only a limited amount of the digital currency each day — in order to make contact with the hackers and negotiate a $25,000 ransom.

Ultimately, the firm said it had to negotiate a second ransom payment after the decryption tools it acquired after the first payment failed to unlock the files on its computer network.

Moses Afonso Ryan's suit claims the firm had insurance through Sentinel Insurance Co. Ltd. — a subsidiary of investment and insurance giant The Hartford Financial Services Group Inc. — that covered an unlimited loss of business income, which it measured at $700,000. Name partner Thomas Moses did not return an email seeking comment on the case.

But Sentinel, advised by Robinson & Cole, claims in court filings that its policy is capped at $20,000 via another clause related to damages caused by a computer virus. The case, filed April 21, remains pending. But security experts said it represents a worst-case scenario for firms struck by ransomware.

“There have been a few of our clients who have been locked out of their computers without disaster recovery systems,” says Bryan Cave partner David Zetoony, head of his firm's consumer protection practice. “So they're locked out, basically, until they pay or they put up new systems. For us, that's less than five percent of our client base.”

Zetoony also leads Bryan Cave's Data Breach Hot Line, which he says was curiously quiet over the weekend of the WannaCry attack.

According to the New York Times article referenced earlier, the cyberattack hit 200,000 computers in more than 150 countries. Most notably, a number of hospitals in the UK were infected, causing emergency rooms to divert patients and cancel surgeries. Those hit in the U.S. included FedEx Corp., while telecommunications giant Telefónica SA was impacted in Spain and automaker Renault stung in France. Chinese universities, Germany's federal railway system and Russia's Interior Ministry also got hit.

Ransomware and Cyberinsurance

Stephanie Snyder, a U.S. cyber expert at insurance and risk management organization Aon plc, says losses from ransomware and other attacks can be covered by most cyberattack policies. But law firms are not among the largest contingent of purchasers of those policies, she says.

In general, 30% to 40% of companies have specific cyberinsurance, and that number is as high as 70% for industries such as hospitality, which have a lot of customer data. But she said professional services firms, including law firms, have not been as quick to purchase insurance, with the caveat that some firms seek coverage through professional liability insurance.

Still, Snyder says that number has grown as attacks like the one over the weekend proliferate.

“I would say 2016 was the year of ransomware and it certainly has bled over into 2017,” she says.

*****
Roy Strom is based in Chicago, where he writes about the business of law and the changing nature of law firm client relationships for ALM. He can be reached at [email protected]. On Twitter: @RoyWStrom.

