The Oklahoma Bar Journal December 2022

HOW CAN LAWYERS AND LAW FIRMS GUARD AGAINST HACK-FOR-HIRE SCHEMES?

The first line of defense for attorneys is to educate themselves, other attorneys and staff in their firms, and even their clients, about the tactics of hack-for-hire firms and the types of emails used in their schemes. A good place to start would be to check out Reuters’s “Hacker Hit List,” which shows how the mercenary hackers hunted lawyers’ inboxes in the emails obtained during its investigation.22

Techniques for breaking into attorneys’ emails varied. The hit list shows the hackers imitated services such as LinkedIn or YouPorn and the subject lines the hackers used to entice their targets. The hackers tried to rouse attorneys’ interest with news about colleagues or subject lines with weird or scandalous news. Sometimes the hackers impersonated social media services or even porn sites.23

It is probably a good idea for lawyers to look at the hit list so they can instruct employees on what the emails looked like – law firm cybersecurity training should always be top of mind for law firms. Users must also be educated on how they must be careful to avoid clicking on any links in an email from an unknown source or that have not been authenticated as genuine.24

Other important defenses include the use of email spam filters, multi-factor authentication and enabling advanced protections on email accounts.25 And let us not forget what makes cybersecurity experts tear their hair out: applying security patches and updates quickly upon their release. Users should always update their devices, operating systems and software promptly.

Finally, for larger firms or attorneys handling high-profile or high-dollar cases, it is recommended they have an outside cybersecurity firm perform a security assessment.

ENDNOTES

1. Rachel Satter and Christopher Bing, “A Reuters Special Report: How mercenary hackers sway litigation battles” (June 30, 2022), https://reut.rs/3UjTGD2.

2. Shane Huntley, “Updates from Threat Analysis Group (TAG): Countering hack-for-hire groups” (June 30, 2022), https://bit.ly/3DXNCL0.

3. Satter, supra note 1.

4. Id.

5. Id.

6. Id.

7. Id.

8. Id.

9. Id.

10. Id.

11. Id.

12. Id.

13. Id.

14. Id.

15. Id.

16. Two of the most relevant statutes are the Computer Fraud and Abuse Act (18 U.S.C. §1030) and the Stored Communication Act (18 U.S.C. §121), which make it unlawful to intentionally access emails or information stored remotely on servers without permission from the account holder. There are too many statutes and regulations to provide a comprehensive list, but the Texas Lawyers’ Insurance Exchange website has a good summary of state and federal laws and regulations related to law firm data security breaches (or links where to find them). See Jet Hanna, “The Risk of Data Breaches in Law Firms” (accessed Oct. 21, 2022), https://bit.ly/3FGU9uV.

17. Rule 8.4 of the ABA Model Rules of Professional Conduct (which has been adopted in Oklahoma) provides:

    Maintaining The Integrity Of The Profession
    Rule 8.4 Misconduct
    It is professional misconduct for a lawyer to:
    1. violate or attempt to violate the Rules of Professional Conduct, knowingly assist or induce another to do so, or do so through the acts of another;
    2. commit a criminal act that reflects adversely on the lawyer’s honesty, trustworthiness or fitness as a lawyer in other respects;
    3. engage in conduct involving dishonesty, fraud, deceit or misrepresentation…

18. David G. Ries, ABA Tech Report 2021 (Dec. 22, 2021), https://bit.ly/3WlfH6e.

19. Id.

20. Comment 6 to Rule 1.1 of the Oklahoma Rules of Professional Conduct provides that the duty of competency includes the duty to “maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject, including the benefits and risks associated with relevant technology.”

21. Ries, supra note 16.

22. Satter, supra note 1.

23. Id.

24. Cedric Pernet, “The business of hackers-for-hire threat actors” (July 1, 2022), https://tek.io/3Wlgiou.

25. Ries, supra note 16.

ABOUT THE AUTHORS

Sharon D. Nelson is a practicing attorney and the president of Sensei Enterprises Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association and the Fairfax Law Foundation. Ms. Nelson is a co-author of 18 books published by the ABA. She may be contacted at snelson@senseient.com.

John W. Simek is the vice president of Sensei Enterprises Inc. He is a certified information systems security professional (CISSP), a certified ethical hacker (CEH) and a nationally known expert in the area of digital forensics. He and Ms. Nelson provide legal technology, cybersecurity and digital forensics services from their Fairfax, Virginia, firm. Mr. Simek may be contacted at jsimek@senseient.com.

Michael C. Maschke is the CEO/director of Cybersecurity and Digital Forensics of Sensei Enterprises Inc. He is an EnCase-certified examiner, a certified computer examiner (CCE #744), a certified ethical hacker and an AccessData-certified examiner. He is also a certified information systems security professional. Mr. Maschke may be contacted at mmaschke@senseient.com.
