Africa / The Weakest Link

Author: Mwenda Tevin Gitonga

As the Covid-19 pandemic forces lawyers to adopt and embrace technology in their practices a danger is looming and one that can easily be overshadowed in the glitz of adopting new technologies in the legal industry. Imagine this; your law firm has gone through the full digital transformation. All the documents and data related to your clients are stored on the cloud and office servers, everyone has a laptop and they work on the go. One day, you enter your office switch on your laptop and on your screen is a ransomware request. Hackers have compromised your systems and stolen a trove of your clients’ Data.

The law firm Grubman Shire Meiselas & Sacks an entertainment law firm whose clients include the biggest entertainers in the world such as Lady Gaga, Nicki Minaj, Madonna and Bruce Springsteen found itself in the situation above. The unnamed hacker group, using ransomware dubbed “REvil,” launched the cyber attack against the internal data systems of the law firm; they asked the law firm for $21 million in exchange for the 756 gigabytes of stolen data. The law firm refused to cooperate and opted to hire a cyber-extortion specialist to combat the ransomware demands. The hackers responded by releasing 2.4 gigabytes batch of files. These files contained private confidential transactions involving the entertainers who are the law firm’s clients. The hackers further proceeded to increase the ransom to $ 42 million dollars making it one of the highest ransoms ever requested.

In the context of Kenya, the threat of such a fate befalling a law firm is not a matter of if but when. According to the Communication Authority of Kenya Statistical Quarterly Report covering the months of October to December 2019; the Authority managed to detect 37.1 million cyber threats which was a 47% rise from the previous quarter.

Kenya has various laws dealing with cyber-attacks namely the Kenya Information and Communication Act, the Computer Misuse and Cybercrimes Act and the Data Protection Act. All these Acts provide adequate provisions for reporting, penalties for breach of systems and data being compromised. However, the laws do not tend to be prescriptive on the measures one should take to protect themselves. Even though Kenya has adequate laws around cyber security this has not deterred cybercriminals from compromising systems. As seen in the report above the numbers are only increasing.

Thus as lawyers embrace technology and particularly in the post Covid-19 era they will also have to be actively aware of the cyber threats that come with technology. These threats touch on the cornerstone of the legal profession, confidentiality. In Kenya the Evidence Act under section 134 states that advocate-client information is privileged information and thus protected. The same is also highlighted in Law Society of Kenya Code of Standards of Professional Practice and Ethical Conduct which states that the rationale for this is to instill public trust and confidence in the administration of justice.

Bodies such as the Kenya Law Society and the East Africa law Society will need to come up with policies that prescribe to lawyers the best practices regarding safeguarding client’s information in the era of technology.

There should be a reporting mechanism specifically for lawyers if their systems have been compromised. In addition, this reporting mechanism should act as a database in which lawyers can identify how a certain breach occurred and the best way to prevent such a breach. The reporting mechanisms for example in Kenya can be in line with the Data Protection Act that requires under Section 43 that if Data has been compromised and it poses a real risk the Data Commissioner should be informed within 72 hours of the breach. Lawyers can apart from the Data Commissioner inform the Law Society of Kenya of the breach.

Law firms will need to invest a substantial amount of money and resources in ensuring that their systems are secure and up to date. This will entail investing in Information Technology specialists and systems that ensure data is stored in an encrypted and anonymized manner. Emerging technologies such as Blockchain may also prove valuable to lawyers, when it comes to storage of data as they are distributed ledgers that ensure in case the data is lost on one system it can always be retrieved in another system. The best use of Blockchain systems is perhaps seen in Estonia and its use in the development of the country’s digital identity system. Blockchain was adopted by the government after they experienced the worst cyber-attack ever conducted on a country.

If the lawyer and the law firm do not have the capacity to store their data, they may consider outsourcing this service to trusted and secured cloud storage providers. Further, there is a need to invest in adequate office security measures such as encryption of computer systems and simple tools such as anti-viruses.

In addition, most Data breaches are due to human errors and law firms are especially susceptible to this. At the 2017 International Bar Association Conference, a cyber security expert decided to do an experiment by setting  up a WIFI hotspot during the conference. The network was named the same as the WIFI network of the conference and had the same password. A number of lawyers actually connected to his network and he was easily able to monitor the internet traffic from their devices that were passing through their WIFI hotspot. When it comes to WIFI any traffic that passes through a WIFI network can easily be viewed using a tool called [address resolution protocol] spoofing. These are tools that can easily be found online.

Therefore, as lawyers embrace technology there will be need for adequate training for lawyers and their staff on the importance of safeguarding the electronic tools that they use, how to safely store their client’s data, the current industry best practices when it comes to handling and storing information, the latest technologies available in securing data and what to do if they suspect that their client’s data has been compromised. Further, as some cyber-attacks tend to be inside jobs, lawyers need to pay close attention to who they hire and trust with sensitive client data.

Lawyers are finding themselves having no choice but to embrace the digital transformation in order to remain competitive in a market that is getting crowded. However, this has presented a new challenge to lawyers. They must now work harder to protect their client’s information and maintain confidentiality at all costs as this is the cornerstone of the legal profession. Lawyers hold some of the most valuable and sensitive information belonging to a person. If this information ends up in the wrong hands it can easily be exploited at the expense of the clients. As demonstrated from the case of Grubman Shire Meiselas & Sacks it is only a matter of time before cyber criminals realise lawyers are the weakest link in the chain and the information they have is equivalent to gold.

Mwenda Tevin Gitonga is a Lawyer from Kenya with an LLB from Strathmore University Law School he is currently a Pupil at Kangwana and Co and a researcher at Kenya ICT Action Network.