
Cyber, Slider. We Got Insurance, Right? – Above the Law

Now here’s a good one. With all the publicity about lawyers not checking cites, it’s good to be reminded that we aren’t the only dumbasses in the world.

According to a report in HackerNews, KNP Logistics Group, which had been in business some 158 years, recently shut its doors. Why? One of its employees had an easily guessed password. There was no sophisticated phishing attack or zero-day exploitation. The hacker just got into the company’s system and found an employee who didn’t use multifactor authentication. Then, using highly sophisticated logic and complicated algorithms (aka someone who doesn’t have multifactor authentication probably has an easy-to-guess password), they punched in 1-2-3-4 or something similar and voila, in like Flynn.

Once in, the hackers had a field day. They deployed ransomware across the whole infrastructure. Then, perhaps just to get a good laugh at the employee and the company, they destroyed the company’s backup and recovery systems. So, there was no way for the company to recover anything.


One Slight Miscalculation

But the hackers did make a slight miscalculation: they demanded more ransom money than the company had. And KNP’s cyber insurance didn’t cover enough of the demand to keep KNP going. The company operated a transport business with 500 trucks and 700 employees and, just like that, it was gone.

I used to see companies plead the “poverty defense” in litigation all the time, meaning: don’t bother pursuing me, I can’t pay any judgment anyway. Usually, they didn’t want to offer proof of their financial condition, either because their condition was not that bad or because they didn’t want to open up their books to the other side. But when they did, it was effective. Guess KNP couldn’t convince the bad guys, though.


Lessons for Lawyers

Of course, there are lots of lessons for law firms here. Law firms all too often think that security by obscurity is great protection, just like pleading poverty will get you off the hook in a lawsuit.

But law firms forget how valuable their data is. First, there’s the ethical requirement that we take reasonable steps to protect our clients’ confidences. That means, of course, that if we are hacked, we a) must tell our clients, which is not a pleasant conversation, and b) may have violated the canons of ethics. So even if our data has little intrinsic value to someone else, it clearly has a lot of value to us.

And we can’t sell short the notion that our data is valuable to others: we have lots of secrets locked up in our files that could be exploited for monetary gain.

So, you (like a good lawyer) say, well, we have cyber insurance, so not to worry. Not so fast. You had better read the policy. And the sublimits. (If you don’t know what those are, you’re already in trouble.) And you had better read what security you committed to have in place before the carrier issued the policy, like maybe multifactor authentication, for a start. You might also want to check what security your corporate clients demanded you have in place before they hired you.

Oh well, it can’t be that bad, right? I mean, we aren’t like KNP; we’ll just go back to work, and it will be business as usual. Yeah, right, try billing hours when all your files are locked up and your systems have cratered. That is, if you still have clients to bill.


The Sad Truth: Excuses Galore

The sad truth is that law firms and lawyers just aren’t as security conscious as they need to be. It’s classic hear no evil, speak no evil, see no evil.

Far too often, they view security protocols as a pain in the butt that interferes with their getting to their work (and billing time). I’ve seen partners and associates circumvent security protocols because they didn’t want to take the time to comply with them: “I’ve got work to do; I can’t be burdened with multifactor authentication.”

Here’s another one: “I don’t have time to change my password every so often. I got too much important shit to do to remember a bunch of passwords. I need to get to my work quickly without having to plug in a complicated password.”

And always hubris: do lawyers really want to listen to those “non-lawyers” who work for them, like IT people? And of course, there is the notion that it can’t happen to me. Lawyers often just don’t want to invest in improved security or don’t listen when IT talks about it. I mean, it’s boring, right?

And finally, there is always the training conundrum. It takes time away from billable hours to be trained on risks and how to avoid them.

I mean, after all, we got insurance, right?




Stephen Embry is a lawyer, speaker, blogger, and writer. He publishes TechLaw Crossroads, a blog devoted to the examination of the tension between technology, the law, and the practice of law.