Privacy for Lawyers

Lawyers are frequently targets of online abuse and real-life threats because of their jobs. How can you protect yourself?

Demanding clients, an ever-changing legal environment, and long hours are just some of the things that make practicing law one of the most stressful jobs in the world. Recent increases in cyberattacks and other online threats haven’t made lawyers’ jobs any easier, either. When it comes to cybersecurity, research shows that the majority of law firms — and, by extension, lawyers working for these firms — are ill-equipped to deal with cyber threats.


Regardless of whether you’re a criminal lawyer, a family lawyer, an estate planning lawyer, or any other kind of legal professional, you need to know how to protect yourself, your clients, and your firm online and offline. Keep on reading to learn about the kinds of risks lawyers face, whether there are any legal remedies against them, and the steps you can take to ensure your privacy.

Risks and Threats to Lawyers

Lawyers face several risks to their privacy, both online and offline. The most common threats to lawyers include doxxing, phishing, ransomware attacks, harassment and stalking (behavior that often starts online), identity theft, and reputational damage. Below, we discuss each one of these threats in greater detail, providing real-world examples where appropriate.

Doxxing

Doxing, or doxxing, refers to the practice of researching and publicly exposing someone’s personal data, like their name, phone number, and home address.

There are numerous reasons why someone may dox another person, with the most common one being revenge. By leaking their victim’s sensitive information, doxxers typically hope to not only intimidate them but also to target them for harassment, public humiliation, identity theft, stalking, or extortion.

Doxxers usually acquire this type of personal information via:

  • Publicly available databases
  • Social media sites
  • Companies that trade in people’s sensitive data (aka data brokers)
  • Hacking techniques
  • Phishing scams

While lawyers are often consulted on doxxing cases, that doesn’t mean that they can’t get doxxed themselves. In 2020, for example, two attorneys were doxxed on Twitter for working on a case related to the U.S. presidential elections. The tweet included the lawyers’ names, phone numbers, email addresses, and photos. It was shared several thousand times before Twitter removed it for violating the company’s rules. 

Phishing

Phishing is a cybercrime in which scammers pose as legitimate individuals or entities to trick their victims into revealing sensitive information, like usernames, passwords, and credit card details.

A 2018 poll of law firms showed that almost 80% experienced phishing attempts. This isn’t surprising considering that lawyers receive hundreds of emails (the primary vehicle for phishing scams) a day and often rely on online tools like DocuSign or Dropbox to make their jobs easier. 

Phishing schemes can take many forms. It’s not unusual for attackers to impersonate bar associations, government agencies, fake prospective clients, and law firms’ vendors and suppliers. 

  • In 2016, hackers targeted New York attorneys by pretending to be the New York Attorney General’s office representatives. The email asked the lawyers to respond to an official complaint accessible via a hyperlink. In reality, the hyperlink redirected to a website that installed malicious software on the victim’s device. 
  • According to Texas Lawyers’ Insurance Exchange, in 2017, a lawyer about to close a transaction received an email from the “seller” requesting that the funds be transferred to a different account than initially discussed. The lawyer complied with the instructions, but the seller later complained that the funds were never transferred and disputed that they ever sent an email with new wiring directions. A jury found the lawyer liable for the loss.

Ransomware

Ransomware, a type of malware that encrypts a person’s files, emails, and other data before demanding a ransom payment to regain access, is on the rise. According to research by Check Point, ransomware claims a new victim every 10 seconds.

The legal sector is especially vulnerable to these kinds of cyberattacks due to the volume of sensitive data, financial responsibility, and authority that law firms and lawyers generally hold. For example, at the start of 2020, hackers exfiltrated data from at least five law firms, three of them in 24 hours.

The size of your business doesn’t matter to cybercriminals, either. In October 2020, cybercriminals encrypted Seyfarth Shaw’s systems. Far from a small shop with weak defenses, Seyfarth Shaw is an international law firm with more than 300 of the Fortune 500 firms as its clients. On the other hand, hackers are just as interested in small and medium-sized businesses, mostly because they’re less likely to be prepared for such an attack. 

Even worse, nowadays, attackers don’t just restrict access to your data when carrying out ransomware attacks. Many also steal it and threaten to post it online if you refuse to pay up. In May 2020, Grubman Shire Meiselas & Sacks (GSMS), a prominent entertainment law firm, fell prey to a ransomware attack that resulted in leaked celebrity contracts.

Unfortunately, paying a ransom doesn’t guarantee that an organization will regain access to its files. In 2017, hackers locked down a law firm’s database for over three months, demanding $25,000 in digital currency in exchange for it. However, when the law firm did pay the ransom, the cybercriminals failed to provide a workable decryption key.

Harassment and stalking

Although harassment and stalking are similar, they’re not the same type of offense. Harassment is when someone intentionally targets another person with behavior that intimidates, annoys, or humiliates them. Stalking is similar to harassment but generally centers on unwanted surveillance, either in real life or online (i.e., cyberstalking). Worryingly, stalking is often co-perpetrated with other crimes, like assault.

According to a 10-year study conducted by Utah attorney Stephen Kelson, between 35.5% and 46.5% of registered attorneys in 22 states have been either threatened or assaulted (or both) at some point in their careers. Common threats to lawyers include:

  • Menacing phone calls, emails, texts, online posts, and letters
  • Stalking (in a Michigan survey, a lawyer confided that “the opposing party [known to carry guns and use them to threaten people] followed me after mediation.”)
  • Verbal threats of violence (from vandalism to tampering with vehicles and even physical assaults) or death (in the Michigan survey, one lawyer said, “plaintiff handed me a bullet while in court and said he had another with my name on it” and another noted that “an opposing party tried to run me down with a tractor.”) 
  • Attempts to hire hitmen. 

It’s not just clients and litigants that threaten lawyers. There have been cases where lawyers have been targeted by other lawyers, too. In 2015, an attorney was sentenced to between 6 and 20 years in prison for attempting to hire a hitman to take out a rival.

Although family and criminal law attorneys are at most risk, lawyers that work in “safer” fields, like commercial real estate, are not immune to harassment and stalking, either. 

Moreover, while most acts of intimidation and violence against lawyers tend to happen at courthouses or the lawyer’s office, some lawyers have been targeted while traveling or at their homes. For example, one lawyer reported that he was chased on Interstate 75 for over 60 miles, with the person who followed him “speeding up, passing me, getting in front of me and slowing down.” Another lawyer said that gutted animals were left in his driveway.

Worryingly, Kelson found that few attorneys report threats to law enforcement. Many don’t feel threatened and “shrug it off” when they receive threats.

Identity theft

Although relatively rare, identity theft — the crime of using another person’s personally-identifying information without their permission for the purpose of committing fraud — can and does happen to lawyers.

In one instance, a perpetrator tried using a lawyer’s identity to sneak tobacco into jail. In another, the ex-husband of a client attempted to frame a lawyer for a financial crime he did not commit.

Reputation damage

If your firm experiences a cyberattack that exposes your clients’ data, it’s only natural that your reputation is going to take a blow. But what if your reputation is damaged on purpose by aggrieved third parties?

Unfortunately, lawyers often receive false, negative reviews on lawyer rating websites or social media. In some cases, disgruntled individuals may even file baseless bar complaints.

What Does the Law Have to Say About That?

As a lawyer, you’re probably well aware that state and federal laws protect individuals against most online and offline threats (with a few exceptions, of course). Need a quick refresher? Here’s what the law has to say about each one of the above threats to lawyers.

Doxxing

Revealing someone’s private information isn’t illegal if the information exposed is part of the public record. Typical public records include birth records, court records, marriage records, property information, and bankruptcies, among other things. 

However, doxxing may be considered illegal if:

  • The data leaked is not public record (like credit card numbers).
  • The information is posted to scare the victim, invade their privacy, harass them, have them stalked, or cause them harm.
  • Someone’s details were obtained through illegal means, like hacking their accounts or device.

Phishing

As of right now, 23 states and Guam have legislation addressing phishing schemes. That being said, all states have laws that address computer crime, identity theft, and obtaining someone’s data fraudulently or deceptively.

There isn’t a single federal statute that criminalizes phishing. However, there are broader federal criminal laws that can apply to the crime. 

Ransomware attacks

Only a handful of states — including California, Connecticut, Michigan, Texas, West Virginia, and Wyoming — have laws that specifically address either ransomware or computer extortion. 

At the federal level, there isn’t a law that directly makes ransomware a crime. However, the federal government has passed several laws relating to cybercrime, which can be used to bring charges across the country. Most ransomware cases are prosecuted under the Computer Fraud and Abuse Act (CFAA). 


Harassment and stalking

All states have anti-harassment laws, but the definition of “criminal harassment” differs from state to state. Nevertheless, criminal harassment usually entails behavior that alarms, annoys, or terrorizes someone. Generally, for a crime to be considered criminal harassment, the perpetrator’s behavior needs to create a credible threat to the victim’s safety or the safety of their family. 

As for stalking: some states, but not all, include harassment and stalking under the same statute. Moreover, some states have specific laws against cyberstalking.

Stalking and harassment are also federal crimes. Indeed, it’s illegal to travel across state lines to harass, intimidate, or stalk someone. Federal law also makes it a crime to stalk someone online.

Identity theft

Every state has a law that deals with identity theft or impersonation. However, criminal penalties and restitution provisions vary from state to state.

Federal law also makes identity theft illegal. The Identity Theft and Assumption Deterrence Act was passed in 1998. The Theft Penalty Enhancement Act followed in 2004, defining aggravated identity theft and establishing penalties for it. This was in turn followed by the Identity Theft Enforcement and Restitution Act in 2008, which increased federal prosecution of identity theft crimes while also improving restitution for victims.

Reputational damage

When someone publishes false statements about a person that damage their reputation, that is known as defamation.

Defamation laws vary from one state to the next. However, to sue someone for defamation, you typically have to prove that they have published or communicated a statement about you that is false, injurious, and unprivileged. There are no federal defamation laws. 


How to Protect Your Privacy As a Lawyer

Protecting your privacy as a lawyer is easier than you think, but you have to be proactive. That means Googling your name, removing your personal information from data brokers and other online sources, and backing up your data regularly, among other things (which we discuss below).

1. Find out what personal information about you is out there

How easily could someone find personal information about you online? To figure that out, search for your name on Google, but make sure to use incognito or private mode. You don’t want your search history and logged-in accounts (like your Google account) impacting the results.

You may need to Google yourself several times, using variations of your name, including misspellings. If you have a common name, consider adding modifiers like your city or state, company name, school name, and anything else that may distinguish you from others.

Look beyond page one of Google results. Some information may be buried in later pages. Also, use Google’s image search and video search to see whether there are any multimedia assets of you out there, like headshots or videos.

Note that you may want to Google your name at least once a month, if not more often, to keep on top of the information that appears about you on the web. Setting up Google Alerts with your name and other related search results is the easiest way to quickly find out when a new Google search result about you is added online.

2. Remove your name from the internet

Are you happy with the results you found when you searched for your name online? If not, and the information about you online is too revealing, you may want to take some of it down.

Start by opting out of data brokers. These are companies that collect information about people from various online and offline sources, such as social media and public records (i.e., motor vehicle records, marriage licenses, voter registration information, and other publicly available sources).

Thanks to data brokers, acquiring someone’s sensitive information (like their phone number or address) is all too easy — and dangerous in the wrong hands.

We have a comprehensive guide on how to go about deleting your name from data brokers and people search sites. But we can do it for you if you’re short on time, as well.

Next, see if any other sites feature your data. These may include independent blogs, social media, and review websites. For independent blogs, you’ll need to email the owner directly. You can typically find their information under the “Contact Us” page or using Whois. If you can’t get in touch with the owner or they refuse to delete the information, you could turn to Google. However, Google will only remove personal data that creates an immediate risk of identity theft, financial fraud, or similar. The process is similar for review websites, in that you’ll also need to contact the review website itself. 

As for social media: if it’s your own profile that pops up, see what it looks like to strangers and if it’s not private, make it so immediately. On the other hand, if someone is trying to slander your name on social media, you can report the post.

3. Don’t trust anyone

There’s a reason phishing attacks are still around — they work. With scammers regularly updating their tactics, spotting a fake email or text message is getting increasingly hard, especially if cybercriminals target you directly (known as spear-phishing).

If you have the slightest doubt that the text or email you received is genuine, call the sender directly to confirm their request. But — and this is important — don’t use the details provided in the text or email itself. Instead, Google the organization’s name and use the contact details that come up. 

It’s also a good practice to be wary when clicking web links and opening email attachments. There are tools that can help you check if a link or document leads to or contains malware or other security threats.

4. Use secure passwords and multi-factor authentication

Did you know that 80% of hacking-related breaches are linked to weak passwords? If you want to keep both your personal and client data safe, you must have strong, unique passwords for all your accounts.

Of course, coming up with unhackable passwords is no easy feat, and neither is remembering them. Luckily, a password manager can help. Password managers, like Abine’s Blur, will not only help you create strong passwords, they’ll also store them for you. 

To go a step further, enable multi-factor authentication (MFA) wherever possible, as well. MFA adds an additional layer of security. Even if a hacker manages to crack your password, they’d still be unable to log into your accounts unless they could also prove your identity in some other way (for example, by entering a PIN from your phone app).

5. Encrypt data

From cloud applications to local hard drives to email, encrypting your law firm’s data can help you keep it more secure. Encrypted data is unreadable to anyone who doesn’t have the key to decrypt it. Even if you lost your device or your emails were intercepted, cybercriminals still wouldn’t be able to access sensitive information if it was encrypted.

To start with, if you’re using a cloud-based SaaS service, they likely provide encryption already. Nonetheless, ask them if you’re not sure. 

Similarly, most recent mobile devices have encryption enabled automatically. If yours doesn’t, you can easily switch it on. Don’t forget to protect your smartphone with a strong password, too. When it comes to laptops, all you have to do is turn on a setting to enable encryption. Again, make sure your device is password-protected, as well. The internet privacy company DuckDuckGo has instructions on how to encrypt your devices (but remember to back up your data first in case something goes wrong — more on that below).

Don’t forget email encryption, as well. Unfortunately, very few attorneys use encryption when sending and receiving sensitive client data through email. While Gmail automatically encrypts your emails when possible, both the sender and the receiver have to have Google’s email encryption protocol enabled. Other email providers may require that you enable encryption manually, as well. Comparitech has a blog post on how you can do that.

6. Back up your data

What would happen if you fell victim to a ransomware attack, experienced a hardware failure, or suffered another accident that wiped your client, firm, and case data? If you don’t want to lose days, weeks, or even months of business, it’s vital that you back up your data daily.

Ideally, you want to follow the backup rule of three: have three copies of your data, stored on at least two different media types, with at least one of the three copies offsite.

7. Monitor your credit report

Financial identity theft is the most common form of identity theft and can happen to pretty much anyone, including lawyers. Regularly reading your credit report and financial statements can help you spot suspicious activity.

8. Keep your software up to date

Although software updates are annoying and time-consuming, you’re not doing yourself any favors by postponing them. That’s because many malware attacks exploit software vulnerabilities in common applications, like your operating system.

Software updates tend to include patches to security holes, which help protect your data. As a bonus, software updates often come with new and enhanced features that improve the application’s functionality.

Helpful Resources

For additional information on how you can protect yourself online, check out the below resources:

  • AccessNow, a non-profit that protects and extends people’s digital rights, explains how to dox yourself.
  • Abine Blur password manager creates strong passwords and stores them for you. 
  • DeleteMe is a subscription service that deletes your personally identifiable information from data brokers and people search sites. 
  • Have I Been Pwned? lets you see if your sensitive data, like your emails and passwords, have been compromised by hacks.
  • IdentityTheft.gov is where you can report identity theft. It also provides information on how you can recover from this crime. 
  • Phishing.org, a resource for IT specialists and other internet users, has useful information on phishing. It also provides a list of free tools, such as a Phishing Security Test.
  • The No More Ransom project offers tips and tricks on how you can prevent a ransomware attack. It also has decryption tools in case it’s too late and you’ve already experienced a ransomware attack. 
  • VirusTotal checks files and URLs for malware.