As a young lawyer, the only technology that graced my office was an IBM Selectric electric typewriter, a Dictaphone, and a photocopier. Sigh, those were indeed the “good old days”!
Nowadays, even the most technologically challenged amongst us are forced to grapple with the mysteries of computers, computer networks, and the internet, when all we really want to do is practice law. The Bar Associations of a number of States in the US have actually amended their codes of professional conduct to provide that failure to keep up with technology constitutes professional negligence. Yikes!
You need to be aware of the metadata that lurks in the Word documents you send to opposing counsel, how to ferret out evidence in a digital world, and most importantly, how to keep your client’s data safe and secure, both on your office network and in the cloud. For those of us of a certain age, it can be bewildering.
Now I discover a new threat to law firm security which my old analog mind hadn’t even considered. It is the danger posed by internet domain abandonment. We all purchase internet domains, if only to obtain a professional email address. After all, nobody wants to deal with a lawyer who can only be contacted via a Hotmail account. Typically the domains we choose mirror our law firm names; it’s simple branding.
Ah, but here’s the rub: over time we tend to accumulate multiple domains, as our firms undergo name changes. Name partners come and go, firms merge, or shut down, or re-brand. Domains whose email accounts we once used to log into government registries, legal industry portals, or cloud services such as Dropbox fall by the wayside, lost in the shuffle, and no longer renewed. Often we re-establish new online accounts, using fresh email credentials, all the while forgetting that the original accounts remain valid, if inactive, and forgetting too that old clients still have our old email address lodged in their contact list.
What happens when an internet domain is abandoned? Truth to tell, I had never thought about it, but I now learn that an abandoned domain remains intact, still plugged into all of the online connections that were established when it was active. Such domains lack only a domain owner, but are now publicly available for re-registration.
Iron Bastion, a ‘white hat’ hacking firm based in Australia, conducted a test, with horrifying results. They shopped the official domain name “drop list” (which lists up to 1,000 newly expired domains a day), identified a number of available domains that had previously belonged to law firms, and re-registered them. That allowed them to gain control over all incoming emails to the domains, which, of course, is where password resets are sent, along with orphaned emails addressed to former employees.
Iron Bastion was able to reset passwords and log into law firms’ Office 365, G Suite, Dropbox, OneDrive and Google accounts, as well as several popular law office management systems, and ultimately access confidential documents and personal information of former clients, confidential internal information of the law firms themselves, and even information pertaining to ongoing files being conducted by successor firms.
Some of the sources of leaked information were surprising. Opposing counsel on a current matter would include the old firm email address as an additional c.c. on an email containing sensitive information, for example. A fair bit of traffic came via LinkedIn, since lawyers get sloppy about updating their profiles, leaving old email addresses as a point of contact. Then too, clients from years previous would send instructions (including sensitive information) to the outdated email addresses in their contact list.
While of particular concern to lawyers, given our duty to safeguard our clients’ confidential information, the domain abandonment issue is a live one for any business with a presence on the internet (and that would be just about everyone!).
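For a firm that wants to check its own exposure, here is a small audit sketch. It is an added example, not code from Iron Bastion or from this post: it lists every online account whose login or password-reset address sits on a domain that has lapsed, is about to expire, or is missing from the firm's domain inventory. The domain names, account list and 90-day warning window are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory: domain -> registration expiry (None = no longer held).
DOMAINS = {
    "smithjones-law.example": date(2026, 3, 1),
    "smith-law.example": date(2025, 1, 20),
    "oldfirm-llp.example": None,
}

# Constructed sample register of online accounts and the address each one
# uses for login or password resets.
ACCOUNTS = [
    ("Office 365 admin", "admin@smithjones-law.example"),
    ("Dropbox", "Partner@Smith-Law.example"),
    ("Land registry portal", "clerk@oldfirm-llp.example"),
    ("LinkedIn profile", "j.smith@jones-smith.example"),
]


def domain_status(domain, domains, today, warn_days=90):
    """Classify a domain as OK, EXPIRING, LAPSED or UNTRACKED."""
    if domain not in domains:
        return "UNTRACKED"   # nobody is watching its renewal date
    expiry = domains[domain]
    if expiry is None or expiry < today:
        return "LAPSED"      # registration has run out or was given up
    if expiry - today <= timedelta(days=warn_days):
        return "EXPIRING"
    return "OK"


def audit(accounts, domains, today, warn_days=90):
    """Return (service, email, status) for every account not on a safe domain."""
    findings = []
    for service, email in accounts:
        # Domains are case-insensitive, so normalise before the lookup.
        domain = email.strip().lower().rpartition("@")[2]
        status = domain_status(domain, domains, today, warn_days)
        if status != "OK":
            findings.append((service, email, status))
    return findings


if __name__ == "__main__":
    for service, email, status in audit(ACCOUNTS, DOMAINS, date(2025, 1, 1)):
        print(f"{status:<10} {service:<22} {email}")
```

Anything flagged LAPSED or UNTRACKED is an account to move to a current address or close; anything flagged EXPIRING is a renewal to make before the domain reaches the drop list.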
This is scary stuff – I wonder if it’s too late to simply stuff the genie back in the bottle and dust off my old IBM Selectric again!