Ellen A. Wright knew she had a problem on her hands when her paralegal told her the Tewksbury firm’s Google email account couldn’t be accessed.
But the family law attorney only began to comprehend the magnitude of the problem when she discovered none of her internet service providers had tech support available to take her phone calls seeking help in battling the hacker who had seized her email and hijacked her website.
“What’s scary is we were in a two-week blackout where we were just dead in the water,” Wright says.
Life is starting to return to normal for the five-lawyer firm. But it took trips to Middlesex Superior Court and U.S. District Court in Boston — as well as the help of a cybertech expert — to get things up and running again.
The nightmare is documented in a state court complaint filed in a lawsuit that was ultimately removed to federal court.
In April 2014, Wright’s firm, Wright Family Law Group, contracted with New York-based Wix, Inc., for web-hosting services. On its website, Wix bills itself as “The Place to Create Professional Websites.”
According to the complaint, the law firm’s contract with Wix called for payment of an annual fee for premium website services that included access to a GSuite email platform. Under the terms of the contract, Wix agreed to provide a secured platform that only Wright Family Law Group would have access to with a provided user name and password.
On Feb. 22, 2019, the firm’s account was hacked by an unknown third party and Wright Family Law Group’s website was removed. The hacker, who has yet to be identified, also took control of the firm’s Gmail account provided through the GSuite platform.
“We were locked out for no real reason,” says Wright.
One of the firm’s laptops was stolen a few weeks before the hacking occurred. Wright believes there was a connection between the two events, even though the laptop was password protected. She adds that she and her paralegal have been security conscious in their office practices.
“We’ve always been really good about changing passwords, doing all the due diligence that we’re supposed to do to keep everything secure,” she says.
To add insult to injury, Wright says her office phones were hacked.
“I was getting calls from my unstaffed office at midnight, which was absolutely terrifying,” she recalls.
‘A battlefield landscape’
Wright says the experience has taught her that hackers are never to be underestimated.
“There really isn’t anything out there that they can’t hack,” she says. “I work with friends and colleagues who are also solos or small-firm types. They use a lot of the free email that’s offered through Gmail and Yahoo. These hackers can cut through that email like butter, even with the advanced passwords.”
Because even Fortune 500 companies with the best technical support can be hacked, Boston privacy and data security lawyer Christopher E. Hart says attorneys need to think in terms of risk management rather than risk prevention when considering cybersecurity needs.
“That means identifying the sensitive data that you have and who has access to it,” he says. The degree of risk in part is a function of the number of “end point users” who have access to it, he explains.
“Anybody who is touching the data, that creates a risk, and anywhere where data is stored, that creates a risk,” Hart says. “Think of it as a battlefield landscape. The bigger the landscape, the more people involved, the more varied your risks are.”
While there might be five lawyers in a group sharing data and working on the same cases, there are still ways to reduce the risk posed by the number of end-point users, Hart says.
“You don’t necessarily have to have everybody have access to all the information in a central location, because that obviously creates a huge risk if that central location is compromised,” he says.
‘They don’t care about me’
In the weeks following the hacking of her email and firm website, Wright says she made multiple requests to Wix to reset her username and password. She claims the company failed to respond in a timely manner, allegedly allowing the hacker to keep control of the account by continually resetting the password him or herself.
“This whole thing could have been fixed in an hour if someone had only picked up the phone,” she says.
On March 6, Wright Family Law Group sued Wix in Middlesex Superior Court, alleging damages due to the company’s failure to provide prompt customer service to help the firm recover its account. The plaintiff asserted claims of negligence, breach of contract, and unfair trade practices under G.L.c. 93A. It also named Google as a defendant, seeking a preliminary injunction to prevent it from automatically purging any emails that the hacker may have deleted.
On April 10, Wright Family Law Group voluntarily dismissed Wix with prejudice on the ground that it had learned the breach had not occurred through a Wix system. Google removed the case to federal court on June 13. Google and the firm subsequently stipulated to a dismissal on June 20.
Citing a confidentiality agreement, attorney Wright declines to comment on the ultimate resolution of her claims against Wix and Google.
While pursuing legal remedies against her service providers, Wright says she was able to get immediate help from David Jooste, whose Colorado business, Cyber Tech Connection, provides cybersecurity and threat-monitoring services.
Wright calls Jooste the real “hero” of her story. She connected with the cybertech expert through an online help site, and he immediately began working to restore the firm’s website.
“We were without a website for two weeks, and after we got it back we changed website providers,” Wright says.
Wright adds that Jooste was able to restore her email access even before Google responded to her lawsuit.
“They’re out in California, and they take their sweet time about everything,” she says. “I’m not a Fortune 500 company, so they don’t care about me.”
According to Jooste, though vendors have made “staggering efforts” to enable customers to protect their online accounts, there is no such thing as “100 percent secure.”
“Security is never guaranteed, and in the event of a breach, clients are at the mercy of these major players,” Jooste says. “Retrieving data and information from these vendors is always preceded by some sort of legal action.”
While providers are responsible for the security of their systems, they are not responsible for the security of client devices connecting to online accounts, he adds.
Wright says she learned two important lessons from the experience.
First, attorneys need to confirm that the online service vendors they’re thinking about hiring have robust customer support — specifically support staff members who are there to pick up the phone in an emergency.
“You have to make sure that you’re going to be able to get in touch with a live person and not just receive hollow, canned emails promising assistance,” she says. “In my particular situation, I was getting emails back, but it wasn’t timely. The hacker was able to keep up with it. When every second counts, you’re completely backed into a corner [without live support].”
Hart agrees that lawyers shopping for service providers need to be educated consumers.
“One way of thinking about risk mitigation is not just identifying risks, but also frankly reading through the terms of service on what [a vendor’s] security looks like, taking the time to understand the features, what’s shared, what isn’t, how the vendor will actually protect data, and what’s done in the event of a breach,” he says.
Lesson no. 2, Wright says, stems from the fact that the hacker made an attempt to use the firm’s email to get personal information from a client. The firm was on to the hacker right away and no harm was done, but Wright says it reinforced for her the necessity of setting up a two-factor authentication protocol with clients.
“If the hacker impersonates you and tries to contact your client asking for their bank information, make sure your clients know that you are never going to solicit personal information from them via text or email,” she warns.
Wright says she is paying for credit monitoring for all the individuals affected by the hacking of her firm in compliance with her professional ethics requirements.
Jooste, meanwhile, recommends that law firms secure online accounts with “Multi-Factor Authentication.”
“This can be by means of a text message authentication, or more preferred, a token application or device such as Google Authenticator,” Jooste says.
He also suggests creating recovery codes for online accounts and recovery email addresses, and setting up a “secondary” admin account to restore operations when lawyers lock themselves out or an account has been hacked. For particularly sensitive data, lawyers should think about having a monitoring service that can block and record suspicious behavior.
Google was represented by Boston attorneys Sarah P. Kelly and James W. Gately, who did not respond to a request for comment prior to deadline. Wix was represented by New York attorney Serrin Turner and Michael H. Rubin of San Francisco, who also did not respond.
Patrick M. Murphy, Esq.
Massachusetts Lawyers Weekly