June 26, 2025

BOLO: Lawyers Face Critical Risk from 2025's 16 Billion Password Data Leak 🔒⚖️

June 26, 2025/ The Tech-Savvy Lawyer.Page/ Michael Eisenberg

lawyers were your client’s pii hacked from your computers and software?

Lawyers across the nation need to take immediate action following the exposure of 16 billion login credentials—covering platforms from Apple and Google to Facebook and countless others—in what researchers describe as one of the largest exposures of sensitive data in history. While headlines have suggested a catastrophic, single-source breach, the reality is more nuanced but equally concerning for legal professionals. This leak is not a new, isolated hack of a major provider. Instead, it's a massive aggregation of credentials collected over years from various infostealer malware campaigns and previous breaches, now compiled and exposed in over 30 datasets.

What Is the Nature of This Breach? Is It "New"? 🕵️‍♂️

The so-called "16 billion password breach" is not the result of a single event. Instead, it's a compilation of old and some recent credentials, gathered from infostealer malware, credential stuffing lists, and previously leaked databases. Some datasets are fresh and weaponizable, including session tokens and cookies that can bypass multi-factor authentication, but much of the data is recycled or duplicated. The scale, however, means nearly every major online service is potentially implicated, and the risk of credential stuffing and account takeover is real—especially for those who reuse passwords or have not updated them in years.

Why Should Lawyers Care? ⚠️

Lawyers are high-value targets for cybercriminals due to the sensitive nature of client data and privileged communications. The legal profession has already seen significant cybersecurity challenges, with 29% of law firms encountering cybersecurity breaches in 2023, and the average cost of a data breach for law firms reaching $5.08 million. A compromised password can lead to unauthorized access to confidential files, emails, and client records, exposing firms to malpractice claims, regulatory penalties, and reputational harm. The legal sector's increasing reliance on cloud platforms and digital workflows makes robust credential management non-negotiable for lawyers.

🚨

Lawyers must take action today. 📣 Your clients' trust—and your practice's future—depend on it!

🚨 Lawyers must take action today. 📣 Your clients' trust—and your practice's future—depend on it!

What Should Lawyers Do Now? 🛡️

Immediate Steps:

Reset passwords for any account that may be affected, especially if you reuse passwords across sites.
Check your exposure using tools like "Have I Been Pwned" to see if your email or credentials are part of known breaches.
Enable Multi-Factor Authentication (MFA) on all accounts—this is the single most effective way to prevent unauthorized access, even if a password is leaked.

Long-Term Best Practices:

Adopt a password manager (such as 1Password* or similar) to generate and store unique, complex passwords for every account.
Educate your staff on phishing, social engineering, and the dangers of password reuse.
Implement passkeys and biometrics where possible, reducing reliance on passwords alone.
Regularly monitor for compromised credentials using security tools and services that alert you to new breaches.
Never store passwords in plaintext or unsecured documents; use encrypted vaults and secure delivery for sensitive credentials.

What Should Law Firms and Lawyers Be Doing to Stay Secure? 🏛️

Lawyers need to be active in protecting their client’s pii!

Review and update firm-wide password policies to mandate unique, strong passwords and regular changes.
Ensure all devices and cloud services used for legal work are protected with MFA and monitored for suspicious activity.
Consult with cybersecurity counsel or specialists to assess your firm's exposure and compliance with data protection regulations.
Stay informed about new threats and regularly audit your digital security posture.

Essential Resources from The Tech-Savvy Lawyer 📚🎧

For deeper insights into cybersecurity best practices for legal professionals, explore these valuable resources from The Tech-Savvy Lawyer.Page:

Blog Posts:

"🚨 BOLO: Zoom Remote Access Attacks – Critical Security Alert for Legal Professionals 🚨" - Learn about sophisticated cyberattacks targeting legal professionals through video conferencing platforms and how to protect your practice.
"BOLO: Is LastPass on its Last Leg?! 🧐 Is it time to get a new password manager? 😳" - Essential guidance on password manager security following the LastPass breach, with recommendations for alternative solutions like 1Password.
"🚨 BOLO: Apple's Latest Update Activates AI - Lawyers, Protect Your Clients' Data! 🚨" - Critical analysis of how automatic AI features can impact attorney-client privilege and data security.

Podcast Episodes:

🎙️ Ep. 104: The Importance of Data Backup & Cybersecurity w "Mr. Backup", Curtis Preston! - Expert insights on what lawyers are doing wrong with cybersecurity, e-discovery best practices, and ransomware response strategies.
🎙️ Ep. 106: "How Lawyers Can Protect Client Data in the Age of AI - A conversation with Erich Dylus!" - Essential guidance on maintaining client confidentiality while leveraging AI tools.
🎙️Episode 99: "Navigating the Intersection of Law Ethics and Technology with Jayne Reardon" - Practical insights for lawyers with limited to moderate tech skills on strategic legal tech adoption.

These resources provide actionable guidance specifically tailored for legal professionals navigating cybersecurity challenges while maintaining ethical obligations under the ABA Model Rules.

Lawyers Must Act Now - Your Practice's Security Is Your Clients' Trust 🔐

Follow The Tech-Savvy Lawyer.Page for breaking news and bolos that lawyers need to know!

The 16 billion password leak serves as a stark reminder that cybersecurity is not optional for today's legal professionals—it's an ethical imperative that lawyers cannot ignore. While this massive data aggregation may seem overwhelming, it presents an opportunity for lawyers to strengthen their firm's digital defenses and demonstrate their commitment to protecting client confidentiality.

Remember, as outlined in ABA Model Rule 1.1, Comment 8, lawyers must maintain reasonable competency in technology, including understanding "the benefits and risks associated with relevant technology". The steps outlined above are not just technical recommendations for lawyers—they're essential components of competent legal representation in the digital age.

By implementing robust password policies, enabling multi-factor authentication, and staying informed through resources like The Tech-Savvy Lawyer.Page, lawyers are not just protecting data—they're preserving the foundational trust that defines the attorney-client relationship. In an era where cyber threats evolve daily and law firms face increasing risks, lawyers' proactive approach to cybersecurity becomes a competitive advantage and a mark of professional excellence.

Lawyers must take action today. Your clients' trust—and your practice's future—depend on it.

June 11, 2025

Word of the Week: “Phishing” 🎣 in the Legal Profession - What Every Lawyer Needs to Know in 2025 🛡️

June 11, 2025/ The Tech-Savvy Lawyer.Page/ Michael Eisenberg

Lawyers Battle phishing on a daily basis.

Phishing is one of the most persistent and dangerous cyber threats facing law firms today. Phishing is a form of computer and internet fraud in which criminals use fake emails, websites, or messages to trick recipients into revealing sensitive information such as passwords, bank details, or client data. For lawyers and legal professionals, the stakes are especially high: law firms hold vast amounts of confidential client information, making them prime targets for cybercriminals. The American Bar Association (ABA) Model Rules for Professional Conduct, particularly Rule 1.6 (Confidentiality of Information) and Rule 1.1 (Competence), require lawyers to protect client data and maintain competence in technology relevant to their practice.

How Phishing Targets Law Firms

Phishing attacks against law firms have become more sophisticated in 2025. Criminals now use generative AI to craft emails that closely mimic real communications from clients, colleagues, or even senior partners. These messages often create a sense of urgency, pressuring recipients to act quickly—such as transferring funds, sharing login credentials, or downloading malicious attachments. Business Email Compromise (BEC) scams are particularly damaging, as attackers impersonate managing partners or clients to divert wire transfers or request sensitive documents.

Impersonation: The Hidden Dangers in Your Inbox

Attackers often use email spoofing to manipulate the display name and email address, making a message appear to come from someone you trust. The display name (the name that appears in your inbox) can be set to any familiar contact, but the actual email address may be subtly altered or completely fake. For example, a scammer might use “john.smith@lawfirm.com”or “John Smith of ….” as the display name, but the underlying address could be “jjohn.smith@lawf1rm.com” or “john..john.smith@lawfirm.co@lawfirm.co.” These changes are often just a single character off, designed to trick you into replying or clicking a malicious link.

Lawyers should always examine the full email address, not just the display name, before responding or acting on any request. On many smartphones and email clients, only the display name is shown by default, so you may need to click or tap to reveal the actual sender’s email address. If the message requests sensitive information, money transfers, or urgent action, verify the request through a separate communication channel, such as a phone call using a known number—not one provided in the suspicious email. This vigilance aligns with ABA Model Rule 1.1, which requires lawyers to maintain competence, including understanding risks associated with technology.

Recent Phishing Incidents Involving Lawyers

Phishing Email Threatens Law Firm Cybersecurity Defense

In a widely reported scam, secretaries and junior lawyers at several law firms received emails that appeared to come from senior partners. The emails requested the purchase of iTunes gift cards for an “urgent presentation.” Victims, unfamiliar with the scam, were tricked into sending the codes to the attackers, who then sold or used them at the victims’ expense.
In another case, scammers stole the identity of Western Australia’s Attorney-General, John Quigley, sending emails that claimed he was representing a deceased person with a large inheritance. The emails phished for personal information and requested payments for fake legal fees.
Large law firms have also suffered massive data breaches following phishing attacks. In 2024, Orrick, Herrington & Sutcliffe agreed to pay $8 million after cybercriminals accessed personal and health data of over 600,000 people. Similarly, Gunster Yoakley & Stewart settled for $8.5 million after a breach exposed sensitive information of nearly 10,000 individuals.

What Lawyers Should Watch For

Impersonation: Always check the sender’s full email address, not just the display name. Watch for addresses that are off by one or more characters.
Urgency and Pressure: Be cautious of emails that demand immediate action, especially those involving money or confidential data.
Suspicious Links or Attachments: Hover over links to check their true destination, and never open unexpected attachments.
Unusual Requests: Be wary of requests outside normal procedures, such as buying gift cards or changing payment instructions.

Prevention and Best Practices

Employee Training: Regular cybersecurity awareness training is crucial. Staff should be able to recognize phishing attempts and know how to report them. This supports ABA Model Rule 5.3 (Responsibilities Regarding Nonlawyer Assistance).
Multi-Factor Authentication (MFA): MFA adds an extra layer of security, making it harder for attackers to access accounts even if credentials are compromised.
Incident Response Plan: Every law firm should have a clear plan for responding to phishing incidents, including communication protocols and legal obligations for breach notification.
Client Education: Educate clients about phishing risks and encourage them to verify any unusual requests that appear to come from your firm.

Professional Responsibility and Phishing

lawyers need to be proactive Against Cybersecurity Threats in 2025!

The ABA Model Rules make clear that lawyers must take reasonable steps to prevent unauthorized access to client information (Rule 1.6(c)). Lawyers must also keep abreast of changes in technology and its associated risks (Rule 1.1, Comment 8). Failing to implement basic cybersecurity measures, such as phishing awareness and email verification, may expose lawyers to disciplinary action and civil liability.

Final Thoughts

Phishing is not just an IT problem—it’s a business risk that can compromise client trust, cause financial loss, and result in legal liability. By staying vigilant, investing in training, and adopting robust security measures, lawyers can protect themselves, their clients, and their reputations in an increasingly digital world. Compliance with the ABA Model Rules is not optional—it's essential for ethical and effective law practice.

June 05, 2025

📖 Word(s) of the Week (Woow): "Service as a Service" (SaaS) & "Hardware as a Service" (HaaS)!

June 05, 2025/ The Tech-Savvy Lawyer.Page/ Michael Eisenberg

SaaS vs. HaaS: What Law Firms Need to Know About Service as a Service and Hardware as a Service in 2025 ⚖️💻

Legal practices are rapidly embracing cloud-based solutions, and two models stand out: Software as a Service (SaaS) and Hardware as a Service (HaaS). Understanding these models is essential for law firms seeking efficiency, security, and cost-effectiveness in 2025.

What is SaaS?
SaaS is a cloud-based software delivery model. Instead of buying software outright and installing it on each device, law firms subscribe to web-hosted applications. This means no more managing physical servers or complex installations. Leading SaaS providers handle updates, security, and maintenance, freeing attorneys to focus on clients and cases.

Benefits of SaaS for Law Firms:

Centralized, secure document management—enabling paperless workflows and real-time collaboration.
Cost savings by eliminating expensive hardware and IT support. Firms pay only for what they use and can scale up or down as needed.
Remote access to case files, calendars, and billing from anywhere, supporting hybrid and remote work environments.
Automatic updates and improved security, with providers responsible for compliance and data protection.
Specialized legal features, such as document automation, calendaring, and legal billing, tailored for law practices.

Legal Considerations for SaaS:
SaaS agreements replace traditional software licenses. They must clearly define service levels, data privacy, and compliance with regulations. SaaS lawyers play a crucial role in drafting contracts, protecting intellectual property, and ensuring regulatory compliance across jurisdictions.

What is HaaS?
HaaS provides physical hardware—like computers, servers, or networking equipment—on a subscription basis. Law firms avoid large upfront purchases and instead pay a monthly fee for access, support, and maintenance. HaaS often includes installation, configuration, troubleshooting, and ongoing monitoring.

Benefits of HaaS for Law Firms:

Knowing your SAAS and Haas agreement terms is essential to maintaining client confidentiality and security

Predictable budgeting with no surprise hardware expenses.
Up-to-date equipment and proactive maintenance, reducing downtime.
Comprehensive support agreements, including warranties and rapid response times.
Enhanced security and compliance, as providers manage device updates and data protection.

Legal Considerations for HaaS:
HaaS contracts should specify the scope of services, pricing, service-level agreements (SLAs), liability, data privacy, and dispute resolution. Clear terms protect both the law firm and the provider, ensuring accountability and compliance with industry standards.

Challenges Law Firms Face in Using SaaS and HaaS

Law firms adopting SaaS and HaaS face several notable challenges:

Security Vulnerabilities: SaaS platforms can be susceptible to misconfigured access controls, inadequate monitoring, and insufficient threat detection. These weaknesses make law firms prime targets for cyberattacks, such as unauthorized access and data breaches, as seen in high-profile incidents involving major firms.
Data Breaches and Compliance Risks: Sensitive client data stored in SaaS environments is at risk if proper security measures are not in place. Breaches can expose confidential information, leading to regulatory penalties, reputational damage, and class action lawsuits if firms fail to notify affected parties promptly.
Integration Challenges: As law firms rely on multiple SaaS vendors, integrating various software platforms can become complex. Poor integration may disrupt workflows and reduce efficiency, especially if systems do not communicate seamlessly.
Shared Responsibility Confusion: SaaS providers typically secure the platform, but law firms are responsible for data security and access controls. Many firms mistakenly believe vendor security alone is sufficient, which can leave critical data exposed.
Reliable and consistent internet access: Reliable and consistent internet access is essential for law firms using SaaS and HaaS, as these cloud-based solutions require an active connection to access software, documents, and case management tools; any internet outage or slow connectivity can disrupt workflows, limit access to critical information, and impact client service. (What if you are on travel and the airplane, hotel, or location does have (reliable) internet connection - how do you get your work done?)
Business Email Compromise (BEC): SaaS ecosystems increase the risk of BEC attacks. Compromised email accounts can be exploited for fraud, impersonation, and data theft, often going undetected for extended periods.
Data Classification and Visibility Issues: Rapid adoption of SaaS can lead to scattered data across multiple platforms. Without a formal data classification strategy, firms may lose track of where sensitive information resides, complicating compliance and incident response.
Legal and Contractual Complexities: SaaS contracts involve nuanced licensing agreements, third-party vendor relationships, and service level commitments. Discrepancies between vendor terms and client expectations can result in disputes and legal challenges.
Dependency on Providers: Both SaaS and HaaS models make firms dependent on external vendors for uptime, support, and updates. Service disruptions or vendor instability can directly impact firm operations.
Hardware Lifecycle Management: With HaaS, firms avoid upfront hardware costs but must rely on the provider for timely upgrades, maintenance, and support. Poor vendor performance can lead to outdated equipment, downtime, or security gaps.
Cost Over Time: While SaaS and HaaS reduce initial capital expenditures, ongoing subscription fees may add up, potentially exceeding the cost of traditional ownership in the long term if not carefully managed.

Lawyers need to know the pros and cons in using saas and haas products!

While SaaS and HaaS offer significant advantages, law firms must address these risks through robust security practices, careful contract negotiation, and ongoing vendor management to protect sensitive data and maintain operational integrity. This may be easier for large law firms but difficult if not nearly impossible for mid- to small- to solo-size law practices.

Why Law Firms Should Care
Both SaaS and HaaS offer flexibility, scalability, and security that traditional IT models cannot match. By leveraging these services, law firms can modernize operations, improve client service, and reduce risk. The right contracts and due diligence are critical to ensure business continuity and compliance in a rapidly evolving legal tech landscape.

Blog

🚨

Lawyers must take action today. 📣 Your clients' trust—and your practice's future—depend on it!

🚨 Lawyers must take action today. 📣 Your clients' trust—and your practice's future—depend on it! 🚨 Lawyers must take action today. 📣 Your clients' trust—and your practice's future—depend on it!

The Tech Savvy Lawyer

🚨 Lawyers must take action today. 📣 Your clients' trust—and your practice's future—depend on it!