Are Law Firms Targets for Hacking

Are Law Firms a Target of Cyber-Hackers

Peter Ely | Apr 25, 2016

How Smart Firms Mitigate Cyber Vulnerabilities in Electronic Faxing

In a 2015 report, “Cyber Security Practices for Law Firms,” surety company CNA points out that the FBI recently warned the country’s 200 largest law firms that their networks are increasingly tempting targets for cyber hackers. In fact, the report points to a study by security firm Mandiant that found roughly 80% of the largest 100 law firms by revenue had been the victims of a data breach since 2011.

While CNA’s report focuses primarily on the methods hackers are most often using to attack law firms’ data networks — exploiting weaknesses in mobile devices, unsecured wireless networks, security vulnerabilities created by untrained staff, etc. — the key takeaway for our purposes here is the reason that legal practices are such juicy hacking targets. Like healthcare organizations, law firms hold vast amounts of highly sensitive, personally identifiable client information, mergers & acquisition information, etc., which holds great value for cyber thieves. (By the way, if you’d like to see our tips for defending against cyber attacks, you can read our blog recent blog post, Four Tips for Defending Against Cyber Attacks here).

Law firms must fortify all methods of document transmission and storage against attack — including fax

One common method of legal-industry communication that is not addressed at all in the cyber-security report is fax. But because it still represents a considerable portion of all documents sent, received and archived by law firms, faxing also represents a potential point of attack for sophisticated cyber criminals or breach by negligent insiders. Which means your firm might want to revisit physical and IT security around your fax processes to lower your firm’s faxing security risks.

Here is a brief overview of those risks.

Security risks that can exist with in-house fax servers

Fax servers can create several security vulnerabilities.


First, because fax servers have limited storage capacity on their hard drives, the IT team might find themselves periodically either deleting or “purging” each server’s drive to make room for new faxes being sent and received — often by printing out the stored documents for paper filing. This can obviously lead to unauthorized personnel viewing or even removing a firm’s clients’ PII or highly confidential business transactions, etc.

Second, if proper security protections are not put in place to protect the contents of the hard drives of fax servers (like encryption and access controls) they can be accessed and browsed like a shared file server on a network as well.

The security risks inherent in desktop fax machines

The security vulnerabilities inherent to fax machines are even more obvious.


Because they are typically situated in mail rooms or common areas within a law firm’s office, fax machines present an ongoing risk of exposure of confidential client information. Anyone who has worked at a law firm has seen mail rooms with fax machines spewing forth numerous fax documents, all of which are consolidated and put in interoffice envelopes by clerks for delivery to attorneys or paralegals, for example. Are these documents secure and compliant with confidentiality and other rules?

Finally, employees also often send paper faxes from an office fax machine and then leave the area without retrieving the hard-copy documents. Even a fax innocently but mistakenly removed from a fax machine and then lost or not properly destroyed can still expose the firm to a security leak or ethics violation.

Securing client data is not merely good business — it's the law

The fact that hackers are specifically targeting their data means that law firms must take reasonable precautions to secure their networks at all times. But there is another risk to the law firm, beyond simply exposing confidential information and damaging their reputation.

Legal practices, like healthcare and banking organizations, often fall under several federal and state regulations requiring the protection of personally identifiable information (PII) — regulations such as the Fair and Accurate Credit Transactions Act (FACTA), the Gramm- Leach Bliley Act (GLBA), and even the Health Insurance Portability and Accountability Act (HIPAA).

Additionally, nearly every state in the union has enacted its own laws requiring any entity holding PII to notify the affected individuals if that data is ever breached. Finally, the legal industry imposes its own ethical obligations on all practicing lawyers — such as ABA Model Rule 1.6 — demanding they make reasonable efforts to prevent any disclosure of their clients’ information to protect Confidentiality.

For Your Company’s Security, it’s Time to Explore Upgrading to Cloud Fax

Your law firm can eliminate all of these (and the many other) security weak points in your legacy, in-house fax infrastructure: upgrade to an enterprise-class cloud fax service.

With our fax solution as your firm’s faxing partner, you can outsource all of your fax infrastructure and support pain points to a trusted cloud provider — and enjoy a significant boost in your overall fax security.

eFax Corporate uses the latest TLS encryption for all faxes-by-email across our global, secure network with strong audit trails and access controls – a potentially significant security enhancement to your existing fax processes.

Furthermore, our secure fax servce can provide the highest levels of protection for your fax data at rest with AES 256-bit encryption. Our geographically dispersed and redundant network includes Tier 3 and 4 secure colocations which have current SOC 2 and SSAE16 certifications, and are protected 24/7 with redundant physical security and intrusion detection systems.

This is why eFax Corporate, part of j2 Global®, is entrusted every day to transmit millions of pages of sensitive corporate documents by businesses in the most heavily regulated industries — including over 50% of top law firms.
Peter Ely

About Peter Ely

Currently responsible for the Enterprise Partner Program for j2 Cloud Services, Peter Ely is a 28-year technology veteran, having held senior executive positions looking after presales, product management, product marketing and technical evangelist teams across two continents and three countries in the telecommunications and data networking arenas.
Subscribe to our Blog

Subscribe Today