🚨 BOLO: Zoom Remote Access Attacks – Critical Security Alert for Legal Professionals 🚨

/ The Tech-Savvy Lawyer.Page/

Zoom Attack Exposes Lawyers to Major Cyber Risk: Why Vigilance Is Now an Ethical Imperative!

Lawyers need to be able to Spot fake Zoom invites—protect your client data now!

A sophisticated cyberattack targeting Zoom users has recently emerged, with direct implications for lawyers and legal professionals. The attack, detailed by Malwarebytes, involves a crime group dubbed ELUSIVE COMET that lures victims into Zoom meetings and tricks them into granting remote access. This enables the installation of malware and theft of sensitive data, including financial assets and confidential client information, e.g., PII.

How the Attack Works

  • Attackers pose as reputable contacts (e.g., media invitations) and set up Zoom calls.

  • During the meeting, the attacker often sends a remote control request with their camera off, disguising their screen name as “Zoom” to appear legitimate.

  • If the victim approves, the attacker gains full control of the victim’s system, installs malware, and can access files, emails, and even financial accounts.

Why Lawyers Must Be Extra Cautious

Ethical Duties Under ABA Model Rules

You need to be careful who you let into your zoom conferences!

  • Competence (Rule 1.1): Lawyers must provide competent representation, which now explicitly includes technological competence. Comment 8 to Rule 1.1 states:
    To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

  • Confidentiality (Rule 1.6): Attorneys are ethically obligated to protect client information from unauthorized disclosure. Allowing remote access to your device can expose privileged communications, work product, and sensitive client data to malicious actors.

  • Failing to maintain technological competence or safeguard client data can result in ethical violations, malpractice claims, and reputational harm.

Best Practices to Prevent Zoom-Based Attacks

  • Never accept remote control requests from unknown or unverified participants.

  • Use Zoom via your web browser when possible, as the browser version does not support remote control, reducing risk.

  • Enable meeting passwords and waiting rooms to control access.

  • Restrict screen sharing and disable remote control features unless absolutely necessary.

  • Verify all meeting invitations-scrutinize the sender’s identity, and be wary of unsolicited requests, especially those involving media opportunities or unfamiliar contacts.

  • Keep Zoom and all security software updated to address known vulnerabilities.

  • Educate staff and colleagues about the risks and proper protocols for virtual meetings.

What to Do If You Suspect a Breach

You control access—deny hackers, defend your practice.

  • Disconnect from the internet immediately to limit further access.

  • Contact your IT or cybersecurity team and initiate your incident response plan.

  • Notify affected clients and relevant authorities as required by law and ethical rules.

  • Document the incident and steps taken for compliance and potential reporting obligations.

  • Review and update your security protocols to prevent future incidents.

Let’s be careful out there - it could cost you your job or, worse yet, your bar license if you don’t!

Happy Lawyering!!!

MTC: Legal Cybersecurity Crisis - How the CVE System's Defunding Compromises Digital Safety for Law Firms 🚨

/ The Tech-Savvy Lawyer.Page/

In the chaos, Lawyers need to defend client data as CVE shield may be in jeopardy!

CVE Program’s Last-Minute Rescue: What Lawyers Must Learn from the Cybersecurity Near-Crisis 🚨

The legal world narrowly avoided a digital disaster last week week. The Common Vulnerabilities and Exposures (CVE) program—the backbone of global cybersecurity—came within hours of losing its federal funding, sending shockwaves through the legal and cybersecurity communities. In an eleventh-hour move, the Cybersecurity and Infrastructure Security Agency (CISA) extended funding for MITRE to continue operating the CVE program, averting a shutdown that could have left law firms and their clients exposed to unprecedented cyber risk. The episode is a wake-up call for every legal professional: Our reliance on a single, government-funded system for vulnerability intelligence is a vulnerability in itself.

The Alarm: How Close We Came to Losing the CVE Program ⚠️

On April 16, 2025, MITRE, the non-profit that manages the CVE database, announced its contract with the Department of Homeland Security would expire at midnight. The news triggered widespread alarm across the cybersecurity sector, as the CVE program is essential for tracking, cataloging, and sharing information about software vulnerabilities. Legal technology vendors, law firm IT teams, and risk managers all depend on CVE data to prioritize security updates and defend against cyber threats.

The potential consequences were immediate and severe. Experts warned that a lapse in CVE services would delay vulnerability disclosures, disrupt incident response, and create a dangerous window for attackers to exploit unpatched systems. Law firms, which handle highly sensitive client information, would have faced heightened risks of data breaches, malpractice claims, and regulatory penalties.

The Save: CISA Steps In—But Only for Now

CISA’s rescue: Legal cybersecurity lifeline survives—uncertainty remains.

In response to the outcry, CISA executed a last-minute contract extension, ensuring there would be no interruption in CVE services for at least the next 11 months. MITRE confirmed that the funding would keep the program running, and the global cybersecurity community breathed a collective sigh of relief.

Yet, this solution is temporary. The extension lasts less than a year, and the long-term sustainability of the CVE program remains uncertain. The episode has already spurred the formation of a new nonprofit, the CVE Foundation, aimed at ensuring the program’s independence and stability beyond government sponsorship.

Why This Matters for Lawyers and Law Firms ⚖️

The CVE program is more than a technical tool—it is a legal lifeline. The American Bar Association’s Model Rules require lawyers to safeguard client confidentiality, maintain technological competence, and supervise staff and vendors on cybersecurity practices. See MRPC 1.1[8] & 1.6. Without reliable, up-to-date vulnerability intelligence, law firms cannot meet these obligations.

If the CVE program had gone dark, lawyers would have faced:

  • Increased risk of data breaches: Without a unified system for tracking vulnerabilities, attackers would have more time and opportunity to exploit unpatched systems, putting client data at risk.

  • Malpractice exposure: Failing to implement timely security updates could be seen as a breach of the duty of competence and confidentiality, opening the door to claims of negligence or breach of fiduciary duty.

  • Compliance headaches: With regulatory requirements around breach notification and data protection tightening, law firms would struggle to demonstrate they had taken “reasonable efforts” to protect client information.

  • Vendor management chaos: Many legal technology providers rely on CVE identifiers to communicate security patches. Without them, law firms would face confusion and delays in applying critical updates.

Lessons Learned: What Lawyers Should Do Next 🛡️

The CVE funding scare revealed that even the most established cybersecurity programs can be vulnerable. For the legal profession, this is a clear signal to take proactive steps:

Lawyers have a duty to protect their clients’ PII from cyberattacks!

  • Diversify threat intelligence sources: Don’t rely solely on the CVE program. Lawyers and IT teams should monitor additional resources such as the National Vulnerability Database (NVD), CISA Alerts & Advisories, and vendor-specific feeds.

  • Review and update incident response plans: Ensure your breach response protocols account for the possibility of disruptions in vulnerability intelligence. Document your reliance on CVE and alternative sources for compliance purposes.

  • Strengthen vendor contracts: Require legal technology providers to maintain robust vulnerability management practices, even if the CVE system is disrupted.

  • Stay engaged and advocate: Support efforts to make the CVE program sustainable and independent. The legal community should join calls for diverse funding and governance to avoid future crises.

  • Educate staff and clients: Communicate the importance of cybersecurity vigilance and the evolving landscape. Make sure everyone understands their role in protecting client data.

Final Thoughts: A Fragile Peace and a Call for Vigilance 🔍

The CVE program’s last-minute rescue is a relief, but not a resolution. The legal sector must recognize that the stability of our cybersecurity infrastructure is not guaranteed. With only 11 months of assured funding, the risk of another crisis looms. The new CVE Foundation may provide a path forward, but it will require broad support from both public and private sectors.

Lawyers must remain vigilant, proactive, and informed. The next funding scare could come with less warning—and with even higher stakes for client confidentiality, professional responsibility, and the very trust that underpins the legal profession.

MTC

🚨 BOLO: Apple's Latest Update Activates AI - Lawyers, Protect Your Clients' Data! 🚨

/ The Tech-Savvy Lawyer.Page/

Attention tech-savvy lawyers! 📱💼 Apple's recent iOS and macOS updates have automatically enabled Apple Intelligence, raising significant concerns about client confidentiality and data privacy. As legal professionals, we must remain vigilant in protecting our clients' sensitive information. Here's what you need to know:

The Stealth Activation 🕵️‍♂️

In the last 24 hours, Apple released iOS 18.3, iPadOS 18.3, and macOS Sequoia 15.3, which automatically activate Apple Intelligence on compatible devices. This AI-powered suite offers various features, including rewriting text, generating images, and summarizing emails. While these capabilities may seem enticing, they pose potential risks to client confidentiality. 🚨

Privacy Concerns 🔒

Apple claims that Apple Intelligence uses on-device processing to enhance privacy. However, the system still requires 7GB of local storage and may analyze user interactions to refine its functionality. This level of data access and analysis raises red flags for lawyers bound by ethical obligations to protect client information.

Ethical Obligations ⚖️

Check your apple setting if you want to turn off “Apple Intelligence”!

The ABA Model Rules of Professional Conduct, particularly Rule 1.6, emphasize the duty of confidentiality. This rule extends to all forms of client data, including information stored on devices or accessed remotely. As tech-savvy lawyers, we must exercise reasonable care to prevent unauthorized disclosure of client information.

Potential Risks 🚫

Using AI-powered features without fully understanding their implications could lead to inadvertent breaches of client confidentiality. As we've discussed in our previous blog post, "My Two Cents: With AI Creeping Into Our Computers, Tablets, and Smartphones, Lawyers Need to Be Diligent About The Software They Use," lawyers must be cautious about adopting new technologies without proper vetting.

Lawyers MUST maintain reasonable competency in the use of technology! 🚨 ABA MRPC 1.1 [8] 🚨

Lawyers MUST maintain reasonable competency in the use of technology! 🚨 ABA MRPC 1.1 [8] 🚨

Steps to Take 🛡️

  1. Disable Apple Intelligence: Navigate to Settings > Apple Intelligence & Siri to turn off specific features or disable the entire suite.

  2. Educate Your Team: Ensure all staff members are aware of the potential risks associated with AI-powered features.

  3. Review Privacy Policies: Carefully examine Apple's privacy policies and terms of service related to Apple Intelligence.

  4. Implement Additional Safeguards: Consider using encrypted communication tools and secure cloud storage solutions for client data.

Final Thoughts 🧐

As we navigate this rapidly evolving technological landscape, it's essential to balance innovation with ethical obligations. Lawyers can thrive as tech-savvy professionals by embracing technology to enhance their practice while safeguarding client trust. Remember, maintaining reasonable competency in the use of technology is not just advisable—it’s an ethical duty. See Comment, #8, to ABA Model Rule, #1.1.

Subscribe to The Tech-Savvy Lawyer.Page for updates on this developing situation, news on the evolving impact of AI on the practice of law. Together, we can navigate the complexities of legal technology while upholding our professional responsibilities.

Stay safe, stay informed, and stay tech-savvy! 🚀📚💻

Happy Lawyering!