Client Confidentiality Requirements
Every jurisdiction with an established legal profession imposes strict confidentiality obligations on attorneys. In the US, ABA Model Rule 1.6 prohibits lawyers from revealing client confidential information without informed consent. In the UK, the Solicitors Regulation Authority Code of Conduct imposes similar duties. In the EU, GDPR adds further data protection obligations on top of these professional duties.
These obligations don't stop at the network edge. If an attorney accesses client confidential information over a compromised WiFi network — whether through an Evil Twin, DNS hijacking, or any other WiFi attack — the firm may have breached its confidentiality obligations without even knowing it.
Most data breach notification laws (GDPR Article 33, US state laws) require notification to affected parties within 72 hours of discovering a breach. If a law firm doesn't know its WiFi was compromised — because the attack was invisible — the 72-hour clock may never start. This creates potential liability for a breach the firm didn't even know occurred.
Case Study Potential
The value of information in a law firm's systems varies enormously by matter type:
| Matter Type | Information Value | Attack Relevance |
|---|---|---|
| M&A Due Diligence | Deal valuation, target weaknesses, negotiation strategy | Insider trading, deal sabotage, blackmail |
| Litigation Strategy | Case theories, witness lists, expert reports | Settlement leverage, witness tampering |
| Patent Portfolio | Pending applications, filing strategies | IP theft, competitive intelligence |
| Regulatory Investigations | Government communications, response strategies | Market manipulation, regulatory evasion |
| Corporate Restructuring | Bankruptcy strategies, creditor negotiations | Front-running, competitive intelligence |
| Celebrity/Political Cases | Personal information, settlement terms | Blackmail, reputation destruction |
Real Scenario: The M&A Deal That Leaked
A senior partner at an international law firm was reviewing a client's $2.3 billion acquisition proposal from her hotel room in Singapore. She connected to the hotel's "Singtel_Guest" WiFi and accessed the deal room via her law firm's VPN. An attacker on the hotel network ran bettercap, capturing the VPN session cookies and the law firm's file share authentication.
Three weeks before the deal was announced, a journalist at a financial publication received anonymous documents containing the exact acquisition price, target company's key vulnerabilities identified in due diligence, and the law firm's internal deal timeline. The journalist published a story that moved the target company's stock by 8% before the announcement.
The SEC opened an investigation into potential insider trading. The law firm faced a difficult situation: had its systems been compromised? Was the leak from its network, the client's network, or another source? The firm couldn't prove the attacker's identity or method with certainty. The client relationship was damaged. The law firm ultimately spent $1.2 million on forensic investigation and crisis PR.
Defense Requirements for Law Firms
- Mandatory VPN for all remote access to firm systems — no exceptions for any network, including "trusted" hotel networks
- Full tunnel VPN mode only — no split tunneling for any firm devices
- DNS over HTTPS (DoH) enforced on all firm devices to prevent DNS hijacking even on VPN
- Hardware security tokens (YubiKey) for VPN and email authentication
- Remote browser isolation (RBI) for accessing sensitive firm applications — renders WiFi MITM irrelevant
- Firm-issued devices only for accessing deal room and confidential client data
- Pre-travel security briefings for all attorneys and staff who handle sensitive matters
- Mobile hotspot (cellular) as preferred connectivity method for sensitive work while traveling
- WiFi Security addendum to all engagement letters — informing clients of firm security practices and requirements
- Annual penetration testing that includes WiFi attack simulations from nearby locations
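As an added example (not from the original article or any firm's tooling), here is a small compliance check that an endpoint-management job could run against a managed device's VPN profile to enforce the "full tunnel, no split tunneling" and pinned-resolver requirements above. WireGuard as the VPN, the profile format and the sample profiles are assumptions; the article names no VPN product, and the DoH requirement is an OS or browser policy that this check does not cover.

```python
"""Flag WireGuard client profiles that would allow split tunneling."""
import ipaddress

# Constructed sample profiles (placeholder keys and endpoint, not real values).
FULL_TUNNEL = """
[Interface]
PrivateKey = <redacted>
Address = 10.8.0.2/32
DNS = 10.8.0.1

[Peer]
PublicKey = <redacted>
Endpoint = vpn.example-firm.test:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

SPLIT_TUNNEL = """
[Interface]
PrivateKey = <redacted>
Address = 10.8.0.2/32

[Peer]
PublicKey = <redacted>
Endpoint = vpn.example-firm.test:51820
AllowedIPs = 10.8.0.0/24, 192.168.50.0/24   # only firm subnets: everything else leaks
"""


def parse_wg(text):
    """Minimal INI-style parser; returns [(section_name, {key: [values]})]."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            current[1].setdefault(key, []).append(value)
    return sections


def check_full_tunnel(text):
    """Return a list of findings; an empty list means the profile complies."""
    covers = {4: False, 6: False}
    dns_pinned = False
    for name, keys in parse_wg(text):
        if name == "Interface" and keys.get("DNS"):
            dns_pinned = True                          # resolver comes from the firm, not the hotel
        for value in keys.get("AllowedIPs", []) if name == "Peer" else []:
            for cidr in value.split(","):
                net = ipaddress.ip_network(cidr.strip(), strict=False)
                if net.prefixlen == 0:                 # 0.0.0.0/0 or ::/0 = default route via tunnel
                    covers[net.version] = True
    findings = [f"IPv{v} traffic not forced through the tunnel" for v in (4, 6) if not covers[v]]
    if not dns_pinned:
        findings.append("no DNS server pinned; the local network's resolver would be used")
    return findings
```

Run on a fleet, any non-empty result is a device that should be blocked from the deal room until the profile is corrected.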