WannaCry Scenario: Morrison & Associates Case Crisis
Planning Resources
Scenario Details for IMs
Opening Presentation
“It’s Friday morning at Morrison & Associates, and the law firm is in the final sprint toward Monday’s critical court filing deadline. The $500M class-action case represents two years of work by 20 attorneys, and the case management systems contain irreplaceable depositions, expert witness reports, and legal research. But since Thursday evening, computers throughout the firm have been displaying ransom messages, and critical case files are being encrypted faster than they can be backed up. In the legal profession, missing a court deadline can mean losing a case entirely.”
Initial Symptoms to Present:
Key Discovery Paths:
Detective Investigation Leads:
Protector System Analysis:
Tracker Network Investigation:
Communicator Stakeholder Interviews:
Mid-Scenario Pressure Points:
- Hour 1: Senior associate reports inability to access key depositions needed for motion drafting
- Hour 2: Expert witness calls reporting economic analysis files are inaccessible
- Hour 3: Opposing counsel files motion requesting dismissal due to “plaintiff preparation failures”
- Hour 4: Court clerk confirms no extensions available - Monday 5 PM deadline is absolute
Evolution Triggers:
- If document recovery fails, two years of legal work becomes inaccessible before deadline
- If network isolation affects e-filing systems, court submissions cannot be completed
- If attorney-client communications are compromised, ethical violations and malpractice claims arise
Resolution Pathways:
Technical Success Indicators:
- Team implements emergency document recovery protecting critical case files
- Worm containment prevents spread to email servers and attorney-client communications
- Network segmentation preserves legal research and court filing capabilities
Business Success Indicators:
- Critical case documents recovered enabling Monday court filing deadline compliance
- Attorney-client privilege maintained throughout cybersecurity incident response
- Law firm operations continue without malpractice exposure or ethical violations
Learning Success Indicators:
- Team understands worm propagation through professional service networks and shared file systems
- Participants recognize unique cybersecurity challenges in legal profession and privileged communications
- Group demonstrates coordination between IT security, legal operations, and professional compliance
Common IM Facilitation Challenges:
If Legal Deadline Pressure Is Underestimated:
“Your technical analysis is thorough, but Patricia just confirmed that missing Monday’s deadline will result in automatic case dismissal, and 10,000 plaintiffs will lose their legal recourse. How does this change your response priority?”
If Attorney-Client Privilege Is Ignored:
“While you’re containing the worm, James just realized that encrypted systems may contain privileged attorney-client communications. How do you ensure professional ethical compliance during incident response?”
If Professional Service Context Is Missed:
“Dr. Kim’s expert economic analysis represents two years of specialized research that cannot be recreated by Monday. What’s your strategy for protecting irreplaceable professional work product?”
Success Metrics for Session:
Template Compatibility
Quick Demo (35-40 min)
- Rounds: 1
- Actions per Player: 1
- Investigation: Guided
- Response: Pre-defined
- Focus: Use the “Hook” and “Initial Symptoms” to quickly establish law firm deadline crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing worm propagation patterns and professional service deadline vulnerabilities.
Lunch & Learn (75-90 min)
- Rounds: 2
- Actions per Player: 2
- Investigation: Guided
- Response: Pre-defined
- Focus: This template allows for deeper exploration of legal profession cybersecurity challenges. Use the full set of NPCs to create realistic court deadline pressures. The two rounds allow WannaCry to spread toward attorney-client communications, raising stakes. Debrief can explore balance between case preservation and security controls.
Full Game (120-140 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing court filing deadlines, attorney-client privilege, case file recovery, and professional ethical obligations. The three rounds allow for full narrative arc including worm’s legal-profession-specific propagation and impact.
Advanced Challenge (150-170 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Complexity: Add red herrings (e.g., legitimate case management system updates causing unrelated access issues). Make containment ambiguous, requiring players to justify legal-deadline-facing decisions with incomplete information. Remove access to reference materials to test knowledge recall of worm behavior and professional service security principles.
Quick Demo Materials (35-40 min)
Guided Investigation Clues
Clue 1 (Minute 5): “Network forensics reveal WannaCry ransomware worm exploiting unpatched Windows SMB vulnerability (MS17-010) in document management systems. The worm is spreading autonomously through shared case file repositories across all three law firm offices, encrypting legal documents faster than manual containment efforts.”
Clue 2 (Minute 10): “File analysis shows systematic encryption of case files, depositions, and expert witness reports for Monday’s filing. Timeline analysis reveals the attack began Thursday evening during late-night document preparation, and approximately 60% of critical case materials are already encrypted with military-grade encryption.”
Clue 3 (Minute 15): “Real-time monitoring shows WannaCry propagating toward email servers containing attorney-client privileged communications and cloud-based e-filing systems. Network architecture assessment reveals the law firm delayed security patches to avoid disrupting ongoing litigation, creating the vulnerability that enabled worm entry and rapid propagation.”
Pre-Defined Response Options
Option A: Emergency Network Isolation & Document Recovery Priority
- Action: Immediately isolate all networked systems to stop worm propagation, implement emergency document recovery from offline backups for Monday filing, establish isolated e-filing system for court submission.
- Pros: Completely stops worm spread and enables recovery of critical case documents; protects attorney-client privileged communications from compromise.
- Cons: Requires complete network shutdown affecting all legal operations; backup recovery may not include Thursday evening’s final document revisions.
- Type Effectiveness: Super effective against Worm type malmons like WannaCry; prevents autonomous propagation through network isolation.
Option B: Selective Quarantine & Case File Triage
- Action: Quarantine confirmed infected systems, implement network segmentation to protect e-filing and communication systems, prioritize recovery of Monday filing documents from partially encrypted systems.
- Pros: Allows continued access to unencrypted legal research and filing systems; enables selective document recovery for critical deadline.
- Cons: Risks continued worm propagation in segmented network areas; may not recover all case materials needed for comprehensive Monday filing.
- Type Effectiveness: Moderately effective against Worm threats; reduces but doesn’t eliminate autonomous spread risk.
Option C: Ransom Payment & Rapid Decryption
- Action: Pay ransomware demand to obtain decryption key, attempt rapid document recovery to meet Monday deadline while implementing network security improvements.
- Pros: Potentially fastest path to document recovery for court deadline; maintains law firm operations and case file access.
- Cons: No guarantee decryption will work or complete before Monday; funds criminal enterprise and may violate professional responsibility standards; doesn’t address underlying worm propagation.
- Type Effectiveness: Not effective against Worm malmon type; addresses encryption symptom but not worm propagation; ethically problematic for legal profession.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Critical Document Protection & Worm Containment (30-35 min)
Investigation Clues:
- Clue 1 (Minute 5): Network monitoring shows unprecedented SMB traffic surge across law firm systems. IT Director James Liu reports, “We’re seeing automated port 445 scanning from infected document management servers spreading to attorney workstations and case file repositories - this is autonomous worm propagation through our entire legal document infrastructure.”
- Clue 2 (Minute 10): Security logs reveal successful exploitation of EternalBlue vulnerability (MS17-010) on unpatched Windows systems throughout the firm. The worm spreads without user interaction - every unpatched system containing legal documents is vulnerable.
- Clue 3 (Minute 15): Managing Partner Patricia Morrison reports critical case deadline impact: “Our $500M class-action filing is due Monday at 5 PM. The case files, depositions, and expert witness reports are encrypting. Two years of legal work representing 10,000 plaintiffs is at risk. Missing this deadline means automatic case dismissal.”
- Clue 4 (Minute 20): Expert Witness Dr. Sarah Kim discovers her economic analysis is inaccessible: “My specialized research took two years to complete and is essential for the Monday filing. The data cannot be recreated in this timeline. It’s stored on the law firm’s encrypted servers.”
Response Options:
- Option A: Emergency Network Isolation with Document Recovery Priority - Immediately isolate all networked systems to stop worm spread, disconnect case management infrastructure, prioritize emergency recovery of Monday filing documents from offline backups, establish air-gapped system for court submission.
- Pros: Halts worm propagation to all legal systems; enables focused recovery of critical case files; protects attorney-client privileged communications from further compromise.
- Cons: Complete network shutdown affects all legal operations; backup may not include Thursday evening’s final document revisions; inter-office communication severely disrupted.
- Type Effectiveness: Super effective against Worm - prevents autonomous spread to remaining legal systems but creates significant operational challenges.
- Option B: Deploy Kill Switch with Selective Document Triage - Register or access the domain found in WannaCry malware code to activate kill switch, halt encryption while maintaining network connectivity for case file assessment and selective recovery of Monday deadline materials.
- Pros: Immediately stops encryption without network disruption; allows continued access to unencrypted legal documents; elegant technical solution enabling deadline-focused recovery.
- Cons: Only effective against this specific WannaCry variant; doesn’t remove existing infections; requires rapid execution during case crisis; already-encrypted documents remain inaccessible.
- Type Effectiveness: Highly effective against WannaCry Ransomware specifically; stops further encryption but doesn’t recover encrypted case files.
- Option C: Case File Priority with Rapid Selective Recovery - Focus all resources on recovering specific documents needed for Monday filing, attempt selective decryption or backup restoration of critical case materials, accept worm propagation in lower-priority practice areas temporarily.
- Pros: Ensures court deadline compliance through targeted document recovery; addresses immediate legal obligation to clients; demonstrates case-first legal practice values.
- Cons: Worm continues propagating to other client files and attorney communications; may compromise attorney-client privilege in other matters; creates differential security across cases.
- Type Effectiveness: Partially effective - addresses deadline impact but allows continued worm propagation threatening broader legal practice.
Round 2: Professional Compliance & Legal Practice Recovery (30-35 min)
Investigation Clues:
- Clue 5 (Minute 30): If Option A (isolation) was chosen: Attorneys report inability to access legal research databases and e-filing systems needed for Monday submission. “We need electronic access to complete the filing - but safely.”
- Clue 5 (Minute 30): If Option B (kill switch) was chosen: While encryption has stopped, approximately 60% of critical case materials remain encrypted and inaccessible. Backup restoration is required but may not include final Thursday revisions essential for filing.
- Clue 5 (Minute 30): If Option C (selective) was chosen: The worm has now spread to email servers containing attorney-client privileged communications for multiple client matters. Ethical notification obligations and potential malpractice exposure have emerged.
- Clue 6 (Minute 40): Legal ethics counsel confirms that compromised attorney-client communications create mandatory disclosure obligations to affected clients under professional responsibility rules. “We may have ethical violations requiring bar association reporting.”
- Clue 7 (Minute 50): Opposing counsel Michael Rodriguez files court motion arguing plaintiff inability to meet filing deadline demonstrates case mismanagement warranting dismissal. “The court should dismiss this action with prejudice due to plaintiff counsel’s failure to maintain adequate case management.”
- Clue 8 (Minute 55): Analysis reveals that law firm backup systems were not properly isolated, and some backup data may also be compromised. Recovery strategy must account for potential backup integrity issues while meeting Monday deadline.
Response Options:
- Option A: Comprehensive Legal Emergency Response - Activate law firm emergency protocols, engage cybersecurity counsel for privilege protection, implement full network remediation with legal-specific security controls, request court extension citing extraordinary cyber circumstances, notify affected clients of potential communication compromise.
- Pros: Full professional response ensuring ethical compliance; court may grant extension given extraordinary circumstances; demonstrates responsible legal practice during crisis.
- Cons: Court extension not guaranteed - judge may deny request; client notifications create reputation and malpractice risk; opposing counsel will argue negligence.
- Type Effectiveness: Super effective for Legal Profession Worm Incidents - comprehensive response ensuring professional compliance and client protection.
- Option B: Staged Recovery with Deadline Focus - Maintain case filing priority using manual document reconstruction where necessary, implement phased network restoration starting with case-critical systems, coordinate expert witness alternative data sources, prepare for Monday filing under all circumstances.
- Pros: Balances professional obligations with security recovery; minimizes client impact through deadline compliance; targeted approach to complex legal document challenges.
- Cons: Extended recovery timeline for full firm restoration; attorney burden from manual procedures during case crisis; potential document quality impacts from rushed reconstruction.
- Type Effectiveness: Moderately effective - maintains client service while enabling gradual secure recovery.
- Option C: Accelerated Patch Deployment with Accept Risk - Immediately deploy EternalBlue patches to all law firm systems regardless of testing requirements, accept short-term document access risks to prevent continued worm spread, implement enhanced monitoring for system stability issues, prioritize Monday filing above all else.
- Pros: Fastest path to closing vulnerability across all legal systems; demonstrates decisive security action; minimizes worm propagation window; enables aggressive document recovery.
- Cons: May cause document management system instability affecting case file access; potential data integrity issues from unvalidated patching; risk to e-filing capability.
- Type Effectiveness: Effective against Worm propagation but creates significant legal practice operational and document integrity risks.
Round Transition Narrative
After Round 1 → Round 2:
The team’s initial response determines whether Morrison & Associates faces complete network isolation challenges (segmentation approach), dependency on kill switch effectiveness (domain-based solution), or continued worm propagation with ethical implications (selective approach). Regardless of choice, the situation evolves when opposing counsel Michael Rodriguez files a motion for dismissal citing plaintiff preparation failures, and legal ethics counsel confirms that compromised attorney-client communications create mandatory disclosure obligations to affected clients. The court clerk reiterates that Monday 5 PM deadline is absolute with no extensions available. Backup integrity assessment reveals potential compromise complicating recovery strategies. The team discovers that this is not just a technical incident but a test of legal professional responsibility, client representation obligations, court deadline compliance, and attorney-client privilege protection - all while containing a rapidly spreading worm that threatens the firm’s ability to practice law and serve clients effectively.
Debrief Focus:
- Recognition of worm propagation mechanics through professional service networks and document systems
- Balance between court deadline compliance, attorney-client privilege, and comprehensive security response
- Legal profession-specific challenges including professional responsibility rules, privileged communications, and malpractice exposure
- Kill switch discovery and deployment as emergency response technique for deadline-facing organizations
- Importance of backup isolation and document recovery planning in professional service environments
Full Game Materials (120-140 min, 3 rounds)
Round 1: Critical Case Crisis & Emergency Legal Response (35-40 min)
Opening Scenario:
It’s Friday morning at Morrison & Associates, and Managing Partner Patricia Morrison is reviewing the final checklist for Monday’s critical court filing. The $500M class-action lawsuit represents two years of intensive legal work by 20 attorneys, thousands of hours of depositions, and expert witness analysis that cannot be recreated. The filing deadline is Monday at 5 PM - absolute and non-negotiable.
Patricia’s phone rings with urgency. “We have a major problem,” IT Director James Liu says. “Systems started failing Thursday evening during document prep. Now I’m seeing ransom messages across the network, and case files are encrypting. This is spreading through our document management infrastructure.”
Senior Associate Jennifer Chen bursts into Patricia’s office. “I cannot access the depositions needed for the summary judgment motion. The expert witness files are showing encryption errors. We’re 72 hours from the most important filing of our careers, and I cannot access the case materials.”
Dr. Sarah Kim, the expert economic witness, calls moments later. “My analysis is on your servers and I cannot retrieve it. Two years of specialized research essential for your Monday filing. This cannot be recreated in time.”
Team Action: Each player takes 2 actions to investigate the incident using their role’s capabilities. The IM should track what the team discovers based on their investigation choices.
Investigation Discoveries (based on role and approach):
Detective-focused investigations:
- Network forensics reveal WannaCry ransomware worm exploiting EternalBlue vulnerability (MS17-010) in unpatched document management systems
- File analysis shows systematic encryption of case files, depositions, expert witness reports, and legal research documents
- Timeline reconstruction indicates initial infection during Thursday evening document preparation, followed by rapid autonomous propagation through shared legal file repositories
- Malware analysis discovers embedded kill switch domain name that could halt WannaCry encryption if properly activated
Protector-focused investigations:
- Real-time monitoring shows worm spreading faster than containment - dozens of legal document systems infected per hour
- Critical system assessment reveals case management databases, e-filing systems, and attorney work product at imminent risk
- Network architecture review shows inadequate segmentation between client matters and practice areas due to operational convenience and resource sharing
- Backup integrity assessment discovers some law firm backup systems may be compromised due to inadequate isolation from production networks
Tracker-focused investigations:
- Traffic analysis reveals automated SMB vulnerability exploitation creating network storm affecting law firm connectivity across three offices
- Propagation mapping shows worm moving systematically from document management toward email servers containing attorney-client privileged communications
- External communication analysis indicates potential spread to cloud-based legal research platforms and electronic court filing systems
- Network topology assessment reveals legacy Windows systems in case management infrastructure cannot be easily patched due to document compatibility concerns
Communicator-focused investigations:
- Attorney interviews reveal Thursday evening work on case filing created infection opportunity when security monitoring was minimal and IT staff unavailable
- Legal staff describe critical dependence on encrypted systems for Monday deadline with no viable manual alternatives for complex case materials
- IT staff explain security update delays to avoid disrupting ongoing litigation and document version control requirements
- Expert witness reveals irreplaceable specialized research stored only on law firm servers with no independent backup copies
NPC Interactions:
- Patricia Morrison (Managing Partner): Focused intensely on case preservation and deadline compliance. “This case represents 10,000 plaintiffs seeking justice against corporate wrongdoing. Two years of legal work, millions in case costs, and our firm’s reputation depend on Monday’s filing. We cannot fail our clients.”
- James Liu (IT Director): Overwhelmed by legal profession scope. “The worm is spreading through document systems faster than I can isolate them. Law firms share everything for collaboration - case files, research, communications. That convenience created the vulnerability enabling rapid propagation.”
- Dr. Sarah Kim (Expert Witness): Concerned about irreplaceable research. “My economic analysis required specialized data collection over two years. I don’t have independent copies - it was all maintained on the firm’s secure servers. Without that analysis, your case loses its damages foundation.”
- Michael Rodriguez (Opposing Counsel): (appears via email) Opportunistically exploiting the situation. “I understand plaintiff counsel is experiencing technical difficulties. My client moves for dismissal with prejudice given plaintiff’s apparent inability to manage case materials and meet court deadlines.”
Pressure Events:
- Minute 10: Senior associate reports that key depositions for summary judgment motion are completely inaccessible
- Minute 20: Court clerk confirms Monday 5 PM deadline is absolute - no extensions available regardless of circumstances
- Minute 30: Expert witness Dr. Kim reports cannot access her own backup data - firm servers were her primary repository
- Minute 35: Opposing counsel files formal motion for dismissal citing “plaintiff counsel gross negligence in case management”
Round 1 Response Strategy:
Teams must develop initial response balancing immediate worm containment with critical case file recovery for Monday deadline. Options might include emergency network isolation, kill switch deployment, selective document triage, or aggressive backup restoration. The team must decide whether to pursue court extension (likely to be denied) or focus entirely on technical recovery enabling filing.
Facilitation Questions:
- “How do you balance stopping worm propagation with recovering critical case documents for Monday’s absolute deadline?”
- “What is your recommendation to Patricia Morrison about case filing capability and client obligations?”
- “How do you address attorney-client privilege protection while the worm is actively spreading through legal communications?”
Victory Conditions:
- Worm propagation contained before reaching all attorney-client privileged communications
- Critical case documents recovered or reconstructed enabling Monday filing capability
- Clear communication established with legal leadership about filing capability and professional obligations
Round 2: Professional Responsibility & Document Recovery (35-40 min)
Opening Scenario:
The team’s Round 1 response has created a new legal practice reality. If they chose network isolation, attorneys are now disconnected from legal research and e-filing systems needed for submission. If they deployed the kill switch, encryption has stopped but 60% of case materials remain inaccessible. If they chose selective recovery, the worm continues spreading to other client matters and privileged communications.
Patricia Morrison convenes an emergency partner meeting. “We need comprehensive strategy addressing our legal obligations. We have duties to the class-action clients, ethical responsibilities for attorney-client privilege, court filing deadlines, and potential malpractice exposure. What is our path forward?”
Investigation Clues:
- Clue 1 (Minute 45): Legal research reveals that similar ransomware incidents have resulted in bar association discipline for attorneys who failed to adequately protect client confidential information. Professional responsibility obligations extend beyond just the current case.
- Clue 2 (Minute 50): Document assessment shows that critical expert witness analysis, key depositions, and essential legal memoranda are among the encrypted files. Manual reconstruction would require weeks of work that cannot be completed before Monday deadline.
- Clue 3 (Minute 55): Email server analysis reveals the worm is approaching systems containing attorney-client privileged communications for dozens of client matters beyond the class-action case. Broader ethical notification obligations may be triggered.
- Clue 4 (Minute 60): Court filing specialist reports that even if documents are recovered, final assembly, citation checking, and electronic filing procedures require minimum 24 hours with functioning systems. The timeline is extraordinarily tight.
NPC Interactions:
- Patricia Morrison: Evaluating all options. “I can attempt to negotiate with opposing counsel for agreed extension, but Michael will demand major concessions that harm our clients. I can request court mercy, but judges rarely grant extensions for law firm technical failures. Or we push for Monday filing despite all obstacles.”
- James Liu: Planning technical recovery. “Comprehensive remediation requires patching every system, rebuilding document servers, and implementing proper network segmentation - that’s weeks of work. We need to decide between minimal recovery enabling Monday filing versus thorough security restoration.”
- Dr. Sarah Kim: Offering alternatives. “I can attempt to reconstruct summary analysis from my independent research notes, but it won’t have the depth or precision of the original two-year study. It may be sufficient for initial filing but will weaken the case substantially.”
- Michael Rodriguez: (via phone) Increasing pressure. “My client is prepared to agree to extension if plaintiff counsel acknowledges case management deficiencies and accepts liability limitations. Otherwise, we proceed with dismissal motion and your clients get nothing.”
Pressure Events:
- Minute 70: Law firm malpractice insurance carrier requests incident details and warns about potential coverage issues if professional negligence is established
- Minute 80: Several class-action plaintiff representatives call asking about case status and Monday filing confidence
- Minute 85: Legal ethics hotline confirms that compromised attorney-client communications may require client notification under professional responsibility rules
- Minute 90: Senior partner calculates that case dismissal would result in approximately $3M in unrecoverable costs and catastrophic firm reputation damage
Round 2 Response Strategy:
Teams must develop comprehensive legal profession recovery strategy addressing technical remediation, case filing capability, professional responsibility compliance, client communication, and malpractice risk management. The response should balance Monday deadline with long-term professional obligations.
Facilitation Questions:
- “How do you coordinate document recovery, ethical compliance, and case filing preparation simultaneously?”
- “What is your recommendation to Patricia Morrison about accepting opposing counsel’s extension offer versus pursuing Monday filing?”
- “How do you ensure attorney-client privilege protection and professional responsibility compliance while implementing security remediation?”
Victory Conditions:
- Comprehensive legal practice response strategy balancing all professional obligations
- Clear plan for Monday filing or acceptable alternative protecting client interests
- Path forward addressing immediate case needs and long-term firm security and ethical compliance
Round 3: Legal Practice Resilience & Professional Ethics (35-40 min)
Opening Scenario:
The incident has evolved from immediate case crisis into comprehensive questions about legal profession cybersecurity, professional responsibility, and law firm risk management. The team’s previous responses have shaped Monday filing capability, but now they must address fundamental questions about protecting privileged information, preventing future incidents, and maintaining professional ethical standards.
Patricia Morrison addresses the team. “Regardless of Monday’s outcome, we have broader obligations. How do we protect client confidential information? How do we prevent this from happening again? How do we maintain professional responsibility compliance? And how do we do this while serving clients effectively in a competitive legal market?”
Investigation Clues:
- Clue 1 (Minute 100): Comprehensive assessment reveals the worm exploited systemic law firm IT weaknesses: shared networks for collaboration efficiency, delayed patching for document compatibility, inadequate backup isolation due to cost constraints, and minimal cybersecurity expertise on staff.
- Clue 2 (Minute 110): Review of legal ethics opinions reveals that law firms have professional responsibility obligations for “reasonable cybersecurity measures” to protect client confidential information, and ransomware incidents have triggered bar discipline in some jurisdictions.
- Clue 3 (Minute 115): Analysis of similar law firm ransomware incidents shows that proper security infrastructure, isolated backups, and incident response planning could cost hundreds of thousands annually - expenses that must be balanced against competitive billing rates and client cost sensitivity.
- Clue 4 (Minute 120): Malpractice insurance specialist indicates that law firm cyber policies may not cover all incident costs, and premiums will likely increase significantly following this event. Long-term financial implications extend beyond immediate recovery costs.
NPC Interactions:
- Patricia Morrison: Evaluating firm future. “We built this practice on client service and legal excellence. Now I’m learning we failed in our duty to protect client information through adequate cybersecurity. How do we rebuild trust while making necessary security investments that affect our competitive positioning?”
- James Liu: Proposing IT transformation. “I can design a resilient legal IT architecture with proper segmentation, isolated backups, and comprehensive security monitoring. But implementation requires significant investment and will change how attorneys work - less convenience, more security protocols.”
- Dr. Sarah Kim: Considering expert witness relationship changes. “Going forward, I need to maintain independent copies of all analysis rather than relying solely on law firm servers. This incident shows the risk of depending on any single repository, even supposedly secure legal systems.”
- Michael Rodriguez: (later reflection) “Your firm’s security failure created opportunity for my client. In future litigation, law firm cybersecurity capabilities will be a factor in case strategy. Firms with weak security are vulnerable to disruption during critical case phases.”
Pressure Events:
- Minute 125: Local bar association announces continuing legal education requirement on law firm cybersecurity and professional responsibility obligations for client information protection
- Minute 130: Legal industry publication contacts firm about article on “law firm ransomware vulnerabilities and professional ethics implications”
- Minute 135: Major client sends letter requesting assurances about law firm cybersecurity capabilities and client confidential information protection measures
- Minute 138: Partnership committee schedules meeting to discuss cybersecurity investment requirements and potential impact on firm profitability and partner distributions
Round 3 Response Strategy:
Teams must develop recommendations addressing not just technical recovery but broader questions of legal professional responsibility, client confidential information protection, law firm competitive positioning, and sustainable cybersecurity for professional service firms balancing security with service delivery.
Facilitation Questions:
- “How do you recommend Morrison & Associates balance cybersecurity investments with competitive legal billing rates and client cost expectations?”
- “What professional responsibility changes would prevent similar incidents while respecting the realities of law firm practice and client service?”
- “How should professional service firms approach cybersecurity given confidential information obligations, competitive pressures, and complex operational requirements?”
Victory Conditions:
- Comprehensive recovery plan restoring all legal practice capabilities securely
- Sustainable cybersecurity strategy appropriate for law firm professional responsibilities and economic realities
- Clear communication to clients and professional stakeholders about incident response, prevention, and ongoing information protection
- Recommendations addressing systemic legal profession cybersecurity challenges beyond immediate technical fixes
Debrief Focus:
- Technical understanding of worm propagation through professional service networks and document management systems
- Recognition of legal profession’s unique challenges: attorney-client privilege, professional responsibility, court deadlines, client confidential information
- Balance between immediate case service and long-term professional ethical compliance
- Coordination between IT security, legal practice operations, professional responsibility, and client service
- Professional service-specific considerations in cybersecurity decision-making and resource allocation
Advanced Challenge Materials (150-170 min)
Additional Complexity Elements:
Red Herrings & Misdirection
- Legitimate System Updates: Law firm IT had scheduled document management system updates for this week, creating confusion about whether file access issues are attack-related or planned maintenance complications.
- Unrelated Document Issues: Some attorneys report missing files that are actually due to incorrect folder organization unrelated to the attack, creating noise in incident investigation.
- Opposing Counsel Tactics: Michael Rodriguez sends multiple communications that could be legitimate legal strategy or attempts to exploit the firm’s technical difficulties - team must assess his intentions.
- Client Anxiety: Multiple clients call with various concerns that pull attorney attention away from incident response and case filing preparation.
Removed Resources & Constraints
- No External Threat Intelligence: Remove access to pre-existing WannaCry knowledge - team must deduce worm behavior, kill switch mechanism, and EternalBlue vulnerability details from legal environment investigation alone.
- Limited IT Expertise: IT Director Liu has general technology knowledge but no advanced incident response experience - team cannot rely on NPC technical cybersecurity guidance.
- Budget Constraints: Law firm partnership is cost-conscious and questions expensive security solutions - emergency expenditures require partner approval creating decision delays.
- Backup Uncertainty: Complete uncertainty about backup integrity and recovery capability due to inadequate backup testing and documentation.
Enhanced Pressure & Consequences
- Client Impact Stories: Specific narratives of individual plaintiffs in the class-action case who will lose legal recourse if Monday deadline is missed - personalizes the case filing pressure.
- Professional Reputation: Local legal community learns of the incident, creating reputation pressure and potential competitive disadvantage for the firm’s future client development.
- Bar Association Inquiry: State bar association’s professional responsibility committee sends inquiry letter about the incident and client information protection measures.
- Expert Witness Dependency: Dr. Kim’s analysis is truly irreplaceable and cannot be adequately reconstructed - team must recover the encrypted data or accept significantly weakened case.
Ethical Dilemmas
- Court Extension Request: Should the firm request extension acknowledging technical failures (potentially harming client interests through opposing counsel concessions) or push for Monday filing with incomplete materials?
- Client Notification: Should the firm immediately notify clients about potential attorney-client privilege compromise creating reputation risk, or wait until full scope is determined?
- Ransom Payment: Is paying ransom ethically acceptable for law firms given professional responsibility standards and the imperative to recover client confidential information?
- Security vs. Service: Should the firm implement strict security controls that reduce attorney efficiency and convenience, or maintain accessible systems accepting some security risk?
Advanced Investigation Challenges
- Privilege Protection: Investigation must protect attorney-client privilege even while analyzing compromised communications - creates complex forensic constraints.
- Multi-Office Complexity: Worm spread across three law firm offices with different network configurations requires coordinated investigation and response.
- E-Discovery Implications: If privileged communications were compromised, opposing counsel may argue they are no longer privileged - creates legal and technical investigation complexity.
- Vendor Dependencies: Document management and e-filing systems require vendor support for recovery, but vendors have limited weekend availability during critical deadline period.
Complex Recovery Scenarios
- Document Version Control: Recovery reveals multiple versions of critical documents creating uncertainty about which versions contain final attorney revisions essential for filing.
- Citation Verification: Recovered legal documents may have citation errors from partial encryption requiring time-intensive verification before court submission.
- E-Filing Technical Requirements: Court electronic filing system has strict formatting requirements that may be disrupted by recovery process creating last-minute technical compliance challenges.
- Expert Witness Coordination: Dr. Kim is traveling with limited availability during recovery period, complicating coordination for alternative analysis if primary data cannot be recovered.
Advanced Debrief Topics
- Professional Responsibility & Cybersecurity: How should legal professional responsibility rules address law firm cybersecurity obligations for client confidential information protection?
- Professional Service Constraints: What unique challenges do law firms face in cybersecurity compared to other professional service organizations or corporate environments?
- Deadline-Driven Security: How can professional service organizations approach cybersecurity realistically when client deadlines create pressure for operational convenience over security protocols?
- Privileged Information Protection: How should legal profession balance attorney-client privilege protection with necessary incident response investigation and remediation?
- Competitive Pressures: How do law firms justify cybersecurity investments to cost-conscious clients and competitive billing rate pressures?
Advanced Challenge Debrief Questions:
- “How did professional responsibility obligations and court deadline pressure affect your incident response decision-making differently than corporate environment scenarios?”
- “What unique approaches might legal profession require for cybersecurity compared to other industries with similar confidential information?”
- “How do you balance attorney-client privilege protection with necessary technical investigation during cybersecurity incidents?”
- “What systemic changes would make law firms more resilient to cybersecurity threats while respecting professional ethics, competitive economics, and client service obligations?”