Every law firm is vulnerable to cybersecurity breaches, just like virtually any other business today. However, law firms are particularly attractive targets for hackers. At the same time, law firms are subject to not only the laws that apply to any other businesses, but to legal ethics rules as well.
Unfortunately, every law firm will eventually have some kind of cybersecurity incident or breach (if it hasn’t already). What sets firms apart is: (1) how well they minimize the odds of an incident occurring, and (2) how well they’re able to detect, respond to, and recover from one.
Many attorneys remember the days when law firms relied on typewriters, snail-mail, and land-line phones (with actual bells in them). Those days are long gone, and attorneys who haven’t learned how to securely use today’s technology are not only failing to take advantage of sound business practices, but are also putting their clients, their firms, and their careers at serious risk.
In the headlines: law firm cybersecurity breaches
In the last year, law firm cybersecurity breaches were consistently making national and global headlines. To mention a few highlights: in March, news broke about several of the biggest U.S. law firms being hacked, including Cravath and Weil Gotshal. Later that month, the FBI issued an alert about a Russian hacker recruiting other cybercriminals to hack into 48 U.S. law firms.
Then in April, we learned about one of the biggest data breaches in history, that of Panamanian law firm Mossack Fonseca, in which 11.5M files (now known as the “Panama Papers”) were stolen and leaked to the media. As a result of this breach, the world learned that the firm helped international clients (global leaders, businesspersons, and celebrities) launder money, escape sanctions, evade taxes, etc. It also resulted in Iceland’s PM Gunnlaugsson resigning over revelations about his offshore investment company.
That same month, an IT manager from the law firm Locke Lord was sentenced for deleting or disabling hundreds of user accounts, desktop and laptop accounts, and user e-mail accounts.
In May, plaintiffs’ firm Edelson, PC filed a class action lawsuit against Chicago-based law firm Johnson & Bell for lacking appropriate cybersecurity, the first class action of its kind (more on this below).
In December, the Colorado Supreme Court’s Office of Attorney Regulation Counsel issued a warning about a phishing scam that was targeting lawyers in several states, in which hackers were sending attorneys an email that claimed a disciplinary action had been filed against them, and invited the reader to click on a link to respond. Unfortunately, that link and the email’s attachments delivered ransomware, a form of malware that encrypts the user’s data until a ransom is paid for decryption.
Concerned about your law firm yet? You should be.
Why are law firms a favorite target of hackers?
Hackers view law firms as less secure back doors to clients’ information. Hackers interested in obtaining client information could hack one client at a time, but they know they can hack one law firm and get information regarding many clients at the same time and place: a one-stop shop for valuable information which they can steal and use, sell, or hold for ransom.
Law firms are also attractive targets due to the value of the information that can be stolen.
In the movie Wall Street, Gordon Gekko (Michael Douglas) said: “The most valuable commodity I know of is information.” And what did his protégé, Bud Fox (Charlie Sheen), do? He went to a law firm dressed as building maintenance and secretly copied M&A information to use for insider trading. As they did in the 1980s, law firms still hold valuable M&A information, only today it is much easier for hackers to steal it. Other information hackers would like to steal from law firms includes:
- client intellectual property, including patent, copyright, and trade secret information;
- personally identifying information (PII), such as health information, financial accounts, tax information, etc. of clients, firm employees, and even third parties (for example, sensitive information obtained via discovery regarding opposing parties, witnesses, etc.);
- payment card information;
- case and litigation strategy; and
- a firm’s own sensitive information (credit cards, bank accounts, etc.).
Law firm duty to secure information
Law firms’ duty to secure information comes from multiple sources. In the U.S., there is no single federal cybersecurity or data privacy law; rather, we have an overlapping “patchwork” of federal and state laws and regulations, and common law.
A few examples of federal laws that law firms need to be aware of include:
- The FTC Act, which prohibits “unfair” or “deceptive” acts or practices. The FTC has pursued enforcement actions against organizations under the “deceptive” theory for misrepresenting (1) their cybersecurity measures, and/or (2) how they used or disclosed PII. Enforcement actions under the “unfair” theory include instances where an organization with inadequate cybersecurity has a data breach.
- The Health Information Technology for Economic and Clinical Health Act (HITECH), which imposes cybersecurity obligations on HIPAA covered entities and business associates of covered entities (which may include law firms).
- The Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transaction Act (FACTA), which cover cybersecurity, identity theft, and the disclosure of consumer reports.
As of January 1, 2017, 47 states have breach notification laws that require organizations to notify individuals (and sometimes state authorities) when a data breach affects their PII. There is also an incentive to encrypt your clients’ data: many states exclude breaches of encrypted data from their breach notification requirements. In addition, at least 31 states have laws regarding the secure disposal of records that include PII. And some states, such as Massachusetts, have stringent minimum information security requirements. Importantly, the state law that applies to your firm is often based on the residence of the individual whose information was breached, not the location of your firm.
Industry guidance and self-regulation
In addition to federal and state laws and regulations, some industries (for example, the payment card industry) issue guidelines that are considered industry best practices which some law firms may be contractually obligated to adhere to (either by the industry itself or by a client who is part of that industry).
As cybersecurity incidents have been on the upswing, law firms have been increasingly targeted in malpractice suits based on common law (negligence, breach of implied contract, etc.). One such case is plaintiffs’ firm Edelson PC’s class action against the Johnson & Bell law firm on behalf of Johnson & Bell’s former clients. This case is interesting because it isn’t based on a data breach (there was no breach), but rather on alleged cybersecurity vulnerabilities that put client information at risk: “a data breach waiting to happen.”
According to the complaint, Johnson’s alleged malpractice is based on its use of an outdated version of a time-keeping application that NIST identified as being vulnerable to ransomware attacks, use of a virtual private network (VPN) that was vulnerable to “man-in-the-middle” attacks (in which a hacker can access confidential communications between parties), and use of an outdated email system which made the firm vulnerable to attacks that would decrypt email content.
Again, there is no allegation of a data breach, or even an attempted breach. You may be wondering: what about damages? The main basis of alleged damages is this: part of the fees paid by the plaintiffs was for adequate cybersecurity that wasn’t provided, and the plaintiffs wouldn’t have paid Johnson, or would have paid less, if Johnson had disclosed the alleged cybersecurity vulnerabilities. This case is currently proceeding in arbitration, and news reports have indicated that several other such lawsuits are pending under seal or will be filed in the near future. I, for one, will be watching these cases closely.
Legal ethics rules
Of course, law firms are also bound by legal ethical rules that impose cybersecurity obligations. For example, the American Bar Association (ABA) revised Comment 8 to Model Rule of Professional Conduct 1.1, pertaining to competence, which now states that an attorney “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology …” What this means is that lawyers now need to know what technology to use for a client, and how to use it securely, in order to competently represent clients.
Another revision is found in Model Rule 1.6(c), pertaining to confidentiality, which now states that an attorney “shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” What are reasonable efforts? Fortunately, Comment 18 to Rule 1.6 lists factors to consider:
- the sensitivity of the information;
- the likelihood of disclosure if additional safeguards are not employed;
- the cost of employing additional safeguards;
- the difficulty of implementing the safeguards; and
- the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
I’m often asked about the ethical implications of an attorney using outside service providers, such as a cloud service. This is covered by Comment 3 to Model Rule 5.3, which essentially says that this is generally permissible if the attorney makes “reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations.”
The consequences of a data breach could potentially put your firm out of business. Does this seem like an extreme statement? Consider the following: initial expenses include those for forensic investigation, legal counsel, crisis management and public relations, breach notification, credit monitoring services for those impacted by the breach, replacement of software or hardware, and state and federal compliance obligations. And of course, the even bigger consequences could include regulatory fines, ethics complaints, malpractice lawsuits, attorney downtime and loss of billable hours, and the damage to your firm’s reputation.
The intent of this blog post isn’t to keep you up at night (although I’d understand if it did). In part 2 of this post, I’ll address measures you can take to prevent, detect, respond to, and recover from cybersecurity incidents. And, hopefully after reading it you’ll sleep more soundly too.