Hacked and Smacked: The Lurking Danger and Costly Ramifications of a Data Breach
By Scott R. Schaffer, Esq. and May Li, Esq., Wilson Elser LLP
Law firms, whether large or small, are prime targets for cybercriminals, who view them as warehouses that can provide access to employee identification data, banking information, trade secrets, non-public details on client transactions, and other highly sensitive information.
Over the past two years, numerous high-profile data breaches involving attorneys made national and international news:
- June 2017, a leading U.K.-headquartered international law firm suffered a ransomware attack that left the firm and its employees without phones and email for three days.
- December 2016, Preet Bharara, then United States Attorney for the Southern District of New York, unsealed an indictment that charged three defendants with amassing profits of more than $4 million by trading on insider information that they obtained by hacking into the networks and servers of at least seven well-known U.S.-based international law firms that specialize in corporate mergers and acquisitions.
- December 2016, the U.S. District Court for the Northern District of Illinois unsealed the first public data security class action complaint against a Chicago-based law firm arising from a breach of the firm’s computer network.
- April 2016, Mossack Fonseca, a Panamanian law firm that was once the world’s fourth largest offshore firm, suffered a massive data breach in which 11.5 million files were accessed. This breach led to the exposure of off-shore structures designed to minimize tax liabilities, and appeared to demonstrate links between organized crime and politicians, celebrities and private investors. Information from the breach was leaked to the media and led to resignations of heads of state in Iceland and Pakistan.
Most law firm data breaches are not disclosed to the public, but they are occurring with increasing frequency. The ABA’s 2017 Legal Technology Survey Report revealed that 22% of law firms experienced a cyberattack or data breach in 2017, which is an increase of 14% since 2016. The ABA Survey further revealed that law firms with 10−49 attorneys reported the most security breaches (35%), followed by law firms with 50−99 attorneys (33%), law firms with 2−9 attorneys (27%), law firms with 500 or more attorneys (23%) and solo practitioners (10%).
Causes and Consequences of a Data Breach
Cyber threats can be external, internal or a combination of the two. External threats include “phishing” (the practice of sending fraudulent emails purporting to be from reputable entities to induce individuals to reveal personal information) and the delivery of “malware” (software that is intended to damage or disable computers and computer systems) by hackers. Internal causes of a data security breach at a law firm may include (1) human error; (2) an attorney’s laptop, tablet or smartphone being misplaced or stolen; (3) employee misconduct; (4) improper or careless disposal of client records; (5) “hacktivism,” which is the use of hacking to promote political or social purposes (and which can involve either internal or external actors); and (6) cyber espionage (again, involving persons within and outside a firm).
The ramifications that flow from a law firm’s data breach are not only costly to the firm but also can have a significant adverse impact on the reputations of the firm and its clients. On or about March 16, 2018, Mossack Fonseca announced that it was shutting down due to the “reputational deterioration” that was caused by the numerous scandals and public disdain resulting from the April 2016 data breach.
Ethical Obligations of a Lawyer
ABA Rules of Professional Conduct
Lawyers and law firms have ethical obligations under the rules of professional conduct in their jurisdictions to competently represent their clients, protect their clients’ confidential information, and supervise and train their staff on cybersecurity policies:
- Duty of Competence. Pursuant to ABA Model Rules of Professional Conduct, Rule 1.1, “a lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” In 2012, recognizing the impact that technological advances have had on the practice of law, the ABA amended Rule 1.1 to include Comment 8 (Maintaining Competence), which explains that “to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.” Thus, the scope of professional competence includes understanding and staying current on technological advances and risks that attorneys face when using technology in the practice of law.
- Duty of Confidentiality. In addition to providing competent representation, safeguarding a client’s confidences is foundational to the lawyer-client relationship. ABA Rule 1.6 provides that “a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is [otherwise] permitted.” In 2012, the ABA amended Rule 1.6 to include paragraph (c), which requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Significantly, Comment 18 of Rule 1.6 (Acting Competently to Preserve Confidentiality) sets forth several factors that are considered in evaluating the reasonableness of a lawyer’s efforts to prevent unauthorized access or disclosure, including but not limited to the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.
- Duty to Supervise Staff. Client assignments often involve teamwork among lawyers, support staff and/or outside vendors. Lawyers are required to supervise more-junior attorneys, paralegals, secretaries, clerks and outside vendors who come into contact with client information. ABA Rules 5.1 and 5.3 provide that “a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance” that all lawyers and non-lawyers (whether or not employed by the firm) conform to the Rules of Professional Conduct.
In other words, a law firm should have policies in place and train all of its employees, including lawyers and non-lawyers, on cybersecurity practices to avert breaches and to safeguard client information. A best practice is to formulate written policies and assure that outside vendors understand, accept and comply with the firm’s cybersecurity procedures.
Security Breach Notification to Affected Individuals
All 50 of the United States, plus the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have enacted legislation that requires private and government-related entities to notify individuals of a data breach involving the unauthorized access of client materials generally and personal identification information particularly. In some instances, attorneys may have a duty to inform non-clients of a data breach because data breaches expose information about potential business partners/investors, opposing litigants, potential witnesses or other non-clients.
A data breach may impact individuals who live in various jurisdictions, each of whom is entitled to protection under the laws and regulations in effect where they live. In the event of a data breach, a law firm must review state notification laws carefully to ensure compliance, as the following may vary by state: (1) definition of personal identification information, (2) definition of a breach, (3) timing of notification to the affected individuals, (4) notification to state regulators, and (5) available private remedies and enforcement actions.
In addition to state laws, there are federal laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), that require certain persons and entities, including law firms, to protect personally identifiable information and to provide notification to the affected individuals in the event of a breach.
Prevention and Response to Cyberattack
As we become more technologically advanced as a society, law firms must preemptively limit their vulnerability, risk and exposure to cyberattacks.
Cyber Liability Insurance Coverage in Addition to Lawyers Professional Liability Coverage
While law firms generally carry lawyers professional liability (LPL) insurance, a large number of firms do not also have stand-alone cyber liability coverage. In the event of a data breach, an LPL policy may provide coverage for third-party claims, depending on its terms, conditions and limitations. Law firms also face circumstances generally not covered under an LPL policy, such as first-party exposure to public relations/crisis management costs, business interruption, cyber extortion threats, data recovery costs, regulatory actions, and fines and penalties. A comprehensive cyber liability insurance policy may provide coverage that addresses these first-party losses suffered by law firms.
Establish an Incident Response Plan and Team Before a Cyberattack Occurs
Pursuant to Barack Obama’s February 12, 2013 Executive Order to improve critical infrastructure cybersecurity, in 2014 the National Institute of Standards and Technology issued a Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) that provided a set of standards, methodologies, guidelines and practices to help organizations manage cybersecurity risks. The Cybersecurity Framework provides the following five-step comprehensive cybersecurity program: (1) Identify, (2) Protect, (3) Detect, (4) Respond and (5) Recover.
Law firms should identify potential areas of cybersecurity vulnerability, develop remedial efforts to eliminate vulnerabilities, implement methods to detect occurrences of cyberattacks, establish an incident response team and plan to contain and remediate cyberattacks, and develop a plan to restore services. In addition, law firms should conduct a post-cyberattack incident evaluation to understand how the incident occurred, learn from the experience, grade the overall recovery and response, and update the incident response plan to incorporate lessons learned.
Cybersecurity experts indicate that the first 24 hours after a data breach are critical. A law firm’s incident response team should be multifaceted and include:
- Key internal law firm employees in the areas of management, IT, communications, HR and general counsel
- Outside vendors such as cybersecurity firms, computer forensics experts and public relations firms
- Specialists in handling notifications and tracking responses, setting up call centers, and providing credit/identity monitoring and restoration services
As law firms vary in size, areas of practice, the types of data stored and IT infrastructure, each should develop an incident response team and plan tailored to its needs. One size does not fit all.
However, an incident response plan should at least specify the following:
- Contact information for the internal and external members of the incident response team as well as backup personnel
- Breach notification protocols
- Data breach coach/lawyer’s contact information
- Lawyers professional liability insurance and cyber liability insurance information (policy number, claim submission timing requirements to avoid late reporting issues, methodology to submit a claim and the broker’s contact information)
- Procedures to contain and remediate the data breach and restore services after the breach has been cured
A law firm’s employees are the first line of defense against cyberattacks. It is crucial that all employees receive cybersecurity training so they will: recognize the risks; be aware of current trends in cyberattacks; understand the importance of safeguarding law firm data; honor the ethical obligations of maintaining clients’ confidences; be cognizant of the firm’s social media policies and protocols; use the internet intelligently; and safeguard their own devices. Technology changes constantly as do cyber-hacking tactics and techniques. It is therefore recommended that law firms have cybersecurity refresher training every year.
Cyber intrusions are becoming more sophisticated and law firms are increasingly targeted. Law firms need to take proactive countermeasures to avoid being hacked by cybercriminals. Without these preventative measures in place, not only are clients at risk of being harmed but law firms also face a huge risk of significant financial loss and irreparable reputational harm. Therefore, in the ongoing battle against cybercriminals, preparation is paramount. Law firms need to invest the appropriate time and resources in cybersecurity now so that they are adequately prepared if and when a cyberattack occurs.