Law firms have become prime targets for many types of cyberattacks, including phishing scams, technological spying and hacking. It is no longer unusual to hear of valuable and confidential client information being leaked or stolen. Headlines have been replete with examples of law firms targeted by hackers seeking confidential client information.
It is not particularly surprising that an internal report issued by Citigroup in 2015 concluded that “digital security at many law firms, despite improvements, generally remains below the standards for other industries.” There has also been increased activity among the plaintiffs bar pursuing class actions or other suits against law firms targeted by hackers on the basis that the firms’ failure to properly protect confidential information from hackers violated the duties they owed to their clients.
Gone are the days when attorneys could easily identify an email scam written in broken English and using suspicious wording. Current phishing scams say the right things and use the right terminology. And, increasingly, they use confidential data in the newest form of corporate extortion. Of course, for attorneys and law firms, the risks are much more than financial. Bar rules obligate attorneys to protect client information with potential discipline lurking in addition to whatever financial damage a client may suffer.
The level of risk has increased to such an extent that even government agencies, including the Department of Defense, can be fooled. These incidents are also quite expensive. The Ponemon Institute found that the typical cyber crime costs a company $8.9 million in operating expenses, lost business, and theft of information assets. Lawsuits relating to unauthorized access to personal or confidential business data are also expensive to defend and settle.
Basically, law firms are the “next frontier” for hackers. This three-part series will discuss what law firms can do to protect themselves. Part I focuses on the scope of the problem, the risks, and attorney obligations of confidentiality. Part II will identify common mistakes made by law firms in their cybersecurity practice. Part III will offer some ideas for how to address this problem and reduce risk.
The most important starting point is recognizing that law firms are unique targets in that they maintain and store diverse information relating both to clients and employees. Attorneys often falsely assume that no one is interested in their confidential information. However, every attorney and law firm has in email, document systems, or networks a bevy of confidential information that is valuable to hackers or others who would gain access.
This information can relate to confidential business deals, bank account numbers, patent applications, or even Social Security numbers (of clients, employees, or members of a class). In addition, law firms often obtain sensitive information through discovery that does not relate to their own clients or employees, including trade secrets and insider information. Finally, law firms have trust accounts that contain client money.
While once such attacks seemed to be limited to mega-firms with significant overseas practices, that is no longer the case. The growth in web presence for attorneys, through use of internal networks, data storage, and personal devices, means that even solo practitioners are vulnerable.
Hacking is not the only risk. Another is the threat to data integrity from malware or viruses. Law firms also face internal cyber threats from their own employees, whether those employees intentionally access law firm systems for nefarious purposes or those employees inadvertently expose the network by losing a laptop or phone, falling victim to a phishing scam, or accessing secure law firm networks via an unsecure connection.
For law firms, the protection of information networks and sensitive information residing on those networks is a business and ethical necessity. In addition to the financial risks noted above, law firms also are concerned with ethical and professional duties, violations of which can lead to discipline. Specifically, per Connecticut Rule of Professional Conduct 1.6(e), “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
The comments to Rule 1.6(e) shed some light on what is expected of attorneys:
When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this rule. Whether a lawyer may be required to take additional steps in order to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these rules.
Generally, this means that attorneys entrusted with confidential or personal data are the guardians of that data. Whether an attorney has an elevated duty to employ additional precautions depends on the facts and circumstances.
In evaluating whether an attorney has violated the rule, the comments to the rule indicate that a series of factors will be considered, including the sensitivity of the information, whether additional safeguards would have protected the data, and how expensive implementation of safeguards would have been. It is clear that law firms cannot ignore the issue.
Separately, courts have permitted suits against companies that were supposed to safeguard confidential or private information and protect it from hackers. It is not unreasonable to think that law firms, which regularly receive and store confidential data, whether it is details of a proposed merger, client records being reviewed in connection with litigation, or confidential business information needed for a counseling matter, could be held to a similar standard.
The first step is to recognize the risk, and not to put it off for another day.
Shari L. Klevens is a partner at Dentons and serves on the firm’s U.S. board of directors. She represents and advises lawyers and insurers on complex claims and is co-chairwoman of Dentons’ global insurance sector team. Alanna Clair is a senior managing associate at Dentons and focuses on professional liability defense. Klevens and Clair are co-authors of “The Lawyer’s Handbook: Ethics Compliance and Claim Avoidance.”