If attorney Richard Chargar happens to leave his iPhone in a taxi while rushing to meet clients, he can rest assured that no one will see confidential information from clients of his employee benefits and executive compensation practice. All information on the phone, from his grocery list and daily schedule to details about executive severence packages, would be erased through a security program his law firm has added.
“We get lots of questions from clients regarding security and privacy,” said Chargar, who as managing partner of the Stamford Office of Kelley Drye & Warren, advises clients on employee benefits plans. “My iPhone is set to be secure, so if I were to lose my phone, everything on it would be erased. Our firm would be able to do that from our office in New York.”
Just about every day brings word of hacker attacks, carrying with it the threat of data and security breaches that can lead to not only embarrassment, but liability and financial losses. With increasing frequency, clients are demanding to know what protections law firms have in place to protect sensitive, proprietary information from prying eyes. The newest threat to law firms and the clients whose information they hold is called hacktivism: the use of computers and computer networks as a means of protest.
“It’s a fast-growing area,” said Chuck Welsh, managing partner of Edwards Wildman in Hartford. His firm, where he handles high finance mergers and acquisitions in the insurance industry, has frequent informational sessions for clients and partners on the issue of cybersecurity.
The issues related to cybersecurity, he said, are on everyone’s mind these days. At McCarter & English, Eric Grondahl, managing partner of the Hartford office, said the firm has added several layers of protections against cyber-attacks, including additional log-in screens and extra “firewalls.”
The need for cybersecurity “affects the way we are all doing business,” said Grondahl, whose practice focuses on intellectual property.
One way the law business is adapting is through organized efforts to raise awareness about the risks of leaving sensitive information unprotected. Policies are being changed at many law firms to require desk spaces to be cleaned off each night and computer access protected with passwords that are difficult to duplicate or figure out, said
Steven J. Bonafonte, who is partner in Pullman & Comley’s cybersecurity, privacy and infrastructure protection practice groups in Hartford, was recently named general counsel of the Connecticut Chapter of the Association of Certified Fraud Examiners. In his new role, Bonafonte provides training to lawyers for continuing legal education programs and serves as a legal resource for members of the association.
The association, with 50,000 members in chapters across the U.S., trains lawyers and other professionals to be certified fraud examiners, who can then use the skills they learn to prevent data breaches from occuring in business settings where they work.
“Law firms don’t have secrets,” Bonafonte said. “It’s the client information that hackers want for the most part. Law firms should not be as concerned with managing their own secrets, as much as they are the secrets that belong to their clients.”
Such secrets include bank account numbers and personal information like social security numbers or lists of client addresses, which can typically be found in paperwork involving business sales or mergers, or discovery documents for trials.
Bonafonte said that part of the challenge facing law firms is that for some lawyers, cybersecurity can appear to be a “distraction” from traditional tasks such as deposing witnesses and preparing documents.
“Most lawyers are rightly first and foremost concentrating on their legal strategy and the facts and the law to defend their clients,” he said. “But they need to be aware that all of the information they hold is quickly transmittable around the world and lost. With all of the benefits of the technology, there are risks of the information being released without permission.”
According to the FBI, cybersecurity is a growing problem facing U.S. law firms. In a recent report, the cybersecurity firm Mandiant Corp. estimated that 80 major law firms were hacked last year. The breaches can create ethical problems for attorneys who are not vigilant in doing their best to protect against such attacks, Bonafonte said.
Lawyers are bound to maintain the confidentiality of client information, as the American Bar Association’s Model Rule 1.6 explains. In the old world of paper documents, the risk of inadvertent disclosure of client information was not as high. It might occur very rarely, for instance, in a large production of documents in litigation.
In the electronic world, however, the risk is much greater. Microsoft Outlook’s automatic address feature, for instance has caused many lawyers to send e-mails to the wrong person, which is a simple way for secure information to be released.
Hackers are constantly seeking ways to penetrate firewalls to access confidential information. “Track changes” and “comment” fields in Microsoft Word; a lost thumb drive, notebook or tablet computer that is not password protected; and online “cloud” data storage services that lack sufficient security measures are among other ways that technology ceases to become a lawyer’s friend.
Bonafonte said there are several policy changes underway which could eventually make their way into changes of the rules of professional conduct for lawyers in the state. To remind lawyers of cybersecurity risks, a new sub-paragraph is expected to be added next month to the ABA’s Rule 1.6. The rule will require lawyers to “make reasonable efforts” to prevent “inadvertent or unauthorized disclosure of, or unauthorized access to” confidential client information.
Survival Of Fittest
As more lawyers adopt state-of-the-art data protection techniques — or as malpractice carriers require such tools to be adopted — lawyers who are unable to afford to do so may be in jeopardy of being confronted with an allegation of a breach of a duty of care if an unauthorized or inadvertent disclosure occurs.
The competitive disadvantages that will arise for those who don’t adapt to the growing need for cyber security could lead to a factor that Bonafonte refers to as “natural selection.”
Some lawyers who fail to protect client information or who lose data because they are poorly protected could lose business, Bonafonte said, while those who are better protected “and do it well will have a practice enhancer.”
While being more technically savvy may not be a “competitive advantage, yet,” he said, it could be in the future.
The weakest links to any law firm, security experts say, will continue to be those who don’t understand that opening up phishing e-mails that hackers send or otherwise let their guard down. While no one “wants to have a target on their back” by publicly discussing their cybersecurity, Bonafonte said “clean desk policies” and extra log-ins can “keep prying eyes from looking.”
The best steps to minimize risks limiting the number of people who have access to a network. Such safety features, like phones and computer drives that automatically erase data when they are lost or stolen, allow attorneys to work in an environment in which information is secure.
“Those types of protections will be harder for smaller practitioners to obtain,” because of cost, he said.•