Law firms are, by their very nature, privy to some of the most sensitive and confidential information in the business world. For that reason, in this era of ever-growing technological advances, law firms face great risks of cyber attacks. Phishing scams, technological spying and hacking are becoming more and more common in the legal world.
From the seemingly manageable challenges of lost laptops and unsecured networks to the real-life confirmation that firms are being targeted by international computer hackers, cybersecurity is an issue that can be ignored no longer. It is a risk that grows every day.
Technological terrorists using sophisticated computer skills including hacking and spying are focusing on law firms more than ever. One recent scam, targeting 100 companies (approximately 20 percent of which were law firms), launched phishing attacks securing passwords, penetrating superficial firewalls, and gaining access to extremely sensitive information.
More and more, reports confirm that these are not isolated incidents. The American Bar Association confirmed that, in 2015, approximately one-quarter of all U.S. law firms with 100 or more lawyers had experienced a data breach through hacker or website attacks, break-ins, or lost or stolen computers or phones. In that same year, fifteen percent of all law firms overall, regardless of size, had reported an unauthorized intrusion into the firm’s computer files, up from ten percent in 2012.
Experts agree that many hackers view law firms as “one stop shopping” for electronically-stored information — accessing both the law firms’ information and the clients’. And, notwithstanding the greater risks, law firms generally have lower security than most of their corporate clients.
This three-part series will discuss what law firms can do to protect themselves. Part One focuses on the scope of the problem, the risks, and attorney obligations of confidentiality. Part Two will identify common mistakes made by law firms in their cyber security practice. Part Three will offer some ideas for how to address this problem and reduce risk.
The most important starting point is recognizing that law firms are unique targets. Attorneys often falsely assume that no one is interested in their confidential information. However, every attorney and law firm has — in email, document systems, or networks — a bevy of confidential information that is valuable to hackers or others who would gain access.
It is a mistake for small firms or even solo practitioners to think that only those law firms representing the Fortune 100 are vulnerable. While once such attacks seemed to be limited to mega-firms with significant overseas practices, that is no longer the case. The growth in web presence for attorneys, through use of internal networks, data storage, and personal devices, means that even solo practitioners are vulnerable. Nearly every attorney stores some confidential information on their networks.
This information can relate to confidential business deals, bank account numbers, patent applications, or even social security numbers (of clients, employees, or members of a class). In addition, law firms often obtain sensitive information through discovery that does not relate to their own clients or employees, including trade secrets and insider information. Finally, law firms have trust accounts that contain client money.
Hacking is not the only risk. Another is the threat to data integrity from malware or viruses. Law firms also face internal cyber threats from their own employees, whether those employees intentionally access law firm systems for nefarious purposes, or those employees inadvertently expose the network by losing a laptop or phone, falling victim to a phishing scam, or accessing secure law firm networks via an unsecure connection.
For law firms, the protection of information networks and sensitive information residing on those networks is a business and ethical necessity. In addition to the financial risks noted above, law firms also are concerned with ethical and professional duties, violations of which can lead to discipline ranging from suspension from the practice of law to disbarment. Specifically, per ABA Model Rule of Professional Conduct 1.6(c), “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” This means that attorneys entrusted with confidential or personal data are the guardians of that data.
Although Texas is not among the states that have adopted this model rule, the ABA comments illustrate what precautions an attorney may be required to consider:
When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.
In evaluating whether an attorney has violated the ABA Model Rule, the comments to the rule indicate that a series of factors will be considered, including the sensitivity of the information, whether additional safeguards would have protected the data, and how expensive implementation of safeguards would have been.
Separately, courts have permitted suits against companies who were supposed to safeguard confidential or private information and protect it from hackers. It is not unreasonable to think that law firms, who regularly receive and store confidential data (whether it is details of a proposed merger or client records being reviewed in connection with litigation, or confidential business information needed for a counseling matter), could be held to a similar standard.
Step One: Recognize the risk and do not put it off until another day.
Shari L. Klevens is a partner at Dentons and serves on the firm’s U.S. Board of Directors. She represents and advises lawyers and insurers on complex claims and is co-chair of Dentons’ global insurance sector team. Alanna Clair is a senior managing associate at Dentons and focuses on professional liability defense. Shari and Alanna are co-authors of “The Lawyer’s Handbook: Ethics Compliance and Claim Avoidance.”