Pop quiz. How many of the following items are you familiar with?
- Back door/trap door
- DNS poisoning
- IP spoofing
- Man-in-the-middle spoofing
- Network sniffing
- Password cracking
- Replay attacks
- Social engineering
- System penetration
- System tampering
- TCP/IP hijacking
- Website defacement
When lecturing about or assisting law firms with cybersecurity issues, I ask them to tell me what each of these items is, and, not surprisingly, no one has ever gotten a perfect score. In fact, no one has ever come close to receiving a passing grade. Of course not; lawyers aren’t trained to be cybersecurity experts. Yet cybersecurity—which is the process of protecting a computer or computer network against the criminal or unauthorized use of electronic data—is something every law firm needs to know about and to protect against.
In the past few years, major law firms, including Cravath Swaine & Moore and Weil Gotshal & Manges, were victims of cyberattacks. In addition, more than 11.5 million files from Mossack Fonseca, the world’s fourth largest offshore law firm, were stolen because the firm failed to take the necessary steps to protect its confidential data, including updating the security of its web servers.
In most cases, data breaches can be avoided. Yes, your firm can hire a consultant to help, but you need to know more, and to take additional steps. Why? Because there are legal and ethical considerations that you should understand.
Under the Pennsylvania Rules of Professional Conduct, lawyers have a duty to protect confidential client information, and to respect the rights (including sensitive information) of third persons. For example, Rule of Professional Conduct 1.6(d) requires that “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” In other words, you can’t leave your computer network unprotected against hacking or ransomware. Comment 25 to this rule explains that “a lawyer [must] act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.” In other words, when it comes to data on your computers, cellphones and servers, you must take appropriate security measures.
This comment further explains that lawyers “may be required to take additional steps to safeguard a client’s information to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information.” In other words, a law firm may have to comply with data breach notification laws and other statutes.
In addition, Rule 4.4(1) requires lawyers to respect the rights of third persons. While this rule states that lawyers should avoid taking actions that would embarrass a third party, its import in the realm of cybersecurity is becoming evident. In the past, lawyers filed documents electronically that contained personal information (such as Social Security numbers and financial account numbers) or confidential information (such as medical records with sensitive information) without considering what would happen if another person—such as the “nosy neighbor”—went online, read it, and disseminated it. Consider how your 12-year-old son would feel if his medical records revealed his chronic bed wetting, and those records were available online as part of the file in a custody action. That happened.
Now, lawyers must redact sensitive information under Pennsylvania’s Public Access Policy; numerous other states have enacted similar measures, all intended to prevent the disclosure of the types of personal information that we would all agree should not be freely available to a “nosy neighbor,” the press, or anyone other than the parties in the case.
Attorneys need to consider these obligations, as well as broader cybersecurity issues. At its core, cybersecurity always begins with physical security, in other words, preventing unauthorized access to your office network, cellphones, and any other electronic devices that contain confidential or sensitive information.
So, what should firms do? And is the task so daunting that solo, small and midsized firms should just throw in the towel? The answer is that every firm of every size should plan and take reasonable efforts to protect the interests of their clients and their firms. You must apply the same standard that has always applied to protecting paper files to your digital ones. You wouldn’t think of leaving client files in your lobby for anyone to see, so why would you leave your digital files vulnerable to anyone with the right technological knowhow to view?
In many cases, smaller law firms have advantages over larger entities because they don’t have the internal bureaucracy common to larger firms and can take proactive measures quickly. So, what are the steps firms should take to prevent cyberattacks?
First, firms should conduct a risk assessment, focusing on identifying potential threats. The assessment will consider how much data the firm must protect and which areas are most vulnerable to attack.
Second, firms should consider whether certain data should be isolated or segregated from other data. If your firm, for example, has the secret recipe for Coca-Cola, then that information should be handled differently from other data. There are many ways to do this, ranging from storing certain data on servers that are not accessible through the internet to limiting who internally can access the data and the way that access is controlled. These cybersecurity measures are practical and do not generally cost considerable sums.
Third, firms must consider whether state or federal laws require additional protective measures. In those cases, the applicable law, such as HIPAA, will govern how the data is stored. If a firm fails to store such data properly, it may find itself subject to liability in the event of a security breach.
Fourth, remember to employ the basic cybersecurity measures that all computer users should take. These include installing anti-malware and antivirus software on all computers and mobile devices (including smartphones). Critical to these efforts is the need to regularly update the programs installed on a firm’s computers, so that known vulnerabilities are patched.
When the “WannaCrypt” software virus spread globally in May 2017, blocking customers from using data unless they paid a ransom using Bitcoin, Microsoft reminded its customers that it had released a security update to patch this vulnerability and to protect its customers. Microsoft issued a statement outlining the need for consumers to proactively maintain the security of their computers: “… this attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers.”
“The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems,” Microsoft said, continuing, “Otherwise they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support.”
In addition to installing anti-malware and antivirus software, businesses that use a wireless network should protect it with a secure password, and the network encryption should be updated regularly to guard against attacks by hackers who prey on inadequately protected networks. Similarly, firms that allow access to data through their websites should require all users to have secure passwords, and should require users to log out of and close the webpage when their activity is concluded. Of course, this is like a business requiring staff to lock the doors when they leave the building.
These efforts require that staff be educated about a firm’s security requirements, as well as the reasons for them. Firms should require staff to report any suspicious activity, and should develop a Cybersecurity Breach Response Plan so that there are procedures in place to deal with concerns, whether it is a lost smartphone or unauthorized access to the firm’s servers.
Finally, because most legal malpractice insurance policies do not provide coverage for data breaches, and do not pay for such common breach remedies as identity protection monitoring, firms should purchase cyberinsurance. Comprehensive cyberinsurance covers a wide range of losses, including losses from damage to or corruption of a firm’s electronic data; business interruption protection; notification costs to persons whose data was accessed; payment of fines and statutory penalties; reimbursement for ransomware costs; legal liability for breaches of HIPAA and other state and federal privacy protection laws, and more.
The goal of cybersecurity is to protect law firms against foreseeable threats. While no one can guarantee that a firm will not be the subject of a cyberattack, it remains incumbent on firms to plan for these situations by implementing measures that reduce the risk that a hacker will access confidential data or other information.
Daniel J. Siegel, principal of the Law Offices of Daniel J. Siegel, provides ethical guidance and Disciplinary Board representation for attorneys and law firms; he is the editor of “Fee Agreements in Pennsylvania (6th Edition)” and author of “Leaving a Law Practice: Practical and Ethical Issues for Lawyers and Law Firms (Second Edition),” published by the Pennsylvania Bar Institute. Contact him at firstname.lastname@example.org.