Avoiding the worst case scenario: Data theft during discovery
No attorney wants to expose a client's secrets to the world, but most do not realize how easily that can happen.
September 04, 2013 at 05:00 AM
The original version of this story was published on Law.com
Many lawyers hear “cybersecurity” and immediately tune out, thinking it does not pertain to them. However, they really should perk up their ears, as a security breach can have major ramifications for their practice. Corporate clients who do not insist their firms have security standards open themselves up to leaks of privileged information, and lawyers who do not ensure their firms are secure risk losing their largest corporate clients. Furthermore, not only can data be inadvertently exposed, but if data is not properly secured, firms may find themselves in violation of their ethical responsibilities. Below is the first of three real-world scenarios that could happen to any attorney and seriously impact a corporate client. Look for the next two scenarios in the coming months.
Scenario 1:
It is 9 p.m. A senior associate, Larry, is working on reviewing your documents for a large case, and the production deadline is tomorrow. Larry still has a few thousand documents to go, so to get a break and some needed caffeine, he leaves the office and hunkers down at the local coffee shop. Larry logs on to his mifi, which was provided by his law firm, and then enters security credentials and logs in on the document repository. He does another two hours of review while chugging down one espresso after another. Shaking from all the caffeine, Larry heads home. Once home, he boots up his home computer and logs back in on the document repository. He stays up a while longer and finally finishes reviewing the documents. Larry sends an email to the firm's litigation support department indicating that they can begin to run the production. One of the directions is that all documents need to be labeled “For Attorneys' Eyes Only” because a lot of the documents contain your company's trade secrets. Larry shuts down his computer and hits the sack for some much needed rest.
The production gets done on time and is submitted to your adversary. Outside counsel moves on to other aspects of the case, not giving that production a second thought. However, several months later it is brought to your attention that certain trade secrets have somehow been leaked. You spend tens of thousands of dollars on forensic examinations and hours upon hours personally interviewing employees in an effort to find the leak. After an exhaustive search, it turns out that the information was stolen using the login credentials of Larry, the senior associate at outside counsel. When you call Larry to find out what happened, he is honestly perplexed. He has never shared his credentials with anyone, nor has he printed out any documents that could have been misplaced. What could have possibly gone wrong?
What Larry did was log in to the document repository from an unsecured network that was hacked. He violated no firm policies, but the trouble is that when he logged on to the firm-distributed mifi device, it was easily hacked by another patron while Larry was enjoying that last espresso. The hacker was able to obtain the credentials to the document repository and gain access to all of your sensitive documents. Now all those trade secrets you have spent millions to protect are in the public domain.
This hacking probably leads you to fire the firm, costing it an extremely profitable client. You may even have to consider embarking on costly litigation to recoup losses. How do you protect yourself from this and avoid endangering the relationships you have spent years building with trusted law firms? The answer is to work with your firms early on to ensure that they have adequate security policies in place to protect against such cyberthreats.
Firmwide policies should be drafted around working outside the office, and databases with very sensitive information should be locked so they can be viewed from secure locations only. However, it is not enough for your outside counsel to simply have these policies in place: Staff need to be trained on the policies and understand the implications if they are broken. All new employees must be made aware of the firm's security policies, and all current employees should be trained on the policies and retrained every time the policies are changed. All of your outside counsel should be compliant and enforce any and all policies you have in place to protect your own data.
Adding to the firm's predicament is that, in addition to losing you as a client, it may have violated its ethical obligations to you. The ABA Model Rules now require that all lawyers “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” (See ABA Rule 1.6: Confidentiality Of Information.) This does not mean that lawyers are subject to an ethics violation for every data breach, but this obligation does require active efforts on the part of outside counsel to evaluate and implement technological safeguards. The comment to the rule notes that, when evaluating whether an attorney's efforts were reasonable, factors to be considered include “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer's ability to represent clients.” As a practical matter, this requires attorneys to make fact-specific evaluations regarding both the information to be protected and the various technological means of protecting it. This suggests that more sensitive information might be subject to greater, more costly or more cumbersome technological controls, such as access restrictions and copying limitations.
To meet this standard, when the firm purchased mifi devices for employees, it became the firm's obligation to research the mifi devices and the network's security. It is also the obligation of the firm to draft policies around the use of this technology before distributing devices to employees. If these steps were adequately taken, then an ethical violation probably would not exist. However, if the devices were purchased and distributed without much thought of potential security breaches, then the law firm may have an ethical problem on its hands. Also, because the database had very sensitive client data, it should have been locked down so that it could only be accessed on a secure network.
No attorney wants to expose a client's secrets to the world, but most do not realize how easily that can happen. Attorneys need to take their heads out of the sand and proactively ensure the security of client data, and clients need to be aware of their firms' policies and be the catalyst for improvements if needed. While no one expects attorneys to be technologically savvy enough to put proper firewalls around data, it is their responsibility to make sure they are working with their firms' CIO to effectively protect client information. While we want to encourage people to function remotely so they can potentially work longer hours, there are inherent risks that must be considered. So perhaps the next time lawyers working on your case need a caffeine fix, they should bring that latte back to the office.