Law Firms Must Be Proactive to Prevent Cyberattacks
In the past few years, major law firms, including Cravath Swaine & Moore and Weil Gotshal & Manges, were victims of cyberattacks. In addition, more than 11.5 million files from Mossack Fonseca, the world's fourth largest offshore law firm, were stolen because the firm failed to take the necessary steps to protect its confidential data, including updating the security of its web servers.
April 26, 2018 at 02:25 PM
Pop quiz. How many of the following items are you familiar with?
- Back door/trap door
- Cracks
- DNS poisoning
- Eavesdropping
- Hackers
- IP spoofing
- Malware
- Man-in-the-middle spoofing
- Network sniffing
- Password cracking
- Phishing
- Ransomware
- Replay attacks
- Social engineering
- Spam
- Spyware
- System penetration
- System tampering
- TCP/IP hijacking
- Trojan
- Tunneling
- Viruses
- Website defacement
- Worms
When lecturing about or assisting law firms with cybersecurity issues, I ask them to tell me what each of these items is, and not surprisingly, no one has ever gotten a perfect score. In fact, no one has ever come close to receiving a passing grade. Of course not; lawyers aren't trained to be cybersecurity experts. Yet cybersecurity—which is the process of protecting a computer or computer network against the criminal or unauthorized use of electronic data—is something every law firm needs to know about and to protect against.
In most cases, data breaches can be avoided. Yes, your firm can hire a consultant to help, but you need to know more, and to take additional steps. Why? Because there are legal and ethical considerations that you should understand.
Under the Pennsylvania Rules of Professional Conduct, lawyers have a duty to protect confidential client information, and to respect the rights (including sensitive information) of third persons. For example, Rule of Professional Conduct 1.6(d) requires that “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” In other words, you can't leave your computer network unprotected against hacking or ransomware. Comment 25 to this rule explains that “a lawyer [must] act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision.” In other words, when it comes to data on your computers, cellphones and servers, you must take appropriate security measures.
This comment further explains that lawyers “may be required to take additional steps to safeguard a client's information to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information.” In other words, a law firm may have to comply with data breach notification laws and other statutes.
In addition, Rule 4.4(1) requires lawyers to respect the rights of third persons. While this rule states that lawyers should avoid taking actions that would embarrass a third party, its import in the realm of cybersecurity is becoming evident. In the past, lawyers filed documents electronically that contained personal information (such as Social Security numbers and financial account numbers) or confidential information (such as medical records with sensitive information) without considering what would happen if another person—such as the “nosy neighbor”—went online, read it, and disseminated it. Consider how your 12-year-old son would feel if his medical records revealed his chronic bed wetting, and those records were available online as part of the file in a custody action. That happened.
Now, lawyers must redact sensitive information under Pennsylvania's Public Access Policy; numerous other states have enacted similar measures, all intended to prevent the disclosure of the types of personal information that we would all agree should not be freely available to a “nosy neighbor,” the press, or anyone other than the parties in the case.
Attorneys need to consider these obligations, as well as broader cybersecurity issues. At its core, cybersecurity always begins with physical security: preventing unauthorized access to your office network, cellphones, and any other electronic devices that contain confidential or sensitive information.
So, what should firms do? And is the task so daunting that solo, small and midsized firms should just throw in the towel? The answer is that every firm of every size should plan and take reasonable efforts to protect the interests of their clients and their firms. You must apply the same standard that has always applied to protecting paper files to your digital ones. You wouldn't think of leaving client files in your lobby for anyone to see, so why would you leave your digital files open to anyone with the right technological know-how to view them?
In many cases, smaller law firms have advantages over larger entities because they don't have the internal bureaucracy common to larger firms and can take proactive measures quickly. So, what are the steps firms should take to prevent cyberattacks?
First, firms should conduct a risk assessment, focusing on potential threats. The assessment will consider how much data the firm must protect, and which areas are most vulnerable to attack.
Second, firms should consider whether certain data should be isolated/segregated from other data. If your firm, for example, has the secret recipe for Coca-Cola, then that information should be handled differently from other data. There are many ways to do this, ranging from storing certain data on servers that are not accessible through the internet to limiting who internally can access the data and the way access is controlled. These cybersecurity measures are practical, and do not generally cost considerable sums.
Third, firms must consider whether state or federal laws require additional protective measures. In those cases, the applicable law, such as HIPAA, will govern how the data is stored. If a firm fails to store such data properly, it may find itself subject to liability in the event of a security breach.
Fourth, remember to employ the basic cybersecurity measures that all computer users should take. These include installing anti-malware and antivirus software on all computers and mobile devices (including smartphones). Critical to these efforts is regularly updating the programs installed on a firm's computers; protection that is not kept current is protection against yesterday's threats.
When the “WannaCrypt” software virus spread globally in May 2017, blocking customers from using data unless they paid a ransom using Bitcoin, Microsoft reminded its customers that it had released a security update to patch this vulnerability and to protect its customers. Microsoft issued a statement outlining the need for consumers to proactively maintain the security of their computers: “… this attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers.”
“The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems,” Microsoft said, continuing, “Otherwise they're literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it's something every top executive should support.”
In addition to installing anti-malware and antivirus software, businesses that use a wireless network should protect it with a secure password, and the network encryption should be updated regularly to guard against attacks by hackers who prey on inadequately protected networks. Similarly, firms that allow access to data through their websites should require all users to have secure passwords, and should require users to log out of and close the webpage when their activity is concluded. Of course, this is like a business requiring staff to lock the doors when they leave the building.
These efforts require that staff be educated about a firm's security requirements, as well as the reasons for them. Firms should require staff to report any suspicious activity, and should develop a Cybersecurity Breach Response Plan so that there are procedures in place to deal with concerns, whether it is a lost smartphone or unauthorized access to the firm's servers.
Finally, because most legal malpractice insurance policies do not provide coverage for data breaches, and do not pay for such common breach remedies as identity protection monitoring, firms should purchase cyberinsurance. Comprehensive cyberinsurance covers a wide range of losses, including losses from damage to or corruption of a firm's electronic data; business interruption protection; notification costs to persons whose data was accessed; payment of fines and statutory penalties; reimbursement for ransomware costs; legal liability for breaches of HIPAA and other state and federal privacy protection laws, and more.
The goal of cybersecurity is to protect law firms against foreseeable threats. While no one can guarantee that a firm will not be the subject of a cyberattack, it remains incumbent on firms to plan for these situations by implementing measures that reduce the risk that a hacker will access confidential data or other information.
Daniel J. Siegel, principal of the Law Offices of Daniel J. Siegel, provides ethical guidance and Disciplinary Board representation for attorneys and law firms; he is the editor of “Fee Agreements in Pennsylvania (6th Edition)” and author of “Leaving a Law Practice: Practical and Ethical Issues for Lawyers and Law Firms (Second Edition),” published by the Pennsylvania Bar Institute. Contact him at [email protected].