In the COVID-19 era, law firms face numerous cybersecurity challenges and vulnerabilities from lawyers and legal staff working remotely. Employees working from home are particularly vulnerable to phishing scams due to human errors and often have weak security protocols on their Wi-Fi networks, allowing hackers easier access to the network's traffic. In fact, on March 13, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency recognized these issues encouraged those that are moving to remote working status "to adopt a heightened state of cybersecurity," because of the significantly elevated risk of malware, phishing attacks and ransomware demands amid the coronavirus pandemic.

The most important goal for a law firm is to protect its data. If a firm does not have the right cybersecurity system set up, it may have to deal with a ransomware attack. This is exactly what happened last month in May, when the law firm of Grubman Shire Meiselas & Sacks, recognized as one of the premier entertainment and media law firms in the country, was hit with a data extortion scheme. A cybercriminal ring claimed to have stolen from the firm approximately 756 gigabytes of private documents and correspondence. The hackers alleged they have possession of information on the law firm's clients past and present, including Lady Gaga, Madonna, Nicki Minaj, David Letterman, John Mellencamp, Robert DeNiro, Elton John, the Kardashians, and even companies like Facebook, Activision, iHeartMedia, IMAX, Sony, HBO and Vice Media.

The hackers issued a ransom demand of $21 million to the law firm and threatened to gradually release the stolen data if they do not receive payment. After the firm refused to pay, the hackers delivered on their threat as 2.4 gigabytes of data related to Grubman Shire client Lady Gaga was released. Some other leaked files have included contracts, telephone numbers, email addresses, personal correspondence with the lawyers related to various case files, and nondisclosure agreements made with advertising and modeling firms.

The breach not only subjects the firm to major liability to their clients, the firm may also be found to violate its ethical responsibilities under the American Bar Association's Model Rules of Professional Conduct. Certain violations of the rules may even lead to disciplinary proceedings and all violations mean that the lawyers have not met the expectations of their clients or themselves. For example, Rule 1.6 is the confidentiality provision. The prohibition is absolute, because the rule says that attorneys shall not disclose such information relating to the representation of a client unless the client gives informed consent or the disclosure is impliedly authorized to carry out the representation, or is otherwise permissible under Rule 1.6. Rule 1.6 implies that disclosure can be either intentional or accidental. Subsection (c) states that every lawyer shall make "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." There are several factors to consider, including the economic and noneconomic costs of the security protocol (e.g., a software system that has so many security layers that it is difficult to use), the nature of the information, and the likelihood of disclosure.

As shown, the combination of flawed technology and human errors make the home office a cybersecurity concern. Employees use their own personal computers and at-home Wi-Fi networks that are not as strong as the security, firewalls and routers at the office that firms invest in. Distractions while working from home, such as child care, roommates and not having a desk set-up like they would at the office, are having an impact on how people operate. In some cases, security policies are too much of a barrier for employees working from home to adapt to, especially if they are under pressure to hit deadlines.

Law firms thus need to address these vulnerabilities and take steps to keep their data and files secure. For example, the law firm's information technology department should have the resources they need to meet the business needs and keep the data secured. If the law firm issues computers or phones, the law firm should ensure that they are properly configured and have updated software. If the employees use their computer, they should use encrypted hard drives and virtual private network with passwords for connecting. Security experts should be consulted to create a set of policies and procedures that remote workers should follow when using the computer and accessing the network.

Additionally, all employees should be taught what to look for in phishing and malware schemes and other cyberthreats connected to the COVID-19 outbreak. All remote workers should also be provided with a list of emergency contact numbers and have them ready in case of a data breach so the IT department can handle them immediately. By taking proactive steps, law firms are ensuring that they are taking enough precautions to prevent any cyberattacks from bad actors taking advantage of this pandemic.

Brian S. Kabateck is a consumer rights attorney and founder of Kabateck LLP in Los Angeles. He represents plaintiffs in personal injury, mass torts litigation, class actions, insurance bad faith, insurance litigation and commercial contingency litigation.

Attorney Joana Fang is an associate with the firm and a member of its trial team. Fang handles a wide range of cases for the firm, including consumer class actions, personal injury, wrongful death and insurance bad-faith claims.