The Cyber Breach
Unfortunately, law firms are still regarded as “soft” in the comparative world of cyber targets. Many law firms use systems that are easier to penetrate than those of their more sophisticated clients. This imbalance in technology leaves the law firm as the weakest link in the data chain and an obvious target for cyber criminals.
Further, lawyers, even if employed at firms with sophisticated systems, are vulnerable to socially engineered attacks. Lawyers must work efficiently, look for new opportunities, and look to assist and procure potential clients. Many lawyers will click the links contained in unsolicited emails and continue to fall for phishing scams.
Indeed, a 2015 Legal Technology Survey found that at least 80 of the 100 biggest law firms in the country had been hacked. Smaller firms are also increasingly subject to incidents involving ransomware and pay bitcoin ransoms to recover their data.
Competence and Confidentiality
In addition to a financial and a practical problem for lawyers, a cyber incident may lead to ethical problems as well. The ABA Model Rules have evolved to address technology and it is no longer acceptable for a lawyer to simply claim technological ignorance. What follows is a reminder of how the ABA Model Rules speak to technology:
ABA Model Rule 1.1: Competence, Comment [8]
“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
ABA Model Rule 1.6: Confidentiality
“(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” See also Comments [18] and [19].
No lawyer wants to be the subject of a grievance or law suit as a consequence of technological incompetence and/or the failure to protect confidential client information.
Ten Tips for Maintaining Confidentiality in Cyber World
- Find and cure your weakest links. All attorneys, staff and vendors must exercise the utmost level of cybersecurity care, awareness and diligence. Training in cyber breach prevention and mitigation should be mandatory for everyone in every law firm, including founding partners and receptionists. Employing a technologically proficient team is the best prevention.
- Enforce policies to curtail human error. The majority of all security incidents are caused by human error. Consequently, the most sophisticated security system in the world is irrelevant if the potential for human error is unaddressed. For example, one law firm with a strong security system discovered someone had accessed client files. After performing numerous systems checks, the law firm ultimately discovered that an employee kept her passwords on a notepad in her unlocked desk drawer. A member of the cleaning staff found the notepad and was able to access client files. Many law firm partners still send confidential information from personal email accounts, use public Wi-Fi while waiting for flights or having coffee, and take other risks, such as failing to password protect their smartphones. Training and enforcement of cyber policies for everyone in the firm is necessary to avoid these common human errors that routinely lead to cyber breaches.
- Send fake emails. To provide further cyber security training, a number of corporations now routinely send fake phishing emails to test their employees’ cyber security awareness and to measure open rates. These corporations then advise their employees of the open rate percentage and instruct them regarding the red flags that were ignored. For example, employees may ignore a change in the sender’s email address, fail to hover over a link before clicking it (the address displayed may show that the link does not lead where its text claims), and may ignore other inconsistent information that would indicate that the email is a fraud. Corporations hope that this type of feedback is effective in encouraging employees to exercise more care before opening the next link or providing their information to a potential thief. Corporations also encourage staff to share any phishing emails that they receive for analysis and discussion.
- Pause before sending text messages and emails. The “reply to all” key has been responsible for confidentiality breaches, embarrassment and awkwardness. Further, accidentally sending to the wrong “Mary” or not realizing the actual plaintiff has been copied on a document can cause further problems. Disabling the “reply to all” button and pausing an extra second before pushing “send” to review the distribution list is obviously good practice. Further, we have all likely read about a certain athlete’s attorney who accidentally texted a reporter a sentence that started “Heaven help us…” Perhaps simply avoiding the text message in a professional setting is the best idea. While a text may be a great way to communicate with friends and family, it is not the ideal form of communication to use professionally due to its fast and informal nature.
- Encrypt. Encryption is the best alternative for protecting sensitive data. Encrypted data is unreadable if a cell phone or computer is lost or if the data ends up in the wrong hands. Encryption, however, is the least used security feature found in most law firms. While encryption of all files is currently not ethically mandated, the failure to encrypt could arguably be viewed as a breach. ABA Model Rule 1.6 reads:
…This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. Comment [19]
Lawyers should evaluate the security needs of the actual data for each engagement to make sure that the confidentiality needs of their clients are adequately protected. Obtaining the client’s written consent before using email or text messaging to communicate with them, while advising of potential confidentiality issues, is also advisable. If your law firm does not encrypt data, disclose that to the client and provide them with the opportunity to refuse email communications from your firm.
- Passwords. Law firms should encourage strong passwords. The password should contain letters (both upper and lower case), special characters, and numbers. Passwords should be changed regularly (every 90 days) and never repeated. One idea is to anchor your password to a phrase instead of a word. For example, “She Loves to travel to Warm Weather and go swimming” can translate to the following password by using just the first letter of every word, with capitalization every so often: SLtttWWags. The value of this new password is that it is very hard to guess without knowing the original sentence, yet easy to remember. Adding numbers and special characters will then create a stronger password. Another option is to use a secure password generator.
- The cloud. While many attorneys conceptually understand that information stored in a cloud is stored off site, many have no idea that depending upon the vendor, cloud data could be stored internationally, governed by foreign law, and subject to search and seizure. Further, if an attorney places data in the cloud that is subject to state or federal privacy laws, the client should first provide their informed and written consent for such storage (adding this item to the engagement letter may be an option). Finally, the attorney should check with the bar association for their respective state’s ethical opinions that govern cloud storage.
- Update your systems. Law firms should routinely update their systems, including the VPN, antivirus, anti-spyware and spam filters. Class action lawsuits arising out of data violations are exploding, and the first public data security class action complaint against a law firm was recently filed in Federal Court in Chicago. The plaintiffs allege that the firm’s outdated systems failed to protect client data. Damages are sought for the threat of a breach and the “diminished value” of the law firm’s services.
- Vet vendors. Vendors have been identified as the weak link in certain large exposure hacking incidents. Recall that the Target hackers were able to access the chain’s security systems by stealing credentials from a vendor. Examine all vendors’ cyber security protocols (does the vendor encrypt data? use a VPN?) as well as the vendor’s insurance policy and all controlling contracts. Understand where the vendor will store the information – international storage may present problems. Examine indemnification clauses and provisions regarding who will be expected to pay in the event of a data breach.
- Have a plan. Every law firm should establish a plan to follow in the event of a cyber breach. Further, like fire drills, law firms should practice cyber drills. Are documents routinely backed up? Are copies of the most important documents at an off-site, secure location? In the event of a hack or a ransom, does everyone know who to call? Vendors should be selected ahead of time so that in an emergency, the law firm is not panicked and scrambling. For example, privacy counsel, to establish immediate privilege and provide notice requirement advice, can easily be researched ahead of time. Selecting or creating a list of professionals to assist with restoring data or handling a ransomware incident should also be researched. Finally, cyber liability coverage can help to not only cover the costs related to a data breach, such as notification expense and regulatory fines, but can also provide professionals to assist in case of an emergency.
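The two phishing red flags named in the “Send fake emails” tip above (a sender address on the wrong domain, and link text that shows one address while the link itself points elsewhere) can be checked mechanically. The following is an added example, not code from the article or from any firm it mentions; the message, the domains (example.com, examp1e.com, example.net) and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the display name looks in-house, the real
# address is on a look-alike domain, and the link text and href disagree.
SAMPLE_EMAIL = """\
From: "Managing Partner" <partner@examp1e.com>
Content-Type: text/html

<p>Please review the <a href="http://portal.example.net/reset">https://portal.example.com</a> update today.</p>
"""

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Hostname of a URL, or of a bare domain written as link text."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()

def phishing_red_flags(raw_message, trusted_domain):
    """Return the red flags found: off-domain sender, and any link whose
    visible text looks like an address but names a different host than
    the href it actually opens."""
    msg = message_from_string(raw_message)
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain != trusted_domain.lower():
        flags.append(f"sender domain {sender_domain!r} is not {trusted_domain!r}")
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        if "." in text and _host(text) != _host(href):
            flags.append(f"link text {text!r} actually opens {_host(href)!r}")
    return flags
```

A mail filter or a training debrief can run this over a simulated phishing message to show staff exactly which flag they walked past; link text such as “click here” carries no address and is not compared.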
Deborah Bjes, Risk Manager
Swiss Re Corporate Solution