In the wake of the Petya and WannaCry ransomware attacks, it has become readily apparent that law firms are not immune to cyber attacks. In fact, they are becoming a target. Law firms must now become akin to the companies they defend when it comes to countering cyber attacks. The difference is that law firms have ethical rules requiring confidentiality of attorney-client and work-product information. Clients, particularly those in regulated industries, expect law firms to secure their data to the same standards that the clients have in place in their own organizations.
Why Law Firms and What Duty Do They Have?
Probably a better question is, why not law firms? Our clients trust us with their most sensitive and highly confidential information. Law firms hold a wealth of highly sensitive client data that can include, at a minimum, financial information, medical records and essential health care information, and market-influencing mergers and acquisitions intelligence.
Law firms historically have not been prepared for a breach. In a recent survey by LogicForce with over 200 firms participating, 49 percent reported that they had been subject to hacking.¹ More importantly, those firms reported that they had been unaware they were hacked. Further, the study found that cyber attacks on law firms are non-discriminatory: the size of the firm and its revenue stream did not seem to matter. The law firms also reported that 53 percent of them had no breach response plan in place, and 18 had lost a client for failing an IT audit. Another study, conducted by the American Bar Association, reported that 30.7 percent of all law firms, and 62.8 percent of firms with 500 lawyers or more, had received security requirements from current or potential clients.²
Lawyers and law firms are also often unaware of their obligations to clients. The commentary to Rule 1.1 of the Model Rules of Professional Conduct requires attorneys to "keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology." This makes clear that attorneys themselves must keep abreast of changes in technology. Gone are the days when attorneys could rely solely on their IT department to comply with the rules. Further, the Rules of Professional Conduct in every state generally provide, consistent with Rule 1.6(c) of the Model Rules, that "[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." Essentially, under Rules 1.1 and 1.6, law firms have a duty to effectively protect their clients' information.
In the event of a breach, law firms must also be aware of their duty to notify clients. In addition to Rule 1.4 (communications with the client) and the fiduciary law governing the lawyer-client relationship, law firms must take into account the Restatement (Third) of the Law Governing Lawyers, which states: "If the lawyer's conduct of the matter gives the client a substantial malpractice claim against the lawyer, the lawyer must disclose that to the client." A strong security program may shield a law firm from an ethical violation for failing to protect client data; however, it has no bearing on the above-stated requirement to inform clients of a breach.
What Can Lawyers and Law Firms Do?
First and foremost, education is key. Law firms need to educate their attorneys and their staff about data security. As a baseline, network integrity, antivirus software, firewalls and recovery plans are integral to protecting your systems. Firms must recognize that human error is one of the greatest vulnerabilities exploited in a cyber attack. Typically, breaches are not the work of sophisticated attackers but result from phishing emails, lost laptops or compromised passwords. Firms should adopt and enforce extra layers of security such as two-factor authentication, and mobile devices, laptops, flash drives and firm servers should all be encrypted. Further, a firm's Board of Directors must be well informed, as senior-level accountability across companies, including law firms, is increasingly expected by regulators and courts.
Second, firms must implement and test their incident response plan. Like any company, a law firm needs to know what kind of data it holds and where that data resides. This is essential to knowing how best to protect your clients' data and to verifying that you comply with all applicable federal and state data security laws, including the Health Insurance Portability and Accountability Act (HIPAA), the Federal Trade Commission Act, Sarbanes-Oxley, the Gramm-Leach-Bliley Act, the Electronic Communications Privacy Act (ECPA), the Children's Online Privacy Protection Act and the Fair Credit Reporting Act (FCRA). A law firm should have records management policies in place, including how the firm stores its electronically stored information (ESI), in order to reduce risk and limit liability. Firms must have policies governing remote access, Wi-Fi "hotspots", cloud services, web email accounts and social networking sites. Coordination is vital to an effective incident response plan. The plan must designate whom to contact in the event of a breach and identify the individuals within your firm who are responsible for internal communication, human relations, coordination with forensic teams, insurance carriers, outside counsel (if necessary) and outside vendors. Law firms should have a Chief Information Security Officer (CISO) to coordinate and maintain an enterprise security program.
There is increasing pressure on law firms to become ISO/IEC 27001 certified. Becoming ISO 27001 certified protects your firm's client data and intellectual property and can minimize, and in some instances prevent, the damage in the event of a breach.
Third, law firms should conduct regular audits. Cybersecurity is ever-evolving. Even with the smartest team and the most advanced capabilities, the security of your systems may fail without full support from your firm. If these plans are not consistently tested, they become outdated and essentially useless. It is essential to run table-top exercises with representative simulated-breach scenarios. Firms must also revisit their insurance coverage portfolio to determine whether they have cyber liability insurance coverage and, if not, consider either purchasing a cyber policy or ceding residual risk through contractual defense/indemnity and service-level agreement provisions with third-party providers.
Becoming savvier about the risks now, prior to an attack, and taking affirmative steps to reduce them will allow your firm to better protect itself and its clients.