As cybercriminals become increasingly sophisticated, they find new ways to infiltrate systems and disrupt operations. Corporations, legal and other firms, nonprofit organizations, academic institutions and government agencies are among the countless victims of data breaches every year.
Until recently, breaches largely involved encryption: threat actors accessed networks and locked down systems, causing business interruption and often demanding a ransom for their release. While this tactic remains a common tool in most breaches, the growing threat that emerged in 2022 is the incorporation of data exfiltration into the toolkit. Now, with increasing frequency, several tactics are combined in a single incident: encrypting systems, stealing and selling the data that was accessed, and threatening to expose the fact that an organization’s data was stolen unless the requested ransom is paid. Among the many breaches experts handled in Q4 of 2022, very few did not include an element of exfiltration, in stark contrast to the first half of 2020, when fewer than 30% of data extortion incidents included exfiltration.
Due to the rise of exfiltration, lawyers should be on guard and ensure they are compliant with Rule 1.6(c) of the American Bar Association’s Model Rules of Professional Responsibility: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” If lawyers do not take “reasonable efforts,” they may risk sanctions, disbarment, and legal liability in the event of a data breach. The ABA issued an opinion on Model Rule 1.6 clarifying that what constitutes a reasonable effort is not a “hard and fast rule,” but rather a flexible set of factors that are weighed on a case-by-case basis.
The ABA opinion’s factors to be weighed include:
- the sensitivity of information;
- the likelihood of disclosure if additional safeguards are not employed;
- the cost of employing additional safeguards;
- the difficulty of implementing the safeguards;
- the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.
The ABA Standing Committee on Ethics and Professional Responsibility stresses that attorneys should assess the risk of inadvertent disclosure of client information before connecting to unsecure networks, using computers and servers without anti-virus software, and sending unencrypted communications.
In some cases of data exfiltration, the threat actors download a copy of the data; in other cases, they download a copy and then also delete the original from the network it was taken from. The latter scenario reinforces the importance of regularly backing up all systems and the data they contain, so that if data is deleted during a breach, the organization can restore a recent version of it and reduce the impact on regular business operations.
Once stolen, data is often sold or threatened to be sold. Data may be posted on the dark web, or the threat actor may have a buyer already identified before the theft. Regardless of what the criminals do with exfiltrated data, dealing with this type of breach is a logistical nightmare. In many cases the stolen data includes trade secrets or the personally identifiable information of employees and/or clients of the organization, posing a substantial risk to everyone involved.