Cyberthreats to attorneys and law firms continue to be substantial, real, and growing – security incidents and data breaches have occurred, are occurring, and will continue. Recent articles have reported that the number of data breaches of large law firms remains high, while breaches of small and midsize firms have been growing.
ABA Formal Opinion 477R, discussed below, describes the current threat environment: “Cybersecurity recognizes a … world where law enforcement discusses hacking and data loss in terms of ‘when,’ and not ‘if’…” a company (or law firm) will be breached. A corollary to this saying is that there are two kinds of companies (or law firms), those that have been hacked and know it, and those that have been hacked and don’t know it.
The greatest threats today are spearphishing, ransomware, business email compromise, supply chain/third-party compromises, insider threats, and lost and stolen laptops, smartphones, and portable devices. These and other threats are a particular concern to attorneys because of their duties of competence in technology and confidentiality.
It is critical for attorneys and law firms to recognize these threats and address them through comprehensive cybersecurity programs, including addressing people, policies and procedures, and technology.
This is the fourth in a series of cybersecurity articles by me for Law Practice Today, following “Cybersecurity for Attorneys: The Ethics of Securing Your Virtual Practice” (October 2021), “Cybersecurity for Attorneys: The Ethics of Incident Response” (November 2020), and “Cybersecurity for Attorneys: Addressing the Legal and Ethical Duties” (November 2019). This article addresses the people part of cybersecurity.
Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients, and also often have contractual and regulatory duties to protect confidential information.
Ethics Rules. Several ethics rules in the ABA Model Rules have particular application to protection of client data, including competence (Model Rule 1.1), communication (Model Rule 1.4), confidentiality of information (Model Rule 1.6), supervision (Model Rules 5.1, 5.2 and 5.3), and safeguarding property (Model Rule 1.15).
At the ABA Annual Meeting in 2012 (ten years ago), the ABA adopted the recommendations of the ABA Commission on Ethics 20/20 on technology and confidentiality. They include:
Model Rule 1.4: Communications applies to attorneys’ use of technology. It requires appropriate communications with clients “about the means by which the client's objectives are to be accomplished,” including the use of technology. It requires keeping the client informed and, depending on the circumstances, may require obtaining “informed consent” about use of technology. It requires notice to a client of a material loss or compromise of information relating to the client.
Model Rule 5.1: Responsibilities of Partners, Managers, and Supervisory Lawyers and Model Rule 5.2: Responsibilities of a Subordinate Lawyer include the duties of competence and confidentiality. Model Rule 5.3: Responsibilities Regarding Nonlawyer Assistants was amended in 2012 to expand its scope. “Assistants” was expanded to “Assistance,” extending its coverage to all levels of law firm staff and outsourced services, ranging from copying services to outsourced legal services. This requires attorneys to employ reasonable safeguards, like due diligence, contractual requirements, supervision, and monitoring, to ensure that nonlawyers, both inside and outside a law firm, provide services in compliance with an attorney’s ethical duties, including confidentiality.
Model Rule 1.15: Safeguarding Property requires attorneys to segregate and protect money and property of clients and third parties that is held by attorneys. Some ethics opinions and articles have applied it to electronic data held by attorneys.
These obligations are now well-established in the Model Rules, comments, and ABA and state ethics opinions.
Ethics Opinions. A number of ABA and state ethics opinions, for over a decade, have addressed professional responsibility issues related to security in attorneys’ use of various technologies. Consistent with the Ethics 20/20 amendments, they generally require competent and reasonable safeguards. There are three current ABA formal ethics opinions that address attorneys’ duty to safeguard information relating to clients when using technology, as follows:
Common Law and Contractual Duties. Along with the ethical duties, there are parallel common law duties defined by case law in the various states. They include competence, communication, and confidentiality. Breach of these duties can result in a malpractice action.
Increasingly, lawyers also have contractual duties to protect client data, particularly for clients in industries such as health care and financial services, which have regulatory requirements to protect privacy and security. They frequently include requirements for incident response and notice of security incidents and data breaches.
Regulatory Duties. Attorneys and law firms that have specified personal information about their employees, clients, clients’ employees, or customers, opposing parties and their employees, or even witnesses may also be covered by federal and state laws that variously require reasonable safeguards for covered information and notice to affected individuals and sometimes to regulators in the event of a data breach.
In addition, court confidentiality orders sometimes include requirements for safeguarding covered information.
More details about attorneys’ duties to safeguard client and confidential information and compliance with them are covered in the earlier articles in this series.
Understanding all the applicable duties is the first step, before moving to the challenges of compliance by designing, implementing, and maintaining an appropriate risk-based cybersecurity program. A cybersecurity program should address the core security functions of identify, protect, detect, respond, and recover. The program should be appropriately scaled to the size of the firm and the sensitivity of the information.
Cybersecurity is a process to protect the confidentiality, integrity, and availability of information. Comprehensive security must address people, policies and procedures, and technology. While technology is a critical component of effective security, the other aspects must also be addressed. As explained by Bruce Schneier, a highly respected security professional, "[i]f you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." The best technical security is likely to fail without adequate attention to people and policies and procedures.
For more information on comprehensive cybersecurity programs, see the earlier articles listed above.
The old adage, “We have met the enemy and he is us,” applies to cybersecurity for attorneys and law firms. Many breakdowns in security are caused by or facilitated by users of technology. It has been widely reported that about 85% of security incidents involve a human element. Internal threats can come from insiders who are dishonest, malicious, disgruntled, untrained, distracted, rushed, bored, or careless. Multitasking is an enemy of security. Users can be threats, but can also be the first line of defense.
Dishonest, malicious, and disgruntled insiders can be extremely dangerous. Fortunately, reports of breaches caused by them are infrequent. More often, breaches are caused or facilitated by errors by users who are trying to do the right thing.
October was the 19th Annual National Cybersecurity Awareness Month in the United States, cosponsored by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance. Recognizing the critical role of people, this year’s campaign theme was “See Yourself in Cyber,” focusing on the people part of cybersecurity. CISA notes “while cybersecurity may seem like a complex subject, ultimately, it’s really all about people.” More information is available on their websites.
The people element starts at the top. Management, whether a solo practitioner or a managing partner of a large firm, must take ownership of the cybersecurity program. Time and time again, it has been demonstrated that management buy-in is critical to success. Another important people consideration is assignment of responsibility. Management should appoint a person to oversee the security program. Depending on the size of the firm, security may be the sole function of a chief security officer or one of multiple duties of a lawyer or administrator. Someone must be in charge. The program should define security roles and responsibilities of everyone.
Supervising attorneys have a professional responsibility to ensure that they and those they supervise take competent and reasonable measures to safeguard client confidential information. This duty applies as well to junior attorneys who supervise staff and service providers.
Every user from the newest hire to senior management has a role in effective cybersecurity. Training is essential. Everyone with access to technology should be thoroughly trained in safe computing, both initially and periodically thereafter. All users should know how to use technology securely; be aware of current threats and how to protect against them; know what to do if there is an incident; and know how to get answers to questions. Beyond formal training, there should be constant security awareness, with everyone considering security as a part of everything they do with computers, mobile devices, and data.
Security should be a major consideration in the hiring of new employees. A thorough background check and review of references are necessary for law firm employees. They will have access to all kinds of client and firm information, and it is critical that they can be trusted. Security should also be a consideration with former employees, particularly when they are terminated or leave under adverse circumstances. It is important to ensure that: (1) their accounts are closed and all access to firm technology is terminated; and (2) they have returned all firm laptops and other devices, as well as all firm electronic data and papers.
Users can make a major difference in guarding against threats from phishing. Phishing is a form of social engineering that uses email or other messages to try to trick recipients into giving up confidential information or installing malware by opening a file or clicking on a link to a malicious website. Phishing can be by email, phone (vishing), or SMS text (smishing). Spearphishing (targeted to a specific organization or individual) is particularly dangerous. CISA has reported that 90% of successful cyberattacks start with phishing.
CISA recommends “Think Before You Connect” to guard against phishing and explains:
Have you ever seen a link that looks a little off? It looks like something you’ve seen before, but it says you need to change or enter a password. Or maybe it asks you to verify personal information. It could be a text message or even a phone call. They may pretend to be your email service, your boss, your bank, a friend…. The message may claim it needs your information because you’ve been a victim of cybercrime.
It’s likely a phishing scheme: a link or webpage that looks legitimate, but it’s a trick designed by bad actors to have you reveal your passwords, social security number, credit card numbers, or other sensitive information. Once they have that information, they can use it on legitimate sites. And they may try to get you to run malicious software, also known as malware. Sadly, we are more likely to fall for phishing than we think.
If it’s a link you don’t recognize, trust your instincts and think before you click. We all need to Phight the Phish!
Last year, CISA published a Phishing Tip Sheet that includes additional recommendations.
A trained user, who is attentive to the risk, can often stop phishing in its tracks.
Business Email Compromise (BEC) is another threat that users can block. BEC is a growing cybercrime epidemic, with staggering losses to businesses and organizations of all sizes, including law firms. It is a scheme in which an attacker uses fraudulent email to impersonate an executive, business contact, or other trusted person to get money, gift cards, a transfer of funds, or sensitive information. BEC uses attacks like spearphishing or emails from a compromised legitimate email account. The FBI’s Internet Crime Complaint Center (IC3) reported that the adjusted losses for BEC incidents reported in 2021 were almost $2.4 billion, the highest losses for any reported crime.
A common form of BEC is fraudulent wire transfer instructions, like a fraudulent email, appearing to be from a CEO or other senior official (COO, CFO, etc.), with instructions to immediately pay “a vendor,” or appearing to be from a vendor, with new wire transfer instructions to a criminal’s account. A variation is an email that appears to be from the attorney or real estate agent for a seller, with fraudulent payment instructions for the proceeds of a real estate sale, or to a buyer to “hijack” the wire transfer of the payment of the purchase price. Another common example is the W-2 scheme, in which a fraudulent email, appearing to be from a corporate officer, directs an employee in payroll to send copies of W-2 tax forms to him or her by email. The information is then used to get refunds from fraudulent electronic tax returns.
Safeguarding against BEC includes the same considerations as guarding against phishing, with attention to the nature of this threat. The FBI has a Business Email Compromise webpage that explains the threat and how to protect against it. For fraudulent wire transfers, the FBI recommends immediate notice to the bank, the local FBI office, and IC3. IC3 has a Recovery Asset Team that can assist with freezing and recovery of fraudulently transferred funds.
As with phishing, trained users, who are attentive to the risk, can often stop BEC in its tracks.
For both phishing and BEC, in addition to addressing people, a layered defense should include policies and procedures (like verifying and reconfirming payment instructions or changes and information requests – other than just by email – and prompt reporting of phishing attempts and security incidents), and technology (like spam filters, external email flags, multifactor authentication, use of secure email, and promptly applying security updates).
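As an added illustration of the “external email flags” control mentioned above (this is example code written for this article’s topic, not code from the author, CISA, or the FBI), the following script checks an email’s headers for the BEC patterns described earlier: an external sender whose display name matches a firm executive, a Reply-To that differs from the From address, and payment-change language in the subject. The firm domain, executive names, and sample messages are all constructed assumptions.

```python
"""Flag email headers that match common BEC patterns (illustrative only)."""
import re
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "examplefirm.test"                 # assumed internal domain
EXECUTIVES = {"Jane Partner", "John Managing"}   # hypothetical executive display names
# Words that commonly appear in fraudulent payment or W-2 requests
PAYMENT_RE = re.compile(r"\b(wire|payment|invoice|account|W-?2|gift card)\b", re.I)


def assess(raw_message: str) -> list[str]:
    """Return a list of warning flags for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    is_external = sender_domain != FIRM_DOMAIN
    flags = []
    if is_external:
        flags.append("EXTERNAL")                  # the basic external-sender banner
    # Display-name impersonation: an executive's name on an outside address
    if is_external and display_name.strip().lower() in {e.lower() for e in EXECUTIVES}:
        flags.append("EXEC_NAME_EXTERNAL")
    # Reply-To pointing elsewhere diverts the conversation to the attacker
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append("REPLY_TO_MISMATCH")
    if PAYMENT_RE.search(msg.get("Subject", "")):
        flags.append("PAYMENT_LANGUAGE")
    return flags


# Constructed sample: look-alike domain ("examp1e"), executive name, new wire details
SAMPLE_BEC = """From: "Jane Partner" <jane.partner@examp1efirm.test>
Reply-To: jp.urgent@mail.example
To: accounts@examplefirm.test
Subject: Urgent vendor wire - new account details

Please process today and confirm by reply."""

# Constructed sample: genuine internal message, no payment content
SAMPLE_OK = """From: "Jane Partner" <jane.partner@examplefirm.test>
To: accounts@examplefirm.test
Subject: Lunch Thursday?

Free at noon?"""

if __name__ == "__main__":
    print("BEC sample:", assess(SAMPLE_BEC))
    print("Normal sample:", assess(SAMPLE_OK))
```

A message carrying several of these flags is exactly the case where the policy above applies: confirm the instructions by a channel other than email before acting.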
Sources of helpful information on the people part of cybersecurity, as well as security generally, are listed below. In addition, the SANS Institute, a respected cybersecurity training and certification organization, publishes OUCH! - a monthly security awareness newsletter that is targeted to end users. It is available for free use and distribution. Recent examples include the October 2022 edition, “Emotional Triggers – How Cyber Attackers Trick You” and the July 2022 edition, “Phishing Attacks Are Getting Trickier.”
The people part of cybersecurity is best addressed through well-trained users who exercise constant security awareness, every day, every time they’re using technology.
Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients and often have contractual and regulatory duties. These duties should be addressed in a risk-based, comprehensive cybersecurity program, including addressing the people part of security.
American Bar Association, Cybersecurity Legal Taskforce
Jill D. Rhodes, Robert S. Litt and Paul S. Rosenzweig, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Third Edition (ABA 2022)
The views and opinions expressed in this article represent the view of the author and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is intended to be a substitute for professional legal advice.