chevron-down Created with Sketch Beta.
August 27, 2013 Articles

Hackers Are Targeting Law Firms: Are You Ready?

By Stacy Berliner

You have been or will be hacked. It is a matter of "when," not "if." In this fast-paced environment, technology and devices are constantly changing—making it difficult for a busy lawyer to stay apprised of the best methods of protecting her client's information. But recent attacks on law firms, as well as revisions to the Model Rules of Professional Conduct, require attorneys to take notice, understand technology risks, and protect their client information.

Hackers Target Law Firms
Law firms represent easy targets because they typically have clients' sensitive trade secret and proprietary information, and that information is usually less protected when it is at a law firm. For example, law firms store client information on a single network that is often far less secure than those of the corporate clients they represent. Lawyers often use passwords that are easily cracked. Lawyers are more likely to click on malware-infected phishing email links. And lawyers review sensitive information at unsecure Wi-Fi hotspots. Also, law firms are one-stop shops for hackers. According to the General Counsel of Mandiant, a cybersecurity firm, "[B]y targeting large law firms, hackers can obtain information about hundreds or thousands of companies by breaching a single network." Mandiant estimates that 80 major U.S. law firms were hacked in 2011. Experts believe that law firm cyberattacks have and will continue to increase.

Many times, law firms do not publicly admit to data losses for fear of losing clients and goodwill. However, there have been a couple of high-profile cases. In 2011, the California firm of Gipson Hoffman & Pancione was representing CYBERsitter, a leading provider of blocking and filtering software programs, in a $2.2 billion lawsuit against Chinese computer firms and software makers and the Chinese government. Eleven email messages, known as spear-phishing (or Trojan) attacks, were sent to individuals at the firm. These emails appeared to be coming from other individuals within the firm, and each contained a link or attachment that, once selected, would download malware. The emails were sent days after the law firm filed the CYBERsitter lawsuit. The Gipson Hoffman & Pancione law firm claimed that the Trojan emails were linked to Chinese servers. Because technology-savvy attorneys recognized the emails as potentially compromising, the malware was not released. The law firm believes that there was no compromise to its system. In October 2011, it was reported that an employee of Baxter, Baker, Sidle, Conn & Jones of Maryland left an unencrypted portable hard drive containing 161 patients' medical data and case information on a train. The employee returned 10 minutes later to retrieve the hard drive, but it was gone.

Understanding Technology Risks and Protecting Client Information
Lawyers cannot bury their heads in the sand. With the August 2012 revisions to the Model Rules of Professional Conduct, lawyers have ethical obligations to competently protect clients and their information. Now, Rule 1.1 requires attorneys to maintain the requisite technologic knowledge and skill and to "keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology." See Comment 8 to Rule 1.1.

Further, under Rule 1.6 (a), "[A] lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent . . . ." Paragraph 1.6 (c) requires a lawyer to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." Comments 18 and 19 to Rule 1.6 provide further guidance to an attorney's obligations with regard to ever-changing technology and what constitutes "reasonable efforts." Comment 18 requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties, and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision. Comment 19 explains that:

[T]he lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.

These new Model Rules and Comments provide attorneys with a general framework to understand what is reasonable and expected of them, while also allowing for flexibility in "special circumstances" and when the client has required "special security measures."

Implementing a Cyber-Security and Data-Protection Plan
To abide by the ethical rules and avoid expensive, embarrassing security breaches, all attorneys and law firms should devise cybersecurity and data protection plans, update the plans, and ensure that the plans are being implemented. The appropriate plan may vary depending on its data storage needs, its website specifics, and the size of the organization—including its number of employees and computers—as well as other factors, such as the sensitivity of the organization and the client information that is stored.

Attorneys devising a plan should engage cybersecurity experts, external consultants who can play a vital role in analyzing a law firm. These consultants can work in conjunction with the law firm's IT department to assess its overall security. This includes reviewing computer hard drives, software, network and data storage, mobile devices, email programs, and Internet sites. Consultants can also be extremely helpful in determining the employees' understanding of practices that increase cybersecurity. This allows the firm to appropriately identify other risks and efficiently address its specific cybersecurity needs. Once a data breach and prevention plan is in place, expert consultants can test the system through cybersecurity audits. Many times, these audits are performed by "white hats," or friendly hackers who attempt to penetrate an organization's cyber security.

Attorneys and law firms can take easy steps to protect their own information, as well as that of their clients. Cybersecurity and data protection plans may include the following:

  • Keep servers in locked room.
  • Control physical access to your computers.
  • Create user accounts for each employee.
  • Provide firewall security.
  • Update all antivirus programs and operating systems.
  • Secure your Wi-Fi networks.
  • Avoid unsecure Wi-Fi connections.
  • For remote access, use a VPN or other encrypted connection.
  • Make backup copies of important business data and information and encrypt backup media.
  • Employ best practices on payment cards.
  • Limit employee access to data and information.
  • Limit authority to install software.
  • Utilize passwords and authentication.
  • Invoke screensaver passwords after a reasonable time of inactivity.
  • Use complicated 12 character or more passwords.
  • Change passwords frequently (every 3–6 months).
  • Do not store passwords on the computer or an easily found location.
  • Change default values.
  • Never allow website/system to record a password.
  • Encrypt laptops with whole disk encryption.
  • Encrypt thumb drives.
  • Dispose of data-holding devices properly (i.e., DBAN to securely wipe data).
  • Devise document retention and destruction policies.
  • Develop a Mobile Device Plan.

Engaging Insurance and Crisis-Management Experts
Cyberattacks and data breaches can be financially devastating to an organization. These attacks and data breaches have cost upward of $110 billion worldwide. With these high costs, it is not prudent for a business to consider self-insuring, as attacks are highly unpredictable and at times can be completely devastating. The publicity from such incidents could also dramatically affect the organization. It is important for the cybersecurity plan to include an evaluation of the organization's current insurance plans as well as a determination of whether additional insurance products geared to a specific institution's cyber demands are necessary.

Cybersecurity insurance programs are relatively new and vary significantly from insurer to insurer. Because certain security breaches may implicate existing policies, it is best to start by reviewing your current program. For example, some security breaches may implicate claims against management (i.e., D&O and E&O policies), impact employee benefits (bonds), or implicate crime policies. If those policies exclude security-data breaches, it is time to review other products. Some data security policies may be stand-alone policies or "modules," while others are available in packages or can result from endorsements to existing liability policies. For example, some carriers provide data security protection through endorsements to errors and omission, employment practices liability, fiduciary, property and business interruption, and comprehensive liability policies. It is important to note that if coverage is added to existing policies, then the coverage may share limits of liability.

Cyber-liability insurance products cover a variety of risks. For example, products may cover an organization's failure to protect confidential information or misappropriation or improper disclosure; unintentional disclosure of private information that results in actual or risk of identity theft; failure to disclose or notify victims of a breach incident; violations of federal, state, local, and foreign laws governing data protection and privacy; and business interruption. These policies may cover costs for damages, a forensic examiner, remedial measures, consumer redress, business interruption, costs to hire crisis management firms, extortion payments, response costs, defense and administration costs, et cetera.

Another key element in establishing a comprehensive cybersecurity plan is retaining a crisis management firm. With the growing trend of cyberattacks, it is prudent to establish this relationship while in the planning stage. Crisis management firms can work with a law firm to devise a plan, test it, update it, and select a message to the public that is succinct and accurate. The right message and firm can help in retaining brand value and regaining public trust. It is their job to transform stories about vulnerability and victimization into narratives that highlight new levels of security, responsibility, and commitment to client privacy.

In The Art of War, the military strategist Sun Tzu observed, "The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand." The best way for an attorney to combat a cyberattack is to be prepared. A cybersecurity and data protection plan will help you prepare for that battle.

Keywords: woman advocate, litigation, cyber security, hacking, insurance, law firms


Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).