One day in early May the attorneys at a prominent law firm sat down at their computers to work, only to discover that none of their files were accessible. Making matters worse, the hackers who had infiltrated the law firm’s network stole 756GB of firm and client data before encrypting everything on the firm’s servers, demanded $21 million in ransom (later raised to $42 million), and threatened to begin releasing confidential data about the firm’s clients to the public.
The information stored by law firms is among the most sensitive, most saleable, and therefore most desirable data imaginable. Law firm breaches can have catastrophic effects on people’s lives, including those of wealthy and powerful world leaders. For example, after the hack of the Panamanian law firm Mossack Fonseca, the offshore dealings of hundreds of politicians were exposed, including those of Russian leader Vladimir Putin (Chirgwin, Richard. “‘Panama papers’ came from email server hack at Mossack Fonseca.” The Register, 5 Apr. 2016). Exposure of an entertainment or sports figure’s negotiations can have a dramatic effect on that professional’s earning potential. Even on a lesser scale, if the details of an acrimonious divorce or business deal were exposed after a data breach, the result could be ruin for personal lives and fortunes alike. As the risks associated with storing information continue to grow, attorneys’ ethical responsibility to protect the confidentiality and integrity of the privileged data they hold takes on yet greater significance. Attorneys who fail to properly understand the implications of cybersecurity can cause a devastating impact on their clients and may even threaten their own license to practice law.
What is Cybersecurity?
From the largest multinational firm to the smallest solo practice, nobody is immune from a cyberattack or a cyberbreach. The best a firm can do is understand the risk, then take steps to manage the risk and mitigate the potential impact of a breach. In order to manage cybersecurity risk, it is important to first understand what cybersecurity is and the specific impact it can have on a law firm.
Cybersecurity encompasses not only the protection of hardware and network devices but also data stored and transmitted throughout the firm. Cybersecurity is protection of:
While data privacy is most commonly understood as the focus of cybersecurity, there are actually three cybersecurity objectives:
All organizations, including law firms, are subject to specific cybersecurity-related compliance requirements, including state privacy laws (e.g. New York State’s Stop Hacks and Improve Electronic Data Security Act, otherwise known as the SHIELD Act). Firms that accept credit cards for payment of fees are subject to Payment Card Industry Data Security Standard (PCI DSS) requirements. Law firms with healthcare practices may be subject to certain provisions of the HIPAA Rules. Firms with clients or counterparties in California are subject to the California Consumer Privacy Act (CCPA); those with clients or counterparties in the European Union are required to comply with General Data Protection Regulation (GDPR) privacy rules. Along with the compliance requirements applicable to all organizations, attorneys have additional ethical obligations under the Model Rules of Professional Conduct to protect client data from inadvertent or unauthorized disclosure. Clients may also have specific requirements regarding a law firm’s cybersecurity, especially as firms are considered to be third-party providers, and the list goes on...
The costs of a cyber breach are significant and may include fines and penalties, technology expenditures, forensics and legal costs, constituent notification requirements, operational downtime, and loss of billings. However, one of the most significant costs to a law firm is the reputational damage that can result from a breach. Clients entrust a firm with their confidential information; if the firm cannot protect this information, clients will find another firm that can.
What Can a Law Firm do to Protect Itself?
Although there is no way to fully protect a firm’s data or its clients’ data, there are best practices that will help to manage risk and mitigate losses in the event of a breach:
Most firms are not eager to devote time and money to activities that are neither client-facing nor revenue-generating, but protecting the firm’s and clients’ data is a regulatory requirement, an ethical obligation, and simply good business.
Elimination of cyber risk is not possible, but by gaining an understanding of the importance of cybersecurity, leveraging the use of expert advisors, and focusing on continuous incremental improvement, significant risk reduction is possible and necessary...unless you want your firm to be in the latest headline about a law firm breach.