Big Law is struggling to protect privileged and sensitive information amid an onslaught of breaches, an ever-growing workload, and its own human errors.
In the wake of recently exposed data breaches at several Am Law 100 firms, a larger issue emerges around managing client confidentiality, one of the bedrocks of a law firm's responsibilities.
In the modern digital world it is also becoming a more complex challenge, which is the topic of a recent whitepaper released by Delta-Risk, a cybersecurity consulting company based in Washington, D.C.
And nowhere is the concern over client confidentiality more pronounced than in the industry's vulnerability to cyberthreats. Law firms are among the most attractive targets for attackers, the whitepaper notes, because they handle a wide range of sensitive information, from "potential mergers and acquisitions, patent and trade secrets, litigation plans, and generally very specific and confidential information on clients and their dealings."
Law Firm Breaches
Over the past several years, cyberattacks on law firms have run the gamut from hacktivist breaches and nation-state attacks to low-level blackmail attempts.
Earlier this week, new reports revealed that hackers gained access to the computer networks of law firms working on M&A deals, including Cravath, Swaine & Moore and Weil, Gotshal & Manges. A Weil spokesperson declined to comment, but Cravath confirmed that the firm identified a “limited breach of its IT systems” in the summer of 2015, according to The American Lawyer.
While law firms have kept quiet about them, data breaches at law firms date back several years. In 2010, for example, California-based law firm Gipson, Hoffman & Pancione was targeted with malicious phishing emails from Chinese hackers shortly after it filed a software piracy lawsuit against the Chinese government and Chinese companies. The firm quickly identified the malware and prevented any data exfiltration.
In 2012, however, Chinese hackers successfully breached Washington, D.C. firm Wiley Rein, which represented Solarworld in an antidumping case against China, as part of a wider cyberattack campaign.
Gipson, Hoffman & Pancione and Wiley Rein declined to comment for this article, while Ziprick and Cramer and Brown Firm did not immediately respond to requests for comment.
But that is not unusual, said Joseph Abrenio, vice president of commercial services at Delta-Risk and president of the Midwest Cybersecurity Alliance. He noted that firms are usually hesitant to disclose breaches because of legal, ethical and, just as important, branding concerns. The number of breaches at law firms, he believes, is higher than what is usually reported.
Yet as more breaches enter the public eye, it is possible to begin to understand the scope of the problem. In early 2016, for example, a cybercriminal, with the moniker “Oleras,” was reported soliciting other hackers in an effort to breach 48 law firms, almost all of which are among the Am Law 100. The cyber criminals previously targeted dozens of M&A law firms.
Other examples of law firm breaches go back to 2012, notably the politically motivated breach of the now-defunct law firm Puckett & Faraj by the hacktivist group Anonymous. The firm represented former staff sergeant Frank Wuterich, a key figure in the controversial 2005 Haditha killings in Iraq. Although Anonymous was only after his emails, it released the emails, and with them the sensitive information they contained, of many of the firm's other clients.
But cybercriminals don't always have such complex motives; some attacks are simply attempts at quick financial gain. In 2015, for example, California-based Ziprick and Cramer suffered a ransomware attack that encrypted data on an employee's workstation and on the firm's in-house servers. The attackers threatened to destroy the data unless they were paid, but Ziprick and Cramer had a data backup solution in place and dismissed the ransom.
Florida-based Brown Firm, however, was not so lucky. A ransomware attack in early 2016 crippled the firm's systems and encrypted data the firm had no other way to recover. After consulting with IT professionals and law enforcement, the firm paid $2,500 for the decryption key.
The Human Factor
While the fear of breaches of client confidentiality through cyberattacks is pervasive, the "most prevalent [cause of data loss] is human error and negligence," said Abrenio.
"Let's face it, productivity is king, and lawyers, paralegals, assistants, all of the staff are constantly under great pressure to produce," he explained. "When you're doing that at such a high rate, ultimately it's bound that human failure is going to happen. And I've seen numerous inadvertent disclosures of data that is either to opposing counsel, to counsel not even involved in the case or people that have no relationship to the case."
How inadvertent disclosures affect client confidentiality usually depends on the specifics of the disclosure. To highlight this point, the whitepaper cites the 2008 case of Victor Stanley, Inc. v. Creative Pipe, Inc., in which a defendant's attorney, through a mishandled e-discovery request, handed over privileged information to opposing counsel.
“Because of the questionable way the defense handled the discovery request search and how they dealt with the problems of the disclosure,” the whitepaper noted, “the court determined the balancing test it employed weighed against the defense. The inadvertently disclosed documents were no longer privileged. The defense’s technical failures exposed their clients’ privileged information to their adversaries.”
Five years later, the situation was different in 2013's Kyko Global, Inc. v. Prithvi Info. Solutions, a case in which defense counsel had tried to destroy privileged data by reformatting a hard drive before it was handed over. The reformatting was incomplete: a format typically rewrites only the filesystem's metadata and leaves file contents on the disk until they are overwritten, and the plaintiff was able to recover the data. Here, however, the court found that the intention and actions of defense counsel were adequate to preserve the data's privileged status.
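To show why a reformatted drive still gives up its files, here is an added example (not code from the whitepaper or from either case) that models a disk image with a tiny directory table followed by file contents. A "quick format" zeroes only the table, so a normal listing comes back empty while signature-based carving still recovers every document that has a recognizable header and footer; a real overwrite defeats the carving. The filesystem layout, the sample documents and the signature rules are all constructed for the example.

```python
"""
Signature-based file carving against a toy quick-formatted disk image.

Toy layout (an assumption for this example, not a real filesystem):
a directory table of fixed-size entries (name, offset, length) sits at
the start of the image and file bodies follow it.
"""
import struct

ENTRY = struct.Struct("<32sII")   # name (32 bytes), offset, length
TABLE_ENTRIES = 8
TABLE_SIZE = ENTRY.size * TABLE_ENTRIES
IMAGE_SIZE = 64 * 1024

# Constructed sample documents; not material from any real matter.
SAMPLE_FILES = {
    "memo.pdf": b"%PDF-1.4\n%privileged attorney-client memo\n%%EOF",
    "notes.txt": b"plain text notes: settlement authority up to $2,500",
    "strategy.pdf": b"%PDF-1.7\n%litigation strategy for trial\n%%EOF",
}


def build_image(files: dict) -> bytearray:
    """Write each file body after the table and record it in the table."""
    img = bytearray(IMAGE_SIZE)
    offset = TABLE_SIZE
    for i, (name, data) in enumerate(files.items()):
        img[offset:offset + len(data)] = data
        ENTRY.pack_into(img, i * ENTRY.size, name.encode(), offset, len(data))
        offset += len(data) + 512          # gap mimics cluster slack
    return img


def list_directory(img) -> dict:
    """Read files the way an operating system would: via the table only."""
    out = {}
    for i in range(TABLE_ENTRIES):
        name, offset, length = ENTRY.unpack_from(img, i * ENTRY.size)
        name = name.rstrip(b"\0")
        if name:
            out[name.decode()] = bytes(img[offset:offset + length])
    return out


def quick_format(img) -> bytearray:
    """Zero the directory table and nothing else; file bodies survive."""
    wiped = bytearray(img)
    wiped[:TABLE_SIZE] = b"\0" * TABLE_SIZE
    return wiped


def secure_overwrite(img) -> bytearray:
    """Overwrite every byte of the image; nothing is left to carve."""
    return bytearray(len(img))


def carve(img, header=b"%PDF-", footer=b"%%EOF") -> list:
    """Recover files by scanning for a header/footer pair, ignoring the table.
    Files without a known signature (the .txt here) are not found this way."""
    found, pos = [], 0
    while True:
        start = img.find(header, pos)
        if start < 0:
            return found
        end = img.find(footer, start)
        if end < 0:
            return found
        end += len(footer)
        found.append(bytes(img[start:end]))
        pos = end


def demo() -> dict:
    """Compare what a listing and a carver see after format vs. overwrite."""
    img = build_image(SAMPLE_FILES)
    formatted = quick_format(img)
    wiped = secure_overwrite(img)
    return {
        "listing_after_format": list_directory(formatted),
        "carved_after_format": carve(formatted),
        "carved_after_overwrite": carve(wiped),
    }


if __name__ == "__main__":
    result = demo()
    print("directory after quick format:", result["listing_after_format"])
    for doc in result["carved_after_format"]:
        print("carved after quick format:", doc[:40])
    print("carved after overwrite:", result["carved_after_overwrite"])
```

The lesson for anyone asked to "destroy" data before producing a device is the one the Kyko Global plaintiff exploited: a format or delete removes the pointers, not the bytes, and only an overwrite of the data region (or destruction of the key for an encrypted volume) actually makes the contents unrecoverable.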
What courts in both cases took into consideration, the whitepaper noted, was whether attorneys acted in a reasonable way to protect their client information. But it cautioned, “the baseline standard of what is ‘reasonable’ and what should be done in the event of a breach or disclosure is bound to change with improvements in technology.”
The fault assigned to law firms and attorneys who mishandle data outside of court and the discovery process is far more clear-cut, in situations that, Abrenio noted, happen far too often.
“What I’ve also seen unfortunately is lost data, the standard lost briefcase, or nowadays the electronic form of that, lost laptops; it’s amazing what frequency of that I have seen occur and it’s troubling and because these laptops are unencrypted,” he said.
The whitepaper discusses one such instance, in which an IT employee of the brokerage Sterne, Agee & Leach left an unencrypted laptop containing sensitive data in a public restroom. The Financial Industry Regulatory Authority (FINRA) fined the firm $225,000 for the incident.
Fines, however, may be the least of a law firm's problems when it suffers a breach of privileged and sensitive data. The whitepaper notes that 47 states, as well as Washington, D.C., Guam, Puerto Rico and the Virgin Islands, have breach notification laws that require organizations to notify affected residents if the breach meets certain conditions, such as a threshold number of people affected.
Attorney responsibilities after a data breach, however, extend beyond state law to ethical obligations such as those in the American Bar Association (ABA) Model Rules of Professional Conduct. Rule 1.1, which requires lawyers to provide competent representation, for example, "now extends that competency to the use of technology," the whitepaper noted. Similarly, Rule 1.6 requires "reasonable efforts to prevent the inadvertent or unauthorized disclosure" of client data.
Rule 5.3 was also expanded to ensure that, among other things, any "Internet-based service to store client information," such as a cloud service, complies with proper security measures and the lawyer's other ethical obligations.
While cyberattacks and human error make data breaches seem inevitable, there are ways to reduce the likelihood of unintentional data loss. The whitepaper suggests that firms first and foremost "develop a comprehensive cybersecurity program," which includes employee cybersecurity training, monitoring their data and data policies, frequently testing their defenses for weaknesses, and fostering a "culture of cybersecurity compliance."
But firms must also prepare for lapses, for "even the best laid plans and preparation sometimes fail."
The whitepaper advises purchasing cybersecurity insurance in case of successful attacks, adding “claw-back” procedures to document production agreements in case of inadvertent disclosures, and instituting a “two-pass process of reviewing documents that will be transmitted.”