Cyber-attacks are the new reality in almost every industry, and law firms are among the latest targets for cybercriminals. Despite facing an increased threat of breaches, most firms are not prepared for how to respond if and when one occurs. A study conducted by LogicForce revealed that 40 percent of surveyed firms did not recognize that their confidential client data had been breached. Preventative measures and a prepared response plan are crucial components of any viable legal practice.
While numerous law firms have fallen victim to cyber-attacks, DLA Piper has suffered one of the most significant breaches to date. The attack, which occurred last June, shut down the firm’s computer systems and left employees unable to access their files for days. Although the breach was eventually resolved, it cost the firm millions of dollars and served as a warning to those who feel invulnerable to these types of attacks.
In addition to business incentives, a variety of state and federal laws require lawyers to protect confidential information. Confidentiality is a paramount pillar of the attorney-client relationship. Within the context of cybersecurity, lawyers have an ethical obligation to safeguard electronically stored client information. Most states have adopted Model Rule 1.6, which requires a lawyer to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, such information. As we have seen, relying solely on an IT department may not be enough to comply with these provisions.
Ohio has modified its Rules of Professional Conduct to reflect modern law firm practice and its changing use of technology. Rule 1.1 governs attorney competence. The comments to that rule provide that, to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education, and comply with all CLE requirements to which the lawyer is subject.
While it may seem that smaller firms are unlikely targets of cyberattacks, history has shown otherwise. It is important to remember that law firms are perfect targets for cybercriminals, regardless of their size or the perceived interest of their clientele. This is because all law firms, regardless of size, retain valuable information such as personal data, intellectual property, trade secrets, and confidential business dealings. This information can be extremely valuable to those who seek to exploit it.
Cyberattacks are particularly troubling because of the manner in which they can be completed. Individuals operating with seemingly absolute anonymity can access confidential information from remote locations, either by bypassing existing security measures or through the use of common schemes such as phishing. Furthermore, gaining access to an employee’s account will often allow the hacker greater access to the law firm’s system. Thus, it may be difficult not only to identify the source of the breach, but also the scope of the harm that has been perpetrated.
Although these indirect methods of cyberattack appear to be the most commonly reported, there are more traditional means by which cyber breaches can occur. As reported by the Ohio Bar Association, the most common cyber breaches experienced by law firms are those associated with lawyers who lose a laptop, thumb drive, or mobile phone. Another common source of an attack is laptops or mobile phones stolen from an office or vehicle. As in the off-site hacking scenario discussed above, the same information can usually be obtained by directly accessing the employee’s cell phone or computer.
What are some ways you can prevent cyber hacks that occur at your firm?
The ABA has published a comprehensive guide for law firms, “Top Security Tips for Your Law Practice,” which includes advice for preventing and responding to cyber-attacks. Some of the tips include:
- Educate yourself and your employees (check out the “ABA Cybersecurity Handbook,” by Jill Rhodes and Robert S. Litt).
- Get cyber insurance. Even though the risk of costly data breach has created a growing liability for companies, general insurance typically does not cover cyberattacks.
- Make sure to encrypt your networks, mobile phones, laptops and thumb drives.
- Use good passwords on all devices.
- Keep your server in a locked closet or room.
- Consult with competent security experts to identify risks and implement measures specific to your firm.
In short, an attorney’s obligation to maintain confidential information is not a novel idea. However, the emerging threat of cyberattacks means that fulfilling this requirement in a competent manner requires a two-pronged approach: first, the employment of preventative measures; and second, the preparation of a response plan should a breach actually occur. And, in light of the ethical obligations governing our practice, failure to implement either component can be costlier than the economic burden of addressing the cyberattack itself.