As an attorney, you should already be familiar with the discovery process in litigation. One area of risk that many professionals fail to consider is the cybersecurity risk that arises during the discovery phase of litigation. During discovery, we collect documents, usually in an electronic format, provided either through consent or because of a subpoena. Let’s take a moment to examine a case where the discovery process went wrong.
In this case, a forensic accountant was provided with documents from opposing counsel on a jump drive. These documents had been requested through the discovery process. The forensic accountant checked the jump drive and determined that it was infected with spyware. The spyware would send data stored on the forensic accountant’s computers to a third party. Upon realizing that the jump drive provided by opposing counsel was infected with malware, the forensic accountant contacted the attorney and mentioned that he had discovered the spyware and that this was a potential ethical issue that could be reported to the State Bar. The attorney claimed he knew nothing of the spyware and was innocent of any wrongdoing. At the suggestion of the forensic accountant, the attorney hired a cybersecurity expert to test the law firm’s servers and other electronic devices for malware. The spyware was detected on the law firm’s servers and was infecting all the documents and communications the firm was sending out. The law firm was able to have the spyware removed, at a significant cost, and continue operations with an uninfected IT system.
Many small and midsize firms don’t recognize the cybersecurity risks that are inherent in the discovery process. Because you are collecting information from third parties, you need to be aware of the cybersecurity risk from malware in emails, on jump drives, or on other electronic media. Plaintiffs, defendants, and other parties may not have appropriate internal controls over cybersecurity to prevent their IT systems from being infected with malware, such as spyware or ransomware, and that malware can be transferred to any firm or organization they share data with. In litigation, the parties take an adversarial stance, and both the plaintiff and the defendant could stand to benefit if they were able to place malware on a law firm’s or forensic accountant’s IT system. There doesn’t always have to be intent to commit harm. It is highly probable that unsophisticated defendants and plaintiffs would have no knowledge that their own IT systems had been infected with malware and could transfer the malicious software unknowingly.
It is important for firms of all sizes to assess their risk of cyber fraud, including data breaches, spyware, ransomware, and other cybersecurity risks. It is equally important to establish good cybersecurity internal controls to help mitigate those risks.
Have questions on this topic? You can message me directly on LinkedIn.