Law Firms Also Increasing In Risk Of -Cyberattacks: What Lawyers Need To Know
Cyberattacks have become much more frequent in recent years, and law firms find themselves increasingly at risk. In 2015, two large law firms, Cravath, Swaine & Moore, and Weil Gotshal & Manges, were hacked. One may ask, why law firms? They don’t maintain long lists of customer credit card or bank account information like Target, Home Depot, or JP Morgan Chase, all of which were hacked in recent years.
Why do hackers go after law firms?
Law firms have information that is very attractive to hackers. In the attacks on Cravath and Weil Gotshal, the hackers, who were allegedly from China, sought confidential information on pending mergers and acquisitions, so that they could trade in the shares of the companies involved before the information became public. Law firms have a great deal of sensitive information like this, on transactions, bankruptcy filings, intellectual property, and other client dealings, from which hackers could potentially profit in some way.
Why are law firms vulnerable to cyberattacks?
Resources and attention are most often the source of law firms’ vulnerability. Many law firms, even larger ones, have not invested enough in their IT systems to make cyberattacks more difficult. They may not see the need to budget for the most up-to-date technology, or realize their IT systems do much more than just create and store documents. In addition, mobile devices such as laptops, tablets, and smartphones are often more vulnerable than in-house systems. Finally, many managing attorneys neither understand nor wish to be distracted by IT and other technological issues, and just want to leave things to “the IT guy.” However, cybersecurity is an enterprise-wide issue, and many potential clients, especially larger ones, are now asking law firms about their cyber- and data-security preparedness.
Legal and ethical implications for law firms
The same laws that apply to businesses in general also apply to law firms when it comes to protecting client data. These laws include state notification laws concerning consumer data and laws related to personal health information. In addition, lawyers have ethical duties that are triggered by cybersecurity considerations. Rule 1.1 of Colorado’s Rules of Professional Conduct requires an attorney to provide “competent representation” to a client, which requires “the legal knowledge, skill, thoroughness and preparation” necessary for that representation.
Comment 8 to Rule 1.1 states that lawyers must stay familiar with changes in “communications and other relevant technologies” in order to remain competent as required by the Rule. If a lawyer does not personally have the technical expertise required, he or she may seek expert advice or services to assist with compliance.
A lawyer’s obligation of confidentiality regarding client information also applies. Rule 1.6(c) of Colorado’s Rules of Professional Conduct states:
A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Comment 18 to Rule 1.6 explains that various factors will help determine if the efforts to prevent inadvertent or unauthorized disclosure are reasonable, including:
the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
The Federal Trade Commission, which has jurisdiction over companies that have had consumer information stolen or compromised in cyberattacks, also looks at whether a company has taken “reasonable” steps to protect that information, weighing factors similar to those above. If a law firm loses client data due to a cyberattack, it might find itself subject not just to government enforcement actions, but possible bar discipline for ethical violations.
As law firms become more frequent targets of cyberattacks, they too need to consider the following steps to increase they data security, lower the chances of an attack, and mitigate their liability if an attack does occur:
- Know what data they hold and how they maintain it
- Based on the data they hold, know what federal and state laws apply
- Develop a cybersecurity plan
- Implement policies and procedures for handling data and use of computers and other devices
- Conduct training of all employees, not just support staff, on protecting the firm’s data
- Develop an incident response plan to implement in the event of an attack
The extent of this planning depends, of course, on the size of the firm, the type of data it maintains for clients, its resources, and the consequences to clients of a data breach. In this way, a law firm is no different from any other organization or business, and cannot afford to ignore the increasing risk of a cyber attack.
For more information on how we can help you lower your data breach risk, contact Spitz Legal Counsel at 720-575-0440, or email at mark@spitzlegalcounsel.com. Visit us at www.spitzlegalcounsel.com.